A revised edition of the text that offers a comparative introduction to global wireless standards, technologies and their applications The revised and updated fourth edition of From GSM to LTE-Advanced Pro and 5G: An Introduction to Mobile Networks and Mobile Broadband offers an authoritative guide to the technical descriptions of the various wireless technologies currently in use. The author—a noted expert on the topic—explains the rationale behind their differing mechanisms and implementations while exploring the advantages and limitations of each technology. The fourth edition reflects the significant changes in mobile network technology that have taken place since the third edition was published. The text offers a new chapter on 5G NR that explores its non-standalone and standalone architecture. In the Wi-Fi chapter, additional sections focus on the new WPA3 authentication protocol, the new 802.11ax air interface and protocol extensions like 802.11k and 11v for meshed networks. This important book: Presents the various systems based on the standards, their practical implementation and design assumptions, and their performance and capacity Provides an in-depth analysis of each system in practice Offers an updated edition of the most current changes to mobile network technology Includes questions at the end of each chapter and answers on the accompanying website that make this book ideal for self-study or as course material Written for students and professionals of wireless technologies, the revised fourth edition of From GSM to LTE-Advanced Pro and 5G provides an in-depth review and description of the most current mobile networks and broadband
Trang 1Table of Contents
1 Cover2 Title Page3 Copyright Page
4 Preface to Fourth Edition
5 1 Global System for Mobile Communications (GSM)1 1.1 Circuit‐Switched Data Transmission
2 1.2 Standards
3 1.3 Transmission Speeds
4 1.4 The Signaling System Number 75 1.5 The GSM Subsystems
6 1.6 The Network Subsystem
7 1.7 The Base Station Subsystem (BSS) and Voice Processing8 1.8 Mobility Management and Call Control
9 1.9 The Mobile Device10 1.10 The SIM Card
11 1.11 The Intelligent Network Subsystem and CAMEL12 Questions
13 References
6 2 General Packet Radio Service (GPRS) and EDGE
1 2.1 Circuit‐Switched Data Transmission over GSM2 2.2 Packet‐Switched Data Transmission over GPRS3 2.3 The GPRS Air Interface
4 2.4 The GPRS State Model5 2.5 GPRS Network Elements
6 2.6 GPRS Radio Resource Management7 2.7 GPRS Interfaces
8 2.8 GPRS Mobility Management and Session Management(GMM/SM)
4 3.4 UMTS Channel Structure on the Air Interface
5 3.5 The UMTS Terrestrial Radio Access Network (UTRAN)6 3.6 Core Network Mobility Management
7 3.7 Radio Network Mobility Management8 3.8 UMTS CS and PS Call Establishment9 3.9 UMTS Security
10 3.10 High‐Speed Downlink Packet Access (HSDPA) andHSPA+
Trang 211 3.11 High‐Speed Uplink Packet Access (HSUPA)12 3.12 Radio and Core Network Enhancements: CPC13 3.13 Radio Resource State Management
14 3.14 Automated Emergency Calls (eCall) from Vehicles15 Questions
11 4.11 Network Planning Aspects
12 4.12 CS‐Fallback for Voice and SMS Services with LTE13 4.13 Network Sharing – MOCN and MORAN
14 4.14 From Dipoles to Active Antennas and Gigabit Backhaul15 4.15 IPv6 in Mobile Networks
16 4.16 Network Function Virtualization
17 4.17 Machine Type Communication and the Internet ofThings
18 Questions19 References
9 5 VoLTE, VoWifi, and Mission Critical Communication1 5.1 Overview
2 5.2 The Session Initiation Protocol (SIP)
3 5.3 The IP Multimedia Subsystem (IMS) and VoLTE4 5.4 VoLTE Roaming
5 5.5 Voice over WiFi (VoWifi)
6 5.6 VoLTE Compared to Fixed‐Line IMS in Practice7 5.7 Mission Critical Communication (MCC)
8 Questions9 References
10 6 5G New Radio (NR) and the 5G Core1 6.1 Introduction and Overview
2 6.2 5G NR Non‐Standalone (NSA) Architecture3 6.3 5G TDD Air Interface
4 6.4 5G FDD Air Interface
5 6.5 EN‐DC Bearers and Scheduling
6 6.6 Basic Procedures and Mobility Management in Non‐Standalone Mode
7 6.7 Network Planning and Deployment Aspects
Trang 38 6.8 5G NR Standalone (SA) Architecture and Basic Procedures9 6.9 The 5G Air Interface in Standalone Operation
10 6.10 Future 5G Functionalities11 Questions
12 References
11 7 Wireless Local Area Network (WLAN)1 7.1 Wireless LAN Overview
2 7.2 Transmission Speeds and Standards
3 7.3 WLAN Configurations: From Ad Hoc to Wireless Bridging4 7.4 Management Operations
5 7.5 The MAC Layer
6 7.6 The Physical Layer and MAC Extensions7 7.7 Wireless LAN Security
8 7.8 IEEE 802.11e and WMM – Quality of Service9 Questions
3 Table 1.3 Basic services of a GSM network.
4 Table 1.4 Supplementary services of a GSM network.5 Table 1.5 GSM frequency bands.
6 Table 1.6 GSM power levels and corresponding power output.7 Table 1.7 SIM card properties.
8 Table 1.8 Examples for APDU commands.
9 Table 1.9 Some fields of the response APDU for a SELECTcommand.
2 Chapter 2
1 Table 2.1 Selected GPRS multislot classes from 3GPP (3rdGeneration Partnersh
Trang 42 Table 2.2 GPRS coding schemes.
3 Table 2.3 EDGE modulation and coding schemes (MCS).
4 Table 2.4 Re‐segmentation of EDGE blocks using a different MCS.3 Chapter 3
1 Table 3.1 Spreading factors and datarates.
2 Table 3.2 Spreading and scrambling in uplink and downlinkdirections.
3 Table 3.3 AMR codecs and bit rates.4 Table 3.4 RNC and SGSN states.
5 Table 3.5 Core network and radio network states.
6 Table 3.6 A selection of HSDPA mobile device categories.
7 Table 3.7 Spreading code sets and maximum resulting speed ofdifferent E‐DCH
4 Chapter 4
1 Table 4.1 LTE UE categories.
2 Table 4.2 Typical LTE frequency bands that are simultaneouslysupported by hi
3 Table 4.3 Defined bandwidths for LTE.
4 Table 4.4 System information blocks and content overview.5 Table 4.5 LTE transmission modes.
6 Table 4.6 Downlink control channel message types (DCI formats).7 Table 4.7 UE categories and the number of supported carriers for
carrier aggr
8 Table 4.8 CA bandwidth classes.5 Chapter 6
1 Table 6.1 Frequency bands for 5G TDD deployments in FR1.
2 Table 6.2 Examples of typical 3.5 GHz (n78) spectrumassignments as of 2020.
3 Table 6.3 Modulation schemes used on the NR air interface.
4 Table 6.4 Maximum data rate of a single user LTE/5G splitdownlink bearer.
5 Table 6.5 FR2 bands.
6 Table 6.6 Frequency bands used or likely to be used in the nearfuture with t
6 Chapter 7
1 Table 7.1 Different PHY standards.
2 Table 7.2 Additional 802.11 standard documents that describeoptional functio
Trang 59 Table 7.9 Radio layer parameter comparison between 802.11ac,802.11ax, and LT
10 Table 7.10 60 GHz channel availability in different regions.7 Chapter 8
1 Table 8.1 Bluetooth versions.2 Table 8.2 ACL packet types.3 Table 8.3 SCO packet types.4 Table 8.4 ACL packet types.
5 Table 8.5 Selection of HCI commands.
6 Table 8.6 Bluetooth profiles for different applications.
List of Illustrations
1 Chapter 1
1 Figure 1.1 Switching matrix in a switching center.
2 Figure 1.2 Necessary software changed to adapt a fixed‐lineswitching center
3 Figure 1.3 Timeslot architecture of an E‐1 connection.
4 Figure 1.4 An SS‐7 network with an STP, two SCP databases, andthree switchi
5 Figure 1.5 Comparison of the SS‐7, OSI, and TCP/IP protocolstacks.
6 Figure 1.6 Establishment of a voice call between two switchingcenters.
7 Figure 1.7 Enhancement of the SS‐7 protocol stack for GSM.
8 Figure 1.8 Comparison of the classic and IP‐based SS‐7 protocolstacks.
9 Figure 1.9 Interfaces and nodes in a classic NSS architecture.10 Figure 1.10 Interfaces and nodes in an IP‐based NSS
11 Figure 1.11 Digitization of an analog voice signal.
12 Figure 1.12 Mobile Switching Center (MSC) with integratedVisitor Location R
13 Figure 1.13 The International Mobile Subscriber Identity(IMSI).
14 Figure 1.14 Creation of a signed response (SRES).
15 Figure 1.15 Message flow during the authentication of asubscriber.
16 Figure 1.16 Authentication between network and mobiledevice.
17 Figure 1.17 SMS delivery principle.
18 Figure 1.18 GSM uplink and downlink in the 900 MHzfrequency band.
19 Figure 1.19 A typical antenna of a GSM base station Theoptional microwave
Trang 620 Figure 1.20 Cellular structure of a GSM network.21 Figure 1.21 Sectorized cell configurations.
