GPRS & EDGE

M K HAK.
Agenda
GPRS

EDGE

Deployment Reference

Security in GPRS
 GPRS
(General Packet Radio Service)
Agenda
General GPRS

GPRS Network

GPRS Roaming

GPRS Security

Security in GPRS
General GPRS
GSM Bit Rate Evolution

Bit rate in kbps

100
90
80
70
60
50 Higher
40 Bandwidth!
30
20
10

0
9.6kbps 14.4kbps HSCSD GPRS Technology
(Today) CS-2 EDGE
38.4-64kbps 115kbps 384kbps
CS-1
GPRS Network
 Network Architecture – 1/2
A’’ A MAP
BTS BSC MSC/VLR HLR
Gr (MAP)
BTS
Gb
 Packet data for the radio interface
Gs Gc IP
Network
 CS and PS data descrimination
Gi (IP)
 Slot and channel allocation
SGSN GGSN
 Existing A’’ interface is reused

Gd (MAP) Gn Gn BSC
 GPRS Mobility Management
SMS-GMSC Backbone
Network
 Gb – Frame Relay
SMS-IWMSC
IP  Allocation of PDCH in cells
MS  Handling of GPRS Paging
 Broadcast GPRS information
 HLR
 GPRS subscription and
routing information
Network Architecture – 2/2  Maps subscriber to one
or more GGSNs
A’’ A MAP  Update SGSN at attach and
BTS BSC MSC/VLR HLR detach
Gr (MAP)
Gb
Gs Gc IP
Network
Gi (IP)
SMS-GMSC SGSN GGSN
MS SMS-IWMSC
Gi (X.25)
MSC Gd (MAP) Gn Gn

 Location info from X.25

SGSN Backbone Network
Network
 CS paging request IP
to SGSN
SMS-SC
 Signalling •SS7/MAP based
coordination for •SMS is delivered over GPRS for
class A/B mobile GPRS attached terminals
(Gs)
 Charging in GPRS – 1/2
SMS-G/IW MSC
Gd (MAP)
A’’ A
BTS BSC MSC/VLR HLR
Gr (MAP)
Gs (BSSAP+)
Gb
ISP
Charging can be done Network
Gi (IP)
• at SGSN or GGSN or both
• for data volume and / or
SGSN GGSN
MS • for PDP context duration Gi (IP)
Gn Gn

Corporate
Mediation Backbone Network
Network
Types of CDRs in GPRS
S-CDR : radio n/w related (fm SGSN)
G-CDR : for External n/w usage (fm GGSN)
M-CDR : related to MM activities (fm SGSN)
2 CDRs related to usage of SMS with GPRS (fm SGSN)
Charging in GPRS – 2/2
SMS-G/IW MSC
Gd (MAP)
A’’ A
BTS BSC MSC/VLR HLR
Gr (MAP)
Gs (BSSAP+)
Gb
ISP
Gi (IP) Network
SGSN GGSN
MS Gi (IP)
Gn Gn

Corporate
Mediation Backbone Network

Billing Gateway Functions Network

•interface between GSNs and existing billing systems
•Matching & Filtering of CDRs per PDP context basis
•Rating : can put price tag to GPRS CDRs, partly or fully
•Can convert volume based CDRs into time based CDRs for billing systems
•Storing : (i) Stores security the CDRs till a session ends
(ii) The matched CDRs are stored till billing system needs them for processing
GPRS PDP Context Activation
SMS-G/IW MSC SOG

BTS BSC MSC/VLR AUC

HLR

ISP
MS Network
SGSN GGSN

Activate PDP context Request

BG Corporate
Activate PDP context Accept Network
Backbone
Authentication and Ciphering Req. Network
Authentication and Ciphering Response
Send Authentication Info.
Create PDP context
Request Send Authentication Info. ACK.
Create PDP context Response
Mobile Terminals

Class A mode of operation:

Attached both to CS and PS
Simultaneous Circuit (CS) and Packet-Switched (PS) services

Class B mode of operation:

Attached both to CS and PS.
Automatic choice of service, CS or PS, but only one at a time

Class C mode of operation:

Can be attached to either CS or PS service
Network - Mode of Operation
Network operation mode I:
• CS paging message for a GPRS-attached MS, either on the GPRS paging channel (i.e., the
packet paging channel or the CCCH paging channel), or on a GPRS traffic channel.
• MS needs only to monitor one paging channel (More sleep time to MS)
• Combined RA and LA update
• Gs interface is present between SGSN & MSC/VLR

Network operation mode II:

•CS paging message for a GPRS-attached MS on the CCCH paging channel, and this
channel is also used for GPRS paging.

