This page will cover basic concepts related to a typical GSM network, its key components, and the role of YateBTS in such a network. Furthermore, the following sections of this page will describe GSM elements such as: the UM interface, its logical channels, GPRS, protocols of Voice over IP and more.
- 1 GSM Network architecture
- 2 GSM frequency bands
- 3 Mobile Station (MS)
- 4 Base Station Subsystem (BSS)
- 5 Network Switching Subsystem (NSS)
- 6 Operations Support System (OSS)
- 7 GPRS
- 8 UM interface
- 9 Fundamental Um Transactions
- 10 Um security features
- 11 Protocols of Voice over IP
- 12 Notes
GSM Network architecture
GSM, also known as Global System for Mobile Communications, is a mobile communications standard set up by the European Telecommunications Standards Institute and contains the protocols that define 2G cellular networks. In time, GSM went beyond voice mobile telephony and now includes data communications, first through GPRS (General Packet Radio Services) and later through EDGE (Enhanced Data rates for GSM Evolution).
The architecture of a GSM network is comprised of the following:
- a Mobile Station (MS)
- a Base Station Subsystem (BSS)
- a Base Station Controller (BSC)
- a Base Transciever Station
- a Network and Switching Subsystem (NSS)
- a Home Location Register (HLR)
- a Mobile Switching Center (MSC)
- a Visitor Location Register (VLR)
- an Authentication Center (AuC)
- Equipment Identity Register (EIR)
- an Operations Support System (OSS)
Optionally, if the GSM network includes the transmission of IP packets for data, the GPRS core network needs to be added to the architecture. The GPRS components as a part of the network switching subsystem.
- the Serving GPRS Support Node (SGSN)
- the Gateway GPRS Support Node (GGSN)
- the GPRS tunnelling protocol (GTP)
- an access point
- a PDP context
- various reference points and interfaces
All these components will be described in depth below.
GSM frequency bands
GSM frequency bands have been designated by the ITU and allow GSM mobile stations to function.
There are four main classes of GSM bands:
- P-GSM, Standard or Primary GSM-900 Band
- E-GSM, Extended GSM-900 Band (includes Standard GSM-900 band)
- R-GSM, Railways GSM-900 Band (includes Standard and Extended GSM-900 band)
- T-GSM, Trunking-GSM
The 3GPP TS 45.005 standard, in its second chapter, identifies 14 GSM bands .
However, there are four globally standardized bands for commercial purposes.
|System||Band||Uplink (MHz)||Downlink (MHz)||Region|
|GSM 850||850||824 – 849||869 – 894||North America, the Caribbean and Latin America|
|E-GSM 900||900||880 – 915||925 – 960||Europe, the Middle East, Africa and Asia-Pacific|
|GSM 1800||1800||1,710 – 1 ,785||1,805 – 1,880||Europe, the Middle East, Africa and Asia-Pacific|
|GSM 1900||1900||1,850 – 1,909||1,930 – 1,989||North America, the Caribbean and Latin America|
Each frequency is divided in timeslots per each mobile phone. Therefore, each frequency has eight-full rate or 16 half-rate speech channels.
For roaming, mobile phones need to support multiple frequency bands.
Mobile Station (MS)
The mobile station (MS) is a mobile phone or mobile computer connected through a mobile broadband adapter to the mobile network.
A typical MS for GSM is comprised of the following components:
- Mobile termination (MT) – offers common functions such as: radio transmission and handover, speech encoding and decoding, error detection and correction, signalling and access to the SIM.
The IMEI code is attached to the MT. It is equivalent to the network termination of an ISDN access.
- Terminal equipment (TE) – relates to any device connected to the MS offering services to the user.
It does not contain any functions specific to GSM.
- Terminal adapter (TA) – Provides access to the MT as if it was an ISDN network termination with extended capabilities.
Communication between the TE and MT over the TA takes place using AT commands.
- Subscriber identity module (SIM) – is a removable subscriber identification token storing the IMSI, a unique key shared with the mobile network operator and other data.
The MT, TA and TE are enclosed in the same case in the mobile phone. Generally, different processors handle the MT and TE functions. The application processor serves as a TE, while the baseband processor serves as an MT, and the communication between both takes place using AT commands, which serves as a TA.
Base Station Subsystem (BSS)
The BSS takes the role of handling traffic and signalling between an MS and the network switching subsystem. It is comprised of a base transciever station and a base station controller.
Base Transceiver Station (BTS)
The BTS holds the equipment used for sending and receiving radio signals and equipment for performing the communication encryption and decryption with the base station controller. A typical BTS has the following components:
- a transceiver
- a power amplifier
- a combiner
- a duplexer
- an antenna
- an alarm extension system
- a control function and
- a baseband receiver unit
Each BTS deployed in the field acts as a single cell. The number of deployed BTSs is determined by taking into account the area and the number of subscribers that need to be served.
Base Station Controller (BSC)
The BSC has the role of allocating radio channels, receiving measurements from mobile stations and handling handovers from one BTS to another.