22 Figure 1.22 A GSM TDMA frame.23 Figure 1.23 A GSM burst.
24 Figure 1.24 Arrangement of bursts of a frame for thevisualization of logica
25 Figure 1.25 Use of timeslots in the downlink direction per3GPP TS 45.002 [2
26 Figure 1.26 Time shift of bursts of distant subscriberswithout timing advan
27 Figure 1.27 Establishment of a signaling connection.
28 Figure 1.28 Mapping of E‐1 timeslots to air interfacetimeslots.
29 Figure 1.29 Establishment of a traffic channel (TCH).30 Figure 1.30 Message flow during a handover procedure.31 Figure 1.31 GSM speech compression.
32 Figure 1.32 Speech compression with a 4:1 compressionratio in the TRAU.
33 Figure 1.33 Source–filter model of the GSM FR codec.
34 Figure 1.34 Complete transmission chain with thetransmitter and receiver of
35 Figure 1.35 Transmission path in the downlink directionbetween the network
36 Figure 1.36 GSM channel coder for full‐rate speech frames.37 Figure 1.37 Frame interleaving.
38 Figure 1.38 Ciphering of an air interface burst.
39 Figure 1.39 Message flow for a location update procedure.40 Figure 1.40 Discontinuous transmission (DTX).
41 Figure 1.41 Cells in different location areas.
42 Figure 1.42 Mobile‐terminated call establishment, part 1.43 Figure 1.43 Mobile‐terminated call establishment, part 2.44 Figure 1.44 Inter‐MSC handover.
45 Figure 1.45 Subsequent inter‐MSC handover.46 Figure 1.46 Architecture of a smartphone.
47 Figure 1.47 Example of a tool to visualize the datacontained on a SIM card
48 Figure 1.48 Block diagram of SIM card components.49 Figure 1.49 Structure of a command APDU.
50 Figure 1.50 Response APDU.
51 Figure 1.51 Structure of the SELECT command APDU.
52 Figure 1.52 Simplified state model for an originator (O‐BCSM) according to 3
Trang 74 Figure 2.4 Simplified visualization of PDTCH assignment andtimeslot aggrega
5 Figure 2.5 Shared use of the timeslots of a cell for GSM andGPRS.
6 Figure 2.6 CS‐2 and CS‐3 channel coder.
7 Figure 2.7 GMSK (GPRS) and 8‐PSK (EDGE) modulation.
8 Figure 2.8 MCS‐9 convolutional coding and incrementalredundancy.
9 Figure 2.9 Paging for an incoming voice call via the Gs interface.10 Figure 2.10 PDTCH and PACCH are sent on the same
11 Figure 2.11 GPRS logical channels.
12 Figure 2.12 Packet resources: requests and assignments.13 Figure 2.13 The GPRS state model.
14 Figure 2.14 Difference between ready and standby states.15 Figure 2.15 GPRS network nodes.
16 Figure 2.16 Interfaces and protocols of the SGSN on layers2 and 3.
17 Figure 2.17 Ciphering in GSM and GPRS.
18 Figure 2.18 Subscriber changes location within the GPRSnetwork.
19 Figure 2.19 Use of the uplink state flag (USF).
20 Figure 2.20 Use of the temporary flow identifier (TFI) in thedownlink direc
21 Figure 2.21 Packet Timeslot Reconfiguration messageaccording to 3GPP TS 44
22 Figure 2.22 GPRS protocol stacks in the radio network.23 Figure 2.23 The Gn interface protocol stack.
24 Figure 2.24 GTP packet on the Gn interface.25 Figure 2.25 The Gr interface.
26 Figure 2.26 The Gp interface.
27 Figure 2.27 GPRS attach message flow.
28 Figure 2.28 GPRS Attach message on the Gb interface.29 Figure 2.29 The PDP context activation procedure.
30 Figure 2.30 Identification of user data packets on differentGPRS interfaces
3 Chapter 3
1 Figure 3.1 Common GSM/UMTS network: Release 99.
2 Figure 3.2 UMTS Release 4 (Bearer‐Independent Core Network).3 Figure 3.3 Separation of protocols between the core and radio
network into A
4 Figure 3.4 Simultaneous communication of several users with abase station i
5 Figure 3.5 Simultaneous conversation between two users with asingle base st
Trang 86 Figure 3.6 Relation between spreading factor, chip rate,processing gain, an
7 Figure 3.7 The OVSF code tree.
8 Figure 3.8 Spreading and scrambling.9 Figure 3.9 Cell breathing.
10 Figure 3.10 User and control planes.
11 Figure 3.11 Logical, transport, and physical channels indownlink direction
12 Figure 3.12 Logical, transport, and physical channels inuplink direction (w
13 Figure 3.13 Network search after the mobile device isswitched on.
14 Figure 3.14 Initial network access procedure (RRCconnection setup) as descr
15 Figure 3.15 Preparation of user data frames for airinterface (Uu) transmiss
16 Figure 3.16 User data transmission in downlink directionvia the complex I‐p
17 Figure 3.17 User data transmission via the I‐path only.18 Figure 3.18 RNC protocols and interfaces for user data
21 Figure 3.21 Radio Resource Control (RRC) states.
22 Figure 3.22 Discontinuous Transmission (DTX) on adedicated channel reduces
23 Figure 3.23 Data of different subscribers is timemultiplexed on the FACH.
24 Figure 3.24 UMTS hard handover.
25 Figure 3.25 Connections to a mobile device during a softhandover procedure
26 Figure 3.26 Soft handover reduces the energy consumptionof the mobile due t
27 Figure 3.27 Use of scrambling codes while a mobile deviceis in soft handove
28 Figure 3.28 Soft handover with S‐RNC and D‐RNC.29 Figure 3.29 SRNS relocation procedure.
Trang 934 Figure 3.34 Location concepts of radio and core network.35 Figure 3.35 Messaging for a mobile‐originated voice call
36 Figure 3.36 Radio resource allocation for a voice trafficchannel.
37 Figure 3.37 PDP context activation.
38 Figure 3.38 Simplified HSDPA channel overview in downlinkdirection.
39 Figure 3.39 Simplified HSDPA channel overview in uplinkdirection.
40 Figure 3.40 Detection and report of a missing frame withimmediate retransmi
41 Figure 3.41 Establishment of an HSDPA connection.
42 Figure 3.42 Transport and Physical Channels used forHSUPA.
43 Figure 3.43 Simultaneous downlink channels forsimultaneous HSUPA, HSDPA, an
44 Figure 3.44 E‐DCH protocol stack.
45 Figure 3.45 Serving E‐DCH cell, serving RLS, and non‐serving RLS.
46 Figure 3.46 Control channel switch‐off during times withlittle activity.
47 Figure 3.47 Message exchange to move a mobile devicefrom URA‐PCH state back
4 Chapter 4
1 Figure 4.1 LTE network overview.
2 Figure 4.2 S1 control plane (a) and user plane (b) protocolstacks.
3 Figure 4.3 Physical routing of the S1 and the X2 interface.4 Figure 4.4 LTE international roaming with home routing.5 Figure 4.5 Principles of OFDMA for downlink transmission.6 Figure 4.6 Principles of SC‐FDMA for uplink transmission.7 Figure 4.7 16‐QAM modulation.
