MCC UNIT2

2/19/202
MCC-UNIT2-kss 1
4
 Europe USA Japan

Cellular GSM 450-457, 479- AMPS, TDMA, CDMA PDC

Phones 486/460-467,489- 824-849, 810-826,
496, 890-915/935- 869-894 940-956,
960, TDMA, CDMA, GSM 1429-1465,
1710-1785/1805- 1850-1910, 1477-1513
1880 1930-1990
UMTS (FDD) 1920-
1980, 2110-2190
UMTS (TDD) 1900-
1920, 2020-2025
Cordless CT1+ 885-887, 930- PACS 1850-1910, 1930- PHS
Phones 932 1990 1895-1918
CT2 PACS-UB 1910-1930 JCT
864-868 254-380
DECT
1880-1900
Wireless IEEE 802.11 902-928 IEEE 802.11
LANs 2400-2483 IEEE 802.11 2471-2497
HIPERLAN 2 2400-2483 5150-5250
5150-5350, 5470- 5150-5350, 5725-5825
5725
Others RF-Control RF-Control RF-Control
MCC-UNIT2-kss
27, 128, 418, 433, 315, 915 2/19/202 426, 868
2
4
868
 Migration To 3G
2.75G 3G
Multimedia
Intermediate
2.5G Multimedia

2G Packet Data

1G Digital Voice
Analog Voice
GPRS W-CDMA
GSM
EDGE (UMTS)
115 Kbps
NMT 9.6 Kbps 384 Kbps Up to 2 Mbps

GSM/
TD-SCDMA
TDMA GPRS
(Overlay)
TACS 2 Mbps?
115 Kbps
9.6 Kbps

iDEN iDEN
9.6 Kbps PDC (Overlay)
9.6 Kbps
AMPS CDMA 1xRTT cdma2000
CDMA 1X-EV-DV

14.4 Kbps
PHS
(IP-Based) 144 Kbps Over 2.4 Mbps
/ 64 Kbps
PHS 64 Kbps
2003 - 2004+
2003+
2001+ 2/19/202
MCC-UNIT2-kss 1992 - 2000+ 3
Source: U.S. Bancorp Piper Jaffray
4
1984 - 1996+
 Cellular Architecture

 Many
Transmitters
 Low Power
 Frequency
Reuse

2/19/202
MCC-UNIT2-kss 4
4
 Frequency Reuse

Seven-Way Frequency
Reuse
Cellular
networks are
designed so
adjacent cells
use different
frequencies

2/19/202
MCC-UNIT2-kss 5
4
 HAND OFF

2/19/202
MCC-UNIT2-kss 6
4
 Second Generation – 2G
◼ Digital systems
◼ Leverage technology to increase capacity
◼ Speech compression; digital signal processing

◼ Utilize/extend “Intelligent Network” concepts

◼ Improve fraud prevention
◼ Add new services
◼ There are a wide diversity of 2G systems
◼ IS-54/ IS-136 North American TDMA; PDC (Japan)

◼ iDEN

◼ DECT and PHS

◼ IS-95 CDMA (cdmaOne)

◼ GSM

2/19/202
MCC-UNIT2-kss 7
4
 GSM
◼ « Groupe Special Mobile », later changed to
« Global System for Mobile »
◼ joint European effort beginning in 1982

◼ focus on seamless roaming across Europe

◼ Services launched 1991

◼ time division multiple access (8 users per 200KHz)

◼ 900 MHz band; later extended to 1800MHz

◼ added 1900 MHz (US PCS bands)

◼ GSM is dominant world standard today

◼ well defined interfaces; many competitors

tri-band GSM phone can roam the world today

2/19/202
MCC-UNIT2-kss 8
4
GSM: Mobile Services

 GSM offers
 Several types of connections
 voice connections, data connections, short message service
 Multi-service options (combination of basic services)
 Three service domains
 Bearer Services
 Telematic Services
 Supplementary Services

2/19/202
MCC-UNIT2-kss 9
4
 GSM: Mobile Services

Bearer service
MS
transit source/
TE MT GSM-PLMN network destination TE
R, S Um (PSTN, ISDN) network (U, S, R)

tele service

PLMN :Public Land Mobile Network

PSTN: Public Switched Telephone Network
MCC-UNIT2-kss
2/19/202
10
4
ISDN: Integrated Service Digital Service
Bearer Services

 Telecommunication services to transfer data between

access points
 Specification of services up to the terminal interface
(OSI layers 1-3)
 Different data rates for voice and data (original
standard)
 data service (circuit switched)
 synchronous: 2.4, 4.8 or 9.6 kbit/s
 asynchronous: 300 - 1200 bit/s
 data service (packet switched)
 synchronous: 2.4, 4.8 or 9.6 kbit/s
 asynchronous: 300 - 9600 bit/s

2/19/202
MCC-UNIT2-kss 11
4
Tele Services I
 Telecommunication services that enable voice
communication via mobile phones
 All these basic services have to obey cellular
functions, security measurements etc.
 Offered services
 Encrypted voice transmission
 Emergency number
common number throughout Europe (112); mandatory for all service
providers; free of charge; connection with the highest priority
(preemption of other connections possible)
 Multi numbering
several ISDN phone numbers per user possible

2/19/202
MCC-UNIT2-kss 12
4
Tele Services II
 Additional services
 Non-Voice-Teleservices
 group 3 fax
 voice mailbox (implemented in the fixed network supporting the mobile terminals)
 electronic mail (MHS, Message Handling System, implemented in the fixed network)
 ...
 Short Message Service (SMS)
alphanumeric data transmission to/from the mobile terminal using the signaling
channel, thus allowing simultaneous use of basic services and SMS

2/19/202
MCC-UNIT2-kss 13
4
Supplementary Service
 Services in addition to the basic services,
cannot be offered stand-alone

 Important services
 identification: forwarding of caller number
 suppression of number forwarding
 automatic call-back
 conferencing with up to 7 participants
 locking of the mobile terminal (incoming or outgoing
calls)
 ...
2/19/202
MCC-UNIT2-kss 14
4
GSM Architecture

Antenna, Signal Processing, amplifiers

2/19/202
MCC-UNIT2-kss 15
4
GSM Architecture

GSM VMSC SMSC

Air interface
B
S
C A AUC
interface HLR
Abis
interface
TRAU MSC PSTN

B VLR
BTS S
BTS C
BTS EIR
OMCS

BTS BTS
BTS
Network and switching
subsystem
Mobile A interface SS7 / speech
Station X.25
OMCR
2/19/202
SS7
MCC-UNIT2-kss 16
4
Base Station System
GSM Elements and Interfaces
Components
MSC (Mobile Services Switching
radio cell
BSS Center):
MS MS
IWF (Interworking Functions)
Um radio cell

RSS BTS MS ISDN (Integrated Services Digital

Network)
BTS
PSTN (Public Switched
Telephone Network)
Abis
PSPDN (Packet Switched Public
BSC BSC
Data Net.)
A
CSPDN (Circuit Switched Public
MSC MSC Data Net.)
NSS signaling
VLR VLR
HLR GMSC
ISDN, PSTN Databases
PDN
IWF
O
HLR (Home Location Register)
VLR (Visitor Location Register)
OSS
EIR AUC OMC
EIR (Equipment Identity Register)
2/19/202
MCC-UNIT2-kss 17
4
A interface ckt switched PCM-30 system carrying 30 64 kbits/s connection at 2.048 Mbits/s
O interface uses Signaling system 7 (SS7) based on X.25
System architecture: radio subsystem and n/w and
switching subsystem
radio network and switching subsystem fixed partner
subsystem networks

MS MS
ISDN
PSTN
Um MSC

BTS Abis
BSC EIR
BTS

SS7
HLR

A VLR
BTS
BSC ISDN
BTS MSC
PSTN
BSS IWF
PSPDN
CSPDN
2/19/202
MCC-UNIT2-kss 18
4
Mobile station
 Terminal for the use of GSM services
 A mobile station (MS) comprises several functional groups
 MT (Mobile Terminal):
 offers common functions used by all services the MS offers
 corresponds to the network termination (NT) of an ISDN access
 end-point of the radio interface (U m)
 TA (Terminal Adapter):
 terminal adaptation, hides radio specific characteristics
 TE (Terminal Equipment):
 peripheral device of the MS, offers services to a user
 does not contain GSM specific functions
 SIM (Subscriber Identity Module):
 personalization of the mobile terminal, stores user parameters (with out SIM only
emergency call
 SIM= PIN (unlocking MS) +PUK(unlocking SIM)+Ki(authentication key+IMEI
(International Mobile Equipment identity (IMEI) identifies MS).
Which is used for theft protection
2/19/202
MCC-UNIT2-kss  MS stores TMSI(temporary mobile subscriber id.)+LAT(location
4
19 area Id.)

