example: - measurement report a rr message has the the
TRANSCRIPT
Mobile communications
Example: - MEASUREMENT_REPORT – a RR message has the
message type field: 00010 - 101 and the PD field equal to 0110
The message will be decoded by BTS; BTS adds its own
measurements (uplink) and sends the message to BSC
Information elements – body of the signaling message
5.4 Signaling on the Abis interface
-several destinations/origins possible
(the BSC must be able to communicate
with each TRX)
-each TRX has its own signaling link (RSL)
at 16kbps or 64kbps and a supplementary
O&M 64kbps link
is provided per BTS
Example (revisited) :BSC-BTS with 4 TRXs
Mobile communications
5.4.2 Data link layer
- LAPD- Link Access Protocol for D channel
-error correction is not provided by the lower layer -> a FCS is needed
for ensuring reliable data transfer ; a go-back-N retransmission strategy
is employed on the Abis interface
-the HDLC addressing facilities must allow the BSC to communicate
with each TRX within a BTS and to process the information with the
right software module
-addressing is carried out on two levels:
SAPI
= 0 – signaling data coming or going from/to the radio interface (RSL-
Radio Signaling Link- CM,MM and RR signaling)
= 62- O@M (software downloading for example)
= 63- layer 2 management – dynamic allocation of TEIs
TEI (Terminal Endpoint Identifier)
= allows distinction between TRXs at a data link layer level
Mobile communications
BSC
TRX, frequency
and TS known
MS
BTS
TRX jSAPI = 0
TEI->TRX j
LAPDm LAPD
Logical
channel
BSC
MS
BTS
TRX kSAPI = 0
TEI
Layer 3
RR(meas.
report)meas. report
for uplink
Examples
TEI->TRX k
Mobile communications
5.4.3 Layer 3 signaling on the Abis interface
MS BTS BSC
PD = CM, MM
MSC
-MM, CM related signaling is not interpreted by a BSS and must be transmitted
in a transparent way.
-for RR messages destinations/origins can be MS/BTS/BSC
-The solution is implemented through a dedicated protocol BTSM (BTS
Management) that add in the header a supplementary byte called Message
Discriminator (MD)
MD Layer 3 message
000xxxxT transparent if 1
0000001 RLM
0000100 DCM
0000110 CCM
0001000 TRX management
MS BTS BSCActive link
MD->RLM
- RLM (Radio Link Management) used for transmitting layer 3 messages in
transparent mode and for releasing/establishing/configuring/maintaing layer 2
signaling links – ex: the MS initiates a LAPDm connection on the radio interface at
handover time; the message arrives at BSC which releases the old channel
Mobile communications
❑DCM – Dedicated Control Channel Management – BSC-BTS messages used
for activation /deactivation of a dedicated channel in a specific TRX of the BTS
and setting up of its parameters, power control, reception of measurement reports
etc.
BTS BSC
MD->DCM
❑CCM – Common Control Channel Management (CCM)
– messages for managing information transferred on the common control
channels on the radio interface (RACH, paging, BCCH information, AGCH etc)
❑TRX management – TRX management
BTS BSC
MD=CCM
Common
control
channels
Mobile communications
5.5 Signaling on the A interface
- based on SS7 (Signaling System no.7)
5.5.1 SS7 signaling
- GSM employs “out of band” signaling – the signaling path is not
identical with the voice/data path
Signaling messages for
establishing voice/data circuits
SSPA SSPB
STP
interrogations, insertion of new
fields etcSCP
Voice/data
Mobile communications
SSP –signaling switching points – can terminate or initiate calls (MSCs
in GSM)
STP – signaling transfer points – packet switches dealing with routing of
SS7 messages
SCP - signaling control points – databases that can be interrogated and
updated (example HLR in GSM) accepting queries from an SSP
Each SS7 node has an unique address denoted SPC (Signaling Point
Code)
SS7 terminology:
SS7 lower layers:
MTP3 – routing role: each messages carries destination/origin
information – Destination Point Code/Originating Point Code DPC/SPC
Mobile communications
Mobile communications
MTP3 – handles routing of SS7 messages at national level and operates in
connectionless mode each packet must carry besides OPC/DPC a full
description of the signaling message
SCCP – Signaling Connection Control Part – provides enhancements to
MTP3 for handling routing at international level and can it can operate in
connection oriented mode for reducing the overhead information needed by
simple MTP3 transfer
BSC MSC
MS1=TSx, ARFCnx
SCCP reference
for MS1
MS
SCCP reference
for MS1
Transaction 1
Unique
SCCP
connection
RR
connection
Transaction 2
Mobile communications
CR
Location updating request (SLR=10)+ IMSI
CC
Autentication request(SLR=35/DLR=10)
DT1
Authetication response(DLR=35)
DT1
Location updating accept (DLR=10)
Example of a SCCP connection
CR- connection request
CC- connection confirm
DT1 – data form 1
SLR – source local reference
DLR- destination local reference
BSC MSC
-for routing purposes SCCP provides an extra addressing field denoted
SSN- Subsystem Number (Example : VLR, HLR, EIR, AUC in GSM have
all distinct SSNs) for allowing non-call related signaling like database
interrogation procedures
-SCCP also adds to MTP3 a GTT (Global Translation Title) facility used
for simplified, incremental routing
-when using GTT the originator of the message might not be aware of the
DPC and for routing a GT (Global Title) is used.