8 Figure 4.8 LTE resource grid.
9 Figure 4.9 Symbols in a resource block used for the referencesignal.
10 Figure 4.10 LTE downlink channel structure.11 Figure 4.11 LTE channel uplink structure.12 Figure 4.12 Random access procedure.
13 Figure 4.13 Simplified illustration of MIMO operation.14 Figure 4.14 Synchronous HARQ in the downlink direction.15 Figure 4.15 Air interface protocol stack and main functions.16 Figure 4.16 Downlink data reception overview.
17 Figure 4.17 PSS and SSS in an LTE FDD frame.
18 Figure 4.18 Attach and default bearer activation messageflow – part 1.
Trang 1019 Figure 4.19 Attach and default bearer activation messageflow – part 2.
20 Figure 4.20 X2‐based handover message flow.21 Figure 4.21 Basic S1‐based handover.
22 Figure 4.22 Short and long DRX cycles.
23 Figure 4.23 Interconnection of LTE to GSM and UMTSnetworks.
24 Figure 4.24 CA configuration during RRC connectionestablishment.
25 Figure 4.25 Use of PCell and SCell resources, DRX and Idleto save power.
26 Figure 4.26 Fractional frequency reuse for reducing cell‐edge interference
27 Figure 4.27 SGs interconnection for delivery of SMSmessages.
28 Figure 4.28 IPv6 default bearer establishment.
29 Figure 4.29 An IPv6 Router Advertisement sent duringtethering.
30 Figure 4.30 An Ubuntu Linux host running Windows as aguest operating system
31 Figure 4.31 The NB‐IoT channel resource grid.
32 Figure 4.32 CIoT Control Plane Optimization and Non‐IPData Delivery.
5 Chapter 5
1 Figure 5.1 The basic SIP infrastructure.2 Figure 5.2 SIP Register message.
3 Figure 5.3 SIP call establishment.
4 Figure 5.4 List of codecs in the SDP section of a SIP Invitemessage.
5 Figure 5.5 The basic IMS components.6 Figure 5.6 The IMS registration procedure.7 Figure 5.7 VoLTE call establishment part 1.8 Figure 5.8 VoLTE call establishment part 2.9 Figure 5.9 AMR‐WB codec in an RTP packet.
10 Figure 5.10 An RTP frame with an embedded DTMFsignaling message The messag
11 Figure 5.11 An SMS message being sent over SIP.
12 Figure 5.12 IMS and MSC components required for SRVCC.13 Figure 5.13 A speech connection before and after an
Trang 1120 Figure 5.20 Signaling for establishment of a ‘Pre‐ArrangedGroup Call.’
21 Figure 5.21 MCPTT and eMBMS network nodes.6 Chapter 6
1 Figure 6.1 5G New Radio Non‐Standalone Architecture.2 Figure 6.2 Base Station Site components.
3 Figure 6.3 5G New Radio deployment options.
4 Figure 6.4 Typical NR air interface configuration in band n78.5 Figure 6.5 Synchronization and broadcast information
10 Figure 6.10 5G NR uplink channels.
11 Figure 6.11 Dynamic Spectrum Sharing (DSS) between LTEand NR.
12 Figure 6.12 An LTE Frame with MBSFN subframes.
13 Figure 6.13 Use of 2 UE transmitters for EN‐DC with a splitdownlink and LTE
14 Figure 6.14 LTE anchor setup for a 5G EN‐DC bearer – part1.
15 Figure 6.15 LTE anchor setup for a 5G EN‐DC bearer – part2.
16 Figure 6.16 LTE/NR split bearer setup.
17 Figure 6.17 Split‐bearer configuration in downlink and LTE‐only bearer in up
18 Figure 6.18 Different steps of an EN‐DC handoverprocedure.
19 Figure 6.19 The basic components of the 5G Core Network(5GC).
20 Figure 6.20 UE registration message flow.
21 Figure 6.21 GTP tunneling with a 5G core network.22 Figure 6.22 Session Establishment.
23 Figure 6.23 5G Handover with an Xn interface between twogNBs.
24 Figure 6.24 LTE and NR core network interconnection forinter‐RAT mobility
25 Figure 6.25 Context transfer procedure when moving from4G to 5G in RRC‐Idle
7 Chapter 7
1 Figure 7.1 The WLAN protocol stack.2 Figure 7.2 Infrastructure BSS.
Trang 123 Figure 7.3 Access point, IP router, and DSL modem in a singledevice.
4 Figure 7.4 ESS with three access points.
5 Figure 7.5 Overlapping coverage of access points forming anESS.
6 Figure 7.6 Client device configuration for a BSS or ESS.7 Figure 7.7 An extract from a beacon frame.
8 Figure 7.8 Authentication and association of a client device withan access
9 Figure 7.9 Reassociation (acknowledgment frames not shown).10 Figure 7.10 Activation and deactivation of PS mode
(acknowledgment frames no
11 Figure 7.11 Acknowledgment for every frame and requiredinterframe space per
12 Figure 7.12 Reservation of the air interface via RTS/CTSframes.
13 Figure 7.13 MAC and LLC header of a WLAN frame.
14 Figure 7.14 Complementary code keying for 11 Mbit/stransmissions.
15 Figure 7.15 Simplified representation of OFDMsubchannels.
16 Figure 7.16 Default frame transmission compared to frameaggregation.
17 Figure 7.17 2 × 2 MIMO.
18 Figure 7.18 PLCP header variants.
19 Figure 7.19 A Power Save Multipoll (PSMP) window in whichseveral clients tr
20 Figure 7.20 PHY packet structure.
21 Figure 7.21 WPA‐PSK authentication and ciphering keyexchange.
22 Figure 7.22 EAP‐TLS authentication.
23 Figure 7.23 EAP‐TTLS certificate authentication.24 Figure 7.24 EAP‐SIM authentication.
25 Figure 7.25 Protocols used in the EAP‐SIM authenticationprocess.
26 Figure 7.26 A Beacon frame indicating PMF support.
27 Figure 7.27 Comparison of authentication with and withoutPMF support.
28 Figure 7.28 Disassociation with and without PMF support.29 Figure 7.29 WMM priority classes with example values for
CWmin, CWmax, and T
30 Figure 7.30 QoS field in an IP packet.
31 Figure 7.31 Packet bursting and block acknowledgments.8 Chapter 8
1 Figure 8.1 Three examples of achievable Bluetooth dataratesdepending on the
Trang 132 Figure 8.2 By using different hopping sequences, many piconetscan coexist i
3 Figure 8.3 Data exchange between a master and three slavedevices.
4 Figure 8.4 The Bluetooth protocol stack.5 Figure 8.5 Composition of an ACL packet.
6 Figure 8.6 The ACL payload field including the ACL header andchecksum.
7 Figure 8.7 Retransmission of an eSCO packet caused by atransmission error
8 Figure 8.8 Establishment of a connection between two Bluetoothdevices.
9 Figure 8.9 Communication between two link managers via theLMP.
10 Figure 8.10 Establishment of a connection via the HCIcommand.
11 Figure 8.11 Multiplexing of several data streams.
12 Figure 8.12 Establishment of a connection to a service.13 Figure 8.13 Multiplexing on different protocol layers.
14 Figure 8.14 The different steps of a Bluetooth connectionestablishment.
15 Figure 8.15 Pairing procedure between two Bluetoothdevices.
16 Figure 8.16 Authentication of a Bluetooth remote device.17 Figure 8.17 Bluetooth encryption using a ciphering
18 Figure 8.18 Protocol stack for the SPP.
19 Figure 8.19 Protocol stack of the OBEX file transfer profile.20 Figure 8.20 XML‐encoded directory structure.
21 Figure 8.21 The FTP, object push, and synchronizationprofiles are based on
22 Figure 8.22 The headset profile protocol stack.
23 Figure 8.23 Establishment of the signaling and the speechchannels.
24 Figure 8.24 Structure of the SIM access profile.
25 Figure 8.25 The protocol stack used for A2DP and remotecontrol.
26 Figure 8.26 Simultaneous audio streaming and controlconnections to differen
27 Figure 8.27 HID input message sent from a keyboard.28 Figure 8.28 Bluetooth Low Energy protocol stack.29 Figure 8.29 A BLE 4.0/4.1 link layer packet.
30 Figure 8.30 BLE Connect Request packet excerpt.31 Figure 8.31 A GATT Read Request.
32 Figure 8.32 A GATT Read Response.33 Figure 8.33 A practical example.
Trang 1434 Figure 8.34 IPv6 over Bluetooth Low Energy.
