GSM Bible

Copyright 1991, Michael Clayton All Rights Reserved No part of the contents of this document may be reproduced or distributed
in any form or by any means without the prior written permission of the author, or Security Domain Proprietary Limited.
GSM Bible
GSM - Global System for Mobile Communications
INTRODUCTION2
The purpose of this report is to describe in easy terms what GSM is and how it operates. It is intended that it will provide both management and technical staff with an understanding of the services that GSM can provide, the components that make up a GSM network and the way that these components interact. As such, it should be of benefit to all organisations that have a direct or indirect involvement with mobile communications, whether as service operators, providers, equipment manufacturers, vendors, consultants, regulators or, most importantly, users. Each major section begins with a high level overview of the subject, before descending into lower level technical descriptions. This is to allow readers to glean overview information about particular subjects or to use the document as a reference guide without having to wade through technical descriptions.
1.
Disclaimer3
GSM is still evolving and will continue to do so for a number of years. While the majority of the initial work to enable the system to function has been completed, subsequent services are being defined that may require a change in the operation as specified at the end of the Phase 1 work schedule. As a consequence, it should be noted that while every effort has been made to ensure the accuracy of the information within this document, the author, contributors, publishers and sponsor, in particular Security Domain Proprietary Limited and the sponsor of the report, Telecom Australia, their associates, employees and agents, are not responsible for errors or omissions, actions, or the results of any actions, taken or omitted to be taken upon the basis of information in this document. The author, contributors and publishers expressly disclaim all and any liability (whether arising by reason of negligence or otherwise) to any person or corporation whether in receipt of this document or not, in respect of anything and the consequence of anything done or omitted to be done in reliance, whether whole or partial, upon the whole or any part of the contents of this document. This document is produced as a guide only and for up to date changes, reference must be made to the documentation produced and issued by the European Telecommunications Standards Institute (ETSI).
1.2
Conventions Used4
This report follows, as far as possible, the conventions used within GSM
Copyright 1991, Michael Clayton
Page 1
GSM - Global System for Mobile Communications recommendations. This is done to ensure a familiarity with the terms used if the reader subsequently refers to the recommendations. Also, it should be noted that there is often an important distinction between two apparently similar terms or entities used within GSM, which may confuse the reader. Some of the more important ones are: Subscriber Identity Module (SIM) A Subscriber Identity Module is a smart card which holds all the information required to identify a particular subscription to a mobile service. Mobile Equipment Mobile equipment constitutes a device which has the ability to communicate with the GSM network, but which does not hold any subscriber related information. Mobile Station: A piece of mobile equipment with a valid Subscriber Identity Module (SIM) inserted is termed a Mobile Station. The distinction in this case is that a piece of Mobile Equipment cannot (ordinarily) make or receive calls, since no subscription information (stored in the SIM) is available. The insertion of a valid SIM into the mobile equipment, to make a Mobile Station, is required to enable accesses to the GSM network. PLMN: The GSM Network is termed a Public Lands Mobile Network, or `PLMN. In many GSM documents, references are made to the term network and the term PLMN, the meaning of which is dependent on the context. In this report the term PLMN refers to a GSM network only. Distinctions between different PLMNs is made by refering to the Home PLMN or HPLMN (the network which holds the subscription to the service) and Visited PLMN, or VPLMN (any roamed-to network). Network Operator: The term Network Operator refers to the Operator of a GSM PLMN. It is possible that this Network Operator could also be the operator of more than the GSM PLMN, but for the sake of clarity, in this report the term only refers to GSM. Reference to Operators of non-GSM networks, is made using the network type, i.e. Public Copyright 1991, Michael Clayton
Page 2
GSM - Global System for Mobile Communications Switched Telephone Network (PSTN) Operator. Where other important distinctions exist, they are indicated in the text. For further information see the glossary of acronyms at the end of this report.
Page 3
GSM STRUCTURE5
This section deals with the route by which the present GSM offering was reached. Much can be gleaned from analysing the history of how it grew, particularly in respect of the relationship between GSM and other technologies, present and future.
2.1
The Cellular Radio Concept6

In the early eighties, the concept of commercial cellular radio evolved. Prior to cellular, radio phones were limited to just the one transmitter covering a large area. While this was sufficient for pioneer users who needed to be specifically trained to use it, the service could not be sold to any great extent because of the limited capacity, the high cost, and the poor quality. Cellular radio differs from the radio phone service because, instead of one large transmitter, many small ones are used to cover the same area. Each has limited power output so that the coverage of one transmitter is restricted to a small area, known as a Cell. As a result, one of the first problems to solve is what happens when a person using the phone in one cell moves out of range of that cell. In the radio phone service there was no solution and the call was lost, which is why the service area was so large. In cellular the problem is solved by handing the call over to the next cell. This process is totally automatic and requires no special intervention by the user, but it is a complex technical function requiring significant processing power to achieve a quick reaction. Another reason for using small cells and limiting the power output from each, is to reduce the interference by one cell on others around it. In doing this, the available frequencies could be quickly used up, but this is avoided by allowing non-adjacent cells to use the same frequency. As long as they are far enough apart not to cause each other interference, the same frequencies can be re-used many times. So the service is a very efficient user of what is a limited resource, the RF spectrum. Once this was realised, the capacity of the cellular system could increase enough to make it a commercially viable proposition. Cellular systems sprang up around the world, but it was in Europe that the potential of cellular was most fully realised. Frequency Re-use in GSM2
Figure 1:
Page 4
GSM - Global System for Mobile Communications In the Scandinavian countries, and the United Kingdom (UK), the latent demand consistently outstripped predictions. Soon the networks were becoming congested, and the quality of service suffered. What was needed was a new system which had increased capacity and was versatile enough to incorporate any foreseeable future advances in telecommunications technology.
2.2
GSM Standardisation7
Over the period of evolution for cellular many different systems were born. In America the Advanced Mobile Phone Service (AMPS) was used, and in the Scandinavian countries the Nordic Mobile Telephone (NMT) system was devised. In the UK the AMPS system was adopted with some adaptions, and called Total Access Communications System (TACS). In France their system was called RC2000 and in West Germany (as it was then) the system was called NETZ-C. European Participants in GSM14
Figure 3:
Proponents of each different system tried to get their system adopted around Europe, with the result that small pockets of similar cellular networks grew. The significance of this was that each pocket was isolated from the next because the fundamental technical differences in the systems precluded roaming between them. The Scandinavian countries of Norway, Sweden and Finland led the way by showing how restrictive this situation was. Within the Scandinavian pocket of NMT in 1981, limited international roaming allowed subscribers from one country to use the cellular network of another. This was seen as a breakthrough because international roaming could open up the European markets, by reducing the dead time while travelling, especially within Europe. This would be even more important if a subscriber could receive calls on a different mobile network. At the same time Europe was consolidating into "One Market" and part of the process was to ensure an overall telecommunication standards policy, allowing universal interconnect. The force of such a move was apparent in the size of the potential market. It soon became clear that a similar policy could easily be applied to cellular, but the key to its success had to be standardisation of the many formats available, into one. Hence, in 1982, the Confrence Europanne des Administrations des Poste et Tlcommunications (CEPT) set up a group to study this harmonisation of a panEuropean cellular system. The group was named Groupe Spcial Mobile, from which the initials formed the acronym GSM. This initial mandate was to standardise the frequencies for use in cellular radio, but the work quickly moved on from there.
Page 5
GSM - Global System for Mobile Communications 2.2.1 Concept of GSM The aim of a GSM Public Lands Mobile Network (PLMN) is to ensure that, wherever the subscriber goes within coverage of a GSM system in any country, service will be available using just one subscription to GSM and one number, with all the charges referred back to this home subscription and charged in the home currency. This is no small task, since it involves many countries who wish to run autonomous national PLMNs. The minimum requirement to enable this international roaming was for these GSM PLMNs to be able to talk to each other, and for the mobile phones to be able to access any GSM PLMN. One way this could be done would be to define the interface between PLMNs and between the mobile phones and the PLMN, and then let each country and national Network Operator do what they wanted in between. The problem with this solution was that a consistent GSM service could not be guaranteed. The same service in different countries could look and act totally differently, confusing the subscriber. This was unacceptable and so it was stipulated that the GSM service, as a whole, should be uniform across all GSM PLMNs. There was only one way this could be achieved and that was to design a completely new network which was acceptable to all member countries and adopted by them. The adoption of GSM was taken care of by a GSM Memorandum of Understanding mentioned later, but it was up to the standards committees of CEPT to ensure the acceptability of GSM. Since the scope of the work was broad, four working parties were set up to ensure that all aspects of the study were covered by the most appropriate and expert people. These working parties are made up of interested members of CEPT, and later the European Telecommunications Standards Institute (ETSI) and range from operators of telecommunications networks, to manufacturers of telecommunications equipment. By this co-ordinated approach, the best solution possible was adopted and where compromises were inevitable, the most acceptable route was always taken.
2.3
ETSI-GSM8
The work continued under the control of the CEPT until 1988, when the European Telecommunications Standards Institute (ETSI) came into being. It was decided that GSM should be moved to ETSI, in line with the unified approach to telecommunications occurring in other fields, such as Integrated Services Digital Network (ISDN). A Project Team (PT12) was, therefore set up in ETSI to coordinate and support the work done in the working parties. Like most of the Project Teams within ETSI, PT12 is mainly made up of employees of ETSI members on secondment to ETSI.
Page 6
GSM - Global System for Mobile Communications 2.3.1 The Role of Working Parties The design procedure adopted by ETSI-GSM is that of a top-down approach. As a consequence, the definition of GSM standards normally starts with GSM1. This group, called the Services and Facilities group, defines the requirements for the system, ranging from the types of bearer services and supplementary services, to the facilities required to ensure that security is maintained. An important sub-group to GSM1 is the Subscriber Identity Module Expert Group (SIMEG). This group reports to GSM1 and concentrates on all aspects of the Subscriber Identity Module (SIM), the smart card used in GSM. The next working party is GSM2 named the Radio Interfaces group, which deals with the low level radio sub-system required to support GSM. Its work ranges from defining the types of channels needed for GSM to the channel coding used over them. The responsibilities of GSM3 are concerned with PLMN signalling, and it is divided into three distinct areas. Working party A is concerned with the signalling required for Mobile Station control (access, paging, location updating, etc.) Working party B is concerned with the signalling necessary within the PLMN and working party C deals with the supplementary service signalling requirements. Finally, GSM4 controls the data applications of GSM. These range from the requirements of standard synchronous and asynchronous data to specialised data applications such as the Short Message Service (SMS). This group holds an important responsibility, for it must design GSM to allow data to be transmitted with ease across the PLMN. When this is achieved, a potentially large market will be opened up for GSM. The work done in these groups is by no means complete. A frozen set of some 137 specifications exists for phase one of GSM, but there is much still to be done for phase two. New services have been outlined, which will utilise the existing system, and will considerably enhance the versatility of GSM. Indeed, in some cases, the services to be offered will exceed those offered in fixed ISDN telephone networks.
2.4
The GSM Memorandum of Understanding9

As work on the standards progressed, some of the parties involved began to realise that the potential of this technology was dependent on the universal adoption of GSM. Agreements sprang up between interested parties, the first being between Italy, France and West Germany in 1986. Very soon thereafter, the United Kingdom (UK) was added, and in 1987 a full Memorandum of Understanding (MoU) was signed by 13 members of GSM. At present the number of signatories is 22, but there are several potential additions.
Page 7
Figure 5:
The countries within Europe which are taking GSM6
The aim of the MoU is to ensure that GSM becomes a commercial product. As a consequence, one of the conditions of the MoU is an agreement to implement GSM within a particular timescale. The timescale set for start of services is by January 1st 1992, with an agreed list of services to be supported. In addition, several other dates have been identified, which correspond to the implementation of remaining services. However, there is no reason why these services can not be implemented prior to the dates set. The MoU is not a legally binding document. At the time of writing this report, some signatories have stated that they will not meet the deadline, but conversely some signatories have started service already. The apparent delay by some should be viewed in the light of the size and quality of the existing analogue networks, run by those signatories. It should also be noted that all signatories have emphasised that they are committed to the implementation of GSM. 2.4.1 MoU Sub-Groups Just as in the ETSI standards body, where the work is broken up into expert groups, so it is with the Memorandum of Understanding (MoU). These groups meet regularly and report back to the MoU Plenary. The MoU is essentially the commercial arm of GSM, and so under it come issues such as billing and type approval. However, commercial issues often impact on the technical specification (and vice versa), and so members of these Rapporteur Groups must understand the technicalities of GSM. As a consequence a close working relationship between ETSI and the MoU is maintained, sometimes to the extent that representatives attend both areas. A broad range of issues are covered by the MoU sub-groups, a list of which is shown in Annex 2. Some groups are more active than others at this stage of the implementation, but it is expected that all will have a major part to play in the near future.
Page 8
OTHER TECHNOLOGIES10
GSM is not alone in providing greater freedom for the mobile subscriber. There are other technologies which are in the process of being defined, or which are already in operation. This section deals with the most prominent ones.
3.1
GSM and Cordless Telephony11

Cordless Telephony is a technology which developed entirely separately from cellular and was designed for a different market. However, when it first hit the market there was no cellular alternative which tended to limit its possibilities. With the introduction and subsequent growth of demand for mobile communications as a result of cellular, cordless telephony took on a new impetus. Indeed, once some evolution had occurred, it was even seen as a cheaper alternative to cellular. An example of how this occurred can best be seen from examining the United Kingdom experience. During 1979, the United Kingdom (UK) saw the first cordless phones as illicit imports. People took to them immediately and by 1981 the flourishing black market came to the attention of the national operator, British Telecom (BT) and the government radio regulatory authority, the Department of Trade and Industry (DTI). The problem with the illicit phones was that the frequencies they used were already allocated for marine and broadcast television use, and these phones caused troublesome interference. Furthermore, the quality of speech was not good and there was no dialling security meaning that other people could easily use your account. These last two failings were perhaps two of the main reasons why British Telecom (BT) decided to take action, since invariably the operator was blamed for poor quality and disputed accounts. In pragmatic fashion, British Telecom (BT) in conjunction with the DTI devised a new specification for cordless telephony which would correct the deficiencies of the illicit phones and yet be competitive in price. This specification was called Cordless Telephony 1 (CT1), and in 1983 the product reached the market. It is worth noting at this point that, with the exception of France, the rest of Europe had adopted a different solution under the auspices of the CEPT. The differences between these systems are fundamental, but the main ones of note are the different frequencies used and the way channels are allocated. In CT1, the frequencies used are 1.7 MHz and 47.5 MHz, compared with the 914-960 MHz of the CEPT system. Also, in the CEPT system, the channels are allocated dynamically on a per call basis. Some of these features were thought to be
Page 9
GSM - Global System for Mobile Communications advantageous, and were subsequently adopted in the next generation of UK cordless phones - Cordless Telephony 2 (CT2). 3.1.1 Cordless Telephony 2 (CT2) The release of the CT1 phones solved the immediate problems with cordless telephony, but it was realised that another problem would soon become apparent. CT1 only allowed for 8 channels, and despite the limited range of 100m it was seen that, in urban areas, congestion would occur. Hence, British Telecom, again in conjunction with the DTI, set out to devise the next generation, CT2 at 864 MHz. As one might expect, the underlying technology was digital, since this is the most spectrum efficient commercially available technology at present. The exact details of the format of CT2 and how it works are outside the scope of this report, but it should be noted that it is substantially different to GSM. While CT2 may use a similar RF transmission format to GSM (Time Division Multiple Access (TDMA)), a great deal of the control is maintained in the handset in CT2 whereas in GSM this is done in the PLMN (Public Lands Mobile Network). It must be emphasised that CT2 was originally designed as an extension to the existing domestic fixed telephone line. However, as work progressed, it became apparent that there was another dimension to the CT2 technology, that of Telepoints. 3.1.2 Telepoints The scenario for Telepoints started from the versatility of CT2. A normal cordless phone package would comprise a base site and a matching mobile phone. With CT2, an added feature was the ability to add more handsets to the one base site, or perhaps to add temporarily a visitor's handset to the existing base site. It was only a short step from there to providing public base sites, for owners to log-on with their own phones and make outgoing calls. To be allowed to do this, a subscription was necessary with all call charges being billed directly to the user. It was an exciting time for cordless telephony, with several companies vying for a licence to operate such a service. It was seen as a cheap alternative to cellular which could be aimed at the domestic market. It is therefore ironic that the original concept, of a next generation cordless phone as an extension to the domestic line, was left by the wayside in the rush. However, there were still some problems to be resolved. British Telecom was not the only company concerned with CT2; Ferranti, Shaye, Motorola, and GPT were also involved and came up with a similar specifications to British Telecom (BT) and submitted then to the Department of Trade and Industry (DTI) which was required to adjudicate and choose between the competing systems. The result was Page 10 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications a compromise, since many of the companies went ahead with their own solution in any case. A clause was added to the licenses stipulating that they must be operating on a common standard by the end of 1990. The interested companies got together, and eventually came up with the Common Air Interface (CAI) which all agreed they would implement in time. In the meantime, both British Telecom (BT) and Ferranti put together consortia and both received a licence, with a third consrotium led by Mecury and fourth going to an independent consortia. Three operators, Phonepoint (BT consortium), PhoneZone (Ferranti consortium) and Callpoint (Mercury), started service with proprietry technology, whilst the fourth, Rabbit (formerly a Barclays/Phillips/Shell consortia which sold out to Hutchison Telecom), decided to wait for the emergence of the CAI technology. However, Telepoint has not fullfilled the potential which was forcast for it. Indeed, at the time of writing the status on Telepoint is that both Phonepoint and Callpoint have suspended operation (possibly indefinitely), ZonePhone has been sold and has an uncertain future and Rabbit has not started service. This situation is the direct result of the slow takeup of the service resulting from a poor perception in the market place. This in turn, is a result of the perceived problems with Telepoint, which are that it cannot receive incoming calls or perform handover. These shortcomings are in the process of being resolved both in the UK and in Europe, which may spearhead a new release of Telepoint. In Australia, with the Public Access Cordless Telephony Service (PACTS) it is expected that support of handover will remain restricted. However, from the UK perspective, the only thing required to complete the evolution of the CT2 standard, was adoption of it within Europe. After much selling in several forums this failed. Instead, CEPT invented their own cordless telephony standard. 3.1.3 Digital European Cordless Telephone (DECT) The European initiative in cordless telephony was begun in 1988. The CEPT decided that the Digital European Cordless Telephone (DECT) standard should not be based entirely on the UK CT2 (CAI) or the so called CT3 standard developed by the Swedish company Ericsson. Instead, the DECT standard was developed to incorporate the best of these two standards. The technology adopted by DECT is Time Division Multiple Access (TDMA) which is similar to that used in GSM and is described later in this report. However, while GSM is designed for diverse conditions and can cope with high interference factors, DECT is specifically designed for less demanding radio environments. Therefore, there is little provision of the complex features found in GSM to cope with dynamic reflections of signals, or the Doppler effect of fast moving mobiles.
Page 11
GSM - Global System for Mobile Communications Coupled with this is the low range of DECT. It is expected that DECT will operate in the 1.88-1.9 GHz frequency spectrum, at a power of approximately 250mW. (GSM has a maximum power limit of 20W). The range has been put at 500m (optimistically) to 100m (realistically). Some major differences to GSM are evident in the way DECT works. Whereas GSM employs pre-planned frequency allocation for each base site, DECT has a pool of frequencies and dynamically allocates them (as in CT2). The user's handset, in conjunction with the base site, automatically searches for a free channel which it seizes for the duration of the call. Once the call is finished, the channel reverts to the pool for general use. In Australia the Public Access Cordless Telephone Service (PACTS) is seen as a tethered radio technology insofar as inter-cell handover will not be allowed, whereas DECT will have this feature available as part of the standard. Handover is another area where DECT differs from GSM, because in DECT the handset defines when a handover should occur. In GSM, the PLMN makes that decision based on information provided by the Mobile Station. Finally, it should be remembered that DECT, like CT2, can also be used as an extension to a domestic fixed line or an office PABx (Private Automatic Branch Exchange). The use of DECT in the office could be an exciting application of cordless technology.
3.2
GSM and Personal Communications Networks (PCN)12