 TE
MS TA mobile subscriberMT
stores TMSI (temporary id.)+LAT(location area Id.)
U m
R S
RSS

 Radio subsystem
 The Radio Subsystem (RSS) comprises the cellular mobile network
up to the switching centers
 Components :
 Base Station Subsystem (BSS):
 Base Transceiver Station (BTS): radio components including sender,
receiver, antenna - if directed antennas are used one BTS can cover
several cells
 Base Station Controller (BSC): switching between BTSs, controlling
BTSs, managing of network resources, mapping of radio channels
(Um) onto terrestrial channels (A interface)
 BSS = BSC + sum(BTS) + interconnection
 Mobile Stations (MS)

2/19/202
MCC-UNIT2-kss 20
4
Base Transceiver Station and Base Station
Controller

 Tasks of a BSS are distributed over BSC and BTS

 BTS comprises radio specific functions BSC is the switching center for
radio channels

2/19/202
MCC-UNIT2-kss 21
4
Network and switching subsystem
 NSS is the main component of the public mobile network
GSM
 switching, mobility management, interconnection to other networks,
system control
 Components
 Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile
terminal within the domain of the MSC - several BSC can belong to a
MSC
 Databases (important: scalability, high capacity, low delay)
 Home Location Register (HLR)
central master database containing user data, permanent and
semi-permanent data of all subscribers assigned to the HLR (one
provider can have several HLRs)
 Visitor Location Register (VLR)
local database for a subset of user data, including data about all
user currently in the domain of the VLR

2/19/202
MCC-UNIT2-kss 22
4
Mobile Services Switching Center
 The MSC (mobile switching center) plays a central role in GSM
 switching functions
 additional functions for mobility support
 management of network resources
 interworking functions via Gateway MSC (GMSC)
 integration of several databases
 Functions of a MSC
 specific functions for paging and call forwarding
 termination of SS7 (signaling system no. 7)
 mobility specific signaling
 location registration and forwarding of location information
 provision of new services (fax, data calls)
 support of short message service (SMS)
 generation and forwarding of accounting and billing information

2/19/202
MCC-UNIT2-kss 23
4
Operation subsystem

 The OSS (Operation Subsystem) enables centralized operation,

management, and maintenance of all GSM subsystems
 Components
 Authentication Center (AUC)
 generates user specific authentication parameters on request of a VLR
 authentication parameters used for authentication of mobile terminals and encryption of
user data on the air interface within the GSM system
 Equipment Identity Register (EIR)
 registers GSM mobile stations and user rights
 stolen or malfunctioning mobile stations can be locked and sometimes even localized
 Operation and Maintenance Center (OMC)
 different control capabilities for the radio subsystem and the network subsystem via o
interface (ss7 and x.25):
 Traffic monitoring, status reports of network entities.
 Uses Telecommunication management network (TMN) standard.

2/19/202
MCC-UNIT2-kss 24
4
Localization and calling

 One fundamental feature of the GSM system is the

automatic, worldwide localization of users
 To provide this service, GSM performs periodic location
updates even if a user does not use the mobile station
(provided that the MS is still logged into the GSM
network and is not completely switched off)
 The HLR always contains information about the current
location (only the location area, not the precise
geographical location), and the VLR currently
responsible for the MS informs the HLR about location
changes.
 To locate an MS and to address the MS, several numbers
are needed

2/19/202
MCC-UNIT2-kss 25
4
Mobile station international
ISDN number (MSISDN)
 The MSISDN follows the ITU-T standard E.164 for
addresses as it is also used in fixed ISDN networks.
 This number consists of the country code (CC) (e.g.,
+49 179 1234567 with 49 for Germany), the national
destination code (NDC) (i.e., the address of the
network provider, e.g., 179), and the subscriber
number (SN)

2/19/202
MCC-UNIT2-kss 26
4
International mobile
subscriber identity (IMSI):
 GSM uses the IMSI for internal unique identification of a
subscriber.
 IMSI consists of a mobile country code (MCC) (e.g., 240
for Sweden, 208 for France), the mobile network code
(MNC) (i.e., the code of the network provider), and
finally the mobile subscriber identification number
(MSIN).

2/19/202
MCC-UNIT2-kss 27
4
Temporary mobile subscriber
identity (TMSI)
 To hide the IMSI, which would give away the exact
identity of the user signaling over the air interface GSM
uses the 4 byte TMSI for local subscriber identification.
 TMSI is selected by the current VLR and is only valid
temporarily and within the location area of the VLR (for
an ongoing communication TMSI and LAI are sufficient to
identify a user; the IMSI is not needed).

2/19/202
MCC-UNIT2-kss 28
4
Mobile station7 roaming
number (MSRN)
 Another temporary address that hides the identity and
location of a subscriber is MSRN.
 The VLR generates this address on request from the
MSC, and the address is also stored in the HLR.
 MSRN contains the current visitor country code (VCC),
the visitor national destination code (VNDC), the
identification of the current MSC together with the
subscriber number

2/19/202
MCC-UNIT2-kss 29
4
Mobile Terminated Call

 1: calling a GSM subscriber(MSISDN)

 2: forwarding call to GMSC
 3: signal call setup to HLR*
 4, 5: request MSRN from VLR
4
 6: identifies the MSC and forwards responsible MSC HLR VLR
to GMSC 5
8 9
 7: forward call to 3 6 14 15
 current MSC calling 7
PSTN GMSC MSC
 8, 9: get current status of MS from VLR1
station 2
 10, 11: paging all cells its is responsible for (LA) 10 10 13 10
and BTS forwards it to MS 16
 12, 13: MS answers BSS BSS BSS
 14, 15: security checks 11 11 11
 16, 17: set up connection
11 12
17
2/19/202 MS
MCC-UNIT2-kss 30
* HLR id is coded in the phone no 4

Checks whether the no exists, and user has subscribed for the service.
 2/19/202
MCC-UNIT2-kss 31
4
 Mobile Originated Call

VLR
 1, 2: connection 
3 4
request 6 5
PSTN GMSC MSC
 3, 4: security check* 7 8
2 9
 5-8: check resources 1
(free circuit) MS
10
BSS

 9-10: set up call

*MCC-UNIT2-kss
Checks if user is allowed to setup a call with requested
2/19/202 services
32
4
GSM protocol layers for signaling

CALL Management,
Call Control MS
Supplementary
BTS BSC MSC
SMS (SDCCH,SACCH)
CM CM
Mobility
management MM Radio Resource Mgmt MM
TMSI,IMSI, VLR Setup , maintenance
HLR and release of radio
channel BSSAP BSSAP
RR RR’
RR’ BTSM BTSM SS7 SS7
HDLC LAPDm LAPDm LAPD LAPD
with no checksum
,pre-sequencing,
Flow controllv radio radio PCM PCM PCM PCM

(Burst creation),
Synchronization, 16/64 kbit/s 64 kbit/s /
Idle channel detection,
Measurement of channel quality 2.048 Mbit/s
GMSK for digital modulation,
Channel coding and error correction
MCC-UNIT2-kss
2/19/202
33
4
 physical layer

 Layer 1, the physical layer, handles all radio-specific

functions.
 This includes the creation of bursts according to the five
different formats, multiplexing of bursts into a TDMA
frame, synchronization with the BTS, detection of idle
channels, and measurement of the channel quality on
the downlink.
 The physical layer at Um uses GMSK for digital
modulation and performs encryption/decryption of
data, i.e., encryption is not performed end-to-end,but
only between MS and BSS over the air interface.