Network operation mode III:

• CS paging for a GPRS-attached MS on the CCCH paging channel
• GPRS paging on either the packet paging channel (if allocated in the cell) or on the CCCH
paging channel.
• MS shall monitor both paging channels if the packet paging channel is allocated in the cell.
Channel Allocation
• Fixed and/or dynamic channels
• 0-8 fixed GPRS channels / cell
• unlimited number of on-demand (dynamic) GPRS channels /cell
• CS can pre-empt dynamic GPRS channels
• First fixed GPRS channel carries PCCCH

TS0 TS1 ... TS7

f1
f2

fn

BCCH TCH

SDCCH PDCH
Efficient use of Radio Resources
Example on Radio Channel Allocation

TS 1

TS 2 Circuit
Switched
TS 3

TS 4

TS 5

TS 3 Packet
Switched
TS 2

TS 1
Time
GPRS Roaming
 PLMN Roaming

HPLMN
DNS
ISP
SGSN GGSN

APN available in Home PLMN only

UPLMN
DNS

MS SGSN GGSN
GGSN
GGSN
VPLMN
 ISP Roaming

HPLMN
SGSN GGSN

APN available in Visited PLMN

DNS
ISP
MS SGSN GGSN
GGSN
VPLMN
Multi PLMN Support

BSS
HPLMN2
BSS
HLR
HLR
HPLMN3 SGSN
Gb
BSS GGSN ISP
HLR
M-PLMN feature provides seamless PLMN Roaming

HPLMN1 Normal GSM Roaming

GPRS Charging Same
MS
BSS
HLR HPLMN4
Inter SGSN Roaming

HPLMN1
SGSN GGSN ISP
Normal GSM Roaming

APNs are same as GGSN is common Gn

CDRs generated in Visited SGSN

SGSN

HPLMN2
GPRS Roaming Scenario (with GRX)

VPLMN1
DNS
HPLMN
DNS SLA

GRX
GRX
DNS
DNS DNS
VPLMN2 - INT
GRX DNS

GRX = GPRS Roaming Exchange

Roaming Billing

• TAP - Records (Transferred Account Procedure)

– Existing methods of TAP exchanges shall be used
– TAP File Spec 3 required - GPRS enhancements like: data
volume, IP address, APN, etc.

• Different concepts to existing TAP Record

Procedures
– Partial Records Generated + Data volume counts
– CDRs from HGGSN and VSGSN - different records from
different networks for the same connection
Security Issues in GPRS
Mobile Operator Security Requirements

Corporate Roaming
Partner #1
Network #1

GTP

Firewall Firewall

Firewall Operator GTP

GRX
Firewall
VPN
Over
IPSec

VPN VPN
Roaming
Corporate Partner #2
Network #2
Security Threats on the Gn / Gp Interface

• Threat:
– Denial of Service from invalid or flood of GTP traffic
– Undesirable GTP messages
• Solution:
– GTP traffic management prevents the GSNs from being overwhelmed
– GTP packet sanity check in firewall prevents GSNs from having to try to
process malformed GTP packets
– GTP stateful inspection prevents GSNs from having to process GTP
packets which don’t make sense because of no PDP context or wrong
PDP context state
– GTP policies which determine which GTP messages should be allowed
Security Threats on the Gn / Gp Interface

• Threat:
– GTP traffic from a non-roaming partner can kill a MS session or
hijack a session
– GTP traffic spoofed to appear from a valid roaming partner
• Solution:
– GTP security policies block traffic from non-roaming partners
– High performance IPSec tunnels across GRX can be used to
maintain confidentiality and integrity of GTP and prevent GTP
from being spoofed
Security Threats on the Gi Interface