It is the anchor between mobile stations and the Mobile Switching Center (MSC). The BSC is able to manage up to hundreds of BTSs at the same time.
Network Switching Subsystem (NSS)
The NSS handles call switching and mobility management functions for mobile roaming, such as authentication. The components that form the NSS are owned and managed by mobile operators and allow mobile devices to communicate with each other and with other telephones in the public switched telephone network.
Authentication Center (AuC)
The Authentication Center is a database that authenticates each SIM card that tries to connect to the GSM core network. As soon the the SIM is authenticated, the HLR takes over and manages the SIM and its services. Each authentication involves an encryption key used to secure all the wireless communications between the mobile station and the core network.
Home Location Register (HLR)
The HLR is a database that stores and manages all the subscribers of any given mobile operator, by holding all the details of every SIM card issues by that operator. The SIM card stores the IMSI, the shared secret authentication key and an integrated circuit card identifier (ICCID). Another identification data is represented by the MSISDN, which is the the phone number associated to a SIM card.
Mobile Switching Center (MSC)
The MSC is a central component of the NSS and is the main service delivery point for GSM. It responsible for routing voice calls and SMS, performs registration, authentication, handover and updates the location of a mobile station. The MSC also performs signalling, conference calls and generates billing information.
Visitor Location Register (VLR)
The VLR is a database of subscribers authenticated to its corresponding MSC. Most of the times, the VLR is part of the MSC and receives subscriber data from the HLR, or from the mobile station.
Whenever a mobile station enters the area served by a particular MSC, its VLR will request identification data from the HLR about the subscriber.
Equipment Identity Register (EIR)
The EIR is a database containing lists of IMEI numbers of mobile stations that have been reported stolen, unauthorized or defective. These IMEIs are either banned from the mobile network or monitored. The EIR is typically integrated in the HLR.
Operations Support System (OSS)
The OSS includes those operations that handle support management functions such as:
- network management systems
- service delivery
- service fulfilment – network inventory,activation and provisioning
- service assurance
- customer care
OSS enables mobile operators to analyze, monitor and control their mobile networks. It offers operators a centralized and automated network overview.
General Packet Radio Service (GPRS) is a packet oriented mobile data service. The core network is based on Internet Protocol (IP) so it can communicate through the internet to any other LAN network or the Internet Software providers.
The GPRS core network allows mobile networks to transmit IP packets to external networks (e.g. the Internet). GPRS components are a part of the GSM network switching subsystem.
The components of a classic GPRS network consist of:
- a BTS
- a BSC
- a Serving GPRS Support Node (SGSN) that manages the sessions between the mobile station and the network
- a Gateway GPRS Support Node (GGSN) that manages the IP addresses to GPRS sessions
The diagram below explains the general architecture of the classic GPRS data service versus the GPRS implemented in the Unified Core NetworkTM:
GPRS perform the following services:
- SMS messaging and broadcasting
- continuous Internet access
- Multimedia messaging service (MMS)
- Push to talk over cellular (PoC)
- instant messaging and presence-wireless village
- Internet applications for smart devices through wireless application protocol (WAP)
- Point-to-point (P2P) service: inter-networking with the Internet (IP)
- Point-to-Multipoint (P2M) service: point-to-multipoint multicast and point-to-multipoint group calls
If SMS over GPRS is used, an SMS transmission speed of about 30 SMS messages per minute may be achieved. This is much faster than using the ordinary SMS over GSM, whose SMS transmission speed is about 6 to 10 SMS messages per minute.
GPRS Supported Protocols
GPRS supports the following protocols:
- Point-to-point protocol (PPP):
When the mobile phone is used as a modem for a connected computer, the PPP tunnels the IP to the phone. This allows an IP address to be assigned dynamically (IPCP not DHCP) to the mobile equipment.
- X.25 connections:
This protocol is typically used for applications like wireless payment terminals, although it has been removed from the standard. X.25 can still be supported over PPP, or even over IP, but doing this requires either a network-based router to perform encapsulation or intelligence built into the end-device/terminal; e.g., user equipment (UE).
- When TCP/IP is used, each phone can have one or more IP addresses allocated.
GPRS will store and forward the IP packets to the phone even during handover. The TCP handles any packet loss (e.g. due to a radio noise induced pause).
Devices supporting GPRS are divided into three classes:
- Class A – can be connected to GPRS service and GSM service (voice, SMS), using both at the same time.
Such devices are known to be available today.
- Class B – Can be connected to GPRS service and GSM service (voice, SMS), but using only one or the other at a given time.
During GSM service (voice call or SMS), GPRS service is suspended, and then resumed automatically after the GSM service (voice call or SMS) has concluded. The majority of GPRS mobile devices are Class B.
- Class C – Are connected to either GPRS service or GSM service (voice, SMS).
Must be switched manually between one and the other service.
GPRS connection establishment is performed via an APN (access point name). The APN handles WAP access, SMSs, MMSs, as well as email and web access.
In order to set up a GPRS connection for a wireless modem, a user must specify an APN, optionally a user name and password, and an IP address, all provided by the network operator.