2/19/202
MCC-UNIT2-kss 34
4
physical layer

 The main tasks of the physical layer comprise channel

coding and error detection/correction, which is directly
combined with the coding mechanisms.
 Channel coding makes extensive use of different
forward error correction (FEC) schemes.
 FEC adds redundancy to user data, allowing for the
detection and correction of selected errors.

2/19/202
MCC-UNIT2-kss 35
4
Data link layer

 Signaling between entities in a GSM network requires

higher layers
 For this purpose, the LAPDm protocol has been defined
at the Um interface for layer two.
 LAPDm is a lightweight LAPD because it does not need
synchronization flags or check summing for error
detection.
 LAPDm offers reliable data transfer over connections,
re-sequencing of data frames, and flow control (ETSI,
1993b), (ETSI, 1993c).

2/19/202
MCC-UNIT2-kss 36
4
Network layer

 The network layer in GSM, layer three, comprises

several sublayers
 The lowest sublayer is the radio resource management
(RR). Only a part of this layer, RR’, is implemented in
the BTS, the remainder is situated in the BSC.
 The functions of RR’ are supported by the BSC via the
BTS management (BTSM).
 The main tasks of RR are setup, maintenance, and
release of radio channels.
 RR also directly accesses the physical layer for radio
information and offers a reliable connection to the next
higher layer

2/19/202
MCC-UNIT2-kss 37
4
Mobility management (MM

 Mobility management (MM) contains functions for

registration, authentication, identification, location
updating, and the provision of a temporary mobile
subscriber identity (TMSI) that replaces the
international mobile subscriber identity (IMSI) and
which hides the real identity of an MS user over the air
interface.
 While the IMSI identifies a user, the TMSI is valid only in
the current location area of a VLR
 MM offers a reliable connection to the next higher layer

2/19/202
MCC-UNIT2-kss 38
4
call management (CM)

 The call management (CM) layer contains three

entities: call control (CC), short message service
(SMS), and supplementary service (SS).
 SMS allows for message transfer using the control
channels SDCCH and SACCH (if no signaling data is sent)
 CC provides a point-to-point connection between two
terminals and is used by higher layers for call
establishment, call clearing and change of call
parameters.
 This layer also provides functions to send in-band tones,
called dual tone multiple frequency (DTMF), over the
GSM network.
2/19/202
MCC-UNIT2-kss 39
4
Signaling system No. 7 (SS7)

 Data transmission at the physical layer typically uses

pulse code modulation (PCM) systems.
 Signaling system No. 7 (SS7) is used for signaling
between an MSC and a BSC.
 This protocol also transfers all management information
between MSCs, HLR, VLRs, AuC, EIR, and OMC. An MSC
can also control a BSS via a BSS application part
(BSSAP).

2/19/202
MCC-UNIT2-kss 40
4
HANDOVER

 In cellular communications, the handoff is the process

of transferring an active call or data session from one
cell in a cellular network or from one channel to
another.
 In satellite communications, it is the process of
transferring control from one earth station to another.
Handoff is necessary for preventing loss of interruption
of service to a caller or a data session user. Handoff is
also called handover.

2/19/202
MCC-UNIT2-kss 41
4
 2/19/202
MCC-UNIT2-kss 42
4
Situations for triggering
Handoff
 If a subscriber who is in a call or a data session moves
out of coverage of one cell and enters coverage area of
another cell, a handoff is triggered for a continuum of
service. The tasks that were being performed by the
first cell are delineating to the latter cell.

 Each cell has a pre-defined capacity, i.e. it can handle

only a specific number of subscribers. If the number of
users using a particular cell reaches its maximum
capacity, then a handoff occurs. Some of the calls are
transferred to adjoining cells, provided that the
subscriber is in the overlapping coverage area of both
the cells.

2/19/202
MCC-UNIT2-kss 43
4
Situations for triggering
Handoff
 Cells are often sub-divided into microcells. A handoff
may occur when there is a transfer of duties from the
large cell to the smaller cell and vice versa. For
example, there is a traveling user moving within the
jurisdiction of a large cell. If the traveler stops, then
the jurisdiction is transferred to a microcell to relieve
the load on the large cell.

 Handoffs may also occur when there is an interference

of calls using the same frequency for communication.

2/19/202
MCC-UNIT2-kss 44
4
Types of Handoffs

 There are two types of handoffs −

 Hard Handoff − In a hard handoff, an actual break in the
connection occurs while switching from one cell to
another. The radio links from the mobile station to the
existing cell is broken before establishing a link with the
next cell. It is generally an inter-frequency handoff. It is
a “break before make” policy.
 Soft Handoff − In soft handoff, at least one of the links
is kept when radio links are added and removed to the
mobile station. This ensures that during the handoff, no
break occurs. This is generally adopted in co-located
sites. It is a “make before break” policy.

2/19/202
MCC-UNIT2-kss 45
4
 2/19/202
MCC-UNIT2-kss 46
4
4 types of handover

1
2 3 4
MS MS MS MS

BTS BTS BTS BTS

BSC BSC BSC

MSC MSC
2/19/202
MCC-UNIT2-kss 47
4
 Types of handover

 Intra-cell handover: Within a cell, narrow-band

interference could make transmission at a certain
frequency impossible.
 The BSC could then decide to change the carrier
frequency (scenario 1).
 Inter-cell, intra-BSC handover: This is a typical
handover scenario. The mobile station moves from one
cell to another, but stays within the control of the same
BSC.
 The BSC then performs a handover, assigns a new radio
channel in the new cell and releases the old one
(scenario 2).
2/19/202
MCC-UNIT2-kss 48
4
 Inter-BSC, intra-MSC handover: As a BSC only controls a
limited number of cells; GSM also has to perform
handovers between cells controlled by different BSCs.
 This handover then has to be controlled by the MSC
(scenario 3)..
 Inter MSC handover: A handover could be required
between two cells belonging to different MSCs. Now
both MSCs perform the handover together (scenario 4).

2/19/202
MCC-UNIT2-kss 49
4
Handover decision

receive level receive level

BTSold BTSold

HO_MARGIN

MS MS

BTSold BTSnew
2/19/202
MCC-UNIT2-kss 50
4
Handover decision

 Figure 4.12 shows the typical behavior of the received

signal level while an MS moves away from one BTS
(BTSold) closer to another one (BTSnew).
 In this case, the handover decision does not depend on
the actual value of the received signal level, but on the
average value.
 Therefore, the BSC collects all values (bit error rate and
signal levels from uplink and downlink) from BTS and MS
and calculates average values.
 These values are then compared to thresholds, i.e., the
 handover margin (HO_MARGIN), which includes some
hysteresis to avoid a ping-pong effect (Wong, 1997)

2/19/202
MCC-UNIT2-kss 51
4
 Handover procedure
MS BTSold BSCold MSC BSCnew BTSnew
measurement measurement
report result

HO decision
HO required HO request
resource allocation
ch. activation

HO command HO request ack ch. activation ack

HO command HO command
HO access
Link establishment

HO complete HO complete
clear command clear command

clear complete clear complete

2/19/202
MCC-UNIT2-kss 52
4
Security

 GSM offers several security services using confidential

information stored in the AuC and in the individual SIM
(which is plugged into an arbitrary MS).
 The SIM stores personal, secret data and is protected
with a PIN against unauthorized use.
 For example, the secret key Ki used for authentication
and encryption procedures is stored in the SIM

2/19/202
MCC-UNIT2-kss 53
4
Security services

 Access control and authentication: The first step

includes the authentication of a valid user for the SIM.
The user needs a secret PIN to access the SIM.
 The next step is the subscriber authentication This step
is based on a challenge-response scheme
 Confidentiality: All user-related data is encrypted.
After authentication, BTS and MS apply encryption to
voice, data, and signaling
 This confidentiality exists only between MS and BTS, but
it does not exist end-to-end or within the whole fixed
GSM/telephone network.