Although the first standardization activities for GSM date back to the middle of the 1980s, GSMis still widely used today In recent years however, 4G LTE networks have become tremendouslypopular and a new service was standardized to support voice calls over the LTE radio network.This service is referred to as Voice over LTE (VoLTE) and is discussed in a separate chapter.Although efforts to roll out VoLTE are significant, many mobile voice calls are still handled byGSM and UMTS networks, to which devices without VoLTE support fall back for this service.In addition, even if a device and a network support VoLTE, a transfer to GSM or UMTS is stillrequired when the user leaves the LTE coverage area Also, GSM and UMTS networks are stillpredominantly used for voice telephony when a subscriber roams internationally, as at the timeof publication only a few network operators had extended their VoLTE service for roaming.Consequently, knowledge of GSM is still required for a thorough understanding of how mobilenetworks are deployed and used in practice today.
Over the years, the way GSM was deployed in practice changed significantly To understandtoday’s system architecture, this chapter first introduces how GSM was initially designed andthen describes with how the system has evolved over the next decades.
1.1 Circuit‐Switched Data Transmission
Initially, GSM was designed as a circuit‐switched system that established a direct and exclusiveconnection between two users on every interface between all network nodes of thesystem. Section 1.1.1 gives a first overview of this traditional architecture Over time, thisphysical circuit switching has been virtualized and network nodes are now connected over IP‐based broadband connections The reasons for this and further details on virtual circuit switchingcan be found in Section 1.1.2.
Trang 151.1.1 Classic Circuit Switching
The GSM mobile telecommunication network has been designed as a circuit‐switched network ina similar way to fixed‐line phone networks of the time At the beginning of a call, the networkestablished a direct connection between two parties, which was then used exclusively for thatconversation As shown in Figure 1.1, the switching center used a switching matrix to connectany originating party to any destination party Once the connection was established, theconversation was then transparently transmitted via the switching matrix between the twoparties The switching center only became active again to clear the connection in the switchingmatrix if one of the parties wanted to end the call This approach was identical in both mobileand fixed‐line networks Early fixed‐line telecommunication networks were designed only forvoice communication, for which an analog connection between the parties was established Inthe mid‐1980s, analog technology was superseded by digital technology in the switching center.This meant that calls were no longer sent over an analog line from the originator to theterminator Instead, the switching center digitized the analog signal that it received from thesubscribers, which were directly attached to it, and forwarded the digitized signal to theterminating switching center There, the digital signal was again converted back to an analogsignal, which was then sent over the copper cable to the terminating party In some countries,ISDN (Integrated Services Digital Network) lines were quite popular With this system, thetransmission became fully digital and the conversion back to an analog audio signal was donedirectly in the phone.
Trang 16Figure 1.1 Switching matrix in a switching center.
Figure 1.2 Necessary software changed to adapt a fixed‐line switching center for a wireless
network.
Trang 17GSM reused much of the fixed‐line technology that was available at the time the standards werecreated Thus, existing technologies such as switching centers and long‐distance communicationequipment were used The main development for GSM, as shown in Figure 1.2, was the means towirelessly connect the subscribers to the network In fixed‐line networks, subscriber connectivityis very simple as only two dedicated wires are necessary per user In a GSM network, however,the subscribers are mobile and can change their location at any time Thus, it was not possible touse the same input and output in the switching matrix for a user for each call as was the case infixed‐line networks.
As a mobile network consists of many switching centers, with each covering a certaingeographical area, it was not even possible to predict in advance which switching center a callshould be forwarded to for a certain subscriber This meant that the software for subscribermanagement and routing of calls of fixed‐line networks could not be used for GSM Instead of astatic call‐routing mechanism, a flexible mobility management architecture in the core networkbecame necessary, which needed to be aware of the current location of the subscriber to routecalls to them at any time.
It was also necessary to be able to flexibly change the routing of an ongoing call, as a subscribercan roam freely and thus might leave the coverage area of the radio transmitter of the networkover which the call was established While there was a big difference between the software of afixed switching center and a Mobile Switching Center (MSC), the hardware as well as the lowerlayers of the software, which were responsible, for example, for the handling of the switchingmatrix, were mostly identical Therefore, most telecommunication equipment vendors at the timelike Ericsson, Nokia, and Alcatel‐Lucent offered their switching center hardware for both fixed‐line and mobile networks Only the software in the switching center determined whether thehardware was used in a fixed or mobile network (see Figure 1.2).
1.1.2 Virtual Circuit Switching over IP
While voice calls in the 1990s were the dominating form of communication, this hassignificantly changed today While voice calls remain important, other forms of communicationvia the Internet play an even larger role All these services share the Internet Protocol (IP) as atransport protocol to connect people globally.
While circuit switching establishes an exclusive channel between two parties, the Internet isbased on transferring individual data packets A link with a high bandwidth is used to transfer thepackets of many users By using the destination address contained in each packet, each networknode that the packet traverses decides over which outgoing link to forward the packet Furtherdetails can be found in the chapter on GPRS.
Owing to the rise of the Internet and IP‐based applications, network operators thus had tomaintain two separate networks: a circuit‐switched network for voice calls and a packet‐switchednetwork for Internet‐based services.
As the simultaneous operation of two different networks is very inefficient and costly, networkoperators have replaced the switching matrix in the MSC with a device referred to as a mediagateway This allowed them to virtualize circuit switching and to transfer voice calls over IP
Trang 18packets The physical presence of a circuit‐switched infrastructure is thus no longer necessaryand the network operator can concentrate on maintaining and expanding a single IP‐basednetwork This approach has been standardized under the name ‘Bearer‐Independent CoreNetwork’ (BICN).
The basic operation of GSM is not changed by this virtualization The main differences can befound in the lower protocol layers for call signaling and voice call transmission The movetoward IP‐based communication also took place in the GSM radio network, especially once radiobase station sites started to support several radio technologies such as GSM, UMTS, LTE, and5G NR simultaneously Typically, connectivity is provided over a single IP‐based link today.The GSM air interface between the mobile devices and the network was not affected by thetransition from circuit to packet switching For mobile devices, the transition from circuitswitching to IP‐based interfaces was completely transparent.
1.2 Standards
As many network infrastructure manufacturers compete globally for orders fromtelecommunication network operators, standardization of interfaces and procedures is necessary.Without standards, which are defined by the International Telecommunication Union (ITU), itwould not be possible to make phone calls internationally, and network operators would bebound to the supplier they initially select for the delivery of their network components One ofthe most important ITU standards, discussed in Section 1.4, is the Signaling System Number 7(SS‐7), which is used for call routing Many ITU standards, however, only represented the lowestcommon denominator as most countries had specified their own national extensions In practice,this incurred a high cost for software development for each country, as a different set ofextensions needs to be implemented in order for a vendor to be able to sell its equipment.Furthermore, the interconnection of networks of different countries was complicated by this.GSM, for the first time, set a common standard for Europe for wireless networks Due to itssuccess, it was later adopted around the globe This is the main reason why subscribers can roamin GSM networks across the world that have roaming agreements with each other The commonstandard also substantially reduced research and development costs as hardware and softwarecould now be sold worldwide with only minor adaptations for the local market The EuropeanTelecommunication Standards Institute (ETSI), which is also responsible for a number of otherstandards, was the main body responsible for the creation of the GSM standard The ETSI GSMstandards are composed of a substantial number of standards documents, which are called atechnical specification (TS), and describe a particular part of the system In the followingchapters, many of these specifications are referenced and can thus be used for furtherinformation about a specific topic Due to the global success of GSM, the 3rd GenerationPartnership Project (3GPP) was later founded as a global organization and ETSI became one ofthe regional standardization bodies of the project Today, 3GPP is responsible for maintainingand further developing the GSM, UMTS, LTE, and 5G standards All documents are freelyavailable on the Internet at http://www.etsi.org [1] or at http://www.3gpp.org [2].
1.3 Transmission Speeds
Trang 19The smallest transmission speed unit in a classic circuit‐switched telecommunication networkwas the digital signal level 0 (DS0) channel It had a fixed transmission speed of 64 kbit/s Sucha channel could be used to transfer voice or data, and thus it was usually not called a speechchannel but simply referred to as a user data channel.