Upload and Download Speed
The factors conditioning the upload and download speeds are:
- the number of base station TDMA time slots assigned by the operator
- the channel encoding
- the maximum capability of the mobile device defined as a GPRS multislot class
Multiple Access Schemes
GPRS uses frequency division duplex (FDD) and TDMA as access methods. During a session, a user is assigned to one pair of uplink and downlink frequency channels, which, combined with time domain statistical multiplexing, allows more subscribers to share the same channel.
The packets have a constant length, corresponding to a GSM time slot. The downlink uses first-come first-served packet scheduling, while the uplink uses a reservation scheme that requires colliding data to be retransmitted later.
The Um interface is the GSM specific air interface between the mobile station and the BTS. It bares this name because it is the mobile analog to the U interface of ISDN. Um also supports GPRS packet-oriented data.
As established in the GSM 04.01, Section 7 specifications, the Um interface is defined in the lower three layers of GSM:
- the physical layer (L1)
- the data link layer (L2)
- the network layer (L3)
Um Logical Channels
As established in the GSM 04.03 specifications, the non-GPRS Um logical channels belong to thee categories:
- Traffic Channels (TCH)
- Dedicated Control Channels (DCCHs)
- Common Control Channels (CCCHs)
The following diagram shows the main channel categories.
Traffic channels (TCH)
Traffic channels correspond to the ISDN B channel and are known as the Bm channels. They use 8-burst(Break) diagonal interleaving with a new block starting on every fourth burst and any given burst containing bits from two different traffic frames.
The coding of a traffic channel is dependent on the traffic or vocoder type employed, with most coders capable of overcoming single-burst losses. All traffic channels use a 26-multiframe TDMA structure.
Full-rate channels (TCH/F)
A GSM full rate channel uses 24 frames out of a 26-multiframe. The channel bit rate of a full-rate GSM channel is 22.7 kbit/s, although the actual payload data rate is 9.6-14 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.10 Full Rate, GSM 06.60 Enhanced Full Rate or GSM 06.90 Adaptive Multi-Rate speech codec. It can also be used for fax and Circuit Switched Data.
Half-rate channels (TCH/H)
A GSM half rate channel uses 12 frames out of a 26-multiframe. The channel bit rate of a half-rate GSM channel is 11.4 kbit/s, although the actual data capacity is 4.8-7 kbit/s, depending on the channel coding. This channel is normally used with the GSM 06.20 Half Rate or GSM 06.90 Adaptive Multi-Rate speech codec.
Dedicated Control Channels (DCCHs)
The Dedicated Control Channels correspond to the ISDN D channel and are known as the Dm channels.
Standalone Dedicated Control Channel (SDCCH)
The SDCCH is used for most short transactions, including initial call setup, registration and SMS transfer. It has a payload data rate of 0.8 kbit/s. Up to eight SDCCHs can be time-multiplexed onto a single physical channel. The SDCCH uses 4-burst block interleaving in a 51-multiframe.
Fast Associated Control Channel (FACCH)
The FACCH is always paired with a traffic channel. The FACCH is a blank-and-burst channel that operates by stealing bursts from its associated traffic channel. Bursts that carry FACCH data are distinguished from traffic bursts by stealing bits at each end of the midamble. The FACCH is used for in-call signalling, including call disconnect, handover and the later stages of call setup. It has a payload data rate of 9.2 kbit/s when paired with a full-rate channel (FACCH/F) and 4.6 kbit/s when paired with a half-rate channel (FACCH/H). The FACCH uses the same interleaving and multiframe structure as its host TCH.
Slow Associated Control Channel (SACCH)
Every SDCCH or FACCH also has an associated SACCH. Its normal function is to carry system information messages 5 and 6 on the downlink, carry receiver measurement reports on the uplink and to perform closed-loop power and timing control. Closed loop timing and power control are performed with a physical header at the start of each L1 frame. This 16-bit physical header carries actual power and timing advance settings in the uplink and ordered power and timing values in the downlink. The SACCH can also be used for in-call delivery of SMS. It has a payload data rate of 0.2-0.4 kbit/s, depending on the channel with which it is associated. The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or SDCCH.
Common Control Channels (CCCHs)
The Common Control Channels are unicast and broadcast channels that do not a correspondent in ISDN. They are used almost exclusively for radio resource management. The AGCH and RACH together form the medium access mechanism for Um.
Broadcast Control Channel (BCCH)
The BCCH carries a repeating pattern of system information messages that describe the identity, configuration and available features of the BTS. BCCH brings the measurement reports it bring the information about LAI And CGI BCCH frequency are fixed in BTS.
Synchronization Channel (SCH)
The SCH transmits a Base station identity code and the current value of the TDMA clock. SCH repeats on every 1st, 11th, 21st, 31st and 41st frames of the 51 frame multi frame. So there are 5 SCH frames in a 51 frame multiframe.
Frequency Correction Channel (FCCH)
The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local oscillator. FCCH will repeat on every 0th, 10th, 20th, 30th and 40th frames of the 51 frame multiframe. So there are 5 FCCH frames in a 51 frame multiframe.