At the start of cellular service in 1984 in the United Kingdom, there was a huge latent demand. Nobody quite realised that such meteoric growth would occur, not least of whom were the Operators who had trouble keeping up with demand. The British Government were watching the scene with great interest, especially the profits being made. In effect, the demand for cellular radio was used to justify the decision to deregulate the telecommunications industry and introduce competition. However, the quality of service was not always what it could have been and one excuse given for this was the lack of spectrum available. If more cells are put in to cover the same area, the size of the cell has to be reduced. There is a practical limit to how small the cell can be since, in urban areas, signals can travel much further than desired due to reflections off buildings. While it is technically possible to overcome this, it is costly. Another way to squeeze more subscribers onto the cellular network is to increase the spectrum available and put more channels in. To this end, the Government negotiated for a temporary extension to the spectrum which was called Extended TACS (ETACS), where TACS stands for Total Access Communications System, the existing analogue network. Despite the success of TACS, the penetration of cellular radio into the United
Page 12
GSM - Global System for Mobile Communications Kingdom (UK) is quite low, at approximately 18 phones per 1000 head of population compared with Scandinavia where it is approximately 42. In Australia, it stands at approximately 15. The potential market was still large, but it was evident that the 900 MHz spectrum would not be large enough to cope with demand. Though there was little knowledge at the time on the effect the increased capacity of GSM might have on the cellular penetration, the Government decided to open up a new spectrum to allow further competition. This was in the range of 1710 MHz to 1900 MHz (~1.8 GHz), in line with the International perception that future mobile systems would operate at around 2 GHz. The emphasis of the Government was to open up the domestic market, or to provide residential delivery, to use their phraseology. Also, because of the nature of the 1.8 GHz spectrum, small handsets were seen as viable and this gave rise to the idea of personal communications carried in the pocket. These small mobile phones would work on a network specifically designed for them and this in turn gave birth to the Personal Communications Network (PCN). The British Government published a consultative document called Phones on the Move, and invited comments. Three things arose from this. First, it was evident that PCN had real potential which could be pursued immediately, or so it seemed at the time. Secondly, it was overwhelmingly thought that PCN should be based on a European standard and lastly, there was no real consensus at the time, as to what PCN really should look like. It is this last point which gives rise to much of the confusion over PCN that exists today. However, while the discussions continued about what PCN should be, there was work to be done to define what the technical content of it would be. The second point regarding a European standard was adopted, but should it be a new standard or an existing one? The timescales envisioned for PCN meant that an existing one had to be used, with the choice between GSM and DECT. The newly licensed British PCN Operators unanimously chose GSM. 3.2.1 Digital Cellular System (DCS 1800) The next step was to get it agreed in Europe which was not an easy task. The initial idea for PCN was to set up a sub-group within European Telecommunications Standards Institute (ETSI), separate from GSM. This fell on deaf ears for the simple reason that Europe was not convinced that Personal Communications Network (PCN) was really required. GSM was expected to open up the different market segments at which PCN was aimed. In most European countries, the analogue cellular networks had not attracted subscribers in anything like the numbers experienced in the United Kingdom. The question most asked of the PCN Operators was what the actual difference was between PCN and GSM and, in the end, the only tangible difference was the frequency used. There are some advantages to using the 1.8 GHz frequency for mobile communications, not least of which is its short range. Higher frequencies tend to Copyright 1991, Michael Clayton Page 13
GSM - Global System for Mobile Communications be attenuated quickly, but are reflected more easily, and this gives rise to containment of the RF signal to very small cells: micro-cells. Notwithstanding the marketing motivations for PCN, here was an advantage that could be utilised, and so it was decided to allow work to be done within the existing GSM working parties. To distinguish this work from the GSM work, it was called Digital Cellular System 1800 MHz, or DCS1800. It should be emphasised that there is no real difference, other than the frequency used, between GSM and DCS1800. The DCS1800 standard constitutes the GSM recommendation set, with 11 extra supplemental recommendations called Delta recommendations. However, there is a difference with regard to PCN that is worth noting. The roll out of DCS1800 (to form the PCN network) requires many more cells than GSM at 900 MHz. A figure of 2.7 times as many DCS cells than GSM cells to cover the same area, has been quoted. This is due to the limited range of 1.8 GHz, and makes DCS1800 expensive to implement, a lesson learnt by the PCN Operators. The solution to this was to introduce infrastructure sharing, not to be confused with roaming, which is also available for DCS1800. For roaming, the subscriber must choose which network to use, when outside the coverage of the home network. Infrastructure sharing involves an interconnection of two different networks, so that the subscriber can move from one to the other without knowing it, while appearing to stay on the home network. The idea behind this is to ensure that DCS1800 rolls out more quickly, by allowing different Operators to cover different areas, and to share each others coverage. Obviously, this applies more to the less profitable areas, since all Operators will cover the profitable areas. Also there must be agreements between the Operators and the Government to ensure that fair play occurs. However, the advantage to using this technique is that the cost of rollout is reduced in the short term, making DCS1800 more economical and possibly more competitive with some existing analogue networks. Even so, there is no real reason why GSM at 900 MHz cannot offer PCN services, and indeed some GSM Operators have said they will do so. Hence, PCN really will have to be marketed well before it realises its full potential. 3.2.2 What really is PCN? It has been mentioned that PCN can mean all things to all people, but effectively, from the author's point of view, it is a concept - an application of sophisticated marketing utilising the best of technology, at a competitive price. The key is the mass market and concentrating on this aspect is the most effective means of describing how it could be applied. Take a sample family of two adults and some children. Each of the members has a Mobile Phone which, when used around the home, is billed to the domestic Page 14 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications account. The analogy with what exists at present is a house with a cordless phone base site and several handsets. Indeed this is one way of implementing PCN around the home. However, a far more cost and frequency effective method is to use a micro-cell to cover a housing estate, for instance. In this way a charge, only slightly higher than domestic charges, would increase the range of communications for that family. The children could be reached at the playground or at school, and the adults could receive calls while at the local shops. It is envisaged here that each phone has a different telephone number, or sub-number attached to the domestic home number. When one, or both, parents commutes into work by car or train, then their phone would incur an extra subscription charge and higher call charges for those calls made while travelling. The possibility exists here for the phone to be put into an adapter, and in so doing utilise a different, and more suitable network. One of the difficulties with DCS1800 is that because of the smaller cells, more processing power is required for handover when travelling at speed. The 900 MHz spectrum is less prone to the speed limitation, since it does not need to handover quite so often. On arrival at the place of work, the same phone can then become the office phone, using the office number. Calls to the personal number still get through but in addition, business calls are also directed to that phone. There could be a process of logging-on to the business service, which could act as a clocking in reference, or it could be set up on a time basis wherever the subscriber is located. The timed logging-on may well be particularly appropriate for sales teams. In conjunction with the service offered, each member of the family would have a phone best suited to their needs. For instance, the children could have a phone limited to a few set numbers, such as parents, doctor, school, and some friends. The parents could have more sophisticated models, but all could be easily updated by buying new equipment and inserting the Subscriber Identity Module (SIM), for that person. With a little imagination, any service could be tailored to any need, but the key must be the mass market and economies of scale. As a rough estimate, the cost to implement some 500 DCS1800 cells in Europe, is put at about A$650 million. A great many calls must be made to pay back an investment such as that, and even then it is a long term return. It could be that a PCN as described above will come as an amalgamation of several existing services, such as GSM, DCS1800 and Digital European Cordless Telephone (DECT). However, eventually the service will come. In the meantime, GSM marks one of the first steps towards it.
Page 15
3.3
International Rivals to GSM13

There are two main rivals to GSM in the international arena. In America, the extreme lack of available spectrum to introduce a new cellular standard has forced the USA to focus development on a digital enhancement to the existing analogue standard. Called Digital Advanced Mobile Phone Service (DAMPS), it is based on an interleaving of digital technology into the analogue spectrum. The increased capacity is expected to quadruple the channel usage that is possible with Advanced Mobile Phone Service (AMPS), though there have been some problems keeping the interference between the two technologies to an acceptable level. This is expected to be an issue in the future since some analogue channels will be retained to continue to allow inter-operator roaming, using dual mode mobile phones. The other contender is a Japanese system proposed by the Japanese state operator NTT. It is yet to be seen what form the overlay of a digital network onto the present analogue network will take, but the solution may be shortlived. The acutely limited spectrum available in Japan will probably be saturated by 19941995, and so the digital system could well be transplanted to 1.5 GHz. Indeed, such is the demand for spectrum in Japan that the new cordless telephone services could be introduced directly at 2.6 GHz.
Page 16
GSM COMPONENTS14
The complete GSM Public Lands Mobile Network (PLMN) is an extremely complex machine. It can be likened to a complete fixed telephone network, with the addition of a radio subsystem on the end to provide the mobility function. It is not surprising, therefore, that it is broken down into various functional layers dealing with specific areas. At the lower level of the PLMN is the radio subsystem, which provides radio coverage of a GSM service area. It is from within this specified coverage area, using the appropriate Mobile Station (MS) or mobile phone, that the subscriber can make calls. A limited resource, namely the radio channels, must service this large area, which could not be done unless the channels were used as efficiently as possible. In GSM, part of this efficiency is achieved by using standard cellular technology and providing many transmitters each with a limited transmitter power, so that the Radio Frequency (RF) signal does not travel very far. It is by doing this that the same RF channel can be used many times over in non-adjacent transmitters without much interference. The areas covered by the limited range transmitters are the radio cells of the system, each one serviced by a base site. Since the point of cellular radio is mobility, allowance must be made for the subscriber to move from cell to cell and still obtain, or continue to use, the GSM service. Consequently, there is a requirement for tracking of subscribers and handover of an ongoing call to the next cell. This is dealt with by the second layer of a GSM PLMN, the switching function. It is similar to that function found in a fixed telephone network, but with more versatility. This is provided by Mobile Services Switching Centres (MSCs). Finally, in order to monitor the status of particular mobile subscribers as they travel across the PLMN, information on them needs to be stored in a central place for easy access. This is done using Location Registers.
4.1
Base Station System (BSS)15

The Base Station System (BSS) constitutes the function used to give radio coverage for one particular, or a number of, cells. Radio traffic passes between the BSS and the Mobile Stations (MS) on the radio uplink (Mobile Station to PLMN) and the downlink (vice versa), to provide communications. The purpose of the BSS is to manage all aspects of this RF uplink and downlink. It allocates the channel for each Mobile Station to use for calls, and dictates the power each should use. It then monitors the link between them and finally
Page 17
GSM - Global System for Mobile Communications controls the release of the channel when the call is over. This last function would be in response to a command from the Mobile Services Switching Centre, either because the call has ended or the subscriber has been handed over to continue the call in another cell. The BSS also carries out the encryption of all data being transmitted, using an encryption key, which is also passed from the Mobile Services Switching Centre. A similar encryption function takes place in the Mobile Station. Other ancillary functions of the BSS relate to ensuring that the cells are run efficiently. Consequently, it defines the configuration of radio channels in respect of their use as traffic channels or signalling channels. It also collects data on the measurements of adjacent cells which are made by the mobile station and transmitted to the PLMN. These are analysed by the BSS to find out which cells the call could successfully be handed over to and the result is passed to the Mobile Services Switching Centre (MSC). This information is then used by the MSC to determine when it is appropriate for that Mobile Station to be handed over. When a handover is required, it is normally ordered by the Mobile Services Switching Centre, and simply controlled by the BSS. However, there is an option for a Network Operator to allow the BSS to perform autonomous internal handovers between different channels on the same cell, or between cells controlled by the same BSS. This may be required where a channel in use would be more appropriately used by another Mobile Station. The Base Station System is broken down functionally into two component parts, that of a Base Station Controller (BSC) and a Base Transmitter Station (BTS). A third part, the Transcoder, is normally associated with the BSS.
Figure 7:
Base Station System Configuration8
4.1.1 Base Station Controller (BSC) The BSS can control one or more cells. The Base Station Controller is the function within the BSS that controls the transmitter/receiver units within a BSS, which correspond to the cells. 4.1.2 Base Transmitter Station (BTS) The Base Transmitter Station (BTS), constitutes the physical equipment required to communicate with the Mobile Station. For each cell there is a BTS, and a number of these BTSs will be linked to a Base Station Controller, forming a Base Station System.
Page 18
GSM - Global System for Mobile Communications 4.1.3 Transcoder The nature of the encoder used to change speech into digital signals within GSM, is different from that used by fixed networks. On the fixed telephone network, the analogue speech is directly encoded into digital data as if it were a sound like any other. In GSM, the encoder has been designed to encode just speech, using particular characteristics of speech which allow the amount of data to be reduced. This means that a higher data capacity must be provided by the fixed network than is available in GSM. Because of the difference, a transcoder is used to change GSM speech data into fixed network speech data, for transmission over fixed lines. This function could be carried out at the BSS or at the Mobile Services Switching Centre, but in GSM, it is normally considered a part of the BSS irrespective of its geographical location.
4.2
Mobile Services Switching Centre (MSC)16