2/19/202
MCC-UNIT2-kss 54
4
Security services

➢ Anonymity: To provide user anonymity, all data is

encrypted before transmission, and user identifiers
(which would reveal an identity) are not used over the
air.
➢ GSM transmits a temporary identifier (TMSI), which is
newly assigned by the VLR after each location update.
Additionally, the VLR can change the TMSI at any time.
 Three algorithms have been specified to provide
security services in GSM.
 Algorithm A3 is used for authentication, A5 for
encryption, and A8 for the generation of a cipher key.

2/19/202
MCC-UNIT2-kss 55
4
Authentication

 Authentication Goals
 Subscriber (SIM holder) authentication
 Protection of the network against unauthorized use
 Create a session key
 Authentication Scheme
 Subscriber identification: IMSI or TMSI
 Challenge-Response authentication of the subscriber by
the operator

2/19/202
MCC-UNIT2-kss 56
4
GSM Authentication Principles
 Network authenticates the SIM to protect against
cloning
 Challenge-response protocol
 SIM demonstrates knowledge of Ki
 infeasible for an intruder to obtain information
about Ki which could be used to clone the SIM
 Encryption key agreement
 a key (Kc) for radio interface encryption is
derived as part of the protocol
 Authentication can be performed at call
establishment allowing a new Kc to be used for
each call
2/19/202
MCC-UNIT2-kss 57
4
 GSM Authentication
(1) Distribution of
authentication data
(2) Authentication

MSC HLR AuC

MSC – circuit switched

services
SIM ME BTS BSC SGSN – packet switched
SGSN services (GPRS)
Mobile Visited Access Network Visited Home
Station (MS) Core Network Network

2/19/202
MCC-UNIT2-kss 58
4
 GSM Authentication: Prerequisites

 Authentication centre in home network (AuC) and security module (SIM) inserted into mobile phone
share
 subscriber specific secret key, Ki
 authentication algorithm consisting of
 authentication function, A3
 key generating function, A8

 AuC has a random number generator

2/19/202
MCC-UNIT2-kss 59
4
Entities Involved in GSM
Authentication
SIM Subscriber Identity Module
MSC Mobile Switching Centre (circuit services)
SGSN Serving GPRS Support Node (packet services)
HLR/AuC Home Location Register / Authentication Centre

2/19/202
MCC-UNIT2-kss 60
4
 GSM Authentication Protocol

SIM MSC or HLR/AuC

SGSN RAND
Ki
Authentication Data
Request A3 A8

{RAND, XRES, Kc} XRES Kc

RAND
RAND
Ki

A3 A8
RES RES = XRES?
RES Kc
2/19/202
MCC-UNIT2-kss 61
4
GSM Authentication Parameters

Ki = Subscriber authentication key (128 bit)

RAND = Authentication challenge (128 bit)
(X)RES = A3Ki (RAND)
= (Expected) authentication response (32 bit)
Kc = A8Ki (RAND)
= Cipher key (64 bit)

Authentication triplet = {RAND, XRES, Kc} (224 bit)

MCC-UNIT2-kss
 Typically sent in batches to MSC or SGSN
2/19/202
62
4
 GSM Authentication Algorithm

 Composed of two algorithms which are often combined

 A3 for user authentication
 A8 for encryption key (Kc) generation
 Located in the customer’s SIM and in the home network’s AuC
 Standardisation of A3/A8 not required and each operator can choose
their own

2/19/202
MCC-UNIT2-kss 63
4
A3 – MS Authentication
Algorithm
 Goal
 Generation of SRES response to MSC’s random challenge
RAND

RAND (128 bit)

Ki (128 bit) A3

SRES (32 bit)

2/19/202
MCC-UNIT2-kss 644
A8 – Voice Privacy Key
Generation Algorithm
 Goal
 Generation of session key K s
 A8 specification was never made public

RAND (128 bit)

Ki (128 bit) A8

KC (64 bit)
2/19/202
MCC-UNIT2-kss 654
Logical Implementation
of A3 and A8
 Both A3 and A8 algorithms are implemented on the SIM
 Operator can decide, which algorithm to use.
 Algorithms implementation is independent of hardware
manufacturers and network operators.

2/19/202
MCC-UNIT2-kss 664
Logical Implementation
of A3 and A8
 COMP128 is used for both A3 and A8 in most GSM
networks.
 COMP128 is a keyed hash function

RAND (128 bit)

Ki (128 bit) COMP128

128 bit output

MCC-UNIT2-kss
SRES 32 bit and Kc 54 bit
2/19/202
67
4
 2/19/202
MCC-UNIT2-kss 68
4
A5 – Encryption Algorithm

 A5 is a stream cipher
 Implemented very efficiently on hardware
 Design was never made public
 Leaked to Ross Anderson and Bruce Schneier

 Variants
 A5/1 – the strong version
 A5/2 – the weak version
 A5/3
 GSM Association Security Group and 3GPP design

 Based on Kasumi algorithm used in 3G mobile systems

2/19/202
MCC-UNIT2-kss 694
 Logical A5 Implementation

Mobile Station BTS

Fn (22 bit) Kc (64 bit) Fn (22 bit) Kc (64 bit)

A5 A5

114 bit 114 bit

Data (114 bit) Ciphertext (114 bit) Data (114 bit)
XOR XOR

Real A5 output is 228 bit for both directions

2/19/202
MCC-UNIT2-kss 704
 A5 Encryption
Mobile Stations Base Station Network Subscriber and terminal
Subsystem Management equipment databases

OMC
BTS
Exchange
System
VLR
BTS BSC MSC
HLR AUC

BTS EIR
2/19/202
MCC-UNIT2-kss 714
A5 Encryption
Encryption

 To ensure privacy, all messages containing user-related

information are encrypted in GSM over the air interface.
 After authentication, MS and BSS can start using
encryption by applying the cipher key Kc (the precise
location of security functions for encryption, BTS and/or
BSC are vendor dependent).
 Kc is generated using the individual key Ki and a
random value by applying the algorithm A8.
 Note that the SIM in the MS and the network both
calculate the same Kc based on the random value RAND.
 The key Kc itself is not transmitted over the air
interface

2/19/202
MCC-UNIT2-kss 72
4
Encryption

2/19/202
MCC-UNIT2-kss 73
4
Um Fundamentals
960 MHz

959.8MHz 124 TS: Time slot

123
DOWNLINK ……. GSM utilizes two bands (TDMA
Downlink of 25 MHz.
frame)890-915
= 8 TS
……
MHz band is used for uplink while the 935-
960 MHz is used for downlink.
200KHz
935.2 Mhz
2 0 1 2 3 5 6 7
The frequency bands are divided into 200
935 MHz
1
4 called ARFCNs (Absolute
KHz wide channels
Radio Frequency
Data burst =Channel Numbers)
156.25 bit periods = i.e.
there576.9s
are 125 ARFCNs out of which only 124
915 MHz
are used.
914.8 MHz 124
Each ARFCN supports 8 users with each user
45 MHz
0 1 2 3 5 6 7
123 transmitting / receiving on a particular time
Delay
200KHz ……. slot (TS).
4 (TDMA frame)
UPLINK
…… Uplink
2
890.2 MHz
1
890 MHz
MCC-UNIT2-kss Therefore 1 2/19/202
TDMA 4
frame 74
= 156.25 x 8 = 1250 bits
The technology and has a duration of 576.92s x 8 = 4.615 ms
GSM - TDMA/FDMA
935-960 MHz
124 channels (200 kHz)
downlink

890-915 MHz
124 channels (200 kHz)
uplink
higher GSM frame structures
time

GSM TDMA frame

1 2 3 4 5 6 7 8
4.615 ms

GSM time-slot (normal burst)

guard guard
space tail user data S Training S user data tail space
3 bits 57 bits 1 26 bits 1 57 bits 3
546.5 µs
577 µs
2/19/202
MCC-UNIT2-kss 75
4
 Frame hierarchy
1 hyperframe = 2048 superframes = 2715648 TDMA frames

0 1 2 3 ……

2044 2045 2046 2047

1 superframe = 51 (26frame) multiframes OR 26 (51 frame) multiframes

………. 4
0 1 2 3 7 48 49 50
0 1 ………. 24 25

1 speech multiframe = 26TDMA frames 1 control multiframe = 51TDMA frames

T0 T1 ….. T1 S T1 ….. T2 I T0 T1 T2 T3 …. ….. ….. T4 T4 T5

1 2 3 8 9 0

TN=Nth TDMA frame

2/19/202
MCC-UNIT2-kss 76
4
 2/19/202
MCC-UNIT2-kss 77
4
Channels : differentiating between Physical and
Logical channels

Physical channels : The combination of an ARFCN and a time slot

defines a physical channel.