-in GSM the GT is essentially the IMSI or the MSRN of the mobile
subscriber or a derivation of them following some conversion rules (E.212-
IMSI and E. 164- MSRN are most used)
-using GT and SSN a message can reach its final destination even if its
DPC is not known by the originator
Mobile communications
Mobile communications
MS
MS
MSC/VLR service area 2
HLR
DPC=?
Gateway
STP 1
Gateway
STP 2
Global title -> DPC Gateway STP 2
Routing
table
Routing
table
Country
B
Country AMSC
Global title + SSN -> DPC HLR
MTP3
MTP3
SCCP routing example – international location updating with different LAI and
MSC/VLR (E.212 –IMSI based GTT)
MS moves to a new service MSC/VLR service area and forwards its TMSI; the
new VLR retrieves the IMSI from the old VLR
-the new VLR must indicate its address to the HLR that it handles the MS; it builds
an SCCP message adding GT= IMSI and the HLR’s SSN (05)
MSC/VLR service area 1
MTP3
Mobile communications
-the MSC2 inspects the MCC field from IMSI and determines that
international signaling must take place and the message is forwarded to a
gateway STP (Gateway STP1)
-Gateway STP1 – based on the routing table it maintains determines the
address of Gateway STP2 (international STP for the HPLMN)
-Gateway STP2 - translates the GT and SSN into a DPC for the HLR and
builds an MTP3 message an relays the message to the relevant HLR
using MTP3
❑Besides addressing and routing SS7 provides higher layers: User Parts
that are used for call setup and release, for allowing concurrent transactions
to take place etc.
Mobile communications
Complete SS7 stack:
User parts: protocols that operate at the application layer level in the
OSI model and define the format and the way of exchanging
messages to establish and tear up calls (ISUP, TUP) or to transfer
signaling information in GSM (TCAP, BSSAP)
BSSAP (BSS Application Part): GSM specific, allows direct transfer of
CM and MM messages (DTAP – Direct Transfer Application Part) and
provides means for protocol interworking to take place (BSS Mobile
Application Part) in case of inter MSC handovers or paging
Mobile communications
❑Stack of protocols
5.6 Signaling inside NSS
❑Lower layers
SCCP
MTP (MTP1,MTP2,MTP3)
MAP
TCAP
SCCP
MTP
❑Application layers (OSI model)
MAP –Mobile Application Part
TCAP –Transaction Capability Application Part
- routing – done by MTP3 (national signaling) or by SCCP (international
using global title translation)
- connectionless transfer mode for signaling messages
Mobile communications
❑TCAP – Transaction Capability Application Part
- using TCAP a user can invoke a function that runs on a remote
machine and receive answer
- TCAP exchange of messages is structured in dialogues
Equip.2
INVOKE function1
REPLY answer1
function1
Equip.1
INVOKE function3
REPLY answer3
Dialog 1
Dialog 2 function3
Ex: GMSC receives two incoming calls:
Equip.1 = GMSC, Equip. 2 = HLR,
function 1 = function 3 =provision of
MSRNs; dialogues are identified by a
dialogue ID
Mobile communications
❑MAP – Mobile Application Part
- specially designed for GSM – GSM 09.02
- used in MSC/HLR/VLR/EIR; these entities communicate using MAP
messages in connection with:
management of mobility related information – updating of addresses in
HLR/VLR, location updating/registration/cancellation etc
inter MSC handovers
transfer of security related data (authentication, IMEI management etc)
handling of subscriber services (data/voice, SMS, SS etc)
- several MAP interfaces are defined – several message formats/contents
- MAP uses TCAP handling facilities to allow transfer of signaling information
between:
2 functional entities (peer to peer mode)
several functional entities
call handling
Mobile communications
MSC
MSC
VLR HLR AUC
EIR
GMSC
NSS
E
F
D
CGB
E
❑MAP interfaces
Mobile communications
5. 7 Signaling procedures
- the GSM specifications are indicating the succession of signaling messages
for achieving a given task in terms of procedures
- procedures are classified in terms of the involved layer 3 protocols ->
RR/MM/CM procedures
5.7.1 RR procedures
RR procedures are responsible for:
- establishment/maintenance/release of RR connections
(RR connection = bidirectional physical connection to support the dialogue
in between a MS and the network for exchange of upper layer information –
MM/ CM- messages)
- reception of unidirectional logical control channels (BCCH, SCH, FCCH,
AGCH, PCH)
- continuity preservation for ongoing calls - handovers
Functional entities involved: MS, BTS, BSC and MSC (for inter MSC
handovers)
Mobile communications
❑RR connection establishment
or whenever a MM/CM procedure is needed
- the procedure is initiated by the MS whenever it attaches to the network
- a MS can initiate such a procedure as a response to paging or at its own
initiative; a single RR connection may exist for each MS at a given instant
BTS BSC
(AGCH)
CHANNEL ACTIVATION (RR-DCM)
CHANNEL REQUIRED (RR-CCM)
CHANNEL ACTIVATION ACKNOWLEDGE
(RR-DCM)
IMMEDIATE ASSIGNEMENT (RR- CCM) – TS, ARFCn,random number , TA value
CHANNEL REQUEST (RACH)
Rand number and reason included
“Contention resolution
SABM (SDCCH)