Paging Channel (PCH)
The PCH carries service notifications (pages) to specific mobiles sent by the network. A mobile station that is camped to a BTS monitors the PCH for these notifications sent by the network.
Access Grant Channel (AGCH)
The AGCH carries BTS responses to channel requests sent by mobile stations via the Random Access Channel.
Random Access Channel (RACH)
The RACH is the uplink counterpart to the AGCH. The RACH is a shared channel on which the mobile stations transmit random access bursts to request channel assignments from the BTS.
Allowed channel combinations
The multiplexing rules of GSM 05.02 allow only certain items of logical channels to share a physical channel. The allowed items for single-slot systems are listed in GSM 05.02 Section 6.4.1. Additionally, only certain of these items are allowed on certain timeslots or carriers and only certain sets of items can coexist in a given BTS.
The most common combinations are:
- C-I: TCH/F + FACCH/F + SACCH – This combination is used for full rate traffic. It can be used anywhere but C0T0.
- C-II: TCH/H + FACCH/H + SACCH – This combination is used for half rate traffic when only one channel is needed. It can be used anywhere but C0T0.
- C-III: 2 TCH/H + 2 FACCH/H + 2 SACCH – This combination is used for half rate traffic. It can be used anywhere but C0T0.
- C-IV: FCCH + SCH + BCCH + CCCH – This is the standard C0T0 combination for medium and large cells. It can be used only on C0T0.
- C-V: FCCH + SCH + BCCH + CCCH + 4 SDCCH + 2 SACCH – This is the typical C0T0 combination for small cells, which allows the BTS to trade unnecessary CCCH capacity for a pool of 4 SDCCHs. (5x1)+(5x1)+(1x4)+(3x4)+(4x4)+(2x4)+1idle= 51 frame multiframe. It can be used only on C0T0.
- C-VI: BCCH + CCCH – This combination is used to provide additional CCCH capacity in large cells. It can be used on C0T2, C0T4 or C0T6.
- C-VII: 8 SDCCH + 4 SACCH.[(8x4)+(4x4)+3idle=51frame multiframe] – This combination is used to provide additional SDCCH capacity in medium and large cells. It can be used anywhere but C0T0.
YateBTS supports the C-I, C-V, and C-VII channel combinations.
YateBTS Channel Configurations
Typical YateBTS channel configurations for 1-TRX and 2-TRX are illustrated in the diagram below.
Fundamental Um Transactions
Basic speech service in GSM requires five transactions:
- radio channel establishment
- location update
- mobile-originating call establishment
- mobile-terminating call establishment
- call clearing
Radio channel establishment
Unlike ISDN's U channel, Um channels are not hard-wired, so the Um interface requires a mechanism for establishing and assigning a dedicated channel prior to any other transaction. The Um radio resource establishment procedure is defined in GSM 04.08 Section 3.3 and this is the basic medium access procedure for Um. This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared uplink. In the simplest form, the steps of the transaction are:
- Paging – The network sends a RR Paging Request message (GSM 04.08 Sections 9.1.22-9.1.23) over the PCH, using the subscriber's IMSI or TMSI as an address.
GSM does not allow paging by IMEI (GSM 04.08 Section 10.5.1.4). This paging step occurs only for a transaction initiated by the network.
- Random Access – The mobile station sends a burst on the RACH. This burst encodes an 8-bit transaction tag and the BSIC of the serving BTS.
A variable number of most-significant bits in the tag encode the reason for the access request, with the remaining bits chosen randomly. In L3, this tag is presented as the RR Channel Request message (GSM 04.08 9.1.8). The mobile also records the TDMA clock state at the time the RACH burst is transmitted. In cases where the transaction is initiated by the MS, this is first step.
- Assignment – On the AGCH, the network sends the RR Immediate Assignment message (GSM 04.08 Section 9.1.18) for a dedicated channel, usually an SDCCH.
This message is addressed to the MS by inclusion of the 8-bit tag from the corresponding RACH burst and a time-stamp indicating the TDMA clock state when the RACH burst was received. If no dedicated channel is available for assignment, the BTS can instead respond with the RR Immediate Assignment Reject message, which is similarly addressed and contains a hold-off time for the next access attempt. Emergency callers receiving the reject message are not subject to the hold-off and may retry immediately.
- Retry – If the RACH burst of step 2 is not answered with an assignment or assignment reject in step 3 within a given timeout period ,usually on the order of 0.5 second, the handset will repeat step 2 after a small random delay. This cycle may be repeated 6-8 times before the MS aborts the access attempt.
Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same time in step 2. If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio signals will not be demodulable and both MSs will move to step 4. However, if there is a sufficient difference in power, the BTS will see and answer the more powerful RACH burst. Both MSs will receive and respond to the resulting channel assignment in step 3. To ensure recovery from this condition, Um uses a "contention resolution procedure" in L2, described in GSM 04.06 188.8.131.52 in which the first L3 message frame from the MS, which always contains some form of mobile ID, is echoed back to the MS for verification.