Logical channels : These are channels specified by GSM which are

mapped on physical channels.

2/19/202
MCC-UNIT2-kss 78
4
 Logical Channels on Air interface

LOGICAL
CHANNELS

COMMON DEDICATED
CHANNELS CHANNELS
Connection Setup
BTS to MS

BROADCAST COMMON DEDICATED TRAFFIC

CHANNELS CONTROL CONTROL CHANNELS
CHANNELS CHANNELS
Stand alone low data rates
Synchronization Authentication, registration

FCCH SCH BCCH SDCCH SACCH FACCH

Cell Ids., options Slow association

Frequency correction
(channel quality signal strength)

PCH RACH AGCH TCH/F TCH/H TCH/EFR

Access Grant 2/19/202
MCC-UNIT2-kss Random access 79
Paging 4
22.8 kbits/s
11.4 kbits/s
Traffic channels (TCH):

 GSM uses a TCH to transmit user data (e.g., voice,

fax).
 Two basic categories of TCHs have been defined, i.e.,
full-rate TCH(TCH/F) and half-rate TCH (TCH/H). A
TCH/F has a data rate of 22.8 kbit/s, whereas TCH/H
only has 11.4 kbit/s.
 Data transmission in GSM is possible at many different
 data rates, e.g., TCH/F4.8 for 4.8 kbit/s, TCH/F9.6 for
9.6 kbit/s, and, as a
 newer specification, TCH/F14.4 for 14.4 kbit/s

2/19/202
MCC-UNIT2-kss 80
4
Control Channels(CCH)

 Many different CCHs are used in a GSM system to control

medium access, allocation of traffic channels or
mobility management.
 Broadcast control channel (BCCH):
 Common control channel (CCCH):
 Dedicated control channel (DCCH):

2/19/202
MCC-UNIT2-kss 81
4
Broadcast control channel
(BCCH):

 A BTS uses this channel to signal information to all MSs

within a cell.
 Information transmitted in this channel is, e.g., the cell
identifier, options available within this cell (frequency
hopping), and frequencies available inside the cell and
in neighboring cells.
 The BTS sends information for frequency correction via
the frequency correction channel (FCCH) and
information about time synchronization via the
synchronization channel (SCH), where both channels
are subchannels of the BCCH.

2/19/202
MCC-UNIT2-kss 82
4
Common control channel (CCCH):

 All information regarding connection setup between MS

and BS is exchanged via the CCCH
 For calls toward an MS, the BTS uses the paging channel
(PCH) for paging the appropriate MS.
 If an MS wants to set up a call, it uses the random
access channel (RACH) to send data to the BTS.
 The RACH implements multiple access (all MSs within a
cell may access this channel) using slotted Aloha.
 The BTS uses the access grant channel (AGCH) to signal
an MS that it can use a TCH or SDCCH for further
connection setup

2/19/202
MCC-UNIT2-kss 83
4
Dedicated control channel
(DCCH):

 While the previous channels have all been unidirectional,

the following channels are bidirectional
 As long as an MS has not established a TCH with the BTS, it
uses the stand-alone dedicated control channel (SDCCH)
with a low data rate (782 bit/s) for signaling
 This can comprise authentication, registration or other
data needed for setting up a TCH
 Each TCH and SDCCH has a slow associated dedicated
control channel (SACCH) associated with it, which is used
to exchange system information, such as the channel
quality and signal power level.
 if more signaling information needs to be transmitted and a
TCH already exists, GSM uses a fast associated dedicated
control channel (FACCH).
2/19/202
MCC-UNIT2-kss 84
4
 2/19/202
MCC-UNIT2-kss 85
4
 2/19/202
MCC-UNIT2-kss 86
4
 2/19/202
MCC-UNIT2-kss 87
4
 2/19/202
MCC-UNIT2-kss 88
4
 2/19/202
MCC-UNIT2-kss 89
4
GPRS

2/19/202
MCC-UNIT2-kss 90
4
What is GPRS ?

 General Packet Radio Service (GPRS) is a new bearer

service for GSM that greatly improves and simplifies
wireless access to packet data networks

 GPRS applies packet radio principal to transfer user

data packets in an efficient way b/w MS & external
packet data network

2/19/202
MCC-UNIT2-kss 91
4
General Packet Radio Service
GPRS
 GPRS and its Features
 GPRS Network Architecture
 Location Management in GPRS
 Mobility Management in GPRS
 Logical Channels of GPRS
 GPRS Applications
 GPRS protocol stacks

2/19/202
MCC-UNIT2-kss 92
4
Constraints with existing
network
 Data Rates too slow – about 9.6 kbps
 Connection setup time too long
 Inefficient resource utilization for bursty traffic
 Proves expensive for bursty traffic utilization
 No efficient method for packet transfers

2/19/202
MCC-UNIT2-kss 93
4
Comparison of GSM & GPRS

2/19/202
MCC-UNIT2-kss 94
4
 2/19/202
MCC-UNIT2-kss 95
4
GPRS architecture

 Interfaces, reference points and network elements

 Functional view on GPRS
 Subscription of GPRS service
 New network elements
 GGSN
 SGSN

 Other elements
 GPRS backbones
 GPRS Mobile classes

2/19/202
MCC-UNIT2-kss 96
4
 2/19/202
MCC-UNIT2-kss 97
4
 2/19/202
MCC-UNIT2-kss 98
4
 2/19/202
MCC-UNIT2-kss 99
4
 SMS-GMSC
SMS-IWMSC SM-SC

MAP-H MAP-C
Gd
MSC/VLR HLR
MAP-D
Gs Gc
A
Gb Gr Gi
TE MT BSS SGSN GGSN PDN TE
Gn
R Um Gp MAP-F
EIR
GGSN

Other PLMN

2/19/202
Signalling Interface
MCC-UNIT2-kss
4
100

Signalling and Data Transfer Interface

Interfaces

 Gb – Connects BSC with SGSN

 Gn – SGSN – SGSN/GGSN (in the same network)
 Gp – SGSN –GGSN (in different networks)
 Gf – For equipment querying at registering time
 Gi – Connects PLMN with external Packet Data Networks
(PDNs)
 Gr – To exchange User profile between HLR & SGSN
 Gs – To exchange Database between SGSN & MSC
 Gd – Interface between SMS & GPRS

2/19/202
MCC-UNIT2-kss 101
4
 Assignment of functions to
general logical architecture
Function MS BSS SGSN GGSN HLR
Network Access Control:
Registration X
Authentication and Authorisation X X X
Admission Control X X X
Message Screening X
Packet Terminal Adaptation X
Charging Data Collection X X

Packet Routeing & Transfer:

Relay X X X X
Routeing X X X X
Address Translation and Mapping X X X
Encapsulation X X X
Tunnelling X X
Compression X X
Ciphering X X X

Mobility Management: X X X X

Logical Link Management:

Logical Link Establishment X X
Logical Link Maintenance X X
Logical Link Release X X

Radio Resource Management:

Um Management X X
Cell Selection X X
Um-Tranx X X
2/19/202
MCC-UNIT2-kss
Path Management X X 102
4
Gateway GPRS Support Node

 GGSN
 Typically located at one of the MSC sites
 One (or few) per operator
Main functions
 Interface to external data networks
 Resembles to a data network router
 Forwards end user data to right SGSN
 Routes mobile originated packets to right destination
 Filters end user traffic
 Collects charging information for data network usage
 Data packets are not sent to MS unless the user has activated
the PDP address
2/19/202
MCC-UNIT2-kss 103
4
Serving GPRS Support Node

 SGSN
 Functionally connected with BSC, physically can be at MSC or BSC
site
 One for few BSCs or one (or few) per every BSC
 One SGSN can support BSCs of several MSC sites

 Main functions
 Authenticates GPRS mobiles
 Handles mobile’s registration in GPRS network
 Handles mobile’s mobility management
 Relays MO and MT data traffic
 TCP/IP header compression, V.42bis data compression, error
control MS- SGSN (ARQ)
 Collect charging information of air interface usage

2/19/202
MCC-UNIT2-kss 104
4
GPRS Register

 GPRS Register is integrated with GSM-HLR.