The Mobile Services Switching Centre (MSC) can be thought of as the interface between radio part and the fixed, or transit, part of the GSM Public Lands Mobile Network (PLMN). In some cases, it is also the interface between the GSM PLMN and other networks. As in the fixed network, GSM needs to route calls through the network by switching them to the correct destination. What makes the Mobile Services Switching Centre (MSC) different from switches in the fixed telephone network, is that the MSC must cope with the mobility of the subscriber. In the fixed telephone network, a dialled number will always be associated with a fixed location, but in GSM the dialled number is associated with a subscriber who could be anywhere. In order to make this task a little more orderly, each Mobile Services Switching Centre (MSC) has a service area under its control, containing several Base Station Systems (BSS). Within this area the MSC controls all the switching functions for Mobile Stations located in any of the cells, for incoming and outgoing calls. MSC Configuration10
Figure 9:
In addition, because of the mobility requirement of the Mobile Stations, the MSC has to perform extra functions on top of pure switching. These are concerned with monitoring of radio resources, and dictating when and where handoffs are to occur. The MSC must also register and update information kept in central storage entities. Since there is no guarantee that the Mobile Station will remain in one Copyright 1991, Michael Clayton Page 19
GSM - Global System for Mobile Communications place for any length of time, a note of its location is kept in a central storage entity. Any MSC trying to find a Mobile Station is able to go to the storage entity, get the location and then route through to it directly and quickly. This information is stored locally in a Visitor Location Register (VLR), and centrally in a Home Location Register (HLR). 4.2.1 Gateway MSC The configuration of a GSM PLMN can vary, but whatever form the PLMN takes, it is possible for calls to come into it from many different points. To deal with this, calls may be fed into the PLMN at the most convenient point, or into a few central points for distribution. Irrespective of the choice, it is unlikely that the operator of a PLMN will allow direct interrogation of the sensitive subscriber data stored in the Home Location Register. What is needed is an entity to act as a buffer, and it falls to the MSC to fulfil this function. When an MSC is used in this way, it is termed a Gateway Mobile services Switching Centre (GMSC).
Figure 11: Gateway MSC Configuration12
The choice of which Mobile Services Switching Centres (MSC) can act as Gateway MSCs is left as a national matter, or Network Operator option. However, it should be noted that there is nothing special about a GMSC and it is equally possible for all MSCs to act as Gateway MSCs, or for only a designated few to fill that role. The difference only comes down to the provision of an external link, with the interface being a commercial matter agreed between the Operators of the PLMN and the connecting network.
4.3
Visitor Location Register (VLR)17

Associated with each MSC is a Visitor Location Register. This is a database which temporarily stores information on each Mobile Station within all the MSC areas served by that VLR. The size of the VLR and the number of Mobile Stations stored will dictate whether a VLR serves just one MSC or several MSCs. The information stored in the VLR is temporary, and is only that required to enable the Mobile Station to make and receive calls while registered with the MSC. Thus the type of information stored is the Mobile Station identity, the location area in which the Mobile Station was last registered (ie. which cell) and some data associated with the subscription and supplementary services. Whenever a Mobile Station makes a call, the MSC refers to the VLR to make sure that the requested call is permitted. It could be that the user has not subscribed to that type of call, or perhaps a barring program set up by the subscriber precludes it. Whatever the reason, the VLR is used as the reference by which the call attempt is tested and allowed or denied. A similar process is done for incoming
Page 20
GSM - Global System for Mobile Communications calls, not normally by the VLR, but by another register called the Home Location Register (HLR). For incoming calls, the VLR mainly controls the paging of the Mobile Station. There are many VLRs in a GSM PLMN and so to avoid possible duplication in the PLMN, Mobile Station information is always referenced to a central database called the Home Location Register. When the Mobile Station roams into a new MSC area, the information on it is retrieved from the Home Location Register for that Mobile Station and, at the same time, the new location is stored in the Home Location Register.
4.4
Home Location Register (HLR)18

The Home Location Register is the central database for all subscribers to the GSM PLMN. In it is stored all the necessary information on the identity of each subscriber, what services each subscriber is entitled to use on the PLMN, all the parameters associated with those services and where the subscriber is located or was last registered. It is through this database that all administrative procedures are carried out by the Operator, since all PLMN functions involving the subscriber are ultimately referred back to it. Any new subscriptions or subscription changes are entered into the HLR and, from this point, the information is distributed to where it is required or requested within the PLMN. For each subscriber, the HLR stores and uses two important permanent numbers to route incoming calls: IMSI MSISDN International Mobile Subscriber Identity Mobile Station International ISDN Number
The IMSI is a unique number which identifies each subscriber on the PLMN and is only used within the GSM PLMNs. All information transfer involving the subscriber is done using the IMSI. The MSISDN is effectively the phone number of the Subscriber Identity Module (SIM), which when inserted into the mobile equipment, becomes the Mobile Station. Effectively, this MSISDN is the external identity of the subscriber. Any incoming calls to a particular subscriber's Mobile Station are identified as such by the HLR interpreting the MSISDN and linking it to an IMSI. Once the MSISDN has been used to identify the IMSI of the Mobile Station, the HLR looks up the subscription record of that Mobile Station. The HLR checks the call to see if it is allowed as part of the subscription, and if it is, the HLR passes back the last known location of the Mobile Station.
Page 21
GSM - Global System for Mobile Communications 4.4.1 Authentication Centre (AUC) As the name suggests, the Authentication Centre is an entity used in GSM to perform tests and ensure that Mobile Stations are who they claim to be. A special calculation function known only by the AUC and a module in the Mobile Station called a SIM, is performed in both using information known only by the HLR, AUC, and that one specific SIM. If the results of both correspond, then the authentication is accepted. The procedure is performed like this to ensure that no sensitive information is passed over the radio interface, where it may be overheard. By having the calculation function in both places, all that need be sent is a random number one way, and the result the other. There can be more than one Authentication centre in the Public Lands Mobile Network (PLMN), and they can be implemented together with other functions. However, due to the secure nature of their function, it is expected that they will normally be associated with a Home Location Register, which must itself be situated in a secure environment.
4.5
GSM Configuration19
Not all of these components are connected together. There is a hierarchy within the PLMN which corresponds to the levels in it. The Home Location Register (HLR) is connected to all Mobile Services Switching Centres (MSC) and Visitor Location Registers (VLR), as well as the Authentication Centre (AUC). The Visitor Location Register is connected to the HLR, other VLRs and the Mobile Services Switching Centres (MSC). Similarly, the MSCs are interconnected, with additional links to the HLR and VLRs. However, there is also a connection to the Base Station Systems (BSS) under its control. There is no interconnection between BSSs.
Figure 13: GSM Network Configuration14
4.6
Addressing20
Each and every component of a GSM Public Lands Mobile Network (PLMN) has some form of identity which is used as an address to access it. In some cases this is a local identity, such as the address of a Base Station System (BSS) from the controlling Mobile Services Switching Centre (MSC). These are normally Signal Point Codes and are not dealt with here. The larger components, however, need some form of identification which has Copyright 1991, Michael Clayton
Page 22
GSM - Global System for Mobile Communications local and international (global) significance. Addressing within one PLMN, or indeed perhaps one country, can be achieved using Signalling Point Code, which is out of the scope of this report. The second, universal address, is the Global Title. This Global Title is based on international standards principles (CCITT E.214), and can be formed using the International Mobile Subscriber Identity (IMSI) of a particular Mobile Station, which is the subject of the access. It is formed of three parts; a country code, a mobile network code, and a subscriber identification number. These translate internationally to a country code, a national destination code and a subscriber number respectively (CCITT E.164). This approach has been adopted so that flexibility can be put into the routing within different networks. As long as a network can understand the significance of the information contained in an address, it can route to the desired component. More importantly, for international access to the Home PLMN, this Global Title can be treated as an ordinary ISDN telephone number. Whenever this is done, the Global Title points only to the HLR to avoid confusion. Similarly, in the other direction from an HLR to a foreign Visitor Location Register (VLR), a similar Global Title is used. It is formed in the same way, but the IMSI of the Mobile Station which is the subject of the access is not used. Instead, a temporary number is used which identifies the correct Mobile Station in the foreign PLMN. Once connected to the VLR of the foreign network, this temporary number points to the IMSI of the required Mobile Station. This temporary number is called a Mobile Station Roaming Number (MSRN), and again acts like an ISDN telephone number.
4.7
Mobile Station21
This section primarily deals with the GSM components which make up the PLMN infrastructure. However, there are two components which are equally as important and without which the GSM PLMN is useless. These are two components are the mobile equipment and the Subscriber Identity Module. Both of these components are dealt with in separate sections, but it is worth briefly describing each here for the sake of completeness.
4.8
Mobile Equipment22
GSM differs from existing cellular systems in that the mobile equipment is essentially a dumb piece of equipment. There is no information programmed into the hardware of the device which identifies a subscription to the GSM PLMN. So, an attempt to access the GSM PLMN using just a piece of mobile equipment will normally fail. The only situation where mobile equipment can access the GSM
Page 23
GSM - Global System for Mobile Communications PLMN without subscriber information is for an emergency call, but this is a national option.
4.9
Subscriber Identity Module (SIM)23

Since the mobile equipment does not contain subscription details, these are supplied by the Subscriber Identity Module (SIM). This removable module contains all the information required to allow the GSM PLMN to identify the subscription to which call charges must be directed. It also contains functions which provide security in isolation to the mobile equipment, making the piece of mobile equipment useless without one. It can be seen therefore that, in order to make a call, a valid SIM must be inserted into the mobile equipment. This combination is referred to as a Mobile Station, with the mobile equipment supplying the physical means to access the GSM PLMN and the SIM providing the identity and subscription details. The significance of this is that GSM will now enable the subscriber to carry his subscription details on a credit card sized piece of plastic. The process of inserting the card into a piece of GSM equipment will allow any GSM phone to be that subscriber's own phone.
Page 24
5 GSM MOBILITY MANAGEMENT FUNCTIONS24

One of the major objectives of GSM cellular, is that the subscriber is allowed to go anywhere within coverage of any GSM Public Lands Mobile Network (PLMN), and still be able to make and receive calls. It follows, therefore, that GSM supports mobility management functions which allow this to be possible. This section deals with those functions which monitor the positions of the Mobile Stations across all GSM PLMNs.
5.1
First Registration25
Whenever the Mobile Equipment (ME) is turned on, it always checks if a Subscriber Identity Module (SIM) card is present. This SIM card holds all the necessary data to identify a mobile subscriber, and is required to prove the validity of the subscription to the PLMN. Effectively, a piece of Mobile Equipment (ME) becomes a Mobile Station only when a valid SIM is inserted. Using the information stored on the SIM, some of which is transferred to and stored in it, the Mobile Station it identifies which PLMN that subscription is valid for. This PLMN is termed the Home PLMN (HPLMN) for that subscription, and with the knowledge of this HPLMN the Mobile Station hunts for that network. In each cell, broadcast channels continuously transmit the identity of the PLMN together with other information which enables the Mobile Station to talk to it. These are the Broadcast Control CHannels (BCCH). In the course of hunting for the HPLMN, the Mobile Station identifies all those BCCHs it can receive, not just those of the Home PLMN. It then chooses the clearest BCCH of its Home PLMN and analyses the information contained in the messages broadcast. Part of this information is the organisation of the signalling channels used within that cell. Of the channels used in that cell, some will be traffic channels but others will be used for specific control purposes. Using this information, the Mobile Station knows where to find, amongst others, the Paging CHannel (PCH), the Access Grant CHannel (AGCH) and the Random Access CHannel (RACH). These channels, collectively known as the Common Control CHannels (CCCH), are the primary means for the Mobile Station to access the PLMN and for the PLMN to page the Mobile Stations. Once the Mobile Station knows where it is, it can inform the PLMN that it is now active, which it does using the Random Access CHannel. It is called the Random Access CHannel because the PLMN has no idea when such an attempt will be
Page 25
GSM - Global System for Mobile Communications made. Other Mobile Stations within that cell can also make attempts, and it is possible that two will try at the same time and collide. If this occurs, the PLMN ignores both attempts, and wait for the Mobile Stations to try again which they do after a random time interval dictated internally. If an attempt is successful the PLMN grants an access, on the Access Grant CHannel (AGCH), with a command to move to a different channel in order to keep the RACCH and AGCH free for access attempts by other Mobile Stations. This different channel is called a Dedicated Control CHannel (DCCH) The random access procedure is essentially the same for all types of access to the PLMN. However, within the access message sent, is an indication of the type of services required. This allows the PLMN to apply some order of importance to the access attempts received. In this case the indication is for a basic service such as Location Update.
5.2
First Location Updating26

Once the Mobile Station re-tunes itself to the Dedicated Control CHannel (DCCH), it is asked to identify itself. The PLMN needs to know enough information to know where the subscription details for that Mobile Station are kept, so that identification can be verified. The identification information can be given in two ways: by an International Mobile Subscriber Identity (IMSI), or by supplying data which has been stored from the last time the Mobile Station accessed the PLMN. The latter case is the preferred means of identification since it does not compromise the confidentiality of the subscriber. This is explained in the next section. However, if the registration is new and this is the first time the Mobile Station has been switched on, then the IMSI is the only information that is available. Even so, the Mobile Station still sends a normal Location Update message, with some fields left blank, which is passed via the Mobile Services Switching Centre (MSC) to the Visitor Location Register (VLR) associated with that MSC, for analysis. It is at this point that the VLR, noting that there is no information available on the last registration, requests that the Mobile Station identify itself with the IMSI. This is one of the very few times that an IMSI is sent over an open air interface. On receipt of the IMSI, the PLMN can work out where to find the registration information. It is assumed, for now, that the new registration is first activated in the coverage of the Home PLMN, but even if this is not so, the IMSI contains enough information to identify the correct Home Location Register (HLR) anywhere in the world. Once identified, an access is made to the HLR regarding this IMSI and the resulting subscription and security data is passed back to the VLR. The information is stored there and kept while the Mobile Station remains within its service area. Meanwhile, the HLR makes a note of where that Mobile
Page 26
GSM - Global System for Mobile Communications Station is now located so that it can route incoming calls to it. The Mobile Station is now known to the PLMN, but there has been no check as to its authenticity. Furthermore, any information sent so far has not been protected. The next step is for the PLMN to make the Mobile Station prove it is who says it is, and this is done by an Authentication Check. 5.2.1 Authentication Check This is the process by which the Mobile Station proves to the PLMN that it is the Mobile Station that it claims to be, and the process has been designed to be as secure as possible. It is also the point where the difference between a Mobile Station and mobile equipment becomes apparent, since all authentication procedures are performed entirely by the SIM, not the mobile equipment. The mobile equipment only acts as a medium for the information flow. Once the VLR has sufficient information about the subscription it sends an Authenticate message, via the MSC and the Base Station System (BSS), to the mobile station with a Random Number which is called RAND. The mobile equipment passes the Authenticate message and random number to the SIM. At some point, before the card is issued to the subscriber, an algorithm is embedded into a very secure part of the card. This is called the Authentication Algorithm or A3 algorithm. At a later stage, and also in a secure part of the card, the IMSI and an Authentication Key (Ki) are added. These are unique to each and every SIM card. When the SIM is given a command to Authenticate, it takes the random number and submits it, together with its Authentication key (Ki), to the A3 algorithm. This algorithm is a complex calculation, the result of which is an answer forming the response sent back to the PLMN. The mobile equipment passes the response (called Signed RESponse (SRES)) from the SIM to the VLR via the BSS and MSC. As part of the Location Updating the VLR will have pairs of RAND and SRES values stored for each Mobile Station. These are associated values of the Random Number (RAND), and the expected Response (SRES). The whole process relies on the fact a particular Ki is only known by one SIM, and so the result of presenting it, and the random number to the A3 algorithm, will be a unique Signed RESponse (SRES) for that SIM. So if the response from the Mobile Station matches that stored in the VLR for the associated Random Number (RAND), then the Mobile Station is positively authenticated. The used RAND/SRES pairs are then discarded by the VLR. 5.2.2 Ciphering Data Associated with the authentication process, is a cipher key generation process Copyright 1991, Michael Clayton Page 27
GSM - Global System for Mobile Communications which uses the same random number RAND and another algorithm known as the A8 algorithm to produce a Cipher Key (Kc). This is stored both in the SIM and in the mobile equipment for use in ciphering traffic between the Mobile Station and the Base Station System (BSS). Each time a Cipher key is produced, a counter called the Cipher Key Sequence number is incremented. The maximum value of this counter is four, after which it starts from zero again. A simple comparison of this number on both Mobile Station and PLMN side, is used later as a simple test for Cipher Key (Kc) compatibility. On the PLMN side, the Kc is stored in the VLR with the RAND/SRES pairs but, whereas the RAND and SRES are discarded after use, the Kc is passed to the BSS, to be used for the ciphering of data over the air interface. Assuming a positive authentication, the Mobile Station is now ready to start ciphering all data across the air interface. Up to this point nothing sensitive should have been sent with the exception, in abnormal cases like a first registration, where the IMSI is sent. Normally, the ciphering process is started as soon as the Base Station System (BSS) and the Mobile Station have a Cipher key (Kc). The actual process of ciphering is explained later, but here the way it is turned on is dealt with. The ciphering and deciphering processes need to be synchronised to avoid confusion. This is done by the BSS sending a command to start ciphering, after which it starts deciphering only. As soon as the Mobile Station successfully receives the command it simultaneously starts enciphering and deciphering.
Figure 15: Cipher Start Sequence16
Finally the PLMN starts enciphering once it receives a correctly ciphered message back, irrespective of its content. Thereafter, everything sent across the air interface for that session is protected. 5.2.3 Temporary Mobile Subscriber Identity (TMSI) The final process required for the first Location Update, is for the PLMN to allocate a local identity. As mentioned earlier, sending an International Mobile Subscriber Identity (IMSI) over the air interface is only done in abnormal cases. In all other situations, a temporary identification is used, which the Mobile Station is now given in the form of a Temporary Mobile Subscriber Identity (TMSI). The TMSI, as its name suggests, is only kept and used while the Mobile Station is within a given location area, normally that covered by an MSC/VLR combination. It has only local significance, which is why identification of the Mobile Station using a TMSI, should always be accompanied by the Location Area Identity (LAI) defining where the TMSI was valid. The TMSI is allocated by the VLR, and is passed to the Mobile Station only when Page 28 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications ciphering has been established, over a secure link. 5.2.4 Normal Service The Mobile Station is now ready to make and receive calls. If this is the intention of the person using the Mobile Station for the first time then, during the above process, a number may have been partly entered. However, it is unlikely that the SEND button will have been pressed before this stage. This being the case, the Mobile Station is released by the PLMN, to sit in idle mode, and monitor the Broadcast Control CHannels (BCCH) and the Common Control CHannels (CCCH) waiting for incoming calls.
5.3
Normal Location Updating27