MS
UA (SDCCH)
Mobile communications
- the request is forwarded by a BTS to BSC together with a TA estimate and
the TDMA frame number when the request was received
- the request is sent by a MS using RACH in a TS; the MS inserts a random
number and the reason for the access:
- answer to paging
- location updating
- originating call
- emergency call
- IMSI attach, SMS, SS management
- the BSC determines what channel must be employed (typically a SDCCH and
a SACCH) and activates a channel on a TRX within the BTS, activation is
carried out using RR/BTSM DCM messages and LAPD addressing facilities
(SAPI + TEI)
Steps :
Mobile communications
-if activation is successful the BSC constructs an assignment message
containing the channel description (TS, ARFCN, TSC, HSN, MAIO, list of
hopping frequencies, etc) which is sent to the MS together with a TA command;
the logical channel employed on the radio interface is AGCH (the message is
not interpreted by the BTS); distinction among several MSs placing demand on
the same time (same TDMA frame) is done by inserting the random number
sent previously on RACH and the TDMA frame number when request was sent
- the MS tunes on the allocated channel (SDCCH) and sends its identity (TMSI)
on a standard SABM LAPDm frame
- the BTS answers by piggybacking TMSI using an UA frame
- if more than one MS are getting the same channel indication only one of
them is allowed to access the network - contention resolution
- the most important Channel Activation information elements are:
- Channel type –SDCCH number
- ARFCn
- frequency hopping parameters: HSN, MAIO
- training sequence (TSC- Training sequence code)
Mobile communications
❑ The paging procedure
- the procedure used to signal incoming calls to MS; the MS is identified on the
radio leg by its TMSI
- the paging command is issued by a MSC on a location area basis
BTSMS MSCBSC
PAGING (include IMSI/TMSI si LAI)BSSMAPPAGING COMMAND(RR)
PAGING REQUEST (RR)
PAGING REQUEST (RR)
.
.
.
(PCH)
(PCH)
RR connection establishement procedure
PAGING RESPONSE
SABM frame
PAGING RESPONSE
RR (RLM)
PAGING RESPONSE
(BSSAP) + CGI
Mobile communications
- continuity of incoming calls (terminal mobility component)
- only MSs in dedicated mode are concerned and involves quick switching of
the radio dedicated traffic channel
- hard handover are employed in GSM – the mobile station stops emitting on
the old channel before emitting on the new one
- the main criteria for handovers is the link quality (RXQUAL) and the power
level (RXLEV); traffic balancing based algorithms might be implemented also
❑ Handovers
- the PAGING RESPONSE message includes the MS classmark (its
capabilities in encoded format) and its TMSI
- the message is sent to the MSC and an SCCP connection is established for
further exchange of signaling messages
- decision is taken by the serving BSC and is based on measurement reports
built by MS (downlink ) for its current channel (RXQUAL, RXLEV) and adjacent
beacon frequencies (RXLEV) and by BTS (uplink) for the current traffic channel
- as a result of handover procedures a location updating procedure might
be required after the call has ended
- may involve several MSCs (inter- MSC handovers)
Intra BTS (intra-cell) handovers
- frequency changes performed when signal quality is poor and on
neighboring cells quality is not better; can occur in between different bands for
example in between GSM 900 and DCS 1800
Intra BSC handovers
- a TCH is to be switched from the current cell (BTS) to a target cell controlled
by the same BSC
- even if not involved, the serving MSC is informed after handover is
performed
Intra/Inter MSC handovers – new TCH on different BSC/MSC
Mobile communications
Mobile communications
Steps involved in an intra BSC handover:
- measurements are taken by the MS for the current cell and for neighboring
cells (indicated by the network on SACCH downlink)
- measurements are forwarded on SACCH (uplink) to the serving BTS; only
the best received beacon frequencies on which the MS has decoded the BSIC
are reported
- complete measurement reports from MS (downlink) and BTS (uplink) are
built and forwarded to BSC
- a new TCH is activated on the new BTS
- the BSC decides that the MS will be better served on another cell
- the MS is informed that a handover is to be performed and is asked to tune
to the newly activated channel (TS, frequency, TSC)
Mobile communications
- the MS sends several messages on the new channel using access bursts;
the main purpose is to allow the BTS to estimate TA information for non
synchronized handovers
- the new BTS informs BSC; BSC may send supplementary information to
the MS (TA information , emission power level)
- the MS sends a LAPDm SABM frame on the new channel; acknowledgment
is provided by BTS (UA type LAPDm frame) ; BSC if informed that the MS has
switched on a new channel
- the MSC is informed that a internal BSS handover was performed – the target
cell identity is included in the message; the MSC/VLR keeps track
of the cell for further signaling needs (for example another call arrives)
BTSnewMS MSCBTSold
.