The main reference unit of a telecommunication network was an E‐1 connection in Europe and aT‐1 connection in the United States, which used either a twisted pair or coaxial copper cable Thegross datarate was 2.048 Mbit/s for an E‐1 connection and 1.544 Mbit/s for a T‐1 An E‐1 wasdivided into 32 timeslots of 64 kbit/s each, as shown in Figure 1.3, while a T‐1 was divided into24 timeslots of 64 kbit/s each One of the timeslots was used for synchronization, which meantthat 31 timeslots for an E‐1 or 23 timeslots for a T‐1, respectively, were used to transfer data Inpractice, only 29 or 30 timeslots were used for user data transmission while the rest (usually oneor two) were used for SS‐7 signaling data (see Figure 1.3) More about SS‐7 can be foundin Section 1.4.
A single E‐1 connection with 31 DS0s was typically not enough to connect two switchingcenters with each other An alternative was an E‐3 connection over twisted pair or coaxial cables.An E‐3 connection was defined at a speed of 34.368 Mbit/s, which corresponded to 512 DS0s.
Figure 1.3 Timeslot architecture of an E‐1 connection.Table 1.1 STM transmission speeds and number of DS0s.
levelSpeed (Mbit/s)Approximate number of DS0 connections
Trang 20For virtual circuit switching over IP, optical Ethernet links are typically used between networknodes Transmission speeds of one Gbit/s or more are used on these links Unlike the circuit‐switched technology described above, Ethernet is the de facto standard for IP‐basedcommunication over fiber and copper cables and is widely used As a consequence, networkequipment can be built much more inexpensively.
1.4 The Signaling System Number 7
For establishing, maintaining, and clearing a connection, signaling information needs to beexchanged between the end user and network devices In traditional fixed‐line networks, analogphones signaled their connection request when the receiver was lifted off the hook and a dialedphone number was sent to the network either via pulses (pulse dialing) or via tone dialing, whichwas called dual tone multifrequency (DTMF) dialing With fixed‐line ISDN phones and GSMmobile phones, the signaling is done via a separate dedicated signaling channel, and informationsuch as the destination phone number is sent as messages.
If several components in the network are involved in the call establishment, for example, iforiginating and terminating parties are not connected to the same switching center, it is alsonecessary that the different nodes in the network exchange information with each other Thissignaling is transparent for the user, and a protocol called the Signaling System Number 7 (SS‐7)is used for this purpose SS‐7 is also used in GSM networks and the standard was enhanced byETSI to fulfill the special requirements of mobile networks, for example, subscriber mobilitymanagement.
The SS‐7 standard defines three basic types of network nodes:
Trang 21Service Switching Points (SSPs) are switching centers that are more generallyreferred to as network elements and are able to establish, transport, orforward voice and data connections.
Service Control Points (SCPs) are databases and application software that caninfluence the establishment of a connection In a GSM network, SCPs can beused, for example, for storing the current location of a subscriber During call
establishment to a mobile subscriber, the switching centers query thedatabase for the current location of the subscriber to be able to forward thecall More about this procedure can be found in Section 1.6.3 about the Home
Location Register (HLR).
Figure 1.4 An SS‐7 network with an STP, two SCP databases, and
three switching centers.
Signaling Transfer Points (STPs) are responsible for the forwarding ofsignaling messages between SSPs and SCPs as not all network nodes have adedicated link to all other nodes of the network The principal functionality ofan STP can be compared to an IP router in the Internet, which also forwardspackets to different branches of the network Unlike IP routers, however, STPsonly forward signaling messages that are necessary for establishing,maintaining, and clearing a call The calls themselves are directly carried ondedicated links between the SSPs.
Figure 1.4 shows the general structure of an SS‐7 circuit‐switched telecommunication networkand the way the nodes, as described above, are interconnected with each other.
Trang 22The SS‐7 protocol stack is also used in virtual circuit‐switched networks for communicationbetween the network nodes Instead of dedicated signaling timeslots on an E‐1 link, signalingmessages are transported in IP packets. Section 1.4.1 describes the classic SS‐7 protocol stackand follows with the way SS‐7 messages are transported over IP networks.
1.4.1 The Classic SS‐7 Protocol Stack
SS‐7 comprises a number of protocols and layers A well‐known model for describingtelecommunication protocols and different layers is the Open System Interconnection (OSI) 7‐layer model, which is used in Figure 1.5 to show the layers on which the different SS‐7 protocolsreside.
The Message Transfer Part 1 (MTP‐1) protocol describes the physical properties of thetransmission medium on layer 1 of the OSI model Thus, this layer is also called the physicallayer Properties that are standardized in MTP‐1 are, for example, the definition of the differentkinds of cables that can be used to carry the signal, signal levels, and transmission speeds.
On layer 2, the data link layer, messages are framed into packets and a start and stopidentification at the beginning and end of each packet are inserted into the data stream, so thatthe receiver is able to detect where one message ends and where a new message begins.
Figure 1.5 Comparison of the SS‐7, OSI, and TCP/IP protocol stacks.
Layer 3 of the OSI model, which is called the network layer, is responsible for packet routing Toenable network nodes to forward incoming packets to other nodes, each packet gets a source anddestination address on this layer This is done by the MTP‐3 protocol of the SS‐7 stack Forreaders who are already familiar with the TCP/IP protocol stack, it may be noted at this point thatthe MTP‐3 protocol fulfills the same tasks as the IP protocol Instead of IP addresses, however,the MTP‐3 protocol uses so‐called ‘point codes’ to identify the source and the destination of amessage.
A number of different protocols are used on layers 4–7, depending on the application If amessage needs to be sent to establish or clear a call, the Integrated Services Digital NetworkUser Part (ISUP) protocol is used. Figure 1.6 shows how a call is established between two partiesby using ISUP messages In the example, party A is a mobile subscriber while party B is a fixed‐
Trang 23line subscriber Thus, A is connected to the network via an MSC, while B is connected via afixed‐line switching center.
To call B, the phone number of B is sent by A to the MSC The MSC then analyzes the NationalDestination Code (NDC) of the phone number, which usually comprises the first two to fourdigits of the number, and detects that the number belongs to a subscriber in the fixed‐linenetwork In the example shown in Figure 1.6, the MSC and the fixed‐line switching center aredirectly connected with each other Therefore, the call can be directly forwarded to theterminating switching center This is quite a realistic scenario, as direct connections are oftenused if, for example, a mobile subscriber calls a fixed‐line phone in the same city.
As B is a fixed‐line subscriber, the next step for the MSC is to establish a voice channel to thefixed‐line switching center This is done by sending an ISUP Initial Address Message (IAM).The message contains, among other data, the phone number of B and informs the fixed‐lineswitching center of the channel that the MSC would like to use for the voice path In theexample, the IAM message is not sent directly to the fixed‐line switching center Instead, an STPis used to forward the message.
At the other end, the fixed‐line switching center receives the message, analyzes the phonenumber, and establishes a connection via its switching matrix to subscriber B Once theconnection is established via the switching matrix, the switch applies a periodic current to theline of the fixed‐line subscriber so that the fixed‐line phone can generate an alerting tone Toindicate to the originating subscriber that the phone number is complete and the destination partyhas been found, the fixed‐line switch sends back an Address Complete Message (ACM) TheMSC then knows that the number is complete and that the terminating party is being alertedabout the incoming call.
Trang 24Figure 1.6 Establishment of a voice call between two switching centers.
If B answers the call, the fixed‐line switching center sends an Answer Message (ANM) to theMSC and conversation can start.
When B ends the call, the fixed‐line switching center resets the connection in the switchingmatrix and sends a Release (REL) message to the MSC The MSC confirms the termination ofthe connection by sending back a Release Complete (RLC) message If A had terminated thecall, the messages would have been identical, with only the direction of the REL and RLCreversed.
For communication between the switching centers (SSPs) and the databases (SCPs), theSignaling Connection and Control Part (SCCP) is used on layer 4 SCCP is very similar to TCPand User Datagram Protocol (UDP) in the IP world Protocols on layer 4 of the protocol stackenable the distinguishing of different applications on a single system TCP and UDP use ports todo this If a personal computer, for example, is used as both a web server and a File TransferProtocol (FTP) server at the same time, both applications would be accessed over the networkvia the same IP address However, while the web server can be reached via port 80, the FTPserver waits for incoming data on port 21 Therefore, it is quite easy for the network protocolstack to select the application to which incoming data packets should be forwarded In the SS‐7world, the task of forwarding incoming messages to the correct application is done by SCCP.Instead of port numbers, SCCP uses Subsystem Numbers (SSNs).