This procedure normally is performed when the MS powers up or enters a new Location area but may also be performed at other times as described in the specifications. In its minimal form, the steps of the transaction are:
- The MS and the base station perform the radio channel establishment procedure.
- On the newly established dedicated channel, the MS sends the MM Location Updating Request message containing either an IMSI or TMSI. The message also implies connection establishment in the MM sublayer.
- The network verifies the mobile identity in the HLR or VLR and responds with the Location Updating Accept message.
- The network closes the Dm channel by sending the Channel Release message.
There are many possible elaborations on this transaction, including:
- TMSI assignment
- queries for other identity types
- location updating reject
Mobile-Originating Call (MO) establishment
In its simplest form, the steps of the transaction are:
- The MS initiates the radio channel establishment procedure and is assigned to a Dm channel, usually an SDCCH.
This establishes the connection in the L3 RR sublayer. The MS will then send a Connection Mode service request containing the subscriber ID (the IMSI or TMSI) and a description of the service it requests (the MO in this case).
- The MSC will verify in the HLR the subscriber's provisioning and will reply with an Accept message.
Therefore, a connection in the L3 MM sublayer is established.
- The MS sends the Setup message, which includes the called party number.
- If the called party is correct, the core network will reply with a Call Proceeding message.
- The network sends an Assignment message to move the transaction off of the SDCCH and onto a TCH+FACCH.
- Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with an Assignment Complete message.
This is the point when the FACCH takes over all control transactions.
- The core network sends the Alerting message when the called party alerting has been verified.
- When the called party answers, the network sends the Connect message.
- The MS replies with the Connect Acknowledge message and the call becomes active.
The TCH+FACCH assignment can occur at any time during the transaction, depending on the assignment type used by the network.
There are three defined approaches to channel assignment for speech calls:
- Early Assignment – The network starts the call on the SDCCH and assigns the TCH+FACCH after sending CC Call Proceeding. Call setup then completes on the FACCH. This allows the use of in-band patterns, like the ringing or busy patterns, generated by the network.
- Late Assignment – The network starts the call on the SDCCH and does not assign the TCH+FACCH until after alerting has started. This forces the MS itself to generate the patterns locally since the TCH does not yet exist to carry the sound.
- Very Early Assignment – The network makes an immediate assignment to the TCH+FACCH in the initial RR establishment and performs the entire transaction on the FACCH. The SDCCH is not used. Because immediate assignment starts the FACCH in a signalling-only mode, the network must send the RR Channel Mode Modify message at some point to enable the TCH part of the channel. This approach gives faster call establishment and is slightly more reliable since it does not require a channel change in the middle of the call setup operation.
As of release 2.0, YateBTS supports only Very Early Assignment.
Mobile-Terminating Call (MT) establishment
Below are the main steps in performing an MT call:
- The network initiates the radio channel establishment procedure and assigns the MS to a Dm channel, an SDCCH or FACCH depending on the assignment type. This establishes the connection in the L3 RR sublayer.
- The MS sends the Paging Response message on the new Dm. This message contains a mobile identity (IMSI or TMSI) and also implies a connection attempt in the MM sublayer.
- The MSC checks the subscriber in the HLR and verifies that the MS was indeed paged for service. The network can initiate authentication and ciphering at this point, but in the simplest case the network can just send the Setup message to initiate call control.
- The MS responds with Call Confirmed.
- The network sends an Assignment message to move the transaction off of the SDCCH and onto a TCH+FACCH.
- Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the RR Assignment Complete message. From this point on, all control transactions are on the FACCH.
- The MS starts alerting the subscriber of the call and sends the Alerting message to the network.
- When the subscriber answers, the MS sends the Connect message to the network.
- The network response with the Connect Acknowledge message and the call becomes active.
As in the MO, the TCH+FACCH assignment can happen at any time, with the three common techniques being early, late and very early assignment.
The call clearing transaction is the same whether initiated by the MS or the network, the only difference being a reversal of roles:
- Party A sends the CC Disconnect message.
- Party B responds with the CC Release message.
- Party A responds with the CC Release Complete message.
- The network releases the RR connection with the RR Channel Release message. This message always comes from the network, regardless of which party initiated the clearing procedure.
Mobile-Originated SMS (MO-SMS)
In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
- The MS establishes an SDCCH using the standard RR establishment procedure.
- The MS sends a CM Service Request.
- The MS initiates multiframe mode in SAP3 with the normal LAPDm SABM procedure.
- The MS sends a CP-DATA message (L3, GSM 04.11 Section 7.2.1), which carries an RP-DATA message (L4, GSM 04.11 Section 7.3.1) in its RPDU.
- The network responds with a CP-ACK message (L3, GSM 04.11 Section 7.2.2).
- The network delivers the RPDU to the MSC.
- The MSC responds with an RP-ACK message (L4, GSM 04.11 Section 7.3.3).
- The network sends a CP-DATA message to the MS, carrying the RP-ACK payload in its RPDU.
- The MS responds with a CP-ACK message.
