GPRS & EDGE

Agenda
GPRS
EDGE Deployment Reference

Security in GPRS

GSM was the most important Cellular mobile technology of the 2nd generation. But the need was felt to transmit / receive the high rate Data also on the GSM / Mobile networks. The first system to make impact was GPRS ( General Packet Radio Service) GPRS enables the achievement of higher Data rates. GPRS is the middle step between the 2nd generation GSM & third generation W-CDMA/UMTS. The system is also called 2.5 G system.

It offers the services up to 115 Kbps GPRS is used for WEB Browsing & other services which involve the transaction of higher data rates. The Key element of GPRS is that it is used for transmitting the packet switched Data

The different data rates are transmitted on GPRS networks as different multi- level coding schemes are involved.
The same arrangement is used for circuit switched Data because four coding schemes are involved This technique makes the efficient use of the available capacity

Most of the Data transfer occurs in the bursty fashion.The Data transfer occurs in short packets followed by breaks& sometimes ,there can be little or no activity.

GPRS has the backward compatibility, we are in a position to have the voice conversations by using the GPRS handset on the GSM networks

Circuit Switching & packet Switching.(Definition)

When a circuit is switched permanently to a particular user , we call it the circuit switching mode.This mode is mostly used for the voice transmission.

When the data is of bursty nature & the transfer occurs in short packets followed by breaks, the overall capacity can be shared by many users. To achieve this the data is split in the packets & tags are inserted in the packets to provide the destination address. The data reaches the destination & since there is address available with every packet we are in a position to make the data reach the proper place for which the data is required to go as per the address available

Packets of several sources can be transmitted over the link as it is not likely that the data burst of all the users will occur at the same time By sharing the overall resources in this fashion, the channel or the number of channels can be used more efficiently This technique is known as packet switching. Packet switching enables us to transmit the very high rate data on the same networks

GPRS is the overlay network of GSM

i.e we dont require any change in the network topology when GSM network is used for GPRS transmissions i.e GSM & GPRS are able to operate alongside one another, by undergoing the various upgrades for enabling it to work for GPRS. The upgrades required for GPRS prepares the core infrastructure for the evolution of 3G W-CDMA/UMTS

For using the GSM architecture for GPRS the requirement on the other side will be the GPRS enabled mobile , as it is not possible to upgrade a GSM mobile for enabling it to work for GPRS. GSM mobiles can be used for receiving/transmitting the GPRS speech, but cannot transmit the GPRS data in the required format Since GPRS is able to have the transaction of the high rate data it is called a 2.5 G technology

GSM Bit Rate Evolution

Bit rate in kbps

100 90 80 70 60 50 40 30 20 10 0 9.6kbps (Today) CS-1 14.4kbps CS-2 HSCSD 38.4-64kbps GPRS 115kbps Technology EDGE 384kbps

Higher Bandwidth!

GPRS Network

Network Architecture 1/2

A

BTS
BTS

BSC

MAP

MSC/VLR
Gr (MAP) Gb Gs Gc

HLR IP Network
Gi (IP)

Packet data for the radio interface CS and PS data discrimination Slot and channel allocation Existing A interface is reused
Gd (MAP)

SGSN
Gn

GGSN
Gn

BSC

GPRS Mobility Management Gb Frame Relay

SMS-GMSC SMS-IWMSC

Backbone Network IP

Allocation of PDCH in cells

Handling of GPRS Paging Broadcast GPRS information

MS

HLR

Network Architecture 2/2

A

GPRS subscription and routing information Maps subscriber to one or more GGSNs

BTS

BSC

MAP

Update SGSN at attach and

detach

MSC/VLR
Gr (MAP) Gb Gs Gc

HLR

IP Network
Gi (IP)

MS

SMS-GMSC SMS-IWMSC

SGSN
Gd (MAP) Gn

GGSN
Gi (X.25) Gn

MSC

Location info from SGSN CS paging request to SGSN Signalling coordination for class A/B mobile

Backbone Network IP

X.25 Network

SMS-SC SS7/MAP based SMS is delivered over GPRS for GPRS attached terminals

(Gs)

Charging in GPRS 1/2

A

SMS-G/IW MSC
Gd (MAP)

BTS

BSC

MSC/VLR
Gr (MAP) Gs (BSSAP+)

HLR

Gb

Charging can be done at SGSN or GGSN or both SGSN for data volume and / or MS for PDP context duration Gn

Gi (IP)

ISP Network

GGSN
Gn Gi (IP)