Trang 25For database access, the Transaction Capability Application Part (TCAP) protocol has beendesigned as part of the SS‐7 family of protocols TCAP defines a number of different modulesand messages that can be used to query all kinds of different databases in a uniform way.
1.4.2 SS‐7 Protocols for GSM
Apart from the fixed‐line‐network SS‐7 protocols, the following additional protocols weredefined to address the special needs of a GSM network.
The Mobile Application Part (MAP). This protocol has been standardized
in 3GPP TS 29.002 [3] and is used for the communication between an MSCand the HLR, which maintains subscriber information The HLR is queried, forexample, if the MSC wants to establish a connection to a mobile subscriber.In this case, the HLR returns information about the current location of thesubscriber The MSC is then able to forward the call to the mobile subscriber’sswitching center, establishing a voice channel between itself and the nexthop by using the ISUP message flow that has been shown in Figure 1.6 MAPis also used between two MSCs if the subscriber moves into the coveragearea of a different MSC while a call is ongoing As shown in Figure 1.7, theMAP protocol uses the TCAP, SCCP, and MTP protocols on lower layers.
The Base Station Subsystem Mobile Application Part (BSSMAP). This
protocol is used for communication between the MSC and the radio network.Here, the additional protocol is necessary, for example, to establish adedicated radio channel for a new connection to a mobile subscriber AsBSSMAP is not a database query language like the MAP protocol, it is baseddirectly on SCCP instead of TCAP being used in between.
The Direct Transfer Application Part (DTAP). This protocol is used
between the user’s mobile device, which is also called mobile station (MS),and the MSC, to communicate transparently To establish a voice call, the MSsends a ‘Setup’ message to the MSC As in the example in Section 1.4.1, thismessage contains the phone number of the called subscriber, among otherthings As it is only the MSC’s task to forward calls, all network nodesbetween the MS and the MSC forward the message transparently and thusneed not understand the DTAP protocol.
Trang 26Figure 1.7 Enhancement of the SS‐7 protocol stack for GSM.
1.4.3 IP‐Based SS‐7 Protocol Stack
Today, an IP network is used for the transmission of SS‐7 signaling messages and the MTP‐1and MTP‐2 protocols were replaced by the IP and the transport‐medium‐dependent lower‐layerprotocols (e.g Ethernet). Figure 1.8 shows the difference between the IP stack and the classicstack presented in the previous section.
In the IP stack, layer‐4 protocols are either UDP or TCP for most services For the transmissionof SS‐7 messages, however, a new protocol has been specified, which is referred to as StreamControl Transmission Protocol (SCTP) When compared to TCP and UDP, it offers advantageswhen many signaling connections between two network nodes are active at the same time.
On the next protocol layer, SCTP is followed by the M3UA (MTP‐3 User Adaptation Layer)protocol As the name implies, the protocol is used to transfer information that is contained in theclassic MTP‐3 protocol For higher protocol layers such as SCCP, M3UA simulates allfunctionalities of MTP‐3 Therefore, the use of an IP protocol stack is transparent to all higher‐layer SS‐7 protocols.
Trang 27In the industry, the IP‐based SS‐7 protocol stack or the IP‐based transmission of SS‐7 messagesis often referred to as SIGTRAN (signaling transmission) The abbreviation originated from thename of the IETF (Internet Engineering Task Force) working group that was created for thedefinition of these protocols.
As described in Section 1.1.1, the ISUP protocol was used for the establishment of voice callsbetween switching centers and the assignment of a 64 kbit/s timeslot In an IP‐based network,voice calls are transmitted in IP packets, and consequently, the ISUP protocol had to be adaptedas well The resulting protocol is referred to as the Bearer‐Independent Call Control (BICC)protocol, which largely resembles ISUP.
Figure 1.8 Comparison of the classic and IP‐based SS‐7 protocol stacks.1.5 The GSM Subsystems
A GSM network is split into three subsystems, which are described in more detail below:
The Base Station Subsystem (BSS), which is also called ‘radio network,’
contains all nodes and functionalities that are necessary to connect mobilesubscribers wirelessly over the radio interface to the network The radiointerface is usually also referred to as the ‘air interface.’
The Network Subsystem (NSS), which is also called ‘core network,’
contains all nodes and functionalities that are necessary for switching of calls,for subscriber management and mobility management.
The Intelligent Network Subsystem (IN) comprises SCP databases that
add optional functionality to the network One of the most important optionalIN functionalities of a mobile network is the prepaid service, which allows
Trang 28subscribers to first fund an account with a certain amount of money whichcan then be used for network services like phone calls, Short MessagingService (SMS) messages, and of course, Internet access When a prepaidsubscriber uses a service of the network, the responsible IN node is contactedand the amount the network operator charges for a service is deducted fromthe account in real‐time.
1.6 The Network Subsystem
The most important responsibilities of the NSS are call establishment, call control, and routing ofcalls between different fixed and mobile switching centers and other networks Furthermore, theNSS is responsible for subscriber management The nodes necessary for these tasks in a classicnetwork architecture are shown in Figure 1.9. Figure 1.10 shows the nodes required in IP‐basedcore networks Both designs are further described in the following sections.
Figure 1.9 Interfaces and nodes in a classic NSS architecture.
Trang 29Figure 1.10 Interfaces and nodes in an IP‐based NSS architecture.
1.6.1 The Mobile Switching Center (MSC), Server, and Gateway
The MSC is the central element of a mobile telecommunication network, which is also called aPublic Land Mobile Network (PLMN) in the standards In a classic circuit‐switched network, allconnections between subscribers are managed by the MSC and are always routed over theswitching matrix even if two subscribers who have established a connection communicate overthe same radio cell.
The management activities to establish and maintain a connection are part of the call control(CC) protocol, which is generally responsible for the following tasks:
Registration of mobile subscribers: When the mobile device, also referred toas MS, is switched on, it registers to the network and is then reachable by allother subscribers of the network.
Call establishment and call routing between two subscribers.
Trang 30If no active connection exists between the network and the mobile device,the MS has to report a change of location to the network to be reachable forincoming calls and SMS messages This procedure is called location updateand is further described in Section 1.8.1.
If the subscriber changes their location while a connection is established withthe network, the MSC is part of the process that ensures that the connectionis not interrupted and is rerouted to the next cell This procedure is called‘handover’ and is described in more detail in Section 1.8.3.
To enable the MSC to communicate with other nodes of the network, it is connected to them viastandardized interfaces as shown in Figure 1.9 This allows network operators to acquiredifferent components for the network from different network equipment vendors The interfaceswe discuss next were initially transmitted over timeslots in circuit‐switched E‐1 lines, but havesince been transitioned toward IP based links As described earlier, only the lower protocollayers were affected by this evolution On the application layer, both variants are identical.The BSS, which connects all subscribers to the core network, was typically connected to theMSCs via a number of 2‐Mbit/s E‐1 connections before the transition towards IP This interfaceis called the ‘A interface.’ As has been shown in Section 1.4, the BSSMAP and DTAP protocolsare used over the A interface for communication between the MSC, the BSS, and the mobiledevices As an E‐1 connection could only carry 31 channels, many E‐1 connections werenecessary to connect an MSC to the BSS In practice, this meant that many E‐1s were bundledand sent over optical connections such as STM‐1 to the BSS Another reason to use an opticalconnection is that electrical signals can only be carried over long distances with great effort andit was common for an MSC to be several hundred kilometers away from the next BSS node.As an MSC had only a limited switching capacity and processing power, a PLMN was usuallycomposed of dozens of independent MSCs Each MSC thus covered only a certain area of thenetwork To ensure connectivity beyond the immediate coverage area of an MSC, E‐1s, whichwere again bundled into optical connections, were used to interconnect the different MSCs of anetwork As a subscriber could roam into the area that is controlled by a different MSC while aconnection is active, it was necessary to change the route of an active connection to the newMSC (handover) The necessary signaling connection is called the ‘E interface.’ ISUP was usedfor the establishment of the speech path between different MSCs, and the MAP protocol was andstill is used for the handover signaling between the MSCs Further information on the handoverprocess can be found in Section 1.8.3.