- The network releases the SDCCH with the RR Channel Release message. This implies a closure of the MM sublayer and triggers the release of L2 and L1.
Mobile-Terminated SMS (MT-SMS)
The transaction steps for MT-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest case, error-free delivery outside of an established call, the transaction sequence is:
- The network pages the MS with the standard paging procedure.
- The MS establishes an SDCCH using the standard RR paging response procedure, which implies a CC sublayer connection.
- The network initiates multiframe mode in SAP3.
- The network sends the RP-DATA message as the RPDU in a CP-DATA message.
- The MS responds with the CP-ACK message.
- The MS processes the RPDU.
- The MS sends a CP-DATA message to the network containing an RP-ACK message in the RPDU.
- The network responds with a CP-ACK message.
- The network releases the SDCCH with the RR Channel Release message. This implies a closure of the MM sublayer and triggers the release of L2 and L1.
Um security features
GSM 02.09 defines the following security features on Um:
- authentication of subscribers by the network
- encryption on the channel
- anonymization of transactions (at least partially)
Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security feature but has the practical effect of adding significant complexity to passive interception of the Um link. Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki are held in the SIM and in the Authentication Center (AuC), a component of the HLR. The Ki is never transmitted across the Um. An important and well-known shortcoming of GSM security is that it does not provide a means for subscribers to authenticate the network. This oversight allows for false basestation attacks, such as those implemented in an IMSI catcher.
Authentication of subscribers
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and contains the following steps
- The network generates a 128 bit random value, RAND.
- The network sends RAND to the MS in the MM Authentication Request message.
- The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm called A3, using Ki as a key. SRES = A3(RAND,Ki). The network performs an identical SRES calculation.
- The MS sends back its SRES value in the RR Authentication Response message.
- The network compares its calculated SRES value to the value returned by the MS. If they match, the MS is authenticated.
- Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and Ki using the A8 algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use when ciphering is enabled.
Note that this transaction always occurs in the clear, since the ciphering key is not established until after the transaction is started. The authentication process is one-way only, as only the core network can authenticate the MS.
GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio bursts, at a very low level in L1, after forward error correction coding is applied. This is another significant security shortcoming in GSM because:
- the intentional redundancy of the convolutional coder reduces the Unicity distance of the encoded data and
- the parity word can be used for verifying correct decryption.
A typical GSM transaction also includes LAPDm idle frames and SACCH system information messages at predictable times, affording a Known plain text attack. The GSM ciphering algorithm is called A5.
There are four variants of A5 in GSM, only first three of which are widely deployed:
- A5/0: no ciphering at all
- A5/1: strong(er) ciphering, intended for use in North America and Europe
- A5/2: weak ciphering, intended for use in other parts of the world, but now deprecated by the GSMA
- A5/3: even stronger ciphering with open design
Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is initiated with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The MS starts ciphering and responds with the RR Ciphering Mode Complete message in ciphertext. The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GSM 02.09 Section 3.3.3).
Anonymization of subscribers
The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the clear on Um. The TMSI is assigned by the BSC and is only meaningful within specific network. The TMSI is assigned by the network with the MM TMSI Reallocation Command, a message that is normally not sent until after ciphering is started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established, it can be used to anonymize future transactions.
Note that the subscriber identity must be established before authentication or encryption, so the first transaction in a new network must be initiated by transmitting the IMSI in the clear.
Protocols of Voice over IP
VoIP is a technology that allows carrying voice communications and other multimedia sessions (text messages, fax etc.) via IP networks. VoIP has similar functional principles as those behind digital telephony, however, in the case of the former, voice calls are transmitted as IP packets over a packet-switched network, and not a circuit-switched one.
VoIP has the great advantage of lowering both the operational costs and the costs for the end-user, while also connecting more users at the same time (through real time conferences) and enabling access to various features such as: caller ID, voice mail, contact lists, multi-ring, online account management etc.
Nevertheless, getting a seamless voice quality is uncertain and unreliable, due to VoIP not having a mechanism that prevents packets from being lost, and voice calls can experience jitter and high latency.
Some popular examples of VoIP applications are Skype and Google Talk or a large number of smartphone apps such as: Viber, Magic App, WhatsApp etc.
User Datagram Protocol
The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite (the set of network protocols used for the Internet). With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communications to set up special transmission channels or data paths. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768.
UDP uses a simple transmission model with a minimum of protocol mechanism. It has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to the user's program. As this is normally IP over unreliable media, there is no guarantee of delivery, ordering, or duplicate protection. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.
UDP is suitable for purposes where error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.
UDP is used in this instance because:
- It is transaction-oriented, suitable for simple query-response protocols such as the Domain Name System or the Network Time Protocol.
- It provides datagrams, suitable for modeling other protocols such as in IP tunnelling or Remote Procedure Call and the Network File System.
- It is simple, suitable for bootstrapping or other purposes without a full protocol stack, such as the DHCP and Trivial File Transfer Protocol.
- It is stateless, suitable for very large numbers of clients, such as in streaming media applications for example IPTV
- The lack of retransmission delays makes it suitable for real-time applications such as Voice over IP, online games, and many protocols built on top of the Real Time Streaming Protocol.