 Maintains the GPRS subscriber data and Routing
information.
 Stores current SGSN address

2/19/202
MCC-UNIT2-kss 105
4
Other elements

 BG (Border Gateway)
 (Not defined within GPRS)
 Routes packets from SGSN/GGSN of one operator to a SGSN/GGSN of an other
operator
 Provides protection against intruders from external networks
 DNS (Domain Name Server)
 Translates addresses from ggsn1.oper1.fi -format to 123.45.67.89 format (i.e.
as used in Internet)
 Charging Gateway
 Collects charging information from SGSNs and GGSNs
 PTM-SC (Point to Multipoint -Service Center)
 PTM Multicast (PTM-M): Downlink broadcast; no subscription; no ciphering
 PTM Group call (PTM-G): Closed or open groups; Down/up -link; ciphered
 Geographical area limitation

2/19/202
MCC-UNIT2-kss 106
4
Protocol architecture of the
transmission plane for GPRS

2/19/202
MCC-UNIT2-kss 107
4
GPRS tunnelling protocol
(GTP)
 All data within the GPRS backbone, i.e., between the
GSNs, is transferred using the GPRS tunneling protocol
(GTP).
 GTP can use two different transport protocols, either
the reliable TCP (needed for reliable transfer of X.25
packets) or the non-reliable UDP (used for IP packets).
The network protocol for the GPRS backbone is IP
(using any lower layers).

2/19/202
MCC-UNIT2-kss 108
4
subnetwork dependent
convergence protocol
(SNDCP)
 To adapt to the different characteristics of the
underlying networks, the subnetwork dependent
convergence protocol(SNDCP) is used between an SGSN
and the MS.
 On top of SNDCP and GTP, user packet data is tunneled
from the MS to the GGSN and vice versa
 LLC:To achieve a high reliability of packet transfer
between SGSN and MS, a special LLC is used, which
comprises ARQ and FEC mechanisms for PTP (and later
PTM) services.

2/19/202
MCC-UNIT2-kss 109
4
A base station subsystem
GPRS protocol (BSSGP)
➢ A base station subsystem GPRS protocol (BSSGP) is used
to convey routing and QoS-related information between
the BSS and SGSN.
➢ BSSGP does not perform .error correction and works on
top of a frame relay (FR) network.
➢ The radio link protocol (RLC) provides a reliable link,
while the
➢ MAC controls access with signaling procedures for the
radio channel and the mapping of LLC frames onto the
GSM physical channels.

2/19/202
MCC-UNIT2-kss 110
4
GPRS backbones

 Enables communication between GPRS Support Nodes

 Based on private IP network
 IPv6 is the ultimate protocol
 IPV4 can be used as an intermediate solution
 Intra-PLMN backbone
 Connects GPRS Support Nodes of one operator
 Operator decides the network architecture
 LAN, point-to-point links, ATM, ISDN, ...
 Inter-PLMN backbone
 Connects GPRS operators via BGs
 Provides international GPRS roaming
 Operators decide the backbone in the roaming agreement
2/19/202
MCC-UNIT2-kss 111
4
GPRS mobile types

 Class A:
 Simultaneous GPRS and conventional GSM operation
 Supports simultaneous circuit switched and GPRS data transfer
 Class B:
 Can be attached to both GPRS and conventional GSM services
simultaneously
 Can listen circuit switched and GPRS pages (via GPRS)
 Supports either circuit switched calls or GPRS data transfer but not
simultaneous communication
 Class C:
 Alternatively attached in GPRS or conventional GSM
 No simultaneous operation
 ‘GPRS only’ mobiles also possible (e.g. for telemetric applications)

2/19/202
MCC-UNIT2-kss 112
4
GPRS operations

 Security: Basic security rules

 Authentication, key management, ciphering
 GPRS attach
 Data transmission
 MO, MT, MO+MT
Mobility management
 Interworking with GSM services

2/19/202
MCC-UNIT2-kss 113
4
LOCATION MANAGEMENT IN
GPRS

2/19/202
MCC-UNIT2-kss 114
4
 Instead of Location Area, GPRS uses Routing Areas to group cells.
RA is a subset of LA.

 IDLE:
 MS is not known by the network (SGSN)
 STANDBY:
 MS’s location is known in accuracy of Routing Area
 MS can utilize DRX (to save battery)
 MS must inform its location after every Routing Area change (no
need to inform if MS changes from one cell to another within same
Routing Area)
 Before the network can perform MT data transfer MS must be
paged within the Routing Area
 MS may initiate MO data transfer at any time

2/19/202
MCC-UNIT2-kss 115
4
 READY:
 MS’s location is known in accuracy of cell
 MS must inform its location after every cell change
 MS can initiate MO data transfer at any time
 SGSN does not need to page the MS before MT data
transfer
 MS listens continuously GPRS PCCCH channel
 DRX in READY state is optional

2/19/202
MCC-UNIT2-kss 116
4
Routing Area Update

 GSM Location Area(LA) is divided into several Routing

Areas(RA)
 RA consists of several cells
 SGSN is informed when MS moves to a new RA
 MS sends a “Routing Area Update Request” to its assigned
SGSN
 When an MS that is in an active or a standby state moves
from one routing area to another within the service area of
one SGSN, it must perform a routing update.
 The routing area information in the SGSN is updated, and
the success of the procedure is indicated in the response
message.
2/19/202
MCC-UNIT2-kss 117
4
Mobility Management

 Consists of two levels:

 Micro mobility management :
 Tracks the current RA or cell of MS
 It is performed by SGSN
 Macro mobility management :
 Keep tracks of MS’s current SGSN
 Stores it in HLR, VLR, and GGSN

2/19/202
MCC-UNIT2-kss 118
4
Channels in GPRS

 Logical Channel
 Traffic Channels
 Signalling Channels (Control Channels)
 Physical Channels

2/19/202
MCC-UNIT2-kss 119
4
 2/19/202
MCC-UNIT2-kss 120
4
UMTS ( 3G)

2/19/202
MCC-UNIT2-kss 121
4
IMT-2000

 The (IMT-2000), consists of 3 operating modes based on Code

Division Multiple Access (CDMA) technology.

 3G CDMA modes are most commonly known as:

 CDMA2000,
 WCDMA (called UMTS) and
 TD-SCDMA
(Time Division-Synchronous Code Division Multiple Access)

2/19/202
MCC-UNIT2-kss 122
4
High-Speed Packet Data Services

 2 Mbps in fixed or in-building environments (very

short distances, in the order of metres)

 384 kbps in pedestrian or urban environments

 144 kbps in wide area mobile environments

 Variable data rates in large geographic area systems

(satellite)

2/19/202
MCC-UNIT2-kss 123
4
 2/19/202
MCC-UNIT2-kss 124
4
 Network Elements from UMTS

UMTS differs from GSM Phase 2+ (GSM +GPRS) mostly in the new
principles for the air interface transmission
WCDMA instead of TDMA/FDMA
Therefore a new RAN (Radio Access Network) called:
UTRAN (UMTS Terrestrial Radio Access Network)
must be introduced with UMTS
Only minor modifications are needed in the CN (Core Network) to
accommodate the change
2/19/202
MCC-UNIT2-kss 125
4
UTRA: UMTS Terrestrial Radio Access
The most significant change in REL. ´99 was the “UTRAN”, a W-CDMA
radio interface for land-based communications.
UTRAN supports time (TDD) and frequency division duplex (FDD).
The TDD mode is optimized for public micro and pico cells and unlicensed cordless
applications.
The FDD mode is optimized for wide-area coverage, i.e. public macro and micro
cells.
Both modes offer flexible and dynamic data rates up to 2 Mbps.