The ‘C interface’ was and is used to connect the MSCs of a network with the HLR of the mobilenetwork While the A and E interfaces that were described always consist of signaling andspeech path links, the C interface is a pure signaling link Speech channels are not necessary for
Trang 31the C interface, as the HLR is purely a database, which cannot accept or forward calls Despitebeing only a signaling interface, E‐1 connections were used for this interface All timeslots wereused for signaling purposes or were unused.
As we saw in Section 1.3, a voice connection was carried over a 64‐kbit/s E‐1 timeslot in aclassic circuit‐switched fixed‐line or mobile network Before the voice signal can be forwarded,it needs to be digitized For an analog fixed‐line connection, this was done in the switchingcenter, while an ISDN fixed‐line phone or a GSM mobile phone digitized the voice signal itself.An analog voice signal is digitized in several steps, as shown in Figure 1.11: in the first step, thebandwidth of the input signal is limited to 300–3400 Hz to enable the signal with the limitedbandwidth of a 64‐kbit/s timeslot to be carried Afterward, the signal is sampled at a rate of 8000times per second The next step in the processing is the quantization of the samples, which meansthat the analog samples are converted into 8‐bit digital values that can each have a value from 0to 255.
Figure 1.11 Digitization of an analog voice signal.
The higher the volume of the input signal, the higher the amplitude of the sampled value and itsdigital representation To also transmit low‐volume conversations, the quantization is not linearover the entire input range but only in certain areas For small input‐signal amplitudes, a muchhigher range of digital values is used than for high‐amplitude values The resulting digital datastream is called a pulse code‐modulated (PCM) signal Which volume is represented by which
digital 8‐bit value is described in the A‐law standard for European networks and in the μ‐law
standard in North America.
The use of different standards unfortunately complicates voice calls between networks usingvarying standards Therefore, it is necessary to convert a voice signal for a connection between,for example, France and the United States.
As the MSC controlled all connections, it was also responsible for billing This is done bycreating a billing record for each call, which is later transferred to a billing server The billingrecord contains information like the number of the caller and the calling party, cell ID of the cellfrom which the call originated, time of call origination, duration of the call, and so on Calls forprepaid subscribers are treated differently as the charging is already done while the call isrunning The prepaid billing service is implemented on an IN system and not on the MSC, asfurther described in Section 1.11.
MSC‐Server and Media Gateway
Trang 32In today’s mobile voice networks, circuit‐switched components have been replaced with IP‐based devices The MSC has been split into an MSC‐Server (MSC‐S) and a Media Gateway(MGW) This is shown in Figure 1.10 and has been specified in 3GPP TS 23.205 [4] The MSC‐Ss are responsible for CC and MM (signaling), and the MGWs handle the transmission of virtualvoice circuits (user data).
To establish a voice connection, MSC‐Ss and MGWs communicate over the Mc interface Thisinterface does not exist in the classical model, as the MSC contained both components 3GPP TS29.232 [5] describes this interface on which the H.248 / MEGACO (Media Gateway Control)protocol is used [6] The protocol is used, for example, to establish voice channels to two partiesand then to logically connect the two channels in the MGW The protocol is also used to instructthe MGWs to play announcements to inform users of events, for example, where the called partyis currently not available or is busy, and to establish conference calls between more than twosubscribers To add redundancy and for load‐balancing reasons, several MSC‐Ss and MGWs canbe interconnected in a mesh If an MSC‐S fails, an MGW can thus still continue to operate, andis then controlled by another server Thus, a single MSC‐S is no longer solely responsible for asingle geographical area as was the case in the traditional model.
On the radio network side, the A interface continues to be used to connect the radio network tothe MSC‐Ss and MGWs over an IP‐based link In addition, the A interface has been made moreflexible and can now be connected to several media gateways This adds redundancy toward theradio network as well, as a geographical region can still be served even if a media gateway fails.The Nc interface is used to transport voice calls within the core network and to gateways to othermobile or to fixed networks The protocol used on this interface is referred to as the BearerIndependent Call Control (BICC) protocol and is very similar to the traditional ISUP protocol.This is specified in ITU Q.1901 [7] and 3GPP TS 29.205 [8] By using an SGW as shownin Figure 1.10, the protocol can be converted into ISUP.
Virtual speech channels that have been negotiated over the Nc interface are transmitted betweenMGWs over the Nb interface The combination of the Nb interface and Nc interface thusreplaces the E interface of the classic network architecture A voice channel is transmitted overIP connections as either PCM/G.711, Narrowband‐AMR, or Wideband‐AMR, depending on thetype of radio network, the configuration of the network, and the capabilities of the mobile device.Interconnections between mobile networks are often still based on ISUP and circuit switchedlinks, even though networks are currently based on IP technology In recent years, however, IP‐based transport links have become more common between networks as well An additionalbenefit of this transition is that advanced speech codecs such as Wideband‐AMR can also beused between networks.
Just as in classic core networks, the C and D interfaces are used in a BICN network tocommunicate with the HLR Instead of E‐1 links, however, current communication is based onIP links.
Trang 331.6.2 The Visitor Location Register (VLR)
Each MSC has an associated Visitor Location Register (VLR), which holds the record of eachsubscriber that is currently served by the MSC (Figure 1.12) These records are only copies ofthe original records, which are stored in the HLR (see Section 1.6.3) The VLR is mainly used toreduce signaling between the MSC and the HLR If a subscriber roams into the area of an MSC,the data is copied to the VLR of the MSC and are thus locally available for every connectionestablishment Verification of the subscriber’s record at every connection establishment isnecessary as the record contains information about the services that are active and the servicesfrom which the subscriber is barred Thus, it is possible, for example, to bar outgoing calls whileallowing incoming calls, to prevent abuse of the system While the standards allowimplementation of the VLR as an independent hardware component, all vendors haveimplemented the VLR simply as a software component in the MSC This is possible becauseMSC and VLR use different SCCP SSNs as shown in Figure 1.12 (see Section 1.4.1) and canthus run on a single physical node.
When a subscriber leaves the coverage area of an MSC, their record is copied from the HLR tothe VLR of the new MSC, and is then removed from the VLR of the previous MSC Thecommunication with the HLR is standardized in the ‘D interface’ specification, which is showntogether with other MSC interfaces in Figure 1.9 and Figure 1.10.
Figure 1.12 Mobile Switching Center (MSC) with integrated Visitor Location Register
(VLR).
Trang 341.6.3 The Home Location Register (HLR)
The HLR is the subscriber database of a GSM network It contains a record for each subscriber,with information about the individually available services.
The International Mobile Subscriber Identity (IMSI) is an internationally unique number thatidentifies a subscriber, and is used for most subscriber‐related signaling in the network (Figure1.13) The IMSI is stored in the subscriber’s subscriber identity module (SIM) card and in theHLR, and is thus the key to all information about the subscriber The IMSI consists of thefollowing parts:
The Mobile Country Code (MCC). The MCC identifies the subscriber’s
home country. Table 1.2 shows a number of MCC examples.
The Mobile Network Code (MNC). This part of the IMSI is the national part
of a subscriber’s home network identification A national identification isnecessary because there are usually several independent mobile networks ina single country In the United Kingdom, for example, the following MNCs areused: 10 for O2, 15 for Vodafone, 30 for EE and 20 for Three.
The Mobile Subscriber Identification Number (MSIN). The remaining
digits of the IMSI form the MSIN, which uniquely identifies a subscriber withinthe home network.
Figure 1.13 The International Mobile Subscriber Identity (IMSI).
As an IMSI is internationally unique, it enables a subscriber to use their phone abroad if a GSMnetwork is available that has a roaming agreement with their home operator When the mobiledevice is switched on, the IMSI is retrieved from the SIM card and sent to the MSC There, theMCC and MNC of the IMSI are analyzed and the MSC is able to request the subscriber’s recordfrom the HLR of the subscriber’s home network.
Table 1.2 Mobile country codes.
Trang 35234United Kingdom310United States228Switzerland208France262Germany604Morocco505Australia
The phone number of the user, which is called the Mobile Subscriber Integrated Services DigitalNetwork Number (MSISDN) in the GSM standards, has a length of up to 15 digits, and consistsof the following parts:
The country code is the international code of the subscriber’s home country.The country code has one to three digits such as +44 for the United Kingdom,+1 for the United States, and +353 for Ireland.