- Works well in unidirectional communication, suitable for broadcast information such as in many kinds of service discovery and shared information such as broadcast time or Routing Information Protocol
Session Initiation Protocol (SIP)
The Session Initiation Protocol (SIP) is a plain text ASCII signalling communications protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks. It is a newer generation of protocols used in VoIP than H.323. SIP has been developed and standardized in RFC 3261 in 2001 under the auspices of the Internet Engineering Task Force (IETF). It was originally designed by Henning Schulzrinne and Mark Handley. It is continuously improved and updated, and many proprietary versions of SIP were developed.
SIP borrows many of it's functionalities from HTTP- the status codes; from DNS- the SRV records and from SMTP - the address formatting MIME
The Basic functions of SIP are:
- It locates users and resolves their SIP address to an IP address.
- Negotiates capabilities and features along all session participants.
- It allows changing parameters during the call.
- Manages the setup and tear-down of calls for all users in the session.
SIP is used in conjunction with SDP.
Session Description Protocol
SDP is intended for describing multimedia communication sessions for the purposes of session announcement, session invitation, and parameter negotiation. SDP does not deliver media itself but is used for negotiation between end points of media type, format, and all associated properties. SDP is designed to be extensible to support new media types and formats.
Real-time Transport Protocol
The Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks. RTP is used extensively in communication and entertainment systems that involve streaming media, such as telephony, video teleconference applications, television services and web-based push-to-talk features.
RTP is used in conjunction with the RTP Control Protocol (RTCP). While RTP carries the media streams (e.g., audio and video), RTCP is used to monitor transmission statistics and quality of service (QoS) and aids synchronization of multiple streams. RTP is one of the technical foundations of Voice over IP and in this context is often used in conjunction with SIP and SDP which assists in setting up connections across the network.
RTP is originated and received on even port numbers between 16384 to 32767 and the associated RTCP communication uses the next higher odd port number.
The RTP specification describes two sub-protocols and two optional protocols:
- The data transfer protocol, RTP, which deals with the transfer of real-time data
- The control protocol RTCP
- An optional signalling protocol such as H.323, Session Initiation Protocol (SIP), or Jingle (XMPP)
- An optional media description protocol such as Session Description Protocol
Adaptive Multi-Rate audio codec
The Adaptive Multi-Rate audio codec is an audio data compression scheme optimized for speech coding. AMR encodes signals in the 200--3400 Hz range at variable bit rates. It is one of the codecs that have been adopted as a standard in GSM. There are a total of 14 modes of the AMR codec, 8 are available in a full rate channel (FR) and 6 on a half rate channel (HR). Of them, EFR or GSM-EFR or GSM 06.60 offers the highest bitrate (12.20 kbit/s).
GSM Full Rate Speech Transcoding
Full Rate (FR or GSM-FR or GSM 06.10 or sometimes simply GSM) was the first digital speech coding standard used in the GSM digital mobile phone system. The bit rate of the codec is 13 kbit/s, or 1.625 bits/audio sample (often padded out to 33 bytes/20 ms or 13.2 kbit/s).
The quality of the coded speech is quite poor by modern standards, but at the time of development (early 1990s) it was a good compromise between computational complexity and quality, requiring only on the order of a million additions and multiplications per second. The codec is still widely used in networks around the world. Gradually FR will be replaced by Enhanced Full Rate (EFR) and Adaptive Multi-Rate (AMR) standards, which provide much higher speech quality with lower bit rate.
- Wikipedia contributors . ”GSM”. Wikipedia, The Free Encyclopedia, 2014 Jul 04, 18:00 UTC [cited 2014 Jul 09]. Available from: http://en.wikipedia.org/wiki/GSM.
- 3GPP TS 45.005 version 10.0.0 Release 10. "2. Frequency bands and channel arrangement", p. 14; 2011 Apr. Available from: http://www.etsi.org/deliver/etsi_ts/145000_145099/145005/10.00.00_60/ts_145005v100000p.pdf
- Wikipedia contributors. ”Mobile station”. Wikipedia, The Free Encyclopedia, 2013 Dec 16, 13:44 UTC [cited 2014 Jul 09]. Available from: http://en.wikipedia.org/wiki/Mobile_station.
- Wikipedia contributors. ”Base transceiver station”. Wikipedia, The Free Encyclopedia, 2014 Apr 21, 09:13 UTC [cited 2014 Jul 10]. Available from: http://en.wikipedia.org/wiki/Base_transceiver_station
- Wikipedia contributors. ”Base Station Subsystem - Base station controller”. Wikipedia, The Free Encyclopedia, 2014 Apr 22, 16:34 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Base_Station_Subsystem#Base_station_controller
- Wikipedia contributors. ”Network switching subsystem”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_and_Switching_Subsystem.