2/19/202
MCC-UNIT2-kss 126
4
UMTS architecture

UTRAN (UTRA NETWORK)

• Radio Network Subsystem (RNS)

UE (User Equipment)
CN (Core Network)

Uu Iu

UE UTRAN CN
2/19/202
MCC-UNIT2-kss 127
4
 2/19/202
MCC-UNIT2-kss 128
4
UTRAN
Two new network elements
are introduced in UTRAN

• RNC
• Node B

UTRAN is subdivided
into individual radio
network systems (RNSs),
where each RNS is
controlled by an RNC.
The RNC is connected to
a set of Node B elements,
each of which can serve
2/19/202
one or several cells.
MCC-UNIT2-kss 129
4
UTRAN architecture
RNS RNC: Radio Network Controller
RNS: Radio Network Subsystem
UE1 Node B Iub
lu
RNC CN
UE2
Node B UTRAN comprises several RNSs

UE3
Node B can support FDD or TDD
or both
Iur
Node B
Iub RNC is responsible for handover
Node B decisions requiring signaling to
RNC
the UE
Node B
Cell offers FDD or TDD
RNS
2/19/202
MCC-UNIT2-kss 130
4
 UTRAN functions

 Admission control
 Congestion control
 Radio channel encryption
 Handover
 Radio network configuration
 Channel quality measurements
 Radio resource control
 Data transmission over the radio interface
 Outer loop power control (FDD and TDD)
 Channel coding

2/19/202
MCC-UNIT2-kss 131
4
 Core network
The Core Network (CN) and the Interface Iu, are separated into two logical domains:

❑Circuit Switched Domain (CSD) ❑Packet Switched Domain (PSD)

• Circuit switched service incl. signaling • GPRS components (SGSN, GGSN)
• Resource reservation at connection setup • IuPS
• GSM components (MSC, GMSC, VLR)
• IuCS

VLR
BTS BSS
Abis Iu
BSC MSC GMSC
PSTN
Node
BTSB
IuCS
AuC
EIR HLR
GR
Node B
Iub
Node B
RNC SGSN GGSN
G Gi
2/19/202
n
MCC-UNIT2-kss Node B 132
IuPS 4
CN
RNS
 Access method CDMA

CDMA (Code Division Multiple Access)

 all terminals send on the same frequency probably at
the same time and can use the whole bandwidth of
the transmission channel
 each sender has a unique random number, the sender
XORs the signal with this pseudo random number
 the receiver can “tune” into this signal if it knows the
pseudo random number, tuning is done via a
correlation function

2/19/202
MCC-UNIT2-kss 133
4
 Spreading and scrambling of user data
 Constant chip rate of 3.84 Mchip/s

 Different user data rates supported via different spreading factors

 higher data rate: less chips per bit and vice versa

 User separation via unique, quasi orthogonal scrambling codes

 users are not separated via orthogonal spreading codes
 much simpler management of codes: each mobile can use the
same orthogonal spreading codes

data1 data2 data3 data4 data5

spr. spr. spr. spr. spr.

code1 code2 code3 code1 code4

scrambling scrambling
code1 code2
2/19/202
MCC-UNIT2-kss 134
4
sender1 sender2
 1
Length
Ri

Length
1
1 Rc

Ri = R c SPREADING FACTOR
2/19/202
MCC-UNIT2-kss
1 Ri 4
135

Rc
 2/19/202
MCC-UNIT2-kss 136
4
 2/19/202
MCC-UNIT2-kss 137
4
DS-CDMA= Direct Sequence Code Division Multiple Access
 3.84 Mchip/s

2/19/202
MCC-UNIT2-kss 138
4
CDMA in theory

 Sender A
 sends Ad = 1, key Ak = 010011 (assign: „0“= -1, „1“= +1)
 sending signal As = Ad * Ak = (-1, +1, -1, -1, +1, +1)
 Sender B
 sends Bd = 0, key Bk = 110101 (assign: „0“= -1, „1“= +1)
 sending signal B s = Bd * Bk = (-1, -1, +1, -1, +1, -1)
 Both signals superimpose in space
 interference neglected (noise etc.)
 As + Bs = (-2, 0, 0, -2, +2, 0)
 Receiver wants to receive signal from sender A
 apply key Ak bitwise (inner product)
Ae = (-2, 0, 0, -2, +2, 0) • Ak
(-2, 0, 0, -2, +2, 0) • (-1, +1, -1, -1, +1, +1)= 2 + 0 + 0 + 2 + 2 + 0 = 6
 result greater than 0, therefore, original bit was „1“
 receiving B
Be = (-2, 0, 0, -2, 2, 0) • Bk
( -2, 0, 0,- 2,- 2, 0) • (1, 1, -1, +1, -1, +1) = -6, i.e. „0“
2/19/202
MCC-UNIT2-kss 139
4
 CDMA on signal level I
data A
1 0 1 Ad
key A
key
sequence A 0 1 0 1 0 0 1 0 0 0 1 0 1 1 0 0 1 1 Ak
data  key 1 0 1 0 1 1 1 0 0 0 1 0 0 0 1 1 0 0

signal A As

Here the binary ”0” is assigned a positive value,

The binary ”1” a negative value!

Real systems use much longer keys resulting in a larger distance

between single code words in code space. 2/19/202
MCC-UNIT2-kss 140
4
 CDMA on signal level II
+1
signal A
-1 As

data B 1 0 0 Bd

key B
key 0 0 0 1 1 0 1 0 1 0 0 0 0 1 0 1 1 1 Bk
sequence B
data  key
1 1 1 0 0 1 1 0 1 0 0 0 0 1 0 1 1 1
+1
signal B
Bs
-1
+2
0
As + Bs
-2

2/19/202
MCC-UNIT2-kss 141
4
 CDMA on signal level III
data A
1 0 1 Ad
+2
As + Bs 0
-2

1
Ak
-1
+2
(As + Bs) 0
* Ak -2

integrator
output
comparator 1 0 1
output
2/19/202
MCC-UNIT2-kss 142
4
 CDMA on signal level IV
data B
1 0 0 Bd

As + Bs

Bk

(As + Bs)
* Bk

integrator
output
comparator 1 0 0
output
2/19/202
MCC-UNIT2-kss 143
4
 CDMA on signal level V

+2
As + Bs
0

-2

wrong
key K

+2
(As + Bs)
0
*K
-2

integrator
output
comparator
output (0) (0) ?
2/19/202
MCC-UNIT2-kss 144
4
OSVF coding
Ortogonal Variable Spreading Factor Codes
1,1,1,1,1,1,1,1
1,1,1,1 ...
Recursive rule 1,1,1,1,-1,-1,-1,-1
1,1
1,1,-1,-1,1,1,-1,-1
1,1,-1,-1 ...
X,X
1,1,-1,-1,-1,-1,1,1
X 1
1,-1,1,-1,1,-1,1,-1
X,-X 1,-1,1,-1 ...
1,-1,1,-1,-1,1,-1,1
SF=n SF=2n 1,-1
1,-1,-1,1,1,-1,-1,1
1,-1,-1,1 ...
1,-1,-1,1,-1,1,1,-1
2/19/202
MCC-UNIT2-kss 145
4
SF=1 SF=2 SF=4 SF=8
  Multicasting of data via
Support of mobility: several physical
channels
macro diversity  Enables soft handover
 FDD mode only
 Uplink
 simultaneous reception of
UE data at several Node
UE Node B Bs

 Downlink
 Simultaneous transmission
Node B RNC CN
of data via different cells

2/19/202
MCC-UNIT2-kss 146
4
 Transmit Power Control is essential

Near – far problem

despreading
MS
MS Node B

Power control

despreading

MS MS Node B

Transmit
MCC-UNIT2-kss Minimize More 2/19/202
4
Increase
147

Power Control the Tx power secure the system capacity

 Frequency Allocation

FDMA / TDMA CDMA

f1 f1 f1 f1
f2 f2 f1 f1
f3 f3 f1 f1
f1 f1 f1 f1 f1 f1
f2 f2 f2 f1 f1 f1
f3 f3 f3 f1 f1 f1
f1 f1 f1 f1
f2 f2 f1 f1
f3 f3 f1 f1

A case of 3 cell repetitions Same frequency in all cells.