Mediation

Types of CDR;s in GPRS S-CDR : radio n/w related (fm SGSN) G-CDR : for External n/w usage (fm GGSN) M-CDR : related to MM activities (fm SGSN) 2 CDR,s related to usage of SMS with GPRS (fm SGSN)

Backbone Network

Corporate Network

Charging in GPRS 2/2

A

SMS-G/IW MSC
Gd (MAP)

BTS

BSC

MSC/VLR
Gr (MAP) Gs (BSSAP+)

HLR

Gb

Gi (IP)

ISP Network

SGSN MS
Gn

GGSN
Gn Gi (IP)

Mediation

Backbone Network

Corporate Network

Billing Gateway Functions

It is an interface between GGSN & existing Billing System It matches & filters the CDR,s On PDP contest basis Rating , can put price tags to CDR,s partially or Fully Can convert volume based CDR,to time based CDRs for billing systems. Storing. Can store the security of CDRs till Session Ends The Matched CDR,s are stored till billing system needs them for processing

Functions of SGSN SGSN takes care of some important functions including routing

Handover & IP address assignment

It has a logical connection to GPRS device If you were browsing the internet while traveling . You will pass through many different Cells SGSN makes sure that connection is not interrupted while going from one Cell to another

Functions of SGSN It works with BSC to route the connection through. If USER moves to the segment which is under different SGSN , it will perform a quick hand-off to that SGSN & the user will not notice as to what is happening.

Any packet which is lost is re-transmitted.

SGSN converts the mobile Data into IP & is connected to GGSN Via tunneling protocol.

Functions of GGSN GGSN is the last port of call in the GPRS network before a connection between an ISP network:s Router occurs. GGSN is basically a gateway , a router & a firewall rolled into one It also confirms user details with radius servers for security, which are usually situated in the IP network& outside GPRS network.

Connectivity between SGSN & GGSN.

Connectivity between SGSN & GGSN is made with protocol called the GPRS tunneling Protocol GPRS tunneling protocol (GTP) sits on top of TCP/IP & is also responsible for mediation & billing information.

GPRS is billed on Megabyte basis In practice the two GSM devices maybe a single unit.

How does SGSN know which GGSN to direct you

A mobile device is programmed with one or more APNs (Access point names) AN APN consists of a fully qualified DNS name e.g like Morgandoyle .co. UK When a GPRS device wants to talk to this network SGSN does a DNS look up& resolves the name to correct GGSN One could have multiple APNs programmed into your phones, So one is not limited to a single service or single GGSN
.

Classification of Mobile Terminals

Class A mode of operation: Attached both to CS and PS Simultaneous Circuit (CS) and Packet-Switched (PS) services Class B mode of operation: Attached both to CS and PS. Automatic choice of service, CS or PS, but only one at a time Class C mode of operation: Can be attached to either CS or PS service

Mobile classification:-

Class A:- This set can be connected to GSM & GPRS services at the same time.

Class B :- These mobiles are attached to both GSM & GPRS services .
But they can be used for only one service at a time.

The mobile can make or receive a call or send or receive an SMS during GPRS connection During the voice calls GPRS services are suspended , but are resumed when the voice call is completed. Class C type of mobile :-

These classification covers phones that can be attached to either GSM or GPRS
Services but the user are categorized by the data rates that can support within GSM

Services but the user requires to switch manually between the two different types.GSM mobiles are categorized by the data rates that can support within GSM

A number of timeslots are used for a GPRS call.

There are total 29 classes of Mobiles Class 1 mobiles are used to send or receive calls in one slot & class 29 mobiles are used to send & receive calls in all the eight slots.

Classes within these two limits are able to send & RECEIVE THE DATA IN DIFFERENT COMBINATIONS FOR UPLINK & DOWNLINK SLOTS

LAYERS:- Software plays an important part in current Cellular mobile systems

The concept of layers is used in GSM & other mobile Systems.

The idea takes a greater prominence as they become more Data centric THE FUNCTIONS OF THE LAYERS 1,2 &3 Layer 1:- It concerns the physical link between the mobile & the base Station It is divided into two sub-layers

Sub Layer 1:-

It is the RF layer that includes the modulation & demodulation

SL-2 :It is the physical link layer It manages the response & controls required for the operation of the RF link.

These includes elements such as error correction, interleaving & correct assembly of Data, Power control & the like.

Above this are RLC & MAC layers. These organize the logical link between mobile & the base station.

They control the Radio link access & organize the logical channels that route the Data to & from the mobile

There is also the logical link layer that formats the Data frames & is used to link the elements of core network to mobiles.

GPRS Physical Channels.

GPRS channel architecture is built upon basic GSM architecture. It uses the same frame architecture & the modulation technique as GSM.