- Wikipedia contributors. ”Network switching subsystem - AuC”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_switching_subsystem#Authentication_center_.28AuC.29
- Wikipedia contributors. ”Network switching subsystem - HLR”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_switching_subsystem#Home_location_register_.28HLR.29
- Wikipedia contributors. ”Network switching subsystem - MSC”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_switching_subsystem#Mobile_switching_center_.28MSC.29.
- Wikipedia contributors. ”Network switching subsystem - VLR”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_switching_subsystem#Visitor_location_register_.28VLR.29.
- Wikipedia contributors. ”Network switching subsystem - EIR”. Wikipedia, The Free Encyclopedia, 2014 Jun 24, 01:02 UTC [cited 2014 Jul 11]. Available from: http://en.wikipedia.org/wiki/Network_switching_subsystem#Equipment_identity_register_.28EIR.29.
- Wikipedia contributors. ”Operations support system”. Wikipedia, The Free Encyclopedia, 2014 Jul 08, 23:19 UTC [cited 2014 Jul 14]. Available from: http://en.wikipedia.org/wiki/Operations_support_system
- Wikipedia contributors. ”General Packet Radio Service”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 17]. Available from: http://en.wikipedia.org/wiki/GPRS.
- Wikipedia contributors. ”General Packet Radio Service - Services offered”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Services_offered.
- Wikipedia contributors. ”General Packet Radio Service - Protocols supported”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Protocols_supported.
- Wikipedia contributors. ”General Packet Radio Service - Hardware”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Hardware.
- Wikipedia contributors. ”General Packet Radio Service - Addressing”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Addressing.
- Wikipedia contributors. ”General Packet Radio Service - Coding schemes and speeds”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Coding_schemes_and_speeds.
- Wikipedia contributors. ”General Packet Radio Service - Coding schemes and speeds”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 18]. Available from: http://en.wikipedia.org/wiki/General_Packet_Radio_Service#Multiple_access_schemes
- Wikipedia contributors. ”Um interface”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 14]. Available from:http://en.wikipedia.org/wiki/Um_interface.
- Wikipedia contributors. ”Um interface - Traffic channels (TCH)”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 15]. Available from:http://en.wikipedia.org/wiki/Um_interface#Traffic_channels_.28TCH.29.
- Wikipedia contributors. ”Um interface - Dedicated Control Channels (DCCHs)”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 15]. Available from:http: //en.wikipedia.org/wiki/Um_interface#Dedicated_Control_Channels_.28DCCHs.29.
- Wikipedia contributors. ”Um interface - Common Control Channels (CCCHs)”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 15]. Available from: http: //en.wikipedia.org/wiki/Um_interface#Common_Control_Channels_.28CCCHs.29.
- Wikipedia contributors. ”Um interface - Allowed channel combinations”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 15]. Available from: http://en.wikipedia.org/wiki/Um_interface#Allowed_channel_combinations.
- Wikipedia contributors. ”Um interface - Radio channel establishment”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 16]. Available from: http://en.wikipedia.org/wiki/Um_interface#Radio_channel_establishment.
- Wikipedia contributors. ”Um interface - Location updating”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 16]. Available from: http://en.wikipedia.org/wiki/Um_interface#Location_updating.
- Wikipedia contributors. ”Um interface - Mobile-originating call (MOC) establishment”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 16]. Available from: http://en.wikipedia.org/wiki/Um_interface#Mobile-Originating_Call_.28MOC.29_establishment.
- Wikipedia contributors. ”Um interface - Mobile-terminating call (MTC) establishment”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 16]. Available from: http://en.wikipedia.org/wiki/Um_interface#Mobile-Terminating_Call_.28MTC.29_establishment.
- Wikipedia contributors. ”UM interface - Call clearing”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 21]. Available from: http://en.wikipedia.org/wiki/Um_interface#Call_clearing.
- Wikipedia contributors. ”UM interface - Mobile-Originated SMS (MO-SMS)”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 21]. Available from: http://en.wikipedia.org/wiki/Um_interface#Mobile-Originated_SMS_.28MO-SMS.29.
- Wikipedia contributors. ”UM interface - Mobile-Terminated SMS (MT-SMS)”. Wikipedia, The Free Encyclopedia, 2014 Jul 07, 10:07 UTC [cited 2014 Jul 21]. Available from: http://en.wikipedia.org/wiki/Um_interface#Mobile-Terminated_SMS_.28MT-SMS.29.
- Wikipedia contributors. ”Um interface - Um security features”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 17]. Available from: http://en.wikipedia.org/wiki/Um_interface#Um_security_features.
- Wikipedia contributors. ”Um interface - Authentication of subscribers”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 17]. Available from: http://en.wikipedia.org/wiki/Um interface#Authentication of subscribers.
- Wikipedia contributors. ”Um interface - Um encryption”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 17]. Available from: http://en.wikipedia.org/wiki/Um interface#Um encryption.
- Wikipedia contributors. ”Um interface - Anonymization of subscribers”. Wikipedia, The Free Encyclopedia, 2014 Jan 14, 18:26 UTC [cited 2014 Jul 17]. Available from: http://en.wikipedia.org/wiki/Um interface#Anonymization of subscribers.