As the Mobile Station moves through the area covered by the GSM networks, its position in the PLMN is monitored by regular location updates. These occur each time it moves out of a designated location area, the size of which is defined by the configuration of the PLMN. In some cases it could correspond to just one cell, in others a number of cells, depending on how large the cells are in relation to the average number of subscribers in each. The Mobile Station constantly monitors the surrounding Broadcast Control CHannels (BCCH) while in idle mode as well as monitoring the CCCHs of its current cell for incoming calls. As it moves away from its current cell, the signals transmitted from that cell become weaker in relation to the signals from at least one of the surrounding cells. Those cells with increasing signal strength are identified as target cells, and are potentially the next cells for the Mobile Station to use. When the strength of the signal from one of the new cells reaches a certain level above that of the original cell (as defined by a special algorithm), the Mobile Station camps on the new one. It should be stressed that at this stage the Mobile Station is in idle with no call in progress. Where a call is in progress, the decision to re-tune to a new cell is taken by the PLMN. This procedure is called handover, (handoff) and is dealt with elsewhere. However, in the case where no call is in progress the Mobile Station merely re-tunes to the new cell and analyses the information transmitted. Part of the data transmitted constantly on the BCCH's is a Location Area Information element. When the Mobile Station camps on a new cell, it checks the Location Area of the cell against the value stored. If they differ, the mobile requests a Location Update. Location Updates can also occur periodically dependent on a timer in the Mobile Station, or in response to an Attach function signalled via the BCCH in the current serving cell. Attach/detach is dealt with separately.
Page 29
GSM - Global System for Mobile Communications 5.3.1 Location Updating in one MSC Area Location updating occurs when the Mobile Station has moved to a new location area, under the control of the same Mobile Services Switching Centre (MSC) as the old location area. In this case the the process can be viewed merely as an administration function on the MSC. The Mobile Station makes a random access to the PLMN using the Random Access CHannel (RACH) as before, with an indication that a basic service, such as location update, is required. The Mobile Station is allocated a Dedicated Control Channel (DCCH) and is then asked to identify itself and specify which service is required. It is possible for an Authentication to be performed at this point, though normally this is only needed in the more complex cases of Location Update. This however, is a simple case since, when the Mobile Station supplies identification on the DCCH, the Visitor Location Register (VLR) will recognise it as one about which it already has information.
Figure 17: Location Update in One MSC Area18
The Mobile Station is not only staying within the control of the same VLR, but the same MSC also. Hence, the procedure for Location Updating in this case is simplified to the allocation and ratification of a new Temporary Mobile Subscriber Identity (TMSI) and Location Area Identity (LAI) pair. Before the new TMSI can be sent across the air interface though, a ciphering process has to be initiated. As before, the same Cipher Key (Kc) is required on both the Base Station System (BSS) and the Mobile Station. This Kc is a product of the Authentication process performed by both the PLMN and Mobile Station. However, an Authentication procedure may not be applicable for such a simple location update. This is defined by the Network Operator. In this case, if a full authentication process is not required, a different process is used. Both the PLMN and the Mobile Station still have the old Kc, but this still needs to be verified at both ends. This is done using the cipher key sequence number. 5.3.1.1 Cipher Key Sequence Number
The Cipher Key Sequence Number is managed by the PLMN, and is included in the authenticate request message to the Mobile Station. It is merely a number incremented at each successful generation of Kc. Being cyclic, when it reaches four it is reset to zero once again.
Page 30
GSM - Global System for Mobile Communications The Mobile Station passes the Cipher Key Sequence Number to the PLMN in the Location Update Request and, if it corresponds to the one stored in the VLR, then the VLR knows which Kc is current. This corresponding Kc is then passed to the BSS and ciphering can commence. Once ciphering has commenced, the new TMSI and LAI are sent to the Mobile Station, where they are stored in the mobile equipment and the Subscriber Identity Module (SIM). Finally, the connection is dropped, and the Mobile Station returns to idle mode. 5.3.2 Location Updating Between Different MSC Areas The routing information used by the Home Location Register to put incoming calls through to the Mobile Station relies on knowing which Mobile Services Switching Centre (MSC) the Mobile Station is attached to, and how to identify that Mobile Station locally at that MSC. In this update scenario, where the new MSC is different but are both controlled by the same Visitor Location Register (VLR), new location information needs to be stored in the Home Location Register (HLR).
Figure 19: Location Update between MSC Areas20
On sensing that it is in a new Location Area, the Mobile Station requests a Location Update using the random access procedure described before. From the TMSI and Location Area Identity (LAI) supplied, the VLR recognises that a new TMSI and LAI are required and issues them, as before. Also, as before, encryption over the air interface must be initiated prior to sending the new data. The procedure of setting the cipher key is dependent on whether an Authentication has been initiated or not. This is a Network Operator option, since it is still possible in this case for the Cipher Key Sequence number to be used. Once the Mobile Station has received and acknowledged the new data, it is released. Finally, the VLR must inform the Home Location Register of the Mobile Station's new location to ensure that calls are routed to the correct MSC. It sends this new location information to the HLR to be stored there, and then changes its own reference to the old TMSI and LAI to the new ones. 5.3.3 Location Updating Between Different VLRs Invariably, the Mobile Station will cross the boundary between VLRs at some stage. In this case, it is the boundary existing between VLRs on the same PLMN, and so when the VLR examines the LAI from the Mobile Station, it recognises the same PLMN and will access the old VLR directly. The old TMSI is sent to the old VLR with a request for the corresponding International Mobile Subscriber Copyright 1991, Michael Clayton Page 31
GSM - Global System for Mobile Communications Identity (IMSI) and subscriber data for that Mobile Station. The old VLR hands over the data but does not delete any information at this stage.
Figure 21: Location Update between VLRs22
The subscriber information sent includes pairs made up of Random Number (RAND) and expected Signed RESponse (SRES) for use in Authentication. It also includes the corresponding Encryption Keys (Kc), for the RAND values and the Encryption Key Sequence number. The new VLR now has enough information to authenticate the Mobile Station. While it is possible to get by without using the Cipher Key Sequence Number, it is assumed here that a proper Authentication proceeds. This is a Network Operator option. The VLR provides a RAND from the pairs and requests the Mobile Station to respond. If the response, SRES, matches the one held in the new VLR, then the Mobile Station is positively authenticated and the new VLR passes the resulting encryption key Kc to the Base Station System (BSS). Ciphering is initiated, and Location Updating proceeds. The new VLR also allocates a TMSI to the Mobile Station, and passes it to the BSS for transmission to the Mobile Station. Only after an acknowledgement is received back, does the new VLR send the updated location information to the HLR of the Mobile Station and releases the Mobile Station. The HLR updates its own records and sends back an acknowledgement. It is then up to the HLR to inform the old VLR that it no longer has responsibility for that Mobile Station. It does this using a Cancellation message.
5.4
International Roaming28
When the Mobile Station crosses a Visitor Location Register (VLR) service area boundary, it could be crossing the boundary existing between VLRs of different networks, and even countries. As the Mobile Station seeks for BCCHs, the Location Area Identity (LAI) transmitted from the new cells denotes a different or foreign PLMN1. This is identified by the Mobile Station which must now must allow the user to make a selection of which PLMN is desired, prior to making an access. Two distinct possibilities are allowed for in GSM. These are Automatic Selection and Manual Selection which are described later in the chapter on Mobile Equipment.
The situation where a Mobile Station roams to a different PLMN in the same country is a special case. While this is technically possible using a similar procedure, this section only deals with the case where a roamed-to PLMN is foreign. In Australia, inter PLMN roaming in one country is considered a useful feature.
Page 32
GSM - Global System for Mobile Communications 5.4.1 International Location Update Once a selection of an available PLMN has taken place, the Mobile Station makes a random access in exactly the same way as it would on its Home PLMN. However, when the VLR examines the Location Area Identity (LAI) from the Mobile Station, it will not recognise it since it belongs to a different country and PLMN2. In this case, the Foreign VLR asks for the IMSI of the Mobile Station which contains enough information to identify the Home PLMN's (HPLMN) Home Location Register (HLR).
Figure 23: Location Update across International Borders24
The foreign VLR then requests subscriber data for that IMSI from the HLR, not the old VLR as was the case when both VLRs were in the same network. In response, the foreign VLR receives some new authentication triplets of RAND, SRES, and Kc. These will have been calculated expressly for the foreign VLR by the AUthentication Centre (AUC) associated with the HLR. The foreign PLMN then authenticates the Mobile Station in the same way as before and, assuming a positive response, it allocates a Temporary Mobile Subscriber Identity (TMSI) and provides Location Area Information (LAI). This data is passed to the Mobile Station once encryption of the air interface has been successfully initiated. Having completed the local procedure, the foreign VLR updates the location information held in the Home PLMN's HLR. In this case, the location information normally constitutes a Mobile Station Roaming Number (MSRN), which is the international phone number of the foreign Mobile Services Switching Centre (MSC) or VLR. If the international Location Update took place as a result of the Mobile Station moving across the country/Location Area boundary in idle mode, then the old VLR in the Home PLMN still has a reference to that Mobile Station. In this case the HLR of the Home PLMN cancels this reference.
5.5
IMSI Detach procedure29

When a Mobile Station is turned off, the PLMN has no way of knowing it. So, when an incoming call is made it is routed to the last known area, despite the Mobile Station not being able to hear any paging. This takes time, and delays can occur if subsequent actions are dependent on the Mobile Station being unavailable.
2
The foreign VLR will not directly access the old VLR unless an agreement exists between the two PLMNs, and GSM is adjusted to allow it. This is important where national roaming between different PLMNs is applied. This is an issue of discussion at present.
Page 33
GSM - Global System for Mobile Communications The IMSI Detach procedure allows the Mobile Station to indicate to the PLMN that it will be unavailable, by signalling to the PLMN prior to going inactive. It should be noted that the inactive state could be caused by turning off the Mobile Station, or indeed by just removing the Subscriber Identity Module (SIM) from the mobile equipment. In the latter case the removal of the SIM means that the mobile equipment has no subscription information. The requirement for IMSI Detach is indicated as part of the system information t ransmitted by the Broadcast Control CHannel (BCCH), and the Mobile Station complies wherever possible. However, situations can arise when it is delayed or even omitted. These occur where a mobile specific function, such as updating the SIM, which takes precedence over PLMN signalling, is required. Where a connection exists between the Mobile Station and the Base Station System (BSS), the turning off of the Mobile Station causes the PLMN to release the call, send the IMSI Detach message and then release the connection. If no connection exists, then the Mobile Station initiates one using a random access procedure just to detach. If, however, the access fails or the connection is lost, the IMSI Detach procedure is aborted and the Mobile Station turns off or the SIMless equipment goes into an idle mode. On the PLMN side, the IMSI detached information is either stored in the Visitor Location Register (VLR) with no information being passed to the HLR, or optionally, the HLR is informed and an IMSI detached flag is set in the HLR. No confirmation is sent back to the Mobile Station.
5.6
IMSI Attach Procedure30

Conversely, the IMSI Attach procedure is used by the Mobile Station to indicate that it has re-entered the active state. This is not only when the Mobile Station is turned on again, but also where a SIM is inserted into an active but idle piece of mobile equipment. One of the situations where IMSI Attach is useful is where a Mobile Station turns on in exactly the same place it was turned off. Here, because there is no difference between the stored LAI and that transmitted, no Location Update is initiated and the PLMN has no knowledge that the Mobile Station is once again active. An IMSI Attach signal on the BCCH, causes the Mobile Station to make itself known. If the option of setting the flag in the HLR is used, then re-entering of the active state by the Mobile Station requires a normal location updating from the Mobile Station to reset it. If the HLR IMSI Detach flag is not involved, then an update may not be required. It should be noted, though, that, unless the HLR is kept informed of IMSI Detach/Attach status, all incoming calls to a detached mobile always involves signalling to the VLR to determine its state before call handling
Page 34
GSM - Global System for Mobile Communications can be initiated. This can cause delay and increased signalling overheads.
5.7
Abnormal Cases31
There are a number of reasons why a location update may not be achieved. Some of these may be concerned with failures of signalling, or radio problems, for instance. In these cases, timers are used to ensure that neither the Mobile Station, nor the PLMN gets caught in infinite loops waiting for a response. However, there are occasions where the location update may be specifically disallowed. Cases like these could arise where the PLMN identifies a stolen piece of mobile equipment, or where the mobile equipment is causing interference problems to the PLMN. Whatever the reason, the Mobile Station is sent the message that this Location Area is not allowed. On receipt of this message, the Mobile Station adds the identity of the PLMN to a Forbidden PLMN list stored in the SIM. Part of the selection process for PLMNs is that the Mobile Station checks this list to see if it is allowed to access the PLMN. Depending on the type of selection (Automatic/Manual), presence of the chosen PLMN on this list stops the access attempt. This is to avoid unnecessary signalling. As a safety measure, the length of the list is limited to four and, as new PLMNs are added to the bottom of the list, the old PLMNs are dropped off the top. Also, it is possible for the list to be overridden, (using the manual selection process) and an access is attempted for that chosen PLMN. If this forced access attempt is allowed by the PLMN, then the reference to that PLMN in the list is deleted.
Page 35
GSM CALL HANDLING32

