GSM Mobility Management


Oct 30, 2013 (3 years and 11 months ago)


Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001

Prof. M. Veeraraghavan, Polytechnic University, New York


GSM architecture overview


Network layout


Protocols


Addresses & identifiers


Location management


Call delivery + location update


Security


Handover management

GSM network layout

[Figure: a GSM network (PLMN) divided into MSC regions, which contain location areas with BSCs and BTSs.]

PLMN: Public Land Mobile Network

MSC: Mobile Switching Center

BTS: Base Transceiver Station

BSC: Base Station Controller

GSM network layout

[Figure: network elements BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR and OMC, with connections to the PSTN and ISDN; interfaces labelled Um, Abis, A, B, C and E.]


GSM MAP protocol


GSM MAP similar to IS41 MAP


MAP uses the Transaction Capabilities Application Part (TCAP) of the SS7 stack


MAP functions:


Updating of location information in VLRs


Storing routing information in HLRs


Updating and supplementing user profiles
in HLRs


Handoff of connections between MSCs


What is a location area (LA)?


A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell


One extreme is to page every cell in the network for each call: a waste of radio bandwidth


The other extreme is to have a mobile send location updates at the cell level. Paging is cut to 1 cell, but there is a large number of location updating messages.


Hence, in GSM, cells are grouped into Location Areas: updates are sent only when the LA is changed; the paging message is sent to all cells in the last known LA
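
The trade-off above can be made concrete with a small model, added here as an illustration and not part of the original slides: a mobile random-walks over an n x n grid of cells whose location areas are k x k blocks, and the function counts location updates sent and cells paged. The grid, the random walk and the fixed call interval are assumptions.

```python
import random

def la_of(cell, k):
    """Location area of cell (x, y) when LAs are k x k blocks of cells."""
    return (cell[0] // k, cell[1] // k)

def signalling_cost(n, k, steps, call_every, seed=1):
    """Return (location_updates, cells_paged) for one simulated mobile.

    n: grid is n x n cells; k: LA edge length in cells (k=1 is per-cell
    tracking, k=n is one LA for the whole network); a call arrives every
    `call_every` steps and is paged in every cell of the last known LA.
    """
    rng = random.Random(seed)          # seeded so that runs are repeatable
    cell = (n // 2, n // 2)
    updates = paged = 0
    for step in range(1, steps + 1):
        dx, dy = rng.choice([(1, 0), (-1, 0), (0, 1), (0, -1)])
        nxt = (min(max(cell[0] + dx, 0), n - 1),
               min(max(cell[1] + dy, 0), n - 1))
        if la_of(nxt, k) != la_of(cell, k):
            updates += 1               # MS reads a new LAI and sends an update
        cell = nxt
        if step % call_every == 0:
            lx, ly = la_of(cell, k)    # LAs at the grid edge may be smaller
            width = min((lx + 1) * k, n) - lx * k
            height = min((ly + 1) * k, n) - ly * k
            paged += width * height
    return updates, paged

if __name__ == "__main__":
    for k in (1, 2, 4, 6, 12):
        print(k, signalling_cost(12, k, 600, 20))
```

With k = 1 every call pages a single cell but every cell change costs an update; with k = n no updates are sent and every call pages the whole grid.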


Addresses and Identifiers


International Mobile Station Equipment Identity (IMEI)


It is similar to a serial number. It is allocated by equipment
manufacturer, registered by network, and stored in EIR


International Mobile Subscriber Identity (IMSI)

IMSI format: MCC | MNC | MSIN

MCC: Country Code

MNC: Mobile Network Code

MSIN: Mobile Subscriber Identification Number

When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.

The HLR can be identified by a VLR/MSC from the IMSI.


Addresses and Identifiers


Mobile Subscriber ISDN (MSISDN)


The “real telephone number”: assigned to
the SIM


The SIM can have several MSISDN
numbers for selection of different
services like voice, data, fax

MSISDN format: CC | NDC | SN

NDC: National Destination Code (NDC identifies operator);
SN: Subscriber Number; CC: Country Code;

Digits following NDC identify the HLR

Addresses and Identifiers


Mobile Station Roaming Number
(MSRN)


It is a temporary, location-dependent ISDN number


It is assigned by the local VLR to each MS in its area.

MSRN format: CC | NDC | SN

Addresses and identifiers


Temporary Mobile Subscriber
Identity (TMSI)


It is an alias of the IMSI and is used in its place for
privacy.


It is used to avoid sending IMSI on the radio path.


It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR


TMSI is stored in MS SIM card and in VLR.

TMSI, IMSI, MSRN and MSISDN


Unlike MSISDN, IMSI is not known to the GSM user. The CC of MSISDN translates to an MCC of IMSI as follows, e.g., Denmark: CC 45, MCC 238


TMSI is used instead of IMSI during location update to
protect privacy. As user moves, TMSI is used to send
location update. Thus a third party snooping on the wireless
link cannot track a user as he/she moves.


MSRN is the routing number that identifies the current
location of the called MS.


MSRN is a temporary network identity assigned to a mobile subscriber.


MSRN identifies the serving MSC/VLR.


MSRN is used for call delivery (calls incoming to an MS).


MSISDN is the dialed number to reach a GSM user


Addresses and Identifiers


Location Area ID (LAI)


CC: Country Code, MNC: Mobile Network Code, LAC: Location Area Code


LAI is broadcast regularly by Base
Station on BCCH


Each cell is identified uniquely as
belonging to an LA by its LAI

LAI format: CC | MNC | LAC

Location management


Set of procedures to:


track a mobile user


find the mobile user to deliver it calls


Current location of MS maintained by 2-level hierarchical strategy with HLRs and VLRs.

Ways to obtain MSRN

1. Obtaining at location update: MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.

2. Obtaining on a per call basis: This case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment.

Routing information: case when MSRN
is selected per call by VLR/MSC


If an MSRN is allocated to each subscriber visiting an MSC, then the number of MSRNs required is large. If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number. Hence MSRNs are typically allocated per call by the VLR/MSC.

[Figure: routing-information lookup involving GMSC, HLR and MSC/VLR; labels shown: MSISDN, IMSI, VLR number, MSRN.]

Call routing to a mobile station: case when HLR returns MSRN

[Figure: call routing from the ISDN through GMSC, HLR, VLR and MSC, then via BSCs and BTSs in LA 1 and LA 2 to the MS (EIR and AUC also drawn). Step labels: 1 and 2 MSISDN; 3, 4 and 5 MSRN; 6, 7 and 8 TMSI.]

Messages exchanged: call delivery

[Figure: message sequence chart between the originating switch (PSTN), GMSC, HLR, VLR and target MSC, with the six messages below.]

1. ISUP IAM

2. MAP_SEND_ROUTING_INFO

3. MAP_PROVIDE_ROAMING_NUMBER

4. MAP_PROVIDE_ROAMING_NUMBER_ack

5. MAP_SEND_ROUTING_INFO_ack

6. ISUP IAM

Find operation in GSM


The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. It therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network)


GMSC requests the current routing address
(MSRN) from the HLR using MAP


By way of MSRN the call is forwarded to the local
MSC


Local MSC determines the TMSI of the MS (by
querying VLR) and initiates the paging procedure in
the relevant LA


After MS responds to the page the connection can
be switched through.
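
The six-message call delivery and the per-call MSRN pool from the preceding slides, modelled as an added example that is not part of the original slides. The class names, the sample numbers and the choice to free the MSRN as soon as the IAM reaches the MSC are assumptions.

```python
class ServingVLR:
    """MSC/VLR of the visited area: visitor records plus a small MSRN pool."""
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)      # MSRNs not bound to a call
        self.in_use = {}                 # MSRN -> IMSI, for calls being set up
        self.visitors = {}               # IMSI -> (TMSI, LAI)

    def provide_roaming_number(self, imsi):          # messages 3 and 4
        if imsi not in self.visitors:
            raise LookupError("IMSI is not registered in this VLR")
        if not self.free:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free.pop(0)
        self.in_use[msrn] = imsi
        return msrn

    def incoming_iam(self, msrn):                    # message 6 arrives
        imsi = self.in_use.pop(msrn)                 # assumption: MSRN freed here
        self.free.append(msrn)
        tmsi, lai = self.visitors[imsi]
        return {"page_tmsi": tmsi, "page_lai": lai}  # page by TMSI in the last LA

class HLR:
    def __init__(self):
        self.subscribers = {}            # MSISDN -> (IMSI, serving VLR)

    def send_routing_info(self, msisdn):             # messages 2 and 5
        imsi, vlr = self.subscribers[msisdn]
        return vlr, vlr.provide_roaming_number(imsi)

def deliver_call(hlr, msisdn):
    """GMSC: receive IAM(MSISDN), ask the HLR, forward IAM(MSRN) to the MSC."""
    vlr, msrn = hlr.send_routing_info(msisdn)
    return msrn, vlr.incoming_iam(msrn)

def build_demo():
    """Constructed sample data; none of these numbers come from the slides."""
    vlr = ServingVLR(["4599000001", "4599000002"])
    vlr.visitors["238011234567890"] = ("A1B2C3D4", "238-01-0007")
    hlr = HLR()
    hlr.subscribers["4520123456"] = ("238011234567890", vlr)
    return hlr, vlr

if __name__ == "__main__":
    print(deliver_call(build_demo()[0], "4520123456"))
```

Because an MSRN is held only while a call is being set up, the pool is sized by concurrent call set-ups rather than by the number of visiting subscribers.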


GSM security


Authentication


What signed response (SRES) are you able to
derive from the input challenge RAND by
applying the A3 algorithm with your personal
key Ki (Ki is per subscriber)?

[Figure: the network sends RAND (128 bits) to the MS; the MS and the network each compute SRES with the A3 algorithm and Ki, and the two SRES values are compared ("equal?").]

GSM security


Encryption


Digital technology: easy to encrypt voice data


A5 derives a ciphering sequence of 114 bits for each
burst independently


XOR 114 bits of a radio burst with 114 bits of a ciphering
sequence generated by A5

[Figure: the MS and the BTS each run the A5 algorithm on Kc (64 bits) and the frame number (22 bits) to produce the 114-bit sequences S1 and S2; each sequence is used for ciphering on one side and deciphering on the other.]

Key management


Ciphering key Kc is generated using algorithm A8 in the same
manner as SRES (from RAND and Ki)


Each time a mobile station is authenticated the MS and
network compute the ciphering key Kc by running algorithm
A8 with the same inputs RAND and Ki as for SRES


Ciphering with Kc applies only when the network knows the
identity of the subscriber it is talking to.


Bootstrap period during which network does not know
who the subscriber is


Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted)


Protection: use TMSI instead of IMSI when possible


TMSI should be exchanged during protected signaling
(ciphered) procedures
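
The challenge-response, key derivation and per-burst ciphering described on the three security slides, as an added sketch that is not part of the original slides. The slides do not define A3, A8 or A5, so truncated HMAC-SHA-256 stands in for all three (an assumption, used only to make the data flow runnable); the 32-bit SRES length is GSM's and is not stated on the slides.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):
    """Stand-in primitive (assumption): truncated HMAC-SHA-256."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]

def a3_sres(ki, rand):
    """Stand-in for A3: 32-bit signed response from Ki and RAND."""
    return prf(ki, b"A3", rand, 4)

def a8_kc(ki, rand):
    """Stand-in for A8: 64-bit Kc from the same RAND and Ki."""
    return prf(ki, b"A8", rand, 8)

def a5_keystream(kc, frame_number):
    """Stand-in for A5: 114-bit sequence from Kc and the 22-bit frame number."""
    if not 0 <= frame_number < 2 ** 22:
        raise ValueError("frame number must fit in 22 bits")
    block = prf(kc, b"A5", frame_number.to_bytes(3, "big"), 15)  # 120 bits
    return int.from_bytes(block, "big") >> 6                     # keep 114

def cipher_burst(kc, frame_number, burst):
    """XOR a 114-bit burst with the keystream; applying it twice deciphers."""
    if not 0 <= burst < 2 ** 114:
        raise ValueError("burst must fit in 114 bits")
    return burst ^ a5_keystream(kc, frame_number)

def auc_triplet(ki):
    """Network side: fresh 128-bit RAND with the expected SRES and Kc."""
    rand = os.urandom(16)
    return rand, a3_sres(ki, rand), a8_kc(ki, rand)

def authenticate(triplet, ms_ki):
    """Send RAND to the MS, compare its SRES; return (ok, Kc held by the MS)."""
    rand, expected_sres, _kc_network = triplet
    sres_ms = a3_sres(ms_ki, rand)               # computed inside the SIM
    ok = hmac.compare_digest(sres_ms, expected_sres)
    return ok, (a8_kc(ms_ki, rand) if ok else None)

if __name__ == "__main__":
    ki = os.urandom(16)                          # constructed subscriber key
    triplet = auc_triplet(ki)
    ok, kc = authenticate(triplet, ki)
    print(ok, kc == triplet[2], hex(cipher_burst(kc, 42, 1 << 113)))
```

Ki never crosses the radio path: only RAND and SRES are exchanged, and both ends arrive at the same Kc independently.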


Location registration


MS has to register with the PLMN to get communication
services


Registration is required for a change of PLMN


MS has to report to current PLMN with its IMSI and
receive new TMSI by executing Location Registration
process.


The TMSI is stored in SIM, so that even after power on or
off, there is only normal Location Update.


If the MS recognizes by reading the LAI broadcast on
BCCH that it is in new LA, it performs Location Update to
update the HLR records.


Location update procedure could also be performed
periodically, independent of the MS movement.


The difference between Location Registration and Location Update is that in location update the MS has already been assigned a TMSI.
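
What an observer of the unciphered part of the radio path sees under this scheme, as an added model that is not part of the original slides. The class and method names are hypothetical, the 32-bit random TMSI format and the reallocation of the TMSI on every update are assumptions, and the IMSI and LAI values are constructed.

```python
import secrets

class TmsiVlr:
    """Toy VLR that records which identifiers cross the radio path and how."""
    def __init__(self):
        self.by_tmsi = {}          # TMSI -> IMSI
        self.lai = {}              # IMSI -> last reported LAI
        self.radio_clear = []      # identities sent before ciphering starts
        self.radio_ciphered = []   # identities sent once ciphering is on

    def _reallocate(self, imsi):
        for old in [t for t, i in self.by_tmsi.items() if i == imsi]:
            del self.by_tmsi[old]              # the old alias stops resolving
        tmsi = secrets.token_hex(4)
        while tmsi in self.by_tmsi:
            tmsi = secrets.token_hex(4)
        self.by_tmsi[tmsi] = imsi
        self.radio_ciphered.append(tmsi)       # TMSI reallocation is ciphered
        return tmsi

    def location_registration(self, imsi, lai):
        self.radio_clear.append(imsi)          # bootstrap: IMSI in the clear
        self.lai[imsi] = lai
        return self._reallocate(imsi)

    def location_update(self, tmsi, lai):
        self.radio_clear.append(tmsi)          # first message is unciphered
        imsi = self.by_tmsi.get(tmsi)
        if imsi is None:
            raise LookupError("unknown TMSI: MS must register with its IMSI")
        self.lai[imsi] = lai
        return self._reallocate(imsi)

def simulate_roam(vlr, imsi, lais):
    """Register in the first LA, then send one location update per later LA."""
    tmsi = vlr.location_registration(imsi, lais[0])
    for lai in lais[1:]:
        tmsi = vlr.location_update(tmsi, lai)
    return tmsi

if __name__ == "__main__":
    vlr = TmsiVlr()
    simulate_roam(vlr, "238011234567890", ["238-01-0001", "238-01-0002"])
    print(vlr.radio_clear)
```

The IMSI appears in the clear once, at registration; each later update exposes only a TMSI that was handed over under ciphering and is replaced straight afterwards, so successive updates cannot be linked by identifier alone.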

Location registration

[Figure, continued over two slides: message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Boxes: IMSI, Ki; A3 & A8 (SRES and Kc from RAND and Ki); A5 (message M ciphered as Kc(M) and deciphered back to M); Generate TMSI. Message labels: Loc.Upd.Req; Upd Loc.Area; Aut.Par.Req; Auth.Info.Req; Auth.Info; Authentic.Req; Auth.Resp.; Update Location; Ins.Subsc.Data; Subs.Dat.Ins.Ack; Start Ciph.; Ciph.Mod.Com.; Ciph.Mod.; Forw. New TMSI; TMSI Realloc.Cmd.; TMSI Realloc.Ack; TMSI.Ack; Loc.Upd.Accept. Parameters shown: (IMSI, LAI), (IMSI), (RAND), (IMSI, Kc, RAND, SRES), (SRES), (IMSI, MSRN), (Kc), (TMSI). An annotation reads "can be combined".]

New TMSI is received by MS (TMSI Reallocation) in ciphering mode.

Location update

[Figure, continued over two slides: message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Boxes: IMSI, TMSI; Ki, Kc, LAI; Authentication; Generate TMSI. Message labels: Loc.Upd.Req; Update Loc.Area; Update Location; Insert Subscriber data; Subs. Data Insert Ack; Auth. Para. Req; Auth.Info.Req; Auth.Info; Start ciphering; Forward new TMSI; TMSI Realloc. Cmd.; TMSI Reallocation Complete; TMSI Ack; Loc. Upd. Accept. Parameters shown: (TMSI, LAI), (IMSI, MSRN), (Kc), (IMSI), (IMSI, Kc, RAND, SRES), (TMSI).]

Types of handover

(same as “handoff”)


There are four different types of
handover in the GSM system. Handover
involves transferring a call between:


Channels (time slots) in the same cell


Cells (Base Transceiver Stations) under the
control of the same Base Station Controller
(BSC),


Cells under the control of different BSCs, but
belonging to the same Mobile services
Switching Center (MSC), and


Cells under the control of different MSCs.

Attributes of radio-link handover


Hard handover


MAHO


Backward


COS selection scheme: static


Cross-over switch: anchor switch

Handover (MAHO)


Handovers are initiated by the BSS/MSC
(as a means of traffic load balancing).


During its idle time slots, the mobile scans
the Broadcast Control Channel of up to 16
neighboring cells, and forms a list of the
six best candidates for possible handover,
based on the received signal strength.


This information is passed to the BSC and
MSC, at least once per second, and is used
by the handover algorithm.

Handover procedures in GSM

[Figure: connection route of a call across MSC-A, MSC-B and MSC-C, each with a BSC and BTSs (BTS 1, BTS 2, BTS 3); steps numbered 1 to 9.]

Inter MSC basic handover

[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels shown: Handover required; HA Indication; Radio chan. Ack; Handover report; Allocate Handover number; Perform Handover; IAM; ACM; HB Indication; HB Confirm; Send End Signal; ANS; End of Call; REL; RLC; End Signal.]

Subsequent handover from MSC-B to MSC-A

[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels shown: HA Required; Perform subsequent Handover; HB Indication; HB Confirm; Subseq. Handover Acknowledge; HA Indication; Handover report; End of Call; REL; RLC; End Signal.]

Subsequent handover from MSC-B to MSC-C

[Figure, continued over two slides: message sequence chart between MS, MSC-A, MSC-B, MSC-C, VLR-B and VLR-C. Labels shown: HA Request; Perform subsequent Handover; Perform Handover; Allocate Handover Number; Send Handover report; Radio chan. Ack.; IAM; ACM; HB Indication; HB Confirm; HA Indication; Perform subsequent Acknowledge; Send End Signal; Handoff Report; ANS; REL; RLC; End Signal.]

Abbreviations


ISC: International switching center


OMC: Operations and maintenance center


GMSC: Gateway switching center


MSC: Mobile switching center


VLR: Visitor location register


HLR: Home Location register


EIR: Equipment Identification register


AUC: Authentication center


BSC: Base station controller


BTS: Base transceiver station


MS: Mobile subscriber


TMSI: Temporary Mobile Subscriber Identity


IMSI: International Mobile Subscriber Identity