The NDC usually represents the code with which the network operator can bereached It is normally three digits in length It should be noted that mobilenetworks in the United States use the same NDCs as fixed‐line networks.Thus, it is not possible for users to distinguish whether they are calling afixed‐line or a mobile phone This affects both billing and routing, as theoriginating network cannot deduct which tariff to apply from the NDC.
The remainder of the MSISDN is the subscriber number, which is unique inthe network.
There is usually a 1:1 or 1:N relationship in the HLR between the IMSI and the MSISDN.Furthermore, a mobile subscriber is normally assigned only a single MSISDN However, as theIMSI is the unique identifier of a subscriber in the mobile network, it is also possible to assignseveral numbers to a single subscriber.
Trang 36Another advantage of using the IMSI as the key to all subscriber information instead of theMSISDN is that the phone number of the subscriber can be changed without replacing the user’sSIM card or changing any information on it To change the MSISDN, only the HLR record ofthe subscriber needs to be changed In effect, this means that the mobile device is not aware of itsown phone number This is not necessary because the MSC automatically adds the user’sMSISDN to the message flow for a mobile‐originated call establishment so that it can bepresented to the called party.
Many countries have introduced functionality called mobile number portability (MNP), whichallows a subscriber to retain their MSISDN even if they want to change their mobile networkoperator This is a great advantage for subscribers and for competition between mobile operators,but it also implies that it is no longer possible to discern the mobile network to which the callwill be routed from the NDC Furthermore, the introduction of MNP also increased thecomplexity of call routing and billing in both fixed‐line and mobile networks, because it is nolonger possible to use the NDC to decide which tariff to apply to a call Instead of a simple call‐routing scheme based on the NDC, the networks now have to query an MNP database for everycall to a mobile subscriber to find out if the call can be routed inside the network or if it has to beforwarded to a different national mobile network.
Table 1.3 Basic services of a GSM network.Basic serviceDescription
TelephonyIf this basic service is activated, a subscriber can use the voice telephonyservices of the network This can be partly restricted by other supplementaryservices that are described below.
Short messagingservice (SMS)
If activated, a subscriber is allowed to use the SMS.
Data serviceDifferent circuit switched data services can be activated for a subscriber with‐speeds of 2.4, 4.8, 9.6, and 14.4 kbit/s data calls.
FAXAllows or denies a subscriber the use of the FAX service, which can be usedto exchange FAX messages with fixed line or mobile devices.‐
Apart from the IMSI and MSISDN, the HLR contains a variety of information about eachsubscriber, such as which services they are allowed to use. Table 1.3 shows a number of ‘basicservices’ that can be activated on a per subscriber basis.
In addition to the basic services described above, the GSM network offers a number of otherservices that can also be activated on a per‐subscriber basis These services are calledsupplementary services and are shown in Table 1.4.
Trang 37Most supplementary services can be activated by the network operator on a per‐subscriber basis,and allow the operator to charge an additional monthly fee for some services if desired Otherservices, like multiparty, can be charged on a per‐use basis Although some network operatorsmade use of this in the early years of GSM, most services are now included as part of the basicmonthly fee.
Most services can be configured by the subscriber via a menu on the mobile device The menu,however, is just a graphical front end for the user and the mobile device translates the user’scommands into numerical strings which start with an ‘*’ character These strings are then sent tothe network by use of an Unstructured Supplementary Service Data (USSD) message The codesare standardized in 3GPP TS 22.030 [13] and are thus identical in all networks As the menu isonly a front end for the USSD service, the user can also input the USSD strings themselves viathe keypad After pressing the ‘send’ button, which is usually the button that is also used to starta phone call after typing in a phone number, the mobile device sends the string to the HLR viathe MSC, where the string is analyzed and the requested operation is performed For example,call forwarding to another phone (e.g 0782 192 8355) while a user is already engaged in anothercall – call forward busy (CFB) – is activated with the following string: **67* 07821928355# + callbutton.
Table 1.4 Supplementary services of a GSM network.Supplementary
unconditional (CFU) If this service is activated, a number can be configured to which allincoming calls are forwarded immediately [9] This means that the mobiledevice will not be notified of the incoming call even if it is switched on.Call forward busy
(CFB) This service allows a subscriber to define a number to which calls areforwarded if they are already engaged in a call when a second call comesin.
Call forward no reply
(CFNRY) If this service is activated, it is possible to forward the call to a user‐defined number if the subscriber does not answer the call within a certaintime The subscriber can change the number to which to forward the callas well as the timeout value (e.g 25 seconds).
Call forward notreachable (CFNR)
This service forwards the call if the mobile device is attached to thenetwork but is not reachable momentarily (e.g temporary loss ofnetwork coverage).
Trang 38Barring of alloutgoingcalls(BAOC)
This functionality can be activated by the network operator if, forexample, the subscriber has not paid their monthly invoice in time It isalso possible for the network operator to allow the subscriber to changethe state of this feature together with a PIN (personal identificationnumber) so that the subscriber can lend the phone to another person forincoming calls only [10].
Barring of allincoming calls (BAIC)
Same functionality as provided by BAOC for incoming calls [10].
Call waiting (CW)This feature allows signaling of an incoming call to a subscriber while theyare already engaged in another call [11] The first call can then be put onhold to allow the subscriber to accept the incoming call The feature canbe activated or barred by the operator and switched on or off by thesubscriber.
Call hold (HOLD)This functionality is used to accept an incoming call during an alreadyactive call or to start a second call [11].
presentation (CLIP)
If activated by the operator for a subscriber, the functionality allows theswitching center to forward the number of the caller.
restriction (CLIR)
If allowed by the network, the caller can instruct the network not to showtheir phone number to the called party.
Connected linepresentation (COLP)
Shows the calling party the MSISDN to which a call is forwarded, if callforwarding is active at the called party side.
Connected lineIf COLR is activated at the called party, the calling party will not be
Trang 39presentationrestriction (COLR)
notified of the MSISDN to which the call is forwarded.
Multiparty (MPTY)Allows subscribers to establish conference bridges with up to sixsubscribers [12].
1.6.4 The Authentication Center
Another important part of the HLR is the AuC The AuC contains an individual key per‐subscriber (Ki), which is a copy of the Ki on the SIM card of the subscriber As the Ki is secret,it is stored in the AuC, and especially on the SIM card, in a way that prevents it from being readdirectly.
For many operations in the network the subscriber is identified by use of this key, for instance,during the establishment of a call Thus, it can be ensured that the subscriber’s identity is notmisused by a third party. Figure 1.15 shows how the authentication process is performed.
The authentication process, as shown in Figure 1.16, is initiated when a subscriber establishes asignaling connection with the network before the actual request (e.g call establishment request)is sent In the first step of the process, the MSC requests an authentication triplet from theHLR/AuC The AuC retrieves the Ki of the subscriber and the authentication algorithm (A3algorithm) based on the IMSI of the subscriber that is part of the message from the MSC The Kiis then used together with the A3 algorithm and a random number to generate the authenticationtriplet, which contains the following values:
RAND: A 128‐bit random number.
SRES: The signed response (SRES) is generated by using Ki, RAND, and the
A3 authentication algorithm, and has a length of 32 bits (see Figure 1.14).
Figure 1.14 Creation of a signed response (SRES).
Trang 40Figure 1.15 Message flow during the authentication of a subscriber.
Kc: The ciphering key, Kc, is also generated by using Ki and RAND It is used
for the ciphering of the connection once the authentication has beenperformed successfully Further information on this topic can be foundin Section 1.7.7.
RAND, SRES, and Kc are then returned to the MSC, which then performs authentication of thesubscriber It is important to note that the secret Ki information never leaves the AuC.
To speed up subsequent connection establishments, the AuC usually returns severalauthentication triplets per request These are buffered by the MSC/VLR and are used duringsubsequent connection establishments.
In the next step, the MSC sends the RAND inside an ‘Authentication Request’ message to themobile device The mobile device forwards the RAND to the SIM card, which then uses the Kiand the authentication A3 algorithm to generate a Signed Response (SRES*) The SRES* isreturned to the mobile device and then sent back to the MSC inside an ‘AuthenticationResponse’ message The MSC then compares SRES and SRES*, and if they are equal, thesubscriber is authenticated and allowed to proceed with the communication.