The primary purpose of any Mobile Station is to make and receive calls, but to do this a number of conditions must be met. The obvious conditions include a valid Subscriber Identity Module (SIM) is inserted into the mobile equipment and a valid subscription exists. Some more obscure ones include the mobile equipment (or SIM) is not blacklisted, or some types of calls are not being allowed for debt management reasons. Indeed, some supplementary services allow calls to be disallowed, and so this feature must not have been invoked by the subscriber if calls are to take place (see chapter 33). It has been assumed in this section that all the above conditions for making a call are met. Furthermore, it has been assumed the mobility management functions have been met also (i.e. any Location Updates are successful).
6.1
Outgoing Calls34
When the subscriber enters a number, the Mobile Station is in idle mode. It is monitoring the BCCHs around it and the Common Control CHannels in the cell presently giving service. As soon as the subscriber initiates the call, by pressing the SEND button or otherwise, the Mobile Station analyses the number to determine the type of call attempt requested. The choices for the type can be emergency call, set-up of supplementary services or just a standard outgoing call. It is the last case which is dealt with here. The next step is for the Mobile Station to establish a radio connection. This is done in the same way as for any access attempt to the Public Lands Mobile Network (PLMN), using the Random Access CHannel with an indication of what type of service is required. The service type is used by the PLMN to give some priority to the access attempts by Mobile Stations. On receipt of a successful access attempt, the PLMN allocates a Dedicated Control CHannel, which the Mobile Station seizes at the first opportunity. The Mobile Station sends a service request message to the PLMN giving details of exactly what type of service is required. In this message, the Mobile Station identifies itself using the Temporary Mobile Subscriber Identity (TMSI), and a Cipher Key Sequence number along with some supplementary information. Depending on the analysis of the information, the Visitor Location Register (VLR) can start a number of identity related procedures. For instance, it can request an identification of the Mobile Station, using the International Mobile Subscriber Identity (IMSI), or invoke an Authentication process. It should be noted that this is a generic procedure used for every access to
Page 36
GSM - Global System for Mobile Communications the network. It is by using this procedure that allows the PLMN to identify and/or authenticate the Mobile Station at any access attempt. It is unlikely, due to the signalling overheads, that a Mobile Station will be authenticated at every call attempt in its own network. The frequency of authentication is once again a Network Operator choice for subscribers in their own PLMN. However, roamers may well be treated differently since it is stipulated that they must be authenticated at least as often as on their own HPLMN. So, if New Zealand wishes their subscribers to be authenticated at every attempt, then this should be complied with in Australia, irrespective of the frequency used there. The differences between PLMN Operators is one area in which the GSM Memorandum of Understanding (GSM-MoU) will arbitrate. The ciphering process, however, must be initiated at every call attempt to protect the data. If the Mobile Station has just been authenticated, then a new Cipher Key (Kc) is available, and is sent to the Base Station System (BSS). If this is not the case, then the Cipher Key Sequence number sent in the service request is compared to the one held in the VLR. If the sequence number corresponds to the one stored in the VLR, then the VLR passes the corresponding Kc to the BSS and ciphering can commence. Only now is the Mobile Station ready to initiate the outgoing call, by sending a call set-up message containing all the information required by the PLMN to process the call. In particular, the called party's telephone number is sent, and is used by the Mobile Services Switching Centre (MSC), to route the call to the desired destination. The complete set-up message is passed to the VLR, which checks the subscription for non-allowed call attempts. This is called a subscription check, and is completed for all user-initiated PLMN accesses. It is different from Authentication, in that it checks the required service against that which has been paid for by the subscriber, or is allowed for general use. Another part of this process checks to see if the call conflicts with any supplementary services settings, such as call barring. If there is no conflict in either subscription or service settings, the call attempt is allowed to continue. 6.1.1 Traffic Channel Allocation At this stage, the Mobile Station is still on a control channel, the Dedicated Control CHannel (DCCH). Before the PLMN initiates call establishment in the fixed network, a Traffic CHannel (TCH) is be allocated to the Mobile Station. This is a specific type of channel which carries user data, such as speech, rather than a control channel which is set up purely for signalling. The BSS allocates an appropriate channel and signals this to the Mobile Station. The Mobile Station acknowledges the allocation and re-tunes to the Traffic CHannel (TCH) to make contact.
Page 37
GSM - Global System for Mobile Communications Once ringing, or other form of alerting, has been initiated at the called party side, the Network Operator may optionally connect the user to the channel if ring-tone i\ s sent by the remote end. Alternatively, the user is not connected to the channel and the tone is locally generated at the Mobile Station. In the latter case, the Traffic Channel is still reserved for when connection takes place. If there is no answer within a pre-determined time, the Mobile Station initiates call clearing. However, as soon as the called party answers, both are connected to allow the conversation to progress. 6.1.2 Off-Air Call set-up (OACSU) As an alternative, when the Mobile Station is still on the DCCH, there is a Network Operator's option of setting up the call without allocating a Traffic CHannel (TCH). This is called Off-Air Call set-up (OACSU), and is implemented to increase the call handling capacity of the PLMN. It involves allocating a Traffic CHannel at some time after call initiation. The extreme case of this is late assignment, where the TCH is not allocated until the called party has actually answered the call. \ In OACSU, once the alerting (ringing) at the called party end is passed back to the MSC, it initiates a signalling message to the Mobile Station to start alerting. The ring-tone, like many of the call indication tones, is generated locally at the Mobile Station. Once the call is answered, the MSC sends a Call Connected message to the Mobile Station which stops the local ring-tone and connects both parties to the channel. There are some restrictions which apply to OACSU. For instance, it should not be applied to international calls or calls from unknown networks. This is to avoid conflicts with release timers in the originating network which time-out waiting for allocation of the Traffic Channel. Also, cross compatibility between those mobile equipments and PLMN infrastructures which support OACSU and those which do not, should be ensured. The final restriction is that it should only be applied to telephony calls. Off air call set-up is not the same as call queuing, which may also be applied in GSM. In call queuing, once the call set-up information has been passed to the PLMN, the Mobile Station is put into a queue to wait for the next available TCH. Queuing is allowed in GSM to help increase efficiency, and it can apply to both incoming and outgoing calls. However, this may cause some delay and, for this reason, queuing should also not be applied to incoming calls via international circuits or from unknown network sources. Once again, this is to avoid conflicts with release timers in the originating network.
Page 38
6.2
Incoming Calls
35
Incoming calls can come from any number of places, but in all cases, whatever the \source, the first point of contact with the PLMN will be a Mobile Services Switching Centre (MSC). Wherever the call is from within the same network, the MSC is the one controlling the area in which the calling Mobile Station is located. Where the call is from outside the target PLMN, this first contact MSC will be a Gateway Mobile Services Switching Centre (GMSC) designated for that type of call. Therefore, for the sake of clarity, the first MSC will be referred to here as the GMSC.
Figure 25: Handling of Incoming Calls26
The dialled digits corresponding to the Mobile Station International ISDN Number (MSISDN), give enough information for the GMSC to locate the Home Location Register (HLR) for that Mobile Station. This is an important point; all incoming calls using an MSISDN must go via the called party's Home PLMN and Home Location Register (HLR), no matter what the source of the call. The HLR is then interrogated to find the status and location of the Mobile Station. Using the MSISDN, the HLR finds the corresponding International Mobile Subscriber Identity (IMSI) for the called Mobile Station. Thereafter, using this IMSI, it performs a subscription check to ensure that the call is allowed, and/or the service has been subscribed to. As part of this, a check is done regarding the activation status of supplementary services such as call forwards. Finally, if all this is positive, the HLR checks the status of the Mobile Station. If the Mobile Station is listed as detached or unavailable, then either the call attempt is rejected, or a conditional supplementary service set up earlier, is invoked. However, if the Mobile Station status is active the HLR finds the location of the called Mobile Station and passes it back to the GMSC. The location required is that of the MSC controlling the target Mobile Station, and it can be in two forms: a Signal Point Code (national only), or a Mobile Station Roaming Number (MSRN) which effectively corresponds to the phone number of the required MSC. Two possibilities exist here, as a PLMN option. Either the MSRN is stored at the HLR, or it is allocated on a per-call basis by the Visitor Location Register (VLR). In the latter case, the HLR must interrogate the VLR, to obtain it. This type of MSRN allocation requires that the HLR identify the correct Mobile Station, which it does using a Local Mobile Station Identity (LMSI). In the target MSC the LMSI Copyright 1991, Michael Clayton Page 39
GSM - Global System for Mobile Communications points to the correct IMSI and Temporary Mobile Subscriber Identity (TMSI) for the called Mobile Station, which the VLR passes back to the HLR. Alternatively, the HLR has an MSRN stored against that Mobile Station, which has been allocated to the it by the VLR and MSC combination. This MSRN is valid whilst the Mobile Station remains in the same service area. In this case the \
MSRN stored in the HLR points directly to the correct VLR and IMSI for the called Mobile Station. In either case, the HLR finds the MSRN for the called Mobile Station and passes this information back to the Gateway MSC. The call is then routed using this MSRN. 6.2.1 Paging Once the call has been passed to the MSC/VLR controlling the target Mobile Station, the VLR initiates a paging of the Mobile Station using a paging request on the Paging CHannel. The Mobile Station regularly listens to the Common Control Channels, and the Paging CHannel in particular. Upon receiving the Paging Request with its identity, the Mobile Station initiates what is called an immediate assignment procedure. 6.2.2 Immediate Assignment The immediate assignment differs from normal access attempts in that the PLMN is expecting a response and so, when the Mobile Station makes an access in answer, it is immediately assigned a Dedicated Control CHannel (DCCH). As soon as the Mobile Station captures the DCCH it sends a Paging Response message containing the identity of the Mobile Station, using the TMSI, with other information such as the Cipher Key Sequence Number. This is disimilar to outgoing calls, where, depending on the information required, Page 40 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications the VLR can start a number of identity related procedures such as authentication or a request for the IMSI. However, it is unlikely, due to the signalling overheads, that a Mobile Station will be authenticated at every incoming call attempt. The Mobile Station is then offered the call with the associated call related data, and the Mobile Station returns a Call Confirmed message if it is capable of receiving that call. Reasons for this not being the case could be that the Mobile Station is busy, or that the offered call does not match the mobile equipment (e.g. a Fax call to a non-Fax mobile). The ciphering process is expected to be initiated at every call attempt. Either as a result of Authentication or by using the Cipher Key Sequence number, a Cipher Key (Kc) is sent to the Base Station System (BSS) from the VLR, and encryption across the air interface is commenced. The next step is for the assignment of a Traffic CHannel (TCH), after the Mobile Station has confirmed the receipt of the call. The BSS assigns an appropriate channel and signals it to the Mobile Station. The Mobile Station, in turn, acknowledges the allocation, re-tunes to the TCH, and then alerts the user. As soon as the user answers, the Mobile Station sends a connect message to the MSC/VLR which acknowledges it and connects the calling party. 6.2.3 Off-Air Call set-up (OACSU) Off air call set-up for incoming calls is similar to that for outgoing calls, in that the Traffic CHannel (TCH) is allocated some time after it is known a call may be established to the Mobile Station. In this case, once the Mobile Station has been paged and it has accepted the call, the called subscriber is alerted using locally generated ring-tone. Thereafter, the PLMN decides when the TCH is allocated, which can be done at any time after ringing has commenced. In the most extreme case the TCH is allocated only when the called party answers, and the Mobile Station has sent the connect message to the Mobile Services Switching Centre (MSC). As soon as the TCH is allocated, the Mobile Station re-tunes to it, connects the user, and sends an acknowledgement back to the MSC. On receiving this, the MSC connects the calling party.
6.3
Emergency Calls36
There are two distinct ways for emergency calls to be initiated on a GSM PLMN. One is a GSM generic procedure, and the other is a national specific option.
6.3.1 Generic Emergency Calls In the generic procedure, a number sequence has been identified to specifically activate an emergency access. This number is 112, and is instantly recognised as Copyright 1991, Michael Clayton Page 41
GSM - Global System for Mobile Communications the emergency number by the Mobile Station once the SEND button is pressed. The Mobile Station requests an access on the RACCH, but this time the indication is for emergency, rather than basic, access. This difference is important because a Random Access would normally contain the TMSI and associated information which identifies a Mobile Station. However, it is possible using the 112 number, for a random access to be made where no Subscriber Identity Module (SIM) is present in the Mobile Station. In this case, no identification would normally be included in the Random Access. It is a national option, governed by the licence of the Operator, whether access by SIM-less mobile equipment is allowed. If the emergency access is allowed to continue, the Mobile Station is immediately allocated a DCCH, which it seizes. An option has been included here to authenticate and initiate ciphering if Mobile Station identification was included in the initial Random Access. This is to allow for subscription management and call records for those Operators who may wish to charge for emergency calls, and who are allowed to under the terms of their licence. The Mobile Station is now free to send an Emergency Set-up message across the air interface. Further actions are the same as for normal outgoing calls, with the call being routed to a place defined by a national agreement. The significance of this routing is related to those countries that have different national numbers for different emergency services. It was mentioned earlier that emergency random accesses are possible on most PLMNs, even when there is no SIM present. The SIM is, in a large way, responsible for the choice of PLMN and cell that the Mobile Station attaches to. In the case of no SIM being present no information is available to direct that choice. Hence, it has been made possible for emergency access using a piece of mobile equipment (without SIM), by ensuring the mobile equipment camps on the most appropriate cell. Where camping occurs no interaction takes place between the mobile equipment and PLMN. The mobile equipment merely monitors the cell, unless an emergency call is invoked. 6.3.2 National Specific Emergency Calls In the national specific case, an emergency call is invoked by the subscriber dialling a national emergency number just as is done in the fixed network. The limitation on this is that the mobile equipment cannot identify the call as an emergency call and so, when the random access is made to the PLMN, it is a basic access like any other call. Because of this, a SIM must be present to supply the Mobile Station identity which is required by the PLMN to allow the call. Using the national emergency number without a SIM would not result in a successful access attempt. The call set-up procedure for this type of call is the same as for a normal outgoing Page 42 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications call, with all the same Authentication and encryption procedures. The only difference is that, in those countries where the licence dictates it, no charge would be made for the call. The key difference between the generic and national emergency calls is the ability for the mobile equipment to recognise such a call from the dialled digits. It is quite possible that mobile equipment manufacturers will opt to include functions enabling the mobile equipment to recognise national specific emergency numbers and treat them in the same way as the generic number. While this could seemingly introduce country specific equipment rather than a universal product, careful programming would minimise this and at the same time result in a very userfriendly product.
6.4
Inter-cell Handover37
The concept of cellular developed around the ability for the user to move from place to place without any noticeable break in communication. This is achieved by the PLMN handing over the Mobile Station to another cell when it is considered that the new cell would give better service than the old one. This is called handover in GSM. The decision to handover is taken by the PLMN, but in order to do so it needs information from the Mobile Station side of the Radio Frequency (R.F.) link. This local information, is provided regularly by the Mobile Station itself during the call. It monitors the surrounding cells of the same PLMN1 in terms of signal strength and quality, and then passes the information back to the PLMN. A Slow Associated Control CHannel (SACCH) which is assigned to each Traffic CHannel, is used in the uplink direction for this purpose. On the basis of this information a decision is made as to which cell would be the most appropriate as the new cell. The Base Station System (BSS) then initiates a Handover Required message to the MSC, containing information such as the reason for handover, a list of preferred target cells, and radio environment information. The BSS continues to send this message on a regular basis until either the transmission quality improves, the handover command is received or, in the extreme case, the Mobile Station is lost. On receipt of the Handover Required message, the MSC determines the most appropriate target cell using the list of preferred cells given in the Handover Required message. Since this is ordered in terms of BSS preference, the one chosen is normally the first on the list.
It is assumed here that inter-PLMN handover is not provided. However, this is technically possible and moves are being made to include it as an option in the GSM specifications.
Page 43
GSM - Global System for Mobile Communications 6.4.1 Intra MSC Handover The old Mobile Services Switching Centre (MSC) and the new MSC in this case are the same, so all that is required is the reservation of resources at the target BSS. This target BSS is requested to allocate and reserve a channel appropriate to the call in progress, which it does from the available idle channels under its control.
Figure 27: Intra-MSC Handover28
If queuing is in operation at that cell, then the request is put into the queue at a level determined by the indicated priority. In most cases, the priority of a handover is only surpassed by that of an emergency call, and so the position in the queue is expected to be high. However, it is not until the resource is actually available, that the target BSS signals back to the MSC an acknowledgement with all the details. Once this is done the BSS waits for an access on that frequency by the correct Mobile Station. While the MSC waits for a response from the target BSS a timer is used in the MSC to allow for the resource allocation being delayed. If no response is received before the expiry of this timer, the MSC cancels the attempt, and continues the call on the present channel. Further attempts at handover are governed by reassessment of conditions and re-initiation by the old BSS. However, once the MSC has an acknowledgement of channel allocation from the target BSS, it can initiate the handover procedure, using a Handover Command. This is generated by the target BSS, and is contained in the acknowledgement to the MSC. To initiate the handover, the MSC simply forwards it to the old BSS for transmission to the Mobile Station. Contained in the Handover Command is all the information required to allow the Mobile Station to access the new channel. This includes characteristics of the new cell, synchronisation information, an initial power level to transmit at, an indication of the type of access procedure to be used, and finally a handover reference and a start time. The allocation of the reference can be by the Mobile Services Switching Centre (MSC) (target MSC in the case of inter-MSC handover) or Visitor Location Register (VLR), and the content depends on the manufacturer. The Mobile Station re-tunes to the allocated channel and makes an access, using one of two types of access, dependent on whether the two cells are synchronised or not (more is said about synchronisation in the section on Frame Alignment). In either case, the access is limited to the handover reference, which is what the target BSS is waiting for. The BSS checks this reference, and ignoring incorrect ones, it returns a Handover Detect message to the Mobile Station.
Page 44
GSM - Global System for Mobile Communications When a Handover Complete message is returned by the Mobile Station, the target BSS informs its MSC. The MSC in turn orders the release of the old channels at the old BSS. The Mobile Station and target BSS activate the channels and initiate ciphering. Finally, the channels are connected and transmission of user data is resumed. 6.4.2 Inter-MSC Handover The procedure for handover between cells from different MSCs is essentially the same, but some added complexity is introduced. Whereas before the controlling (old) MSC communicated directly to the target BSS, now all communications must go through the new MSC which controls the target BSS. The Handover Request from the old BSS is passed, via the controlling MSC, to the new one in a Perform Handover message. It is up to the new MSC to find the appropriate cell and manage the interface to the target BSS. In addition to the channel assignment information and the reference sent back to the controlling MSC, routing information for the call (a new Mobile Station Roaming Number (MSRN)), is included. Where two MSCs are involved in a handover, the reference could be supplied by the VLR of the new MSC rather than by the MSC itself. Whether this access to the VLR for handover reference is made depends on the type of PLMN implementation. 6.4.3 Subsequent Handover It is possible, depending on the Mobile Services Switching Centre (MSC) coverage area in the PLMN, for the continuing call to be handed over to a third MSC. That is, a call started on the controlling switch MSC-a was handed to MSCb and is then handed from MSC-b to MSC-c. In all handover situations there is a controlling MSC, which is the Mobile Services Switching Centre in whose area the Mobile Station was located at call initiation. This controlling MSC acts as the reference point for the duration of the call, and is used to co-ordinate call records for billing and to avoid a daisy-chain effect for call routing at handovers. In the case of several handovers, daisy-chains are avoided by always dropping the call back to the controlling MSC and rerouting from there.
Figure 29: Inter-MSC Handover30
In this instance the controlling MSC is MSC-a, but because the Mobile Station is in the service area of MSC-b it is the BSS-b which identifies that a handover is required. This information is passed to MSC-a, as the controlling MSC, which in Copyright 1991, Michael Clayton Page 45
GSM - Global System for Mobile Communications turn contacts MSC-c for channel assignment. Thereafter, the interactions are the same as before but with MSC-a acting as a gobetween.
6.5
Call Clearing38
There are two ways a call can be cleared: by the PLMN or by the Mobile Station. The PLMN initiates a call clearing by sending a Disconnect message to the Mobile Station. In response, the Mobile Station sends back a Release message and waits for an acknowledgement. This clears the call, but still leaves a radio channel and a signalling connection. At this point, it is possible for the radio channel to be maintained to enable further transactions, such as Short Message Service calls. If this is not the case, the radio channel is released, and the Mobile Station returns to Idle. A Mobile Station initiates clearing by sending a Disconnect message to the PLMN, which responds with a Release as before. The Mobile Station then acknowledges and waits for the command to relinquish the radio channel. The final procedure for the MSC after call clearing and/or radio channel release, is to collate a charging record. All charges incurred during the call are collected together to form a record entry which is sent back to the Home Location Register (HLR) for that Mobile Station. For outgoing calls the length of this would be substantial, but for incoming calls, the record would normally only include extra charges. These could be for the use of supplementary services, or for charges related to the re-routing of calls to the roaming subscriber. The information contained in a call and charge record is defined by ETSI-GSM to the extent necessary to allow the transfer of such information across the network. However, it is primarily up to the Network Operator to define exactly what constitutes a call or charge record.
6.6
Roaming39
The procedure for handling incoming and outgoing calls to Mobile Stations is a generic one, and is essentially the same for calls to and from subscribers roaming to a Visited PLMN. However, there are slight differences that should be mentioned. In terms of outgoing calls the only difference concerns the number dialled. Whereas in the Home PLMN, the user need only dial a national specific number, when in a foreign country an international number is required to reach the same destination as before. Added to this international charges are also incurred.
Page 46
For incoming calls to a roaming subscriber, the access to the HLR for a Mobile Station Roaming Number (MSRN) results in an international number to the visited network's Mobile Services Switching Centre (MSC). This is an international call with appropriate charges, but who actually incurs them? The calling party may not have known that the called subscriber had roamed to a foreign country. In this instance, one approach (and the most widely adopted one), is to charge the international roaming leg to the called, or roaming subscriber, not to the calling party. The calling party would be charged for the call up to the Gateway MSC.
Figure 31: Subsequent Handover32
An extreme scenario encompassing this is one where two subscribers from the same HPLMN are on the same Visited PLMN. When the one subscriber calls the other (e.g. X calls Y), the Mobile Station ISDN Number (MSISDN) of the called subscriber is an international number to the Home country and PLMN. On dialling this number, the call is routed back to the originating country and VPLMN, where the called subscriber is located. Hence, both the caller and the called are charged for an international call. There are many other such anomalies which arise because of the versatility of GSM. While the solutions to them are technically possible, other constraints often apply. They can be easily quantified, however, but they are beyond the scope of this particular report.
Page 47
BEARER SERVICES40
GSM is essentially concerned with carrying many types of data from one place to another, ensuring that whatever is input, is output safely at the other end. At the lowest level, this data can be described as a string of bits with the values 1 or 0, and thus it may appear that one type of channel could be designed to handle all types of data. Such a universal channel would suffer some penalties though, the most profound being the low speed of data transfer. Consequently, many transmission systems include ways to speed up the transfer by utilising characteristics of the data carried. Stripping out redundancy by finding repetitive strings is one way this can be done. Other aspects of the data content are also used for tailoring the channel to a particular data type. Speech, for instance, may need a continuous data stream, whereas text could be broken up and sent in packets with the gaps in between being used for another application. All of this means that GSM has to be versatile enough cope with most data types, and it does this using Bearer Services. In simple terms, the Bearer Services of GSM can be described as pipes down which data can be transmitted. There can be different types of pipe suited to carrying different types of data, or different capacities of pipe for different flow rates. However, there is normally no provision made for ensuring that the correct fittings exist at either end to insert and extract the data carried. The customer can choose which pipe to use, using certain descriptive characteristics of the pipes available, but it is up to the user to ensure that the pipe matches what is put into and received out of it. Within GSM, the pipe represents a capability to transmit data. Different sizes of pipe become the different data rates, but it is up to the subscriber to dictate which capability is appropriate to the data type, and data speed.
Figure 33: Bearer Services34
To aid the choice of service, Bearer Services are described using certain attributes of the services, which relate to the ability of the Services to carry particular data types. Two levels of attribute exist, high layer and low layer, which can be seen correspondingly as physical descriptions of the pipe itself, and the fittings and connections supplied at both ends. In the case of Bearer Services in GSM, the description is limited to the low layer attributes. The term low layers corresponds to the functions in GSM required to physically transmit the data from A to B over the channel. An international model exists to help define the function of data transfer, called the international Open Systems Interconnection (OSI) model. In GSM, the term lower layers corresponds to layers 1 to 3 of this model. Page 48 Copyright 1991, Michael Clayton
Low layer attributes are classified into four categories; information transfer (carrying the data), access (feeding in the data), interworking (far end interfacing), and general which covers all the non-technical, but no less important, issues. This last category would cover operation and commercial attributes, for instance. All of these attributes combine to form a generic description for all Bearer Services. In certain combinations, some of the attributes are superfluous because assumptions can be made. It is pointless putting high pressure steam into a plastic pipe, for instance. So, it is normally sufficient for the description of the Bearer Service to refer to the access protocol type (how data is put in), the transit signalling protocol (how data is carried), and the terminating protocol type (how it is taken out), with some information on the data type and the data speed. Hence, a GSM Bearer Service (GSM No. 2212) could be described as V22, 1200bit/s, duplex, transparent, into the Public Switched Telephone Network (PSTN). The V22 dictates which protocol type is being utilised both into the Mobile Station and out of the GSM Public Lands Mobile Network (PLMN). In some cases a different protocol type is used to face out into the destination network, but an assumption can normally be made that the same type will be used throughout. The 1200bits/s gives the maximum data speed. Transparent means that the data is passed through the PLMN as it is input. Duplex means data transfer occurs in both directions, and data is to be fed into the PSTN whatever the transit networks are. That same service can be described more comprehensively, using all of the Bearer Service attributes, as described in the following sections. These attributes are included for completeness, but unless there is a good reason for doing so, they are best left as a reference. Perhaps it should be emphasised here, that data transfer over any network is a veritable minefield, especially where interconnection between different networks is involved.
7.1
Information Transfer Attributes41