For the GPRS call the slots are assigned dynamically., depending upon the demand , the remaining ones are used for GSM. There is a new Data channel used for GPRS , It is called PDCH ( Packet data channel)

Overall slot structure for this channel is the same as that of GSM having the same power profile & timing advance Attributes to overcome the different signal travel time to the Base Station, depending upon the the distance the mobile is from the base station.

This enables the burst to fit in seamlessly within the GSM Structure.

Each burst information is 0.577ms in length & is the same as that used in GSM .

. It carries 2 blocks of 57 bits of information giving a total of 114bits per burst.

It therefore requires 4 bursts to carry 20ms blocks of data i.e 456 bits of encoded Data. PDCH are assigned by BSC to particular timeslot. When PDCH is in-active it allows the mobiles to check for other Base Stations & monitor their final strength

GSM time slot may be used by the base station using a logical channel The Channel is Known PACKET TIMING ADVANCE CONTROL CHANNEL

Although GPRS uses only one physical (PDCH) for sending the data, it employs several logical channels that are mapped together to enable the GPRS data & facilitates to be managed.

The packets in GPRS are assigned a space within the system according to the current needs& routed accordingly.

ii)Standby mode. & iii) Ready mode i) Initialization Mode ;

ii) When the mobile is turned on it must register with the network& update the location register This location is very similar to GSM iii) It first locates a suitable cell & transmits a Radio burst on a RACH using a shortened burst because it does not know what timing advance is required iv) The data contained within this burst temporarily identifies the mobile& indicates that the reason for the update is to temporarily perform the location update

At the time of location update the network also performs an authentication to ensure that it is allowed to access the network

At the time of registration the network detects whether the mobile phone has the GPRS capability

SGSN maintains the record of the mobile so that the Data can be sent there when required.

STANDBY MODE:- Mobile then enters the standby mode. It periodically updates its position as required. It monitors the MNC of the base station to ensure that it has not changed the base station & also looks for stronger Base Station control channel

Mobile will monitor PPCH in case of an incoming alert indicating that Data is ready to be Sent.

READY. Mobile is attached to the SYSTEM & a virtual connection is made with SGSN & GGSN. BY making this connection the network knows where to route the packets When the packets are sent & received. The Mobile is likely to use PTCCH to ensure that its timing is correctly set so that it is ready for Data transfer should one be needed.When the mobile is attached to the network , it is ready for a call or Data transfer..

.For transmitting Data mobile sends the request on PRACH. If this channel is busy Mobile monitors the PCCCH which contains a status bit indicating the status of the base station receiver. When the status bit indicates that the receiver is idle the mobile sends its packet channel request message. If accepted, the base station will respond by sending an assignment message on PAGCH indicating as to which channel the mobile is to use for its packet Data transfer .

If the Data needs to be transmitted in the D/L direction a separate assignment is performed.

On disconnecting the mobile sends a temporary block flow message & this is acknowledged.
Once this has taken place the USF assigned to the mobile becomes Mobile effectively becomes disconnected although still attached to the network No more Data transfer takes place unless it is reindicated.Separate messages are required to detach the mobile from the network.

Network - Mode of Operation

Network operation mode I: CS paging message for a GPRS-attached MS, either on the GPRS paging channel (i.e., the packet paging channel or the CCCH paging channel), or on a GPRS traffic channel. MS needs only to monitor one paging channel (More sleep time to MS) Combined RA and LA update Gs interface is present between SGSN & MSC/VLR

Network operation mode II: CS paging message for a GPRS-attached MS on the CCCH paging channel, and this channel is also used for GPRS paging. Network operation mode III: CS paging for a GPRS-attached MS on the CCCH paging channel GPRS paging on either the packet paging channel (if allocated in the cell) or on the CCCH paging channel. MS shall monitor both paging channels if the packet paging channel is allocated in the cell.

Channel Allocation
Fixed and/or dynamic channels 0-8 fixed GPRS channels / cell unlimited number of on-demand (dynamic) GPRS channels /cell CS can pre-empt dynamic GPRS channels First fixed GPRS channel carries PCCCH TS7 TS0 TS1 ...
f1 f2 fn
BCCH SDCCH TCH PDCH

Efficient use of Radio Resources

Example on Radio Channel Allocation

TS 1 TS 2 Circuit Switched

TS 3
TS 4 TS 5 TS 3 TS 2 TS 1 Time Packet Switched

GPRS Roaming

Roaming Billing TAP - Records (Transferred Account Procedure) Existing methods of TAP exchanges shall be used TAP File Spec 3 required - GPRS enhancements like: data volume, IP address, APN, etc. Different concepts to existing TAP Record Procedures Partial Records Generated + Data volume counts CDRs from HGGSN and VSGSN - different records from different networks for the same connection