.
.
BSC
MEASUREMENT REPORT (RR)(uplink SACCH)
MEASUREMENT REPORT (RR)
(uplink +downlink)
CHANNEL ACTIVATION
AKNOWLEDGE (RR-DCM)
CHANNEL ACTIVATION (RR-DCM)
HANDOVER COMMAND (RR)
HANDOVER ACCESS (RR)
HANDOVER PERFORMED
PHYSICAL INFORMATION
(RR)
HANDOVER COMPLETE (RR)
BSSMAP
HANDOVER ACCESS (RR)
FACCH
SABM (LAPDm)
UA (LAPDm)
Signaling messages for an intra BSC handover
Mobile communications
Mobile communications
Intra MSC handovers
- the serving BSC takes the decision as for intra –BSC handovers
- same MSC different BSCs
Steps involved:
- the MSC plays an active role; channel activation in the new BSC is done
under supervision of MSC
- the serving BSC identifies that the new cell its not under its supervision
and indicates to the MSC that a handover is required
- once resources are activated the MSC constructs a handover command and
sends it to MS using its old channel
- the MSC constructs an assignment message for the new BSC
- the MS tunes onto the new channel as for intra-BSC handovers
- on completion MSC is informed and commands clearing of old resources on
the old BSC/BTS
Mobile communications
BSCnewMS MSC BSCold
(uplink SACCH)
MEASUREMENT REPORT (via old BTS)
HANDOVER REQUEST
AKNOWLEDGE (RR)
HANDOVER REQUEST (RR)
HANDOVER COMMAND (RR)
HANDOVER COMPLETE (RR)
HANDOVER REQUIRED (BSSMAP)
Access on the new channel
HANDOVER COMPLETE (RR)
CLEAR COMMAND (BSSAP)
CLEAR COMPLETE (BSSAP)
Channel activation
Signaling messages for an intra MSC handover
Mobile communications
- needs a prior establishment of a RR connection
❑ The authentication procedure
- main purpose : to support mobility of users and to ensure confidentiality
- are taking place between MS and VLR
- prevents access of unauthorized users that do not dispose of a valid SIM
card
- can take takes place on each call attempt (MO/MT/calls between GSM
users) when location updating is performed or when a user changes the status
of its supplementary services
- entities involved : MS and VLR (via BSS /MSC)
- through MM signaling messages VLR verifies if a “signed response ” –SRES
-computed by the MS using as parameter a random number (RAND) is the
same as SRES stored on VLR ; access is granted if responses coincide
5.7.2 Examples of MM procedures
Mobile communications
- verification is carried out by VLR; MSC/VLR are communicating using
MAP/B messages
BSSMS MSC
AUTHENTICATION REQUEST (MM/DTAP)
RAND includedA3 (Ki from SIM)
AUTHENTICATION RESPONSE (MM/DTAP)
SRESMS included
VLR
RR connection establishment
procedure
- authentication takes place optionally on each location updating and each call
setup; the standard defines also a selective authentication procedure
Mobile communications
❑ The ciphering mode setting procedure
- needed for synchronizing the start of encrypted messages exchange at the
MS and BTS
- performed after authentication
BTS
RR connection establishment
Authentication procedure
encrypted text
MS
ENCRYPTION COMMAND (RR)
Kc
CIPHERING MODE COMMAND (RR)
text in clear
CIPHERING MODE COMPLETE (RR)
BSC
CIPHER MODE COMMAND (BSSMAP)
Kc
CIPHER MODE COMPLETE (BSSMAP)
MSC