This attribute describes the ability of the Bearer to carry different types of information. It is broken into various parts, the first of which describes what types of information can be carried. Examples of this could be digital information with no restrictions, or perhaps speech information digitally encoded.
Figure 35: Information Transfer Attributes36
The second part of this attribute is the information transfer mode, which describes the way in which the information is transported. For instance, the information may need to be carried in a circuit type of connection, where a dedicated fixed resource is reserved just for that Bearer. Alternatively, a packet type of connection Copyright 1991, Michael Clayton Page 49
GSM - Global System for Mobile Communications could be specified, where the information is broken into small pieces to be sent separately and reassembled at the far end. The third part is concerned with the rate of information transfer over the PLMN and subsequent transit networks (e.g. ISDN) in between. Where circuit modes are used this is measured in bit rate, but in packet modes the term throughput rate is used. Next comes the structure of the information transfer. For example, this could be unstructured, where there is no preservation of data integrity, or structured, where certain protocols are introduced to ensure that structure is maintained. The best illustration of this is the packet mode transfer, where each packet needs to be identified so that the packets can be re-assembled in the same order at the far end. Where unstructured data mode is selected, the subscriber needs to provide protocols of their own, or risk confusion at the far end. The mode of establishment of communications comes next, and deals with how the Service is to be set up. The connection could be from the Mobile Station only (demand Mobile Originated only, MO), or only to the Mobile Station (demand Mobile Terminated, MT), or both (MO,MT). Communication configuration describes the distribution (spatial) arrangement for carrying information between different points. For point-to-point, only two access points are involved (A to B). For Point-to-multipoint several points are involved (A to B, C, D, etc...). It can be seen here, that this attribute also gives some indication of the direction of transfer (A to B rather than B to A). Another value this attribute can take is the broadcast communication value which illustrates this point well. However, it is up to the next attribute to complete the transmission direction picture. This is the symmetry attribute, and it describes the relationship of information flow between one or more reference points in the communications link. The values it can take can be unidirectional, bidirectional symmetric (information flow is the same in both directions), and bidirectional asymmetric (different in each direction).
7.2
Access Attributes42
The Access Attributes describe the way the data is fed into the Bearer Service. The first part of this attribute is the signalling access, which gives the low level protocol used over the signalling channel.
Page 50
Figure 37: Access Attributes38
It should be emphasised here that use of the Bearer Service guarantees that the data received reaches the far end intact (structure aside). However, some types of data may have a protocol introduced which is best matched to that of the Bearer Service, and so this attribute is included. The values it can take are: manual, or Vseries, X-series, and I-series, which refer to the appropriate CCITT international interworking standards. Then comes the information access part of this attribute. It comes in two parts, rate and interface. The rate, not unreasonably, refers to the rate of information transfer over the access point, as distinct from the rate within the PLMN given in the Information Attributes shown above. The value it can take is the appropriate bit or throughput rate. The second part of the information access part of this Attribute refers to the interface itself. This gives the protocol used over the interface into the Bearer Service, or the point of entry. The value it takes is either an appropriate V-series interface (CCITT as above), an appropriate X-series interface (CCITT as above), an Integrated Services Digital Network (ISDN) interface known as the S interface (ISDN standard), or an analogue 4-wire interface.
7.3
Interworking Attributes43
The Mobile end of a communications link is referred to as the Access Interface but at the far end, where the GSM PLMN feeds into the destination network, there is also an interface. This is referred to in GSM as the Interworking Function (IWF). For the Bearer Services in GSM this far end Interworking Function is described using the Interworking attribute.
Figure 39: Interworking Attributes40
The first part of it refers to the type of terminating network. The values applicable here are: Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), Circuit Switched Public Data Network (CSPDN), Packet Switched Public Data Network (PSPDN), GSM PLMN, and direct access from PLMN into a private network. The second part of this attribute refers to the type of interface into the terminal Copyright 1991, Michael Clayton
Page 51
GSM - Global System for Mobile Communications network. The values here could be V-series, X-series, analogue 4 wire, or the S interface as used in ISDN.
7.4
General Attributes44
Applying the General Attributes of a Bearer Service allows for some of the anomalies that can be caused when using that Service. For instance, there may be Bearer Services which should not be associated with some Supplementary Services, as in the case of Call Waiting indication on a data connection. Another part of this attribute could be concerned with the quality of service, or some charging ramifications when using it. These areas are less well defined, and may well not be included in the technical description of the Bearer Service. This is a pity, as there is a school of thought which says they are the most important. After all, there is no good reason to provide a Bearer Service at all, if it cannot be charged for, or does not meet certain quality criteria.
7.5
Example of Bearer Service45

Earlier, a short description of Bearer Service 2212 was given. To apply the above attributes to the description of this Bearer Service gives the following result: Data circuit, duplex, asynchronous, 1200bits/s: circuit mode, unstructured, with unrestricted digital capability, transparent: with V22 DTE/DCE interface: into the Public Switched Telephone Network. Even in this description, certain information has been left out because it is obsolete and, as we have seen above, much more could be left out by making educated assumptions. There is a lesson to be learned here. If someone specifies a V22 modem at the access point, then there is a good chance that V-series will be used in the terminating network. Indeed, there is a good chance that the same V22 will be used unless a specific reason exists to do otherwise. Furthermore, when the terminating network is specified as Public Switched Telephone Network, then the number of terminating protocols starts to become limited, since the PSTN can only accept a limited range. Redundancy caused by assumptions such as these, is exploited by the Network Operators who tend to supply those Bearer Services that they perceive are sensible combinations. They also tend to supply those Bearer Services which they think are in regular use, but based on fixed network use rather than cellular use, since little experience is available in cellular data applications. This may seem like a limitation on the options available but, from a subscriber's point of view
Page 52
GSM - Global System for Mobile Communications these Bearer Services could probably be usefully limited still further. Time will tell which combinations sell and which do not but there is a good case for restricting the Bearer Services, and combining them with complete solutions to mobile data applications. Until these end-to-end data solutions emerge, which pass transparently over GSM, the market for cellular mobile data will remain under exploited. However, as a standard, GSM must meet the requirements of many applications until the popular few emerge. That is why so many options exist at this stage.
Page 53
TELESERVICES46
While the Bearer Services have to be versatile in order to deal with myriad different requirements, there are some services which can be described in quite fine detail. These are the GSM Teleservices. Using the analogy with pipes once more, these are pipes used to carry specific materials. The description may be, a high pressure steam pipe, or a gas pipe, with all the necessary fittings and monitoring requirements implicit in that description. So it is with the Teleservices, where the name gives all the necessary information for the Public Lands Mobile Network (PLMN) and all the subscriber need do is send the information. As can be seen below, whereas the Bearer Services cover the delivery of the data within the PLMN, the Teleservices offer an end-to-end delivery. An example of this is the speech Teleservice, where the options are purposely limited - either there is speech or there is not. Hence, the speech Teleservice provides for the digitising of speech, its coding, its transporting across the PLMN, its decoding, conversion back to analogue speech and finally sending it into the terminating (fixed telephone) network at the far end.
Figure 41: Relationship between Teleservices and Bearer Services42
There is no equivalent speech Bearer Service specifically provided for in GSM, but it is possible to send speech data over a Bearer Service. However, if this were done, the subscriber would have to define which Bearer Service that should be used for each call. This choice would have to take into account the many different types of speech digitising, as well as the many types of coding that abound. This is a great deal of trouble just to make phone call, and it is for this reason that GSM has provided the Teleservices.
8.1
Teleservice Attributes47
Generally, a Teleservice utilises the capabilities of a Bearer Service to transport the data across the PLMN. Note, it is the Bearer Service capabilities which are used, not the Bearer Services themselves. Therefore, a Teleservice must define which capabilities are required and how they should be set up. Not surprisingly, this is done using Teleservice attributes, which encompass the Bearer Service attributes as well as adding specific Teleservice descriptions. As a consequence, the Teleservice attributes cover higher layers as well as the lower layers used for Bearer Services. As has been mentioned previously, an
Page 54
GSM - Global System for Mobile Communications international model exists to help define the function of data transfer, called the international Open Systems Interconnection (OSI) model. It is used to give an orderly approach to the design of communications systems, and it is for this reason that GSM utilises the model to describe its different communication layers. In GSM, the term lower layers corresponds to layers 1 to 3 of this model, and higher layers refers to the rest. It is the higher layers that distinguish a Teleservice from a Bearer Service, since they also deal with aspects of the Mobile Station also. The Attributes of Bearer Services were addressed in some depth. This was done to emphasise the difficulty surrounding the definition of these GSM services. However, Teleservices were designed to overcome just this type of difficulty, and so it is not appropriate to delve too deeply into Teleservice attributes. There are some higher layer attributes which are worth noting, but they mainly refer to the type of user information which is to be carried. This is perhaps best highlighted by describing the Teleservices themselves. More details of the Teleservice attributes can be found in GSM recommendation 02.03.
8.2
Types of Teleservices48
The most distinct Teleservice is that of telephony, but it is by no means the only one. Teleservices also include specific data applications such as facsimile, teletex, videotex, some data such as electronic mail, and a service called Short Message Service. The telephony Teleservice (No.11), and Emergency Teleservice (No.12) cover normal speech calls. These are both the fundamental services for making ordinary telephone calls, but they are separated because of a special need for Emergency calls. When a call is made from a GSM Mobile Station, the type of service requested is indicated in the set-up message. This means that the PLMN has the option to treat emergency calls differently by allowing mobile equipment without a Subscriber Identity Module (SIM) to make them. Also, some Operators have requested that Emergency calls be charged for, which requires a subscription to a Teleservice for Emergency calls. If this subscription were included with normal telephony, it would cause problems for those Operators who are not allowed to charge as part of the terms of their licence. By separating them, both scenarios are allowed for. Despite the use of the term telephony in the telephony Teleservice, care needs to be exercised when relating this to the same service in the fixed telephone network. The use of the voice encoder designed specifically for GSM precludes the encoding of anything other than speech. While provision is made to allow telephone signalling tones to be transferred transparently over this Teleservice, other tones such as facsimile signals cannot be guaranteed. Consequently a
Page 55
GSM - Global System for Mobile Communications Teleservice is provided, (No.61) which is specifically designed for Group 3 facsimile. Group 3 covers the use of automatic facsimilies, but there may be occasions where a manual facsimile is used, in which case a speech call is required to inform the called party that connection to a facsimile is required. Rather than forcing two calls to be made, GSM has been set up to allow an alternate switching from facsimile to speech, enabling manually operated facsimile machines to be used. The Integrated Services Digital Network (ISDN), on which GSM is based, has a great deal of potential for other information and data services. These are the videotex, teletex, and electronic mail services. These are provided for in GSM by Teleservices videotex (Nos.41,42,43), teletex (No.51), and Advanced Message Handling Service (No.31). The last of these covers the electronic mail requirement. This electronic mail Teleservice is designed to allow quite long messages. GSM has one more Teleservice which is designed for short, paging type messages. This Teleservice is the Short Message Service.
8.3
Short Message Service49