• Threat:
– A subscribers Internet connection may be flooded by incoming
traffic
– The Gi Internet connection may be flooded
– Hackers may attack subscribers with malicious traffic
• Solution:
– Firewall traffic management protects the Gi Internet connection
for subscribers and the PLMN as a whole
– Firewall can protect against many common attacks
Security Threats on the Gi Interface

• Threat:
– Mobile Subscribers attack each other
– Corporate customers attack each other
• Solution:
– Firewall Gi tunnel hub sends all Internet traffic to the firewall
before its sent back to the GGSN; security policies prevent
subscribers from attacking each other
– Firewall Gi tunnel hub uses virtual routers to logically separate
traffic corporate intranet traffic all the way from the GGSN to the
corporate network
 EDGE
(Enhanced Data rates for GSM Evolution)
Agenda
General EDGE

EDGE Network

Security in GPRS
 GPRS Evolution
- The Way to UMTS SMS-G/IW MSC SOG

BTS BSC MSC/VLR AUC

MS HLR

ISP
EDGE Network
MS BTS SGSN GGSN

UMTS
Corporate
U BTS R
BTS R BG
Network
MS N
N Backbone
T
BTS C
C Network
R BTS
R
R
A
N
N
N BTS
BTS PTM-SC
C
C
 384 kbps
EDGE boosts GSM…

Data rates
EDGE
115 kbps

GPRS
57.6 kbps

9.6 kbps HSCSD

GSM
 The Abbreviation

GPRS = General Packet Radio System

EGPRS = GPRS + EDGE modulation

EDGE = Enhanced Data rates for GSM Evolution

kbps Standardized improvement I
60 EGPRS Coding Schemes 59.2

54.4
50

40
44.8

30 29.6
22.4
20 20.0
14.4 17.6
12.0 14.8
11.2
10
8.0 8.4

0
MCS2

MCS3

MCS4
MCS1

MCS5

MCS6

MCS7

MCS8

MCS9
CS1

CS2

CS4
CS3

GPRS EGPRS
GMSK modulation 8PSK modulation
(E)GPRS Basic Technical Parameters

GSM EDGE
Modulation GMSK 8-PSK / GMSK
Symbol rate 270 ksym/s 270 ksym/s
Modulation bit rate 270 kb/s 810 kb/s
Radio data rate per time slot 22.8 kb/s 69.2 kb/s
User data rate per time slot 20kb/s (CS4) 59,2 kb/s (MCS9)
User data rate (8 time slots) 160kb/s 473,6kb/s
(182.4kb/s) (553.6kb/s)
Network modification !
Internet

GPRS Protocol
GPRS MS SGSN GGSN
GGSN

EDGE
BTS PCU
TRU

EDGE MS EDGE Protocol

No changes
EDGE ...
is easy to implement

increases both capacity

and performance in GPRS networks

provides complementary coverage

takes GSM to one seamless network

Ericsson GPRS / Edge

Deployment
ERICSSON GPRS Deployment

• 94 GPRS commercial agreement world

wide

• 280 million subscribers accessing through

Ericsson GPRS system

• 15 EDGE commercial contracts

ERICSSON GPRS with Non Ericsson Core Network (SS+BSS)

Operator Core Network Vendor

 Orange, France Motorola BSS

 Unicom, China Motorola BSS
 Etisalat, UAE Motorola BSS
 Panafone, Greece Motorola BSS
 Sonera, Finland Nokia (NSS & BSS)
 Bouygues Telecom, France Nokia and Nortel BSS, Ericsson NSS
 Telia Mobile, Sweden Nokia (NSS and BSS)
 Orange, UK Nokia (NSS and BSS)
 France Telecom, France Alcatel (SS & BSS)
 T-Mobil, Germany Alcatel & Lucent BSS, Alacatel & Siemens NSS
 Omnipoint Voicestrem, USA Nortel
 One-2-One, UK Nortel BSS
 Cesky Mobile, Czech Republic Siemens (BSS)
 Telecell, Pourtgal Lucent (BSS)
 AT&T Wireless, USA Lucent and Nokia
 Questions ?

Thank You !!