
GSM Mobility Management

GSM architecture overview
- Network layout
- Protocols
- Addresses & identifiers

Location management

Handover management

Call delivery + location update

Security

Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001 Prof. M. Veeraraghavan, Polytechnic University, New York

GSM network layout

PLMN: Public Land Mobile Network
MSC: Mobile Switching Center
BSC: Base Station Controller
BTS: Base Transceiver Station

[Figure: GSM Network (PLMN) drawn as MSC regions, location areas, BSCs and BTSs]

GSM network layout


[Figure: network elements PSTN, ISDN, GMSC, MSC, BSC, BTS, OMC, EIR, HLR, AUC and VLR, with interfaces labelled Um, Abis, E, B, C]

GSM MAP protocol


- GSM MAP is similar to IS41 MAP
- MAP uses Transactions Capabilities Part (TCAP) of the SS7 stack
- MAP functions:
  - Updating of location information in VLRs
  - Storing routing information in HLRs
  - Updating and supplementing user profiles in HLRs
  - Handoff of connections between MSCs

What is a location area (LA)?


- A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell.
- One extreme is to page every cell in the network for each call, which is a waste of radio bandwidth.
- The other extreme is to have a mobile send location updates at the cell level. Paging is cut to 1 cell, but there is a large number of location updating messages.
- Hence, in GSM, cells are grouped into Location Areas: updates are sent only when the LA is changed, and the paging message is sent to all cells in the last known LA.

Addresses and Identifiers


International Mobile Station Equipment Identity (IMEI)
- It is similar to a serial number.
- It is allocated by the equipment manufacturer, registered by the network, and stored in the EIR.

International Mobile Subscriber Identity (IMSI)

MCC | MNC | MSIN

MCC: Country Code
MNC: Mobile Network Code
MSIN: Mobile Subscriber Identification Number

- When subscribing for service with a network, the subscriber receives the IMSI and stores it in the SIM (Subscriber Identity Module) card.
- The HLR can be identified by a VLR/MSC from the IMSI.

Addresses and Identifiers


Mobile Subscriber ISDN (MSISDN)
- The real telephone number: assigned to the SIM
- The SIM can have several MSISDN numbers for selection of different services like voice, data, fax

CC | NDC | SN

CC: Country Code
NDC: National Destination Code (NDC identifies the operator)
SN: Subscriber Number
The digits following the NDC identify the HLR.

Addresses and Identifiers


Mobile Station Roaming Number (MSRN)
- It is a temporary, location-dependent ISDN number.
- It is assigned by the local VLR to each MS in its area.

CC | NDC | SN

Addresses and identifiers


Temporary Mobile Subscriber Identity (TMSI)
- It is an alias of the IMSI and is used in its place for privacy.
- It is used to avoid sending the IMSI on the radio path.
- It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR.
- TMSI is stored in the MS SIM card and in the VLR.

TMSI, IMSI, MSRN and MSISDN


- Unlike MSISDN, IMSI is not known to the GSM user.
- The CC of MSISDN translates to an MCC of IMSI, e.g. Denmark: CC 45, MCC 238.
- TMSI is used instead of IMSI during location update to protect privacy. As the user moves, TMSI is used to send the location update. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
- MSRN is the routing number that identifies the current location of the called MS. MSRN is a temporary network identity assigned to a mobile subscriber. MSRN identifies the serving MSC/VLR. MSRN is used for call delivery (calls incoming to an MS).
- MSISDN is the dialed number to reach a GSM user.

Addresses and Identifiers


Location Area ID (LAI)

CC | MNC | LAC

CC: Country Code
MNC: Mobile Network Code
LAC: Location Area Code

- LAI is broadcast regularly by the Base Station on BCCH.
- Each cell is identified uniquely as belonging to an LA by its LAI.

Location management
Set of procedures to:
- track a mobile user
- find the mobile user to deliver calls to it

Current location of MS maintained by 2-level hierarchical strategy with HLRs and VLRs.

Ways to obtain MSRN


1. Obtaining at location update
   The MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
2. Obtaining on a per call basis
   This case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment.

Routing information: case when MSRN is selected per call by VLR/MSC


[Figure: entities GMSC, HLR and MSC/VLR; labels MSISDN, IMSI, VLR number, MSRN]

- If an MSRN is allocated to each subscriber visiting at an MSC, then the number of MSRNs required is large.
- If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number.
- Hence MSRNs are typically allocated per call by the VLR/MSC.

Call routing to a mobile station: case when HLR returns MSRN


[Figure: call routing from ISDN through GMSC, HLR and MSC/VLR to the BSCs and BTSs of LA 1 and LA 2 and on to the MS, with EIR and AUC also shown; arrow labels: 1 MSISDN, 4 MSRN, 5 MSRN, 6 TMSI, 7 TMSI, 8 TMSI]

Messages exchanged: call delivery


[Figure: message flow between PSTN, GMSC, HLR, VLR and Target MSC, with arrows numbered 1 to 6]

Entities: Originating Switch, GMSC, HLR, VLR, Target MSC

1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM

Find operation in GSM


- The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. Therefore, it forwards the call to the GMSC of the home PLMN (Public Land Mobile Network).
- The GMSC requests the current routing address (MSRN) from the HLR using MAP.
- By way of the MSRN the call is forwarded to the local MSC.
- The local MSC determines the TMSI of the MS (by querying the VLR) and initiates the paging procedure in the relevant LA.
- After the MS responds to the page, the connection can be switched through.
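The call delivery steps above, with the MSRN assigned per call, as an added example that is not part of the original slides. The class and function names, the sample numbers and the point at which the MSRN is released are assumptions made for illustration.

```python
# Added example (not from the original slides): toy model of call delivery
# with an MSRN assigned per call. All numbers are constructed sample values.

class VLR:
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)   # MSRNs owned by this MSC/VLR
        self.in_use = {}              # MSRN -> IMSI for calls being set up
        self.visitors = {}            # IMSI -> (TMSI, location area)

    def provide_roaming_number(self, imsi):
        """Steps 3-4: MAP_PROVIDE_ROAMING_NUMBER and its ack."""
        if imsi not in self.visitors:
            raise LookupError("subscriber not registered in this VLR")
        if not self.free:
            raise RuntimeError("no free MSRN")
        msrn = self.free.pop(0)
        self.in_use[msrn] = imsi
        return msrn

    def incoming_call(self, msrn):
        """Step 6 at the target MSC: map the MSRN back to the subscriber."""
        imsi = self.in_use.pop(msrn)
        self.free.append(msrn)        # assumption: the MSRN is released here
        return self.visitors[imsi]    # (TMSI, LA) to page

class HLR:
    def __init__(self):
        self.subscribers = {}         # MSISDN -> (IMSI, serving VLR)

    def send_routing_info(self, msisdn):
        """Steps 2-5: MAP_SEND_ROUTING_INFO and its ack; returns the MSRN."""
        imsi, vlr = self.subscribers[msisdn]
        return vlr.provide_roaming_number(imsi)

def deliver_call(hlr, vlrs, msisdn):
    """GMSC logic: returns (MSRN used for routing, (TMSI, LA) to page)."""
    msrn = hlr.send_routing_info(msisdn)
    target = next(v for v in vlrs if msrn in v.in_use)   # route on the MSRN
    return msrn, target.incoming_call(msrn)

def demo():
    vlr = VLR(["4599000001", "4599000002"])
    vlr.visitors["238010000000001"] = ("a1b2c3d4", "LA 2")
    hlr = HLR()
    hlr.subscribers["4520123456"] = ("238010000000001", vlr)
    first = deliver_call(hlr, [vlr], "4520123456")
    second = deliver_call(hlr, [vlr], "4520123456")
    return first, second, sorted(vlr.free)
```

Because the MSRN goes back to the pool once the call reaches the target MSC, the pool only has to cover calls that are being set up at the same moment, not every visiting subscriber.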

GSM security
Authentication
What signed response (SRES) are you able to derive from the input challenge RAND by applying the A3 algorithm with your personal key Ki (Ki is per subscriber)?

[Figure: the MS and the network each apply the A3 algorithm to Ki and RAND (128 bit); the SRES from the MS is compared with the SRES computed by the network (equal?)]

GSM security
Encryption
- Digital technology: easy to encrypt voice data
- A5 derives a ciphering sequence of 114 bits for each burst independently
- XOR 114 bits of a radio burst with 114 bits of a ciphering sequence generated by A5

[Figure: at both the BTS and the MS, the A5 algorithm takes Kc (64 bits) and the frame number (22 bits) and produces the sequences S1 (114 bits) and S2 (114 bits), which are used for ciphering and deciphering]

Key management
- Ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki).
- Each time a mobile station is authenticated, the MS and network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES.
- Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
- There is a bootstrap period during which the network does not know who the subscriber is:
  - Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted).
- Protection: use TMSI instead of IMSI when possible.
- TMSI should be exchanged during protected signaling (ciphered) procedures.
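The authentication, key management and per-burst ciphering described on the three security slides above, as an added example that is not part of the original slides. HMAC-SHA256 and SHAKE-128 are stand-ins chosen here, not the real A3/A8/A5 algorithms; the function names, the 32-bit SRES size and the sample values are assumptions.

```python
# Added example (not from the original slides). HMAC-SHA256 and SHAKE-128 are
# stand-ins chosen for this sketch; they are NOT the real A3/A8/A5 algorithms.
import hashlib, hmac, os

MASK114 = (1 << 114) - 1

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3 and A8: returns (SRES, Kc) from Ki and RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]            # 32-bit SRES (assumed size), 64-bit Kc

def auc_auth_info(ki: bytes, rand: bytes = None):
    """AUC side: build the (RAND, SRES, Kc) set passed on to the VLR."""
    if rand is None:
        rand = os.urandom(16)        # 128-bit challenge
    sres, kc = a3_a8(ki, rand)
    return rand, sres, kc

def ms_respond(sim_ki: bytes, rand: bytes):
    """MS side: Ki stays in the SIM; only SRES is sent back."""
    return a3_a8(sim_ki, rand)       # (SRES to send, Kc kept locally)

def network_check(auth_info, sres_from_ms: bytes) -> bool:
    """Network side: the 'equal?' comparison of the two SRES values."""
    return hmac.compare_digest(auth_info[1], sres_from_ms)

def a5(kc: bytes, frame_number: int):
    """Stand-in for A5: sequences S1 and S2 (114 bits each) for one frame."""
    if not 0 <= frame_number < 1 << 22:
        raise ValueError("frame number is 22 bits")
    seed = kc + frame_number.to_bytes(3, "big")
    v = int.from_bytes(hashlib.shake_128(seed).digest(29), "big") >> 4
    return v >> 114, v & MASK114     # 228 bits split into S1 and S2

def xor_burst(burst: int, seq: int) -> int:
    """Cipher or decipher one 114-bit burst (the same XOR does both)."""
    return (burst ^ seq) & MASK114

def demo():
    ki = bytes(range(16))                        # constructed subscriber key
    info = auc_auth_info(ki, rand=bytes(16))     # constructed fixed RAND
    sres, ms_kc = ms_respond(ki, info[0])
    burst = int.from_bytes(b"constructed!", "big") & MASK114
    s1_net, _ = a5(info[2], 1234)                # network side
    s1_ms, _ = a5(ms_kc, 1234)                   # mobile side, same frame
    on_air = xor_burst(burst, s1_net)
    return network_check(info, sres), xor_burst(on_air, s1_ms) == burst, on_air != burst
```

Neither Ki nor Kc crosses the radio path in this exchange: only RAND and SRES do, and both ends arrive at the same Kc independently.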

Location registration
- MS has to register with the PLMN to get communication services.
- Registration is required for a change of PLMN.
- MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
- The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
- If the MS recognizes by reading the LAI broadcast on BCCH that it is in a new LA, it performs a Location Update to update the HLR records.
- The location update procedure could also be performed periodically, independent of the MS movement.
- The difference between Location Registration and Location Update is that in location update the MS has already been assigned a TMSI.
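An added example (not part of the original slides) of the difference between the two procedures as seen by a listener on the radio path: the IMSI appears once, at registration, and every later update carries a different TMSI. The class, the 4-byte TMSI length and the sample IMSI are assumptions; authentication and ciphering are not modelled.

```python
# Added example (not from the original slides): which subscriber identity a
# listener on the radio path sees in location registration vs. location update.
import secrets

class VLR:
    def __init__(self):
        self.imsi_by_tmsi = {}

    def _reallocate_tmsi(self, imsi):
        for old in [t for t, i in self.imsi_by_tmsi.items() if i == imsi]:
            del self.imsi_by_tmsi[old]               # retire the previous alias
        tmsi = secrets.token_hex(4)                  # TMSI length is an assumption
        while tmsi in self.imsi_by_tmsi:
            tmsi = secrets.token_hex(4)
        self.imsi_by_tmsi[tmsi] = imsi
        return tmsi

    def location_registration(self, imsi, lai, air):
        # Bootstrap: the MS has no TMSI yet, so the IMSI goes out unencrypted.
        air.append(("clear", "Loc.Upd.Req", imsi, lai))
        return self._accept(imsi, air)

    def location_update(self, tmsi, lai, air):
        air.append(("clear", "Loc.Upd.Req", tmsi, lai))
        if tmsi not in self.imsi_by_tmsi:
            raise LookupError("TMSI not known to this VLR")
        return self._accept(self.imsi_by_tmsi[tmsi], air)

    def _accept(self, imsi, air):
        # Authentication and start of ciphering would run here (not modelled).
        tmsi = self._reallocate_tmsi(imsi)
        air.append(("ciphered", "TMSI Realloc.Cmd.", None, None))  # hidden by A5
        return tmsi

def identities_in_clear(air):
    """Identities a passive listener can read from the recorded messages."""
    return [ident for mode, _, ident, _ in air if mode == "clear"]

def demo():
    vlr, air = VLR(), []
    imsi = "238010000000001"                         # constructed IMSI
    tmsi = vlr.location_registration(imsi, "LA 1", air)
    for lai in ("LA 2", "LA 3", "LA 1"):             # MS moves between LAs
        tmsi = vlr.location_update(tmsi, lai, air)
    return imsi, identities_in_clear(air), tmsi
```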

Location registration

[Message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI and Ki. Message labels as extracted: Loc.Upd.Req (IMSI, LAI); Upd Loc.Area (IMSI, LAI); Aut.Par.Req (IMSI); Auth.Info.Req (IMSI); Auth.Info (IMSI, Kc, RAND, SRES); Aut. Info. (IMSI, Kc, RAND, SRES); Authenticate (RAND); Authentic. Req (RAND); the MS applies A3 & A8 to Ki and RAND to obtain Kc and SRES; Auth.Resp. (SRES); Auth.Resp (SRES); Update Location (IMSI, MSRN); Generate TMSI. Contd...]

(contd) Location registration.

[Message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Message labels as extracted: Generate TMSI; Start Ciph. (Kc); Ciph.Mod.Com.; Ciph.Mod.; a message M ciphered by A5 with Kc, shown as Kc(M), at both ends; Forw. New TMSI (TMSI); Ins.Subsc.Data (IMSI); Subs.Dat.Ins.Ack; Loc.Upd.Accept (IMSI); TMSI Realloc.Cmd.; TMSI Realloc.Ack; TMSI.Ack. Annotations: "New TMSI is received by MS (TMSI Reallocation) in ciphering mode."; "can be combined" next to Loc.Upd.Accept and the TMSI reallocation messages.]

Location update

[Message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI, TMSI, Ki, Kc and LAI. Message labels as extracted: Loc.Upd.Req (TMSI, LAI); Update Loc.Area (TMSI, LAI); Authentication; Update Location (IMSI, MSRN); Generate TMSI; Start ciphering (Kc); Insert Subscriber data (IMSI); Subs. Data Insert Ack. (contd..)]

(..contd) Location update.

[Message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Message labels as extracted: Start ciphering; Forward new TMSI (TMSI); Loc. Upd. Accept (IMSI); TMSI Realloc. Cmd.; TMSI Reallocation Complete; TMSI Ack; Auth. Para. Req (IMSI); Auth.Info.Req (IMSI); Auth. Info. (IMSI, Kc, RAND, SRES)]

Types of handover (same as handoff)


There are four different types of handover in the GSM system. Handover involves transferring a call between:

- Channels (time slots) in the same cell,
- Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
- Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
- Cells under the control of different MSCs.

Attributes of radio-link handover

- Hard handover
- MAHO
- Backward
- COS selection scheme: static
- Cross-over switch: anchor switch

Handover (MAHO)
Handovers are initiated by the BSS/MSC (as a means of traffic load balancing). During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength. This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

Handover procedures in GSM


[Figure: connection route through MSC-A, MSC-B and MSC-C, their BSCs and BTS 1, BTS 2 and BTS 3, with numbered arrows]

Inter MSC basic handover


[Message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Message labels as extracted: Handover required; Perform Handover; Allocate Handover number; Handover report; Radio chan. Ack; IAM; ACM; HA Indication; HB Indication; HB Confirm; Send End Signal; ANS; End of Call; REL; RLC; End Signal; Handover report]

Subsequent handover from MSC-B to MSC-A


[Message sequence chart between MS/BSS 1, MSC-A, MSC-B, MS/BSS 2 and VLR-B. Message labels as extracted: HA Required; Perform subsequent Handover; Subseq. Handover Acknowledge; HB Indication; HB Confirm; HA Indication; End Signal; Handover report; End of Call; REL; RLC]

Subsequent handover from MSC-B to MSC-C


[Message sequence chart between MSC-A, MSC-B, MS, MSC-C and VLR-C. Message labels as extracted: Perform subsequent Handover; HA Request; Perform Handover; Allocate Handover Number; Radio chan. Ack.; Send Handover report; IAM; ACM; HB Indication. (Contd)]

(contd) Subsequent handover from MSC-B to MSC-C

[Message sequence chart between MSC-A, MSC-B, MS, MSC-C and VLR-B. Message labels as extracted: Perform subsequent Acknowledge; HA Indication; Send End Signal; ANS; HB Confirm; End Signal; Handoff Report; REL; RLC]

Abbreviations
ISC: International switching center
OMC: Operations and maintenance center
GMSC: Gateway switching center
MSC: Mobile switching center
VLR: Visitor location register
HLR: Home Location register
EIR: Equipment Identification register
AUC: Authentication center
BSC: Base station controller
BTS: Base transceiver station
MS: Mobile subscriber
TMSI: Temporary Mobile Subscriber Identity
IMSI: International Mobile Subscriber Identity