2/19/202
MCC-UNIT2-kss 148
4
 UMTS protocol stacks (user plane)

UE Uu UTRAN IuCS 3G
apps. & MSC
protocols
Circuit RLC
RLC SAR
SAR
switched MAC MAC AAL2 AAL2

radio radio ATM ATM

UE Uu UTRAN IuPS 3G Gn 3G
apps. &
protocols SGSN GGSN
IP, PPP, IP tunnel IP, PPP,
… …
Packet PDCP GTP
PDCP GTP GTP GTP
switched RLC RLC UDP/IP UDP/IP UDP/IP UDP/IP

MCC-UNIT2-kss
MAC MAC AAL5 AAL5
2/19/202 L2
149
L2
4
radio radio ATM ATM L1 L1
CSD

 The CSD uses the ATM adaptation layer 2 (AAL2) for user
data transmission on top of ATM as transport technology.
 The RNC in the UTRAN implements the radio link
control (RLC) and the MAC layer, while the physical
layer is located in the node B.
 The AAL2 segmentation and reassembly layer (SAR) is,
for example, used to segment data packets received
from the RLC into small chunks which can be
transported in ATM.
 AAL2 and ATM has been chosen, too, because these
protocols can transport and multiplex low bit rate voice
data streams with low jitter and latency (compared to
the protocols used in the PSD).

2/19/202
MCC-UNIT2-kss 150
4
PSD

 UDP/IP is used to create a UMTS internal IP network.

 GTP: All packets (e.g., IP, PPP) destined for the UE are
encapsulated using the GPRS tunnelling protocol (GTP).
 PDCP:The RNC performs protocol conversion from the
combination GTP/UDP/IP into the packet data
convergence protocol (PDCP).
 This protocol performs header compression to avoid
redundant data transmission using scarce radio
resources.

2/19/202
MCC-UNIT2-kss 151
4
Protocol Stack

 The medium access control (MAC) layer coordinates

medium access and multiplexes logical channels onto
transport channels.
 The MAC layers also help to identify mobile devices and
may encrypt data.
 The radio link control (RLC) layer offers three different
transport modes.
 The acknowledged mode transfer uses ARQ for error
correction and guarantees onetime in-order delivery of
data packets.
 The unacknowledged mode transfer does not perform ARQ
but guarantees at least one-time delivery of packets with
the help of sequence numbers.
 The transparent mode transfer simply forwards MAC data
without any further processing
2/19/202
MCC-UNIT2-kss 152
4
UTRA-FDD (W-CDMA)

 The FDD mode for UTRA uses wideband CDMA (W-CDMA)

with direct sequence spreading. As implied by FDD,
uplink and downlink use different frequencies.
 (MS->BS) Uplink -> 1920 to 1980 MHz
 (BS->MS) Downlink -> 2110 to 2170 MHz
 Each radio channel is divided into 10 millisecond frames
and each frame is further divided into 15 time slots.
The time slots over here are not used for user
separation (as in GSM) but for periodic functions.

2/19/202
MCC-UNIT2-kss 153
4
 2/19/202
MCC-UNIT2-kss 154
4
Dedicated physical data
channel (DPDCH):
 This channel conveys user or signaling data.
 The spreading factor of this channel can vary between
4 and 256. This directly translates into the data rates
this channel can offer:
 960 kbit/s (spreading factor 4, 640 bits per slot, 15 slots
per frame, 100 frames per second), 480, 240, 120, 60,
30, and 15 kbit/s (spreading factor 256).

2/19/202
MCC-UNIT2-kss 155
4
UTRA-FDD uplink data rates

2/19/202
MCC-UNIT2-kss 156
4
Dedicated physical control
channel (DPCCH):
 In each connection layer 1 needs exactly one DPCCH.
This channel conveys control data for the physical layer
only and uses the constant spreading factor 256.
 Pilot :The pilot is used for channel estimation.
 Transport format combination identifier:The transport
format combination identifier (TFCI) specifies the
channels transported within the DPDCHs .
 FBI :Signaling for a soft handover is supported by the
feedback information field (FBI).
 Transmit power control (TPC): The last field, transmit
power control (TPC) is used for controlling the
transmission power of a sender.

2/19/202
MCC-UNIT2-kss 157
4
Dedicated physical channel
(DPCH):
 The downlink time multiplexes control and user data.
Spreading factors between 4 and 512 are available.
 The available data rates for data channels (DPDCH)
within a DPCH are 6 (SF=512), 24, 51, 90, 210, 432,
912,and 1,872 kbit/s (SF=4).

2/19/202
MCC-UNIT2-kss 158
4
Steps for searching a cell

 A UE has to perform the following steps during the search

for a cell after power on:
 Primary synchronization:A UE has to synchronize with the
help of a 256 chip primary synchronization code. This code
is the same for all cells and helps to synchronize with the
time slot structure.
 Secondary synchronization:During this second phase the UE
receives a secondary synchronization code which defines
the group of scrambling codes used in this cell. The UE is
now synchronized with the frame structure.
 Identification of the scrambling code: The UE tries all
scrambling codes within the group of codes to find the
right code with the help of a correlator. After these
three steps the UE can receive all further data over a
broadcast channel.

2/19/202
MCC-UNIT2-kss 159
4
UTRA-TDD

 The second UTRA mode, UTRA-TDD, separates up and

downlink in time using a radio frame structure similar to
FDD. 15 slots with 2,560 chips per slot form a radio
frame with a duration of 10 ms. The chipping rate is
also 3.84 Mchip/s.
 To reflect different user needs in terms of data rates,
the TDD frame can be symmetrical or asymmetrical,
i.e., the frame can contain the same number of uplink
and downlink slots or any arbitrary combination.
 The frame can have only one switching point from
uplink to downlink or several switching points.

2/19/202
MCC-UNIT2-kss 160
4
UTRA-TDD(TD-CDMA frame
structure

2/19/202
MCC-UNIT2-kss 161
4
 The figure shows a burst of type 2 which comprises two
data fields of 1,104 chips each.
 Midample: A midample is used for training and channel
estimation.
 As TDD uses the same scrambling codes for all stations,
the stations must be tightly synchronized and the
spreading codes are available only once per slot.
 Guard period (GP):To loosen the tight synchronization a
little bit, a guard period (GP) has been introduced at
the end of each slot.

2/19/202
MCC-UNIT2-kss 162
4
Comparison between UTRA-
FDD and UTRA -TDD
PARAMETER UTRA FDD UTRA TDD
Multiple access CDMA TDMA, CDMA
method
Channel spacing 5 MHz 5 MHz (and
1.6MHz for TD-
SCDMA)
Carrier chip rate 3.84 Mcps 3.84 Mcps
Spreading factors 4 .. 512 1 .. 16
Time slot 15 slots / frame 15 / 14 slots /
structure frame
Frame length (ms) 10 10

2/19/202
MCC-UNIT2-kss 163
4
Comparison between UTRA-
FDD and UTRAUTRA
PARAMETER -TDD
FDD UTRA TDD

Multirate concept Multicode, and OVSF Multicode, multislot and

OVSF

Burst types N/A (1) traffic bursts

(2) random access burst
(3) synchronisation burst

Detection Coherent based on pilot Coherent based on mid-

symbols amble
Dedicated channel Fast closed loop 1500 Hz Uplink: open loop 100
power control rate Hz or 200 Hz rate
Downlink: closed loop
2/19/202
4 max 164
800 Hz rate
 Thank you

2/19/202
MCC-UNIT2-kss 165
4