Security Issues in GPRS

Mobile Operator Security Requirements

Corporate Network #1 Roaming Partner #1

GTP Firewall Firewall VPN Firewall

Operator

GTP Firewall Over IPSec

GRX

VPN
Corporate Network #2

VPN Roaming Partner #2

Security Threats on the Gn / Gp Interface Threat: Denial of Service from invalid or flood of GTP traffic Undesirable GTP messages Solution: GTP traffic management prevents the GSNs from being overwhelmed GTP packet sanity check in firewall prevents GSNs from having to try to process malformed GTP packets GTP stateful inspection prevents GSNs from having to process GTP packets which dont make sense because of no PDP context or wrong PDP context state GTP policies which determine which GTP messages
should be allowed

Security Threats on the Gn / Gp Interface

Threat: GTP traffic from a non-roaming partner can kill a MS session or hijack a session GTP traffic spoofed to appear from a valid roaming partner Solution: GTP security policies block traffic from nonroaming partners High performance IP Sec tunnels across GRX can be used to maintain confidentiality and integrity of GTP and prevent GTP from being spoofed

Security Threats on the Gi Interface

Threat: A subscribers Internet connection may be flooded by incoming traffic The Gi Internet connection may be flooded Hackers may attack subscribers with malicious traffic Solution: Firewall traffic management protects the Gi Internet connection for subscribers and the PLMN as a whole Firewall can protect against many common

Security Threats on the Gi Interface

Threat: Mobile Subscribers attack each other Corporate customers attack each other Solution: Firewall Gi tunnel hub sends all Internet traffic to the firewall before its sent back to the GGSN; security policies prevent subscribers from attacking each other Firewall Gi tunnel hub uses virtual routers to logically separate traffic corporate intranet traffic all the way from the GGSN to the corporate network

EDGE
(Enhanced Data rates for GSM Evolution)

Agenda
General EDGE
EDGE Network

Security in GPRS

GPRS Evolution
- The Way to UMTS BTS BSC MSC/VLR

SMS-G/IW MSC
HLR

SOG AUC

MS

MS

EDGE BTS UMTS R BTS N C BTS R N BTS C

ISP Network

SGSN

GGSN

MS

U T R A N

BG
Backbone Network

Corporate Network

EDGE boosts GSM

384 kbps

EDGE 115 kbps

57,6 kbps

GPRS

9.6 kbps GSM

HSCSD

Data rates

The Abbreviation
GPRS = General Packet Radio System

EGPRS = GPRS + EDGE modulation

EDGE = Enhanced Data rates for GSM Evolution

kbps 60 50 40 30 20

Standardized improvement I EGPRS Coding Schemes

54.4

59.2

CS coding scheme. MCS Multilevel CS

44.8 29.6 20.0 14.4 12.0 14.8 11.2 8.4 17.6 22.4

10 0

8.0

MCS1

MCS2

MCS3

MCS4

MCS6

MCS5

MCS7

MCS8

GPRS
GMSK modulation

EGPRS
8PSK modulation

MCS9

CS1

CS2

CS4

CS3

Coding Schemes used in GPRS & EDGE.

ETSI has defined 3 new coding schemes for RADIO interface other than the existing one. When the GPRS device talks to the base station , they can use one of the four coding schemes. CS-1 is the same as standard GSM.
.

CS-1 being slow is highly redundant. But because of this scheme being Slow , coding schemes number 2 & 3 are also being used ( These Coding Schemes have less redundancy) . CS-4 has the least & has no forward error correction control, but gives maximum throughput. If radio quality is bad the CS 1 is used otherwise the higher coding schemes are used. For EDGE we are mostly using multilevel coding schemes.

(E)GPRS Basic Technical Parameters

GSM Modulation Symbol rate Modulation bit rate Radio data rate per time slot User data rate per time slot User data rate (8 time slots) GMSK 270 ksym/s 270 kb/s 22.8 kb/s 20kb/s (CS4) 160kb/s 473,6kb/s (182.4kb/s) (553.6kb/s) EDGE 8-PSK / GMSK 270 ksym/s 810 kb/s 69.2 kb/s 59,2 kb/s (MCS9)

Network modification !
Internet GPRS
MS

GPRS Protocol

SGSN GGSN GGSN

EDGE BTS TRU

PCU

EDGE

MS

EDGE Protocol

No changes