The Short Message Service (SMS) Teleservice was originally defined to utilise some spare signalling capacity in GSM. However, it soon became apparent that SMS would become a key service in differentiating GSM from any other cellular service. SMS is effectively an international paging service, overlaid on top of the GSM PLMN, with the capability to send, as well as receive, messages. There are three types of SMS, Mobile Terminated (MT), Mobile Originated (MO) and Cell Broadcast (CB). In GSM, a distinction is made to indicate the spread of the SMS, hence Mobile Terminated and Mobile Originated are described as Pointto-Point services (MT/PP, MO/PP). Cell Broadcast is a Point-to-multipoint service, though the acronym CB/PM is not normally used, and CB is sufficient. The GSM PLMN is regarded as merely providing a delivery service for SMS MT and MO. A service centre has been defined, which acts as a store and forward centre, to co-ordinate the messages sent to and from Mobile Stations. These centres are designed to be functionally separate from the GSM PLMN to enable them to be physically and economically separate. However, there is no reason for the Centre not to be integrated into the PLMN itself. Moreover, there can be more than one Service Centre on one PLMN. It is expected that, to use a Service Centre, people will need to subscribe to it. While the finer details have not been sorted out yet, there is a provision for the subscription to be held by the GSM subscriber, or a private individual who is not
Page 56
GSM - Global System for Mobile Communications a GSM subscriber, but may wish to send SMSs. Since this is at the discretion of the Service Centre Operator it is out of the scope of GSM, and consequently it is also out of the scope of this report. However, to see how the service could work, the reader needs to be aware of it. It should also be noted that the emphasis in SMS is on short messages. These messages can only be 160 characters long, but there is provision for a future option allowing several messages to be concatenated. 8.3.1 Mobile Terminated Messages Messages coming into a Mobile Station (MT), are sent to the Service Centre by any means provided for by the centre's Operator. This could be by fixed telephone, facsimile, telex, from a GSM Mobile Station, or by any other method defined by the Service Centre Operator. Also, at the time of presentation, an expiry time is set for the message, either by the person sending it or by the Service Centre in the form of a default value. The messages are then reformatted into the format required for transmission to the Mobile Station, and are forwarded to the GSM PLMN. The identification of the recipient (MT), is simply the directory number (MSISDN) of the mobile subscriber, and so the sender does not need to know in which country the recipient is currently located. In the PLMN, an access is made from the Gateway Mobile Services Switching Centre (GMSC) to the Home Location Register (HLR), to find the whereabouts of the recipient. In the HLR, the directory number supplied is used to obtain the International Mobile Subscriber Identity (IMSI) for that Mobile Station, which is then used to perform subscription checks for the SMS service, and to find the required Mobile Station. If at this stage the Mobile Station is found to be unavailable, then this is indicated to the Service Centre. In this case, a flag is set at the HLR to then notify the Service Centre when the Mobile Station becomes available once more. As a failsafe mechanism, a timer is also used in the Service Centre to periodically try and deliver the message up to the expiry time for that SMS. After this time expires the message is deleted, but there remains a reference to that message so that the originator can enquire about the result. If the Mobile Station is, or becomes, available, the SMS is forwarded to the MSC which is controlling it. The Mobile Station is paged and after the customary access procedure, the message is delivered. The process used is the same as if an incoming call was to be delivered. However, since the message is small (160 characters) it can be delivered even during a call, over the signalling channel. Finally, an acknowledgement of receipt is sent back by the Mobile Station. This is, in turn, forwarded to the Service Centre as a confirmation of delivery. It does not prove that the message has been read, although services such as this are planned in the future. In addition, another service may be supported in GSM in Copyright 1991, Michael Clayton Page 57
GSM - Global System for Mobile Communications the future, by which a pre-paid reply could accompany the SMS sent. This will make SMS a versatile service indeed. 8.3.2 Mobile Originated Messages Sending an SMS message from a Mobile Station is as easy as receiving one. All the subscriber need do is formulate a message and send it to a Service Centre. The identity of the Service Centre is given by its telephone number, and so the GSM process of sending an SMS is exactly like the outgoing call set-up already described. The SMS message is passed to the MSC and then forwarded via the PLMN to the correct Service Centre. A message received by the Service Centre is first acknowledged, and then is reformatted into an appropriate form, to be passed on to the recipient. This could imply that the GSM subscriber also has a subscription to the Service Centre since the SMS message needs to be reformatted in a form that the recipient can receive. This is not a problem if the receiving end is another GSM Mobile Terminal, but there may be cases where the recipient, who is not a GSM subscriber, can only be contacted by facsimile, for instance. In cases such as this, a subscriber to the Service Centre can define the format to use for some regularly used contacts. Another point worth noting is the method of inputting an SMS message. In the case of mobile originated SMS messages, the content needs to be formulated somewhere and the most likely place is via the Mobile Station key pad. Mobile manufacturers have made major advances in the man-machine interface, but any attempt to write a message 140 characters long using the Mobile Station will be frustrating to say the least. Entering personal names against telephone numbers on present analogue phones is bad enough as it is. So, some means of easily entering outgoing SMS messages may well be a precursor to the success of mobile originated SMS messages. 8.3.3 Cell Broadcast Messages The Cell Broadcast Teleservice is different from the other two forms of SMS, in that the messages are sent from one point and can be received by any Mobile Station, hence the point-to-multipoint description. Also, as the name implies, the information is broadcast on a cell by cell basis, which allows for information to be delivered to a specific area only. This is ideal for information services such as traffic updates, where the information is valid for a particular area. Other information services which could be given over Cell Broadcast are weather reports, sports results, news updates, share market indicators and even network information. The different message types are transmitted in a cyclic order only when there is spare capacity on the GSM signalling channels and so reception is not guaranteed. Also, these messages are broadcast without any request for service, and reception is controlled entirely by the Mobile Station. For both these reasons it may be Page 58 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications difficult to charge separately for Cell Broadcast. Each of the different information items is characterised by a service identity number, which has been centrally allocated by the GSM Memorandum of Understanding (GSM-MoU). The GSM subscriber would just need to choose the message types, using a Mobile Station function, and these would be received and stored. 8.3.4 Mobile Equipment Considerations SMS messages, when received at the Mobile Station, would first be stored before the incoming SMS indication is given. There is no formal limitation on the mobile equipment as to how many may be stored and no specification as to how they are to be manipulated or formulated. This is left to the mobile Manufacturer as a means of product differentiation. Indeed, even the provision of SMS on the mobile equipment is not compulsory. However, there are some specifications regarding the Subscriber Identity Module (SIM) and SMS. It has been provided for SMS messages to be stored on the SIM itself. These are stored indefinitely, unless they are overwritten, but there is a limit as to how many may be stored. It is not a fixed limit and depends on the configuration of the card, which is a Network Operator's option. Also this limit is likely to increase with technology advances over time. The space available can be used either for SMSs or for the user's personal telephone directory, and so the more SMS messages that can be stored, the fewer telephone numbers are available. The SIMs, that will be initially available for GSM, will typically be able to store approximately eight messages and some frequently dialled numbers. Sooner or later, the combined mobile equipment/SIM (Mobile Station) store will be full, and an incoming message will be received. In this case, unless the Mobile Station allows for messages to be deleted (read or unread), the incoming SMS will be rejected with the cause. On the PLMN side, once the message is rejected, a specific non-acknowledge message is sent back to the Service Centre. The Service Centre stores these messages until it is informed that the Mobile Station can receive them, or they become out of date. The Mobile Station options are up to the manufacturers, but could include functions to indicate that the store is full, and that because of this an SMS message has been rejected. If the user then deletes a message, this is not indicated to the PLMN until a subsequent reference is made to that Mobile Station. Alternatively, a second attempt is made after the expiry of a timer in the Service Centre.
Page 59
SUPPLEMENTARY SERVICES50
The Teleservices and Bearer Services provide the ability to send information across the GSM Public Lands Mobile Network (PLMN), by making calls. In its basic form, a call is either accepted by the called Mobile Station or it is rejected for whatever reason. However, there may be occasions when the subscriber knows that his Mobile Station will be unavailable, and may wish to have calls delivered elsewhere. Alternatively, the subscriber may wish not to receive calls in particular circumstances. This corresponds to tailoring the services to meet specific subscriber requirements, and is the reason that Supplementary Services have been defined. This section deals with Supplementary Services, and describes what they do. In doing so, there is also reference made to how they do it where appropriate, but there must be a word of caution included here. GSM has not finished the evolutionary process and changes are being made to integrate the new services that are now being defined. However, in order to meet the deadline set by the Memorandum of Understanding, a Phase 1 documentation set was produced covering the essential services for launch. This has relevance to the Supplementary Services, since only the Call Forwarding Services and the Call Barring Services were included in this release. The rest of the Supplementary Services are intended to be included in subsequent phases, though this does not mean they will be late in being implemented. As soon as a Service is stable and frozen, irrespective of its designated Phase, it can be implemented. In terms of this report, however, the uncertainty does mean that complete accuracy cannot be guaranteed. A list of planned Supplementary Services, to date, is given in Annex 3.
9.1
Call Forwarding51
The call forwarding Supplementary Service is used to divert calls from the original recipient to another number, and is normally set up by the subscriber himself. It can be used by the subscriber to divert calls from the Mobile Station when the subscriber is not available, and so to ensure that calls are not lost. A typical scenario, would be when a salesperson turns off his mobile phone during a meeting with customers, but does not wish to lose potential sales leads while he is unavailable. To cope with the various scenarios in which the subscriber may wish to forward calls, there are several conditional forwarding services which have been defined. The best way to illustrate them, is to deal with them separately. Indeed, it is
Page 60
GSM - Global System for Mobile Communications entirely up to the Operator whether the conditional forwarding services are offered separately or as a package. Provision has been made to check subscriptions for them in isolation of each other. 9.1.1 Call Forward Unconditional As the name suggests, this service is used to forward calls whatever happens. In this case, no calls of the type specified are accepted by the subscriber while it is operative. Instead they are sent to the number(s) specified when the service is set up. The capability for the subscriber to make outgoing calls remains unaffected by Call Forward Unconditional (CFU). The subscriber to the service has one option. This concerns the notification to the caller if their call is being forwarded. The person receiving the forwarded call receives a notification of this, as a matter of course. The method of setting up this service requires three pieces of information. The first is the identity of the call forward unconditional service itself (No. 21), the second is the number to which the calls are to be forwarded, and the third is the single, or group of, Bearer and Teleservices to which it should apply. It is possible to forward different types of calls to different numbers so, for example, speech calls can go to a secretary, and fax calls to the office fax. There is one point that the subscriber should be aware of: it is the owner of the Subscription who defines that the call is to be forwarded, and the caller will not know if call forwarding has been invoked prior to making the call. Hence, it is inappropriate to charge the caller for the forwarded portion of the call. So any charges incurred for this part are expected to be charged to the called subscriber (the person who set up the forwarding service). This applies to all forwarding services. When a call is made to the subscriber, it is invariably referred to the Home Location Register (HLR) to find out where that person is. If at this point the call forwarding unconditional service is found to be in operation for that type of call, the call is diverted accordingly. In this case the original call only goes as far as the HLR and the called party is never paged. 9.1.2 Call Forward on Subscriber Busy For this, and all other forwarding services, a condition must be met before incoming calls are diverted. In this case, the call is only diverted when the called person is busy on another call. This diversion occurs without the call being offered to the subscriber. There is another service, called the call waiting service, which indicates an incoming call. The subscription options for this call forward service are twofold. The first refers to the indication given to the caller that their call is being forwarded, as described Copyright 1991, Michael Clayton Page 61
GSM - Global System for Mobile Communications above. The second refers to the notification, given to the subscriber, that a call to them is being diverted. As in Call Forward Unconditional (CFU), this service requires three pieces of information. These are the service code (No. 67), the forwarded-to number and the Basic or Teleservices to which the service should apply. For this service the call is routed via the HLR to the Mobile Services Switching Centre (MSC) and Visitor Location Register (VLR) controlling that mobile. At this point the call would normally be directed to the Mobile Station, but when it is determined that there is a call in progress, the Call Forward on Subscriber Busy (CFB) service is invoked. There is no attempt to offer the call to the subscriber, despite their being informed that a call is being forwarded if that option was chosen at subscription time. 9.1.3 Call Forward on No Reply As the name suggests, the condition to be met for this service (CFNRy) to be invoked, is a no reply situation from the Mobile Station. For this to be ascertained, the call has to be offered to the Mobile Station, which means that the call has progressed through all the normal stages of a call set-up, and has caused the phone to ring. Only then, after a set period of time, is this service put into effect. Because of the additional parameter of the length of time for ringing, this service needs four pieces of information: the service code (No. 61), the forwarded-to number, the Bearer/Teleservices for which it is applicable, and a time after which the subscriber is deemed not to have replied. If this is not specified, a default value is set by the Network Operator. The options available at subscription time are the same as those for the Call Forward on Subscriber Busy (CFB), i.e. notification to the calling party, and notification to the forwarding party. 9.1.4 Call Forward on Subscriber Not Reachable
The Call Forward on Subscriber Not Reachable (CFNRc) service is provided for those instances where the network determines that the subscriber is not registered or would normally be available but cannot currently be reached. The main scenarios for this service deal with situation where the subscriber is out of radio coverage, or is in an area of congestion, or indeed, if the subscriber is known to have turned the mobile off. Because of the many possible reasons for the subscriber not being reachable, this service varies in terms of how it works. For the simplest situation, the incoming call is referred to the HLR, and if it is known that the subscriber is not available Page 62 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications then the service is invoked there and then. For the HLR to know the status of the Mobile Station, the PLMN needs to use the IMSI Detach/Attach function. This function requires the Mobile Station to notify the PLMN when it is turned off and subsequently when it is turned back on again. The only other way that the PLMN can ascertain if a subscriber is not reachable is if they are paged and no response is received. The one subscription option for the call forwarding when not reachable service, is that of informing the calling party that the call is being forwarded. The person receiving the forwarded call receives a notification of this, as a matter of course. To register this conditional call forward three pieces of information are required: the service number (No. 62), the forwarded-to number and the Bearer/Teleservices to which it applies. 9.1.5 Special Considerations and Interactions Some common characteristics occur in all of the forwarding services, which should be mentioned. The first refers to the input of information in conjunction with the service. Apart from the setting of the service in the GSM PLMN, there is a need for the forwarded-to number to be entered. The format of this number is important since it may be used from within a foreign country, where the national format of the home country is not valid. While it is possible to enter a national specific number (08 811 9334), this number must be converted to an international form (+61 8 811 9334) when used in the foreign country. This can either be done automatically by the PLMN when the subscriber roams, or be done by the subscribers themselves. In the latter case some education is necessary. In addition, when a forwarded-to number is set for call forwards, there is no requirement for the number given to be checked for validity. So calls can be forwarded to a non-valid number without the subscriber knowing it. This will occur consistently until the subscriber corrects any error, so it is important that the number is correctly entered in the first place. To avoid the situation where the subscriber forgets that a call forwarding service is active and operative, an indication is given to the forwarding party each time an outgoing call is made. It is expected that there will be one indication for Call Forwarding Unconditional and another common indication for the rest of the call forwarding services. This is necessary since the Call Forward Unconditional will result in no incoming calls at all, whereas the conditional forwards at least will result in some incoming calls. The distinction made above between active and operative is also important. Interactions exist between specific call forwarding services and the many other Supplementary Services which have been defined in GSM. A primary example of this is the interaction between Call Forward Unconditional and a Supplementary Service to bar all outgoing calls. If both these services are active and operational Copyright 1991, Michael Clayton Page 63
GSM - Global System for Mobile Communications at the same time then the Mobile Station would not be able to receive or make any calls. It has been defined, therefore, that if one is active the setting of the other is disabled, with an indication that an incompatibility has occurred. However, a further situation may occur where a call forward service overrides one already set and which is active. In this case the less dominant service becomes quiescent and only becomes operational again if the dominant service is cancelled. This is the difference between active (i.e. it has been set) and operational (i.e. it is has not been temporarily overridden). For further information on the interactions between Call Forwarding and other Supplementary Services, the GSM recommendations should be consulted. There are many intricate conditions that are clearly defined in the 02.80 series, but which may be subject to change. To include them here may mislead the reader.
9.2
Call Barring52
The concept of barring certain types of calls might seem to be a Supplementary DISSERVICE rather than Service. However, there are times when the subscriber is not the actual user of the Mobile Station, and as a consequence may wish to limit the functionality, so as to limit the charges incurred. Alternatively, if the subscriber and user are one and the same, then Call Barring may be useful to stop calls being routed to international destinations when they are roaming. The reason for this is because it is expected that the charges incurred for international rerouting of calls will be paid by the roaming subscriber. So GSM devised some flexible services that enable the subscriber to conditionally bar calls. They are grouped into two main areas: barring of incoming calls and barring of outgoing calls. These are further sub-divided into barring programs to provide the flexibility required, but each barring program is handled as if it were a single Supplementary Service.
9.2.1 Barring of Outgoing Calls The barring of outgoing calls allows the subscriber to be selective with the calls made from the Mobile Station under certain conditions. A typical scenario could be the use of the Mobile Station in a company where a manager wants to limit the access capability to reduce unauthorised calls. Hence a condition, which may be associated with this barring service, could be barring of outgoing international calls. This would leave free access to national calls, but stop the more costly international calls. The conditions for the barring service are combined to form barring programs, and they are chosen at the time of subscription. The conditions are:
Page 64
GSM - Global System for Mobile Communications 1 2 3 Barring of all outgoing calls (BAOC) Barring of outgoing international calls (BOIC) Barring of outgoing international calls except those directed to the Home PLMN country (BOIC-exHC).
These barring programs are self evident, but there are some points which could be clarified. The barring of all outgoing calls does not affect the ability to make emergency calls. Also, the barring of outgoing international calls does not preclude the user from making calls to the PLMN or fixed network where the user is located. So, if an Australian subscriber roams to Singapore, they may make calls to Singapore, but not to New Zealand. Furthermore, they may make calls to a Singapore subscriber irrespective of where that subscriber has roamed, but not to a New Zealand subscriber standing right next to them. The reason for this is that to call a New Zealand subscriber, the number must be an international call to New Zealand, which is then routed back to Singapore. With the Barring of International Calls Except those directed to the HPLMN program, calls are allowed from the roamed-to country back to the home country. In subscribing to the service, options exist to allow all logical combinations of the conditions above. (e.g. 1, 2, 3, 1&2, 1&3, etc.) In the scenarios given above, the barring service is used by the subscriber to restrict service, but this implies that there is some form of security to stop the user of the Mobile Station from resetting the barring program. Hence GSM has added a password for use with the call barring service, which is also defined at the time of subscription. The Phase 1 description of this barring service allows for the control of barring settings by the Service Provider only, or by the subscriber using this password. At a later time this may change to allow full control by the subscriber, when a proposed parallel service is defined giving similar controls to the Service Provider. The use of the same password is extended to the barring of the incoming call services. The operation of barring outgoing calls is very simple. The call set-up progresses as described above, until the type of call attempt is given by the Mobile Station on the control channel (after ciphering). This type is then checked against the types of allowed calls, as stored in the Visitor Location Register (VLR), and is barred where appropriate with an indication to the user if the call is not allowed. As with most of the Supplementary Services, GSM provides a section on the applicability of each of the Supplementary Services on the various Bearer and Teleservices. For barring of outgoing calls, the applicability is to all services, with the exception of emergency calls. Also, it is possible to have the barring program working on one, or a group of, Bearer/Teleservices, with the others unaffected. In this way, facsimile calls may be barred but telephony calls of the same type allowed.
Page 65
GSM - Global System for Mobile Communications 9.2.2 Barring of Incoming Calls The barring of incoming calls is effectively the same as the above service, but for incoming calls. Once again there is one service, but this time with just two conditions. These are: 1 2 Barring of all incoming calls (BAIC) Barring of incoming calls when roaming outside the Home PLMN country (BIC-Roam).
The first barring condition means, as one would expect, that all incoming calls to that Mobile Station are stopped. The second condition means that all the calls to the Mobile Station are stopped if the subscriber is roaming outside the Home PLMN country. It is this second condition which would be used to stop charges being incurred on the international portion of redirected calls to roaming subscribers. As with the barring of outgoing calls, the subscription allows for combinations of the two barring conditions, attached to one, or groups of, Bearer/Teleservices. Also, the barring on incoming calls is applicable to all types of Bearer/Teleservices. The same password options and conditions as used in the barring of outgoing calls, apply to the barring of incoming calls. When an incoming call is made to the subscriber, it is always referred to the Home Location Register (HLR). It is here that the call type is compared with what has been set, and the call stopped if a conflict arises. 9.2.3 Special Considerations and Interactions Once again, there are some situations arising from the interaction of the barring services and other Supplementary Services. For the outgoing call barring service there is an interaction with call forwarding. In effect, it should not be possible to activate outgoing calls and the forwarding of incoming calls as this would stop all calls to the Mobile Station. Another point worthy of note is a similar situation implied (but not specifically stated) in the interaction between barring of all incoming and all outgoing calls. In addition, the process of forwarding a call can look like an outgoing call, and so when such a forward conflicts with a barring program it should be barred. This may also be stopped by not allowing simultaneous activation of forwarding and barring services where a conflict is obvious. The interaction between call forward unconditional and barring of incoming calls is also worthy of note. Once again, simultaneous activation of the two services is not allowed on the same subscription. However, another interaction can occur if a call is forwarded to a subscriber who has invoked the incoming calls barred service. In this case the forwarded call is treated as if it was a normal incoming Page 66 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications call and set-up is denied. There are further interactions, some quite subtle, between the barring services and other Supplementary Services, which can be deduced by common sense. These are best referred to directly in the ETSI-GSM recommendations.
9.3
Phase 2 Supplementary Services53

