Lab 4. Signaling protocols and procedures in GSM
4.1 Introduction
The GSM / GPRS / UMTS technical specifications (http://www.3gpp.org) establish all
the necessary rules for the exchange of signaling messages (signaling procedures) as a support
for the terminal mobility for the underlying cellular coverage. Regardless of the type of the
network, signaling procedures are classified and depend on the current state of the mobile
terminal. The GSM system defines the following possible states for the mobile station:
- idle - the mobile terminal is attached to the network but does not have a dedicated
channel allocated
- dedicated - the mobile terminal has a dedicated channel allocated (SDCCH or TCH)
- attached / detached - the mobile terminal is switched on or off, respectively
In the idle state, terminal mobility is supported through location updating
procedures; in the dedicated state, handover mechanisms are used to transfer the call from
one cell to another.
The purpose of the location procedures is to modify the current location area, stored at
VLR level for each IMSI (each mobile subscriber) residing in the corresponding MSC/VLR
service area. This type of procedure is always performed at the initiative of the mobile station,
whenever a change in location area occurs or if a predefined timer expires.
Handover mechanisms deal with mobility in dedicated mode, and the decision is always
taken by the network (the serving BSC). GSM handovers are of MAHO (Mobile Assisted
Handover) type. Decisions taken by the network are based on measurement reports submitted
by mobile stations (link quality and power level for the downlink TCH / SDCCH and power
level on surrounding beacon frequencies indicated by the network) and by the current base
station (link quality and power level for the uplink TCH / SDCCH). The measurement reports
include RXLEV - received power level, and RXQUAL - current link quality (only for TCH /
SDCCH), and are reported in indexed form as shown in tables 1 and 2.
RXLEV   Received power level [dBm]
0       < -110
1       -109
2       -108
...     ...
63      > -48
Table 1. RXLEV values
RXQUAL  BER
0       < 2*10^-3
1       2*10^-3 to 4*10^-3
2       4*10^-3 to 8*10^-3
3       8*10^-3 to 1.6*10^-2
4       1.6*10^-2 to 3.2*10^-2
5       3.2*10^-2 to 6.4*10^-2
6       6.4*10^-2 to 1.28*10^-1
7       > 1.28*10^-1
Table 2. RXQUAL values
The handover decisions are taken by the BSC following the general rules indicated in
[1] and are based on the following criteria:
- intracellular (i.e. inter-timeslot): high RXLEV and high RXQUAL; this corresponds to a
situation with high interference on the current TS. Usually the BSC will decide to
switch the current TCH/SDCCH onto another TS, possibly on another transceiver of the
same BTS
- high uplink and downlink RXQUAL; the current channel is transferred to another
cell
- low uplink and downlink RXLEV; the current channel is transferred to another cell
4.2 Signaling protocols
The signaling protocols implemented on the radio interface are shown below:
Layer 3: CM (CC / SMS / SS), MM, RR
Data link layer: LAPDm
Physical layer
Fig.1 Stack of signaling protocols on the radio interface
4.2.1 RR- Radio Resource Management
RR messages are specific messages dedicated to dynamic radio resources allocation,
deallocation and management. The RR protocol specifies:
- the type and the format of the messages exchanged between mobile station and
network for establishing a dedicated channel for enabling the dialogue between the
mobile station and the network (RR connection)
- the type and the format of the messages transmitted on the BCCH, SCH, FCCH
logical channels
- the type and the format of the messages carried on the AGCH / PCH / RACH logical
channels
- the type and the format of the messages exchanged between a mobile station in
active state and the network for allowing implementation of handovers.
The GSM equipment that implements the RR protocol family is the MS, BTS and BSC, and
all RR procedures take place only within the radio access network.
4.2.2 MM-Mobility Management
The GSM MM protocol is responsible for handling the mobility of the users through
location updating procedures (terminal in idle state) and for security and confidentiality
procedures (authentication, encryption).
Any MM procedure requires a prior RR procedure, or triggers one, for the allocation of a
dedicated channel (SDCCH) as a support for the transfer of the messages defined by this
protocol. MM messages are transferred transparently over the access network (neither the BTS
nor the BSS interprets MM messages; they act as relays).
The main types of MM procedures are:
- location updating
- IMSI attach / detach
- authentication, encryption etc.
Some upper layer CM procedures require prior MM procedures (for example a user
is authenticated before making the call).
4.2.3 CM-Connection Management
A family of protocols that defines the format and the type of messages used for the
dialogue between an MS and the NSS for:
- call establishment/termination – CC (Call Control)
- transfer of short messages – SMS (Short Message Service)
- supplementary services activation/deactivation/query – SS (Supplementary Services)
4.3 The format of a layer 3 message over the radio interface
Irrespective of the family of protocols (RR/MM/CM) to which the message belongs,
a layer 3 message is encoded as follows [2]:
Octet 1      Transaction identifier / Skip indicator | Protocol discriminator
Octet 2      Message type
Octet 3,...  Information elements
Table 3. Format of a layer 3 message
The Protocol Discriminator field is encoded on 4 bits and identifies the layer 3
protocol as indicated in [2]. The message type is encoded on 8 bits and identifies a
particular message within the same family (a specific MM, CM or RR message; for example:
MEASUREMENT_REPORT 00101010). The Transaction Identifier field is used for
distinguishing among concurrent CM procedures and it is set to 0000 for MM and RR.
4.4 Most important signaling messages
4.4.1 RR messages
Broadcast messages
SYSTEM INFORMATION TYPE 1 - carries general indications such as: rules to be used
for the random access, list of carriers used on the current cell
SYSTEM INFORMATION TYPE 2 - the main information carried in this type of message
indicates the beacon frequencies in neighboring cells.
SYSTEM INFORMATION TYPE 3 - location area indication parameters: LAC (Location
Area Code) + MCC (Mobile Country Code) + MNC (Mobile Network Code). The LAI
(Location Area Identifier) is formed by concatenating the above fields and
represents a unique identifier for the current location area, unique within the whole GSM
service area. The same message indicates the mapping of logical channels on TS0; in most
situations channels are organized in the standard manner:
FSBBBBPPPPFSPPPPPPPPFSPPPPPPPPFSPPPPPPPPFSPPPPPPPPI
F-FCCH, S- SCH, B-BCCH, P –RACH (uplink), AGCH/PCH (downlink), I-Idle
SYSTEM INFORMATION TYPE 4 – repeats some of the information included in the previous
messages and also includes cell broadcast messages.
All SYSTEM INFORMATION TYPE 1-4 messages are dedicated to mobile stations in idle
mode.
SYSTEM INFORMATION TYPE 5 – sent only for mobile station in dedicated mode,
includes the list of neighboring beacons that must be monitored for eventual handovers (the c
Channels field). The message is sent on the SACCH allocated together with a TCH or a
SDCCH channel.
SYSTEM INFORMATION TYPE 6 – cell and location area identifiers in dedicated mode -
Cell Identity, LAI, discontinuous transmission parameters etc.
The GSM standard also specifies other types of SYSTEM INFORMATION messages; the
complete description is included in [2].
Paging and channel allocation/deallocation messages
PAGING REQUEST TYPE 1,2,3 – indicate that a mobile station has an incoming call. The
called mobile subscriber is identified through TMSI or IMSI (if a TMSI is not available).
Paging messages are sent repeatedly.
CHANNEL REQUEST – used by an MS to request a channel as a response to paging or at
the MS’s own initiative. Such a request is encoded on 8 bits, 3 of them being used for
indicating the reason and the remaining 5 to encode a number randomly picked by the MS. The
message is sent on AGCH.
IMMEDIATE ASSIGNMENT - used by the network for channel assignment. The
message includes the following fields:
- the SDCCH parameters: SDCCH channel no., the timeslot, training sequence
code
- the TDMA frame number
- frequency hopping parameters for the SDCCH channel. Among these
parameters the most important ones are:
  MA – Mobile Allocation – the list of carriers that will be used for frequency
  hopping. The actual values of the frequencies are known from the SYSTEM
  INFORMATION TYPE 1 messages
  MAIO – Mobile Allocation Index Offset – initial carrier for frequency hopping
  HSN – Hopping Sequence Number – a value among 64 possible that defines how
  frequency hopping is actually performed. A value of 0 is associated with a cyclic use
  of all the carriers used in the cell
- TA (Timing Advance) value – used for compensating for the varying distance
between the mobile station and the BTS
- The random number picked by the MS – for avoiding handling multiple
channel requests
PAGING RESPONSE – used by an MS to indicate that a paging message has been received.
The message is also used for indicating to the network some technical characteristics of the
mobile terminal itself (supported encryption algorithms, supported frequency bands
GSM/DCS, power classmark, SMS, 3G capabilities etc). The message also includes a number
(Ciphering Key Sequence Number, CKSN) that indicates in an indexed manner the actual
ciphering key stored on the SIM card.
Classmark enquiry/Classmark change – dedicated messages for the query and indication of
the set of technical parameters used/to be used by the mobile termination for transmission
over the radio interface.
MEASUREMENT REPORT - handover related messages. They are sent on the SACCH
channel based on a measurement cycle with a duration of 0.5 s. For all the carriers indicated in
a SYSTEM INFORMATION TYPE 5 message the mobile includes the RXQUAL parameter;
for the current channel both the RXQUAL and RXLEV are reported. For the neighboring
cells the measured values are indexed by the decoded BSIC values. Measurements are
performed in two modes (full – all the TSs, sub – only the TSs during which the MS is not
performing discontinuous transmission).
ASSIGNMENT COMMAND – used in the downlink direction for allocation of a traffic
channel. The message includes a full description of the TCH channel: timeslot, ARFCN,
frequency hopping parameters, the initial power level to be used by the MS. The successful
reception of the message is confirmed by the MS using an ASSIGNMENT COMPLETE
message sent on the newly allocated FACCH channel.
HANDOVER COMMAND – used for initiating the transfer of a channel to another
frequency or to another TS. The message includes:
- the beacon frequency of the new cell (the associated ARFCN)
- description of the newly allocated channel (TS, ARFCN, channel type:
TCH+SACCH, training sequence code, BSIC), access mode (whether an access burst
should be employed or not for accessing the new channel). The new channel is allocated
previously by the BSC on a TRX
- handover reference – random number allocated by the BSC
HANDOVER ACCESS – includes the received handover reference. It is sent in the uplink
direction for allowing a BTS to estimate the TA value. Its correct reception is acknowledged
by the BTS using LAPDm supervisory frames.
PHYSICAL INFORMATION – (optional) – transfer of the TA value to the MS
HANDOVER COMPLETE – final confirmation sent by the MS that the handover procedure
was successfully completed.
4.4.2 MM messages
The transfer of MM messages is carried out over dedicated signaling channels
(SDCCH).
LOCATION UPDATING REQUEST – sent on the SDCCH in uplink. The message
includes the LAI identifier from the SIM card and the old TMSI identifier. The new LAI is
concatenated by the BSC and the dynamic mapping cell <-> LAI identifiers is performed
using operation and maintenance tasks. Using the data included in the message, the
MSC/VLR establishes the GSM identity of the mobile subscriber (IMSI), stores the new LAI
for the IMSI, stores authentication data and detects if further signaling must take place with the
HLR.
LOCATION UPDATING ACCEPT – includes the new LAI code that will be stored on the
SIM card. If the MSC/VLR service area also changes, the message includes a new TMSI.
AUTHENTICATION REQUEST - sent by the network, includes a 128 bit random number
(RAND). Upon reception of the message the MS calculates a signature (SRES) using the
authentication algorithm (A3). In the same message the network includes a CKSN number
for indexing the new encryption key on the SIM card.
AUTHENTICATION RESPONSE - response from the MS that includes the
computed signature (SRES)
CIPHERING MODE COMMAND – message sent in the downlink direction that initiates
ciphered message exchange over the radio interface. The message includes an indication of
the plain text message (typically IMEI) that will be used by the MS for establishing ciphered
message exchange. Decryption is initialized beforehand at BTS level with the same
parameters.
CIPHERING MODE COMPLETE – message sent by the MS that includes the indicated
text in clear. The message is encrypted by the MS and decrypted by the BTS with their own
ciphering keys.
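The octet layout from §4.3 and the message order described in §4.4.2, as an added example that is not part of the original lab text: it decodes octets 1 and 2 of each layer 3 message and reports which authentication or ciphering step is missing between a LOCATION UPDATING REQUEST and its ACCEPT. It assumes already decoded layer 3 messages, as a handset-side trace shows them; the function names and sample frames are constructed here, and the discriminator and message type values are taken from 04.08 [2].

```python
# Added example: decode octets 1-2 of layer 3 messages and check one location update.
PD = {0x3: "CC", 0x5: "MM", 0x6: "RR"}  # protocol discriminator, low nibble of octet 1

# Message types (octet 2) for messages described on this page; values from 04.08 [2].
MSG = {
    ("MM", 0x08): "LOCATION UPDATING REQUEST",
    ("MM", 0x02): "LOCATION UPDATING ACCEPT",
    ("MM", 0x12): "AUTHENTICATION REQUEST",
    ("MM", 0x14): "AUTHENTICATION RESPONSE",
    ("RR", 0x35): "CIPHERING MODE COMMAND",
    ("RR", 0x32): "CIPHERING MODE COMPLETE",
}

def parse_l3_header(frame):
    """Return (ti_or_skip, protocol, message_name) for one raw layer 3 message."""
    if len(frame) < 2:
        raise ValueError("a layer 3 message has at least 2 octets")
    ti_or_skip, pd = frame[0] >> 4, frame[0] & 0x0F
    proto = PD.get(pd, "PD 0x%X" % pd)
    mtype = frame[1]
    if proto in ("MM", "CC"):
        mtype &= 0x3F  # upper two bits hold a send sequence number, not the type
    return ti_or_skip, proto, MSG.get((proto, mtype), "type 0x%02X" % mtype)

def check_location_update(frames):
    """List what is missing between the request and the accept of one procedure."""
    names = [parse_l3_header(f)[2] for f in frames]
    try:
        start = names.index("LOCATION UPDATING REQUEST")
        end = names.index("LOCATION UPDATING ACCEPT", start)
    except ValueError:
        return ["procedure incomplete"]
    seen = names[start:end]
    findings = []
    # Each network command should appear, and be answered by the MS, before the accept.
    for ask, answer in (("AUTHENTICATION REQUEST", "AUTHENTICATION RESPONSE"),
                        ("CIPHERING MODE COMMAND", "CIPHERING MODE COMPLETE")):
        if ask not in seen:
            findings.append("no " + ask)
        elif answer not in seen[seen.index(ask):]:
            findings.append(ask + " not answered")
    return findings

# Constructed sample: header octets are real values, information elements are zero-filled.
FULL = [bytes([0x05, 0x08]) + bytes(10),   # LOCATION UPDATING REQUEST
        bytes([0x05, 0x12]) + bytes(17),   # AUTHENTICATION REQUEST (CKSN + 128-bit RAND)
        bytes([0x05, 0x54]) + bytes(4),    # AUTHENTICATION RESPONSE, sequence bit set
        bytes([0x06, 0x35, 0x00]),         # CIPHERING MODE COMMAND
        bytes([0x06, 0x32]),               # CIPHERING MODE COMPLETE
        bytes([0x05, 0x02]) + bytes(5)]    # LOCATION UPDATING ACCEPT
NO_CIPHER = FULL[:3] + FULL[5:]            # same exchange with ciphering never started

if __name__ == "__main__":
    for label, capture in (("full", FULL), ("no ciphering", NO_CIPHER)):
        print(label, "->", check_location_update(capture) or "ok")
```

A network may skip authentication and reuse the key indexed by the CKSN, so a finding is something to examine in the trace, not by itself a fault.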
4.4.3 CM/CC messages
SETUP - the message is sent in the downlink direction for indicating to a specific MS to
initiate the establishment of a call (MT calls) or in the uplink direction for MO call
establishment. The message includes the supported parameters for the desired service (voice
codecs, data rates for a bearer service) and the MSISDN of the called/calling subscriber.
CALL CONFIRMED – message sent by a called MS, indicating that the call can be
accepted. Technical data related to the type of call are included (implemented voice codecs,
implemented data rates, QoS parameters etc). The network can choose one of these
parameters.
ALERTING – used for indicating to the calling party that the call can be accepted and that
the called party has been alerted.
CONNECT/CONNECT ACKNOWLEDGE – indications about the fact that both sides
have accepted the call.
CM SERVICE REQUEST– used during an MO call for indicating the type of call. In the
message the MS indicates the type of call (voice call, emergency call, SMS, data call), its
identity (TMSI) and some of its general capabilities (classmark). The request is acknowledged
by a CM SERVICE ACCEPT message and a further exchange of SETUP –like messages
will be used to negotiate a particular codec for the desired service.
CALL PROCEEDING - used by the network to indicate to the MS that no other request can
be processed until the completion of the current procedure.
4.5 Signaling procedures in idle state
The Ericsson TEMS Investigation application will be used in order to visualize and
study selected signaling procedures. The GUI of the application is shown in fig.2.
Fig.2 TEMS investigation GUI
Signaling procedures can be captured only using TEMS compatible devices. For the
current lab several procedures were captured and stored in .log files. The available log files
are shown below:
Fig.3 Log files and signaling procedures
Once such a log file has been selected it can be sequentially displayed as shown in Fig.
4; several windows will be made available in the application, allowing inspection of the state
of the MS, of the signaling messages flow and of the content of each message.
Fig.4 Signaling messages and MS states in the TEMS application
Questions
1. Use the TEMS Investigation application and open the auth_2g.log. This file includes
messages captured during a location updating signaling procedure performed on the Orange
Romania PLMN.
2. Analyze the messages exchanged between the MS and the network and complete the
following simplified diagram with the most important signaling messages. Indicate for each
message its most important parameters and its role.
[Diagram template: entity columns MS, BSS, MNSSS; rows Message 1 ... Message n, each
annotated with its parameters and functions]
Use the explanations included in §5.4 and [2] and start the analysis from the idle state of the
mobile station.
4.6 Signaling procedures in the dedicated state
The file ho_02.log includes the signaling messages captured during a handover
procedure taking place on an experimental network.
Fig.5 Signaling messages included in the ho_02.log file
Questions
1. Analyze the messages exchanged between the MS and the network and draw a simplified
diagram representing the most important signaling messages and the network entities that are
generating and receiving them. For each message, indicate the most important parameters
and the role.
2. Which criterion is used for performing the handover? How many cells exist in the
experimental network?
4.7 MT calls
The file mt_02.log includes the signaling messages exchanged during an MT call
establishment procedure, taking place on an experimental network.
Fig.6 MT call on an experimental network
Questions
1. Use as starting point the Cell Reselection event as shown in fig.6 and analyze the exchange
of signaling messages for the MT call. Use a simplified diagram to illustrate the most
important signaling messages, indicating their role and their main parameters.
4.8 MO calls
The file mo_2.log includes the signaling messages exchanged during an MO call
establishment procedure, taking place on an experimental network.
Fig.7 MO call on an experimental network
Questions
1. Use as starting point the Idle state event as shown in fig.7 and analyze the exchange of
signaling messages for the MO call. Use a simplified diagram to illustrate the most important
signaling messages, indicating their role and their main parameters.
The hopping.log file includes the signaling messages involved in a MO call
establishment procedure taking place on the Orange Romania PLMN.
Questions
1. Which are the differences between the two above described MO call establishment
procedures?
2. Explain the role of the supplementary messages occurring on the real network.
References
1. ETSI/GSM Recommendations 05.08, “Digital cellular telecommunications system
(Phase 2+); Radio subsystem link control”
2. ETSI/GSM Recommendations 04.08 “Digital cellular telecommunications system
(Phase 2+); Mobile radio interface layer 3 specification”, version 8.4.0, 1999.