There are a number of other Supplementary Services that have been identified, and which are at various stages of development. Some of these services have been frozen and are deemed to be complete but have not yet been released. It would be inappropriate to give too many details.
In the meantime the name of each and a brief description is given below. Number Identification Supplementary Services (GSM Recommendation 02.81) Calling Line Identification Presentation (CLIP) This first service deals with the presentation of the calling party's telephone number. The concept is for this number to be presented, at the start of the phone ringing, so that the called person can determine who is ringing prior to answering. The person subscribing to the service receives the telephone number of the calling party. Calling Line Identification Restriction (CLIR) The calling line restriction service is subscribed to by a person not wishing their number to be presented. In the normal course of events, the restriction service overrides the presentation service. Connected Line Identification Presentation (COLP) This service is provided to give the calling party the telephone number of the person to whom they are connected. This may seem strange since the person making the call should know the number they dialled, but there are situations (such as forwardings) where the number connected is not the number dialled. The person subscribing to the service is the calling party. Connected Line Identification Restriction As may be expected there are times when the person called does not wish to have their number presented, and so they would subscribe to this service. Normally, this overrides the presentation service.
Page 67
GSM - Global System for Mobile Communications Malicious Call Identification (MCI) The malicious call identification service was provided to combat the spread of obscene or annoying phone calls. The victim would subscribe to this service, and then they could cause known malicious calls to be identified in the PLMN, using a simple command. This identified number could then be passed to the appropriate authority for action. The definition for this service is not stable.
Call Completion Supplementary Services (GSM Recommendation 02.83) Call Waiting The call waiting service, allows the subscriber to be notified of an incoming call when they are in the middle of another call. The subscriber can then accept or reject the call. Call Hold The call hold service allows the subscriber to put an existing call on hold to perform some other function (such as answer a waiting call, or make another call), and then to subsequently retrieve the original call. Completion of Calls to Busy Subscribers When a subscriber makes a call and the called party is busy, this service, once set, allows them to be notified when the called party is free, and to have the call automatically re-initiated. This is a difficult service to implement in the mobile environment.
Multi-Party Supplementary Services (GSM Recommendation 02.84) Multi-Party Service This service is similar to a conference type service, in that several calls may be connected with all parties talking to each other. However, there are enough differences, caused by its application to the mobile environment, for it to be known by a different name. It should be noted here that there are no restrictions for any GSM subscriber to be a part of an ISDN Conference call, which has no limit on the number of conferees. It is expected that ISDN will be used for planned or large conference calls, whereas GSM will be used for impromptu multi-party calls.
Page 68
GSM - Global System for Mobile Communications Community of Interest Supplementary Service (GSM Recommendation 02.85) Closed User Group This service is provided on GSM to enable groups of subscribers to only call each other. In this way, intrusions can be limited only to those members who wish to talk with each other.
Charging Supplementary Service (GSM Recommendation 02.86) Advice of Charge There are many people who receive a shock when the phone bill for mobile services is received. This service was designed to give the subscriber an indication of the cost of the services as they are used. Furthermore, this service can also be utilised, in a slightly different form, by those Service Providers who wish to offer rental services to subscribers without their own Subscriber Identity Module (SIM).
Additional Information Recommendation 02.87)
Transfer
Supplementary
Services
(GSM
User-to-User Signalling This service allows the subscriber to send and receive information to and from the person with whom they have an active call. The amount of information is limited, but may include text (such as names and addresses), and numbers (such as telephone numbers). This service does, however, require more investigation.
Call Offering Supplementary Services (GSM Recommendation 02.82) The call forwarding services also come under this heading. Call transfer and Mobile Access Hunting have been separated because they are not a phase one service, and are not stable.) Call Transfer The call transfer service allows the subscriber to transfer a call to another party. This party can be either another GSM Mobile Station, or indeed a person on a different network. One of the difficulties with this service is the billing ramifications. If A calls B, and B asks to be transferred to C, then it is not clear who should be charged for the rest of the call (A, who initiated the call but is no longer a participant, or B, who asked for the call transfer. To charge B is technically difficult).
Page 69
GSM - Global System for Mobile Communications Mobile Access Hunting The definition of this service is not yet stable. The concept behind it is to allow a call placed by a subscriber to be offered to several Mobile Stations in a predetermined order. Once a Mobile Station accepts the call, normal call procedures are adopted.
9.4
Using Supplementary Services54

To make the application of Supplementary Services universal in the GSM recommendations, each service is described in terms of seven functions. These functions cover the requirements for each service to make it work, and range from how it is provided for use by the Operator, to how it is actually set in motion. The first function is provision, which refers to the action required of the Operator to make this service available to the subscriber. While it is implicit that a charge is made for the provision of the service, this is entirely a matter for the Operator. This function should not be confused with implementation of a Supplementary Service, where it is loaded onto the PLMN. Provision is really the way a subscriber may gain access to the service. The opposite of this is withdrawal which makes up the second function. Next comes the registration of the service, which involves the programming of information required for it to function. This can be under subscriber control or under Operator control. An example of the sort of information that may be registered is the forwarding number, and the Bearer/Teleservice for which the Supplementary Service is to be set. The opposite of registration is erasure, in which the registration information is deleted. A special condition exists here since, in order for some services to work, the information registered needs to be present. If an erasure takes place then this information is not available and the service cannot operate. So, whenever a service is erased, it is also deactivated at the same time if it is operative. After registration comes activation, or the turning on of the service. It depends on the service whether this is a separate function or not. As in the case of erasure, it is possible for activation and registration to occur concurrently. The opposite function to activation is termed deactivation. Finally, there is another function which covers the setting in motion of the service. This is invocation, and it is a function carried out either by the user or automatically by the PLMN. As an example of the use of these functions, a call forward may be subscribed to (provisioned), have the forwarding number stored for speech calls (registered), been turned on (activated), but only be invoked when an incoming call is made to that Mobile Station.
Page 70
GSM - Global System for Mobile Communications Not all of these functions are required in the use of some Supplementary Services, and so they are left out or combined. For instance, call waiting does not require any supplementary information to work and so there is no registration. Conversely, call forwards require all of the above functions.
Page 71
10 PLMN SECURITY55
By virtue of the open nature of radio communications, security is an important feature of GSM. There are two areas of security provided in GSM; one concerned with impersonation of valid Subscriptions and the corresponding fraudulent use of Public Lands Mobile Network (PLMN) resources, and another concerned with eavesdropping. To combat these two areas, GSM provides Authentication and Ciphering over the air interface.
10.1 Authentication56
This process is designed to be as secure as circumstances allow. The procedure takes place between the Subscriber Identity Module (SIM) and the Visitor Location Register (VLR) in the PLMN, with all information passed transparently by the components in between. It should be emphasised that the Authentication procedure at the Mobile Station is done purely by the SIM, not the mobile equipment. Embedded in the SIM, at time of manufacture, are algorithms, or complex oneway calculations. They are one-way in the sense that, given a series of inputs and the corresponding results, it is very difficult or impossible to work out the key by which the results are reached. The algorithm for GSM authentication is called the A3 algorithm. The A3 algorithm needs two inputs to reach a result: a random number supplied by the VLR, and an Authentication Key (Ki) which is unique to the subscriber. The Ki is stored in the SIM at pre-personalisation and in the PLMN in a secure environment, so that only the PLMN and the SIM know the secret key. The random number and Ki are applied to the A3 algorithm, and the result issues from it. In GSM terminology, the Random Number is called RAND and the result is called SRES (Signed RESponse). This calculation is done both in the PLMN and the SIM, with only the RAND and SRES being exposed to the insecure air interface. If the response from the SIM matches that in the PLMN, then the Mobile Station is positively identified as being the one claimed. 10.1.1 PLMN Side On the PLMN side, two options exist to generate the RAND and SRES pairs. The first involves an AUthentication Centre (AUC), which would normally be attached to an Home Location Register (HLR) but be located in a secure environment. Within this functional component, the IMSI's and Ki's for all subscribers to that network are known. Also, in the case where more than one Page 72 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications Authentication Algorithm is used, the identity of this too is linked to the appropriate IMSI/Ki pairs. All the AUC does is to generate several RAND/SRES pairs for a given International Mobile Subscriber Identity (IMSI) at a time, and pass them back to the inquirer. In most cases, this is the HLR for that subscriber, which in turn passes out the pairs to a VLR for storage and subsequent use. All the VLR does is to select a RAND/SRES pair, send the RAND to the SIM, and compare the result sent back with the SRES stored. It then discards the pair. The advantage of this method is that the VLR does not have to know the Ki or even the algorithm, to be able to authenticate a Mobile Station. This is especially useful where international roaming comes into play and foreign networks need to authenticate roaming subscribers. 101.2 Transmission of Authentication Key This leads on to the second method, which is less secure and therefore less likely to be used. The method revolves around having the algorithm stored in the VLR and sending the Ki to the VLR on request. In the case where several algorithms are used, the details of the algorithm which should be used, are also included. Using this method, the calculation is done in real time each time the Mobile Station is authenticated. However, security must be compromised, not least because the VLR would not normally be as secure as the AUC. It is a network Operator option as to which method to implement.
10.2 Ciphering57
The second security function provided in GSM is that of ciphering, or encryption, of data over the air interface. This does not stop eavesdropping, but ensures that what is heard is unintelligible. There are several areas where protection of user data is required, but the primary areas are protection of user identification signalling data (e.g. TMSI, LAI), and protection of user data, such as speech. The same mechanism is used in both areas: that of ciphering the raw bit-stream data sent over the air interface. However, this means that the mechanism is a low level function, with the consequence that deciphering takes place as soon as data is received. This is to allow signalling messages to be understood at the Base Station System (BSS). It should be noted, therefore, that this mechanism does not provide end-to-end protection; only protection over the air interface.
Page 73
GSM - Global System for Mobile Communications 10.2.1 The ciphering method The ciphering method relies on adding together the data, and a known bit stream which is derived from a cipher algorithm. The same cipher algorithm is run independently at the other end with the same parameters, so that the known bit stream, which was added, is available there also. All that needs to be done is to take away the known bit stream from the received data, resulting in the original data once more. In fact, a bit by bit binary addition is used in both cases, which results in the original data without the necessity of a subtraction. An example is shown below. At the local end the cipher stream is added to user data. Cipher stream 101001 User Data + 110101 = 011100 Ciphered data
At the far end, the same cipher stream is added to the ciphered data to retrieve the user data. Ciphered data 011100 + Cipher stream 101001 To ensure that the added Cipher bit stream is the same at both ends, the same algorithm must be used at both ends. In GSM, this algorithm is known as the A5 algorithm, and it is implemented in the mobile equipment. To work, it needs a Key called the Cipher Key (Kc), which, although known at both ends, is not itself sent over the air interface. 10.2.2 Cipher Key (Kc) setting Mutual key setting is the procedure that allows the Mobile Station and the PLMN to agree on the Cipher Key (Kc) to use in the A5 cipher and decipher algorithms. The setting of the new Kc is indirectly obtained from authentication. During authentication, a random number is generated in the PLMN and sent to the SIM. This is put through the A3 algorithm with the Authentication Key (Ki) to obtain a response as described above. To obtain the Cipher Key, Kc, this same random number is put through a different algorithm with the Ki. The different algorithm is called the A8 algorithm, and is only implemented on the SIM. Remember that Ki is only known by the SIM and the PLMN, and is never sent over the air interface. This gives the procedure security. On the PLMN, values of Kc are computed at the same time and in the same place (for example the Authentication Centre) as the RAND/SRES values. Whenever Page 74 Copyright 1991, Michael Clayton = 110101 User data
GSM - Global System for Mobile Communications RAND/SRES pairs are supplied within the PLMN, the Kc values are given also, and they are stored together. As a consequence, the RAND/SRES/Kc values are known as Triplets. The key Kc may be stored, and used, by the mobile station until it is updated at the next authentication, or when the SIM is taken out. While the key setting is normally triggered by the authentication procedure, another mechanism exists to allow agreement without running the authentication procedure, using the Cipher Key Sequence number. In this case, the last Kc is used, and it is just a matter of ensuring that both ends still have this key. The Cipher Key Sequence number is incremented every time the A8 algorithm is run up to a value of four after which it returns to zero. To ensure that the Kc is the same at both ends, this sequence number is sent over the air interface and compared. 10.2.3 Starting of the ciphering and deciphering processes The Mobile Station and the BSS must choose to start ciphering in a coordinated way, to ensure that the user data can be retrieved. Normally the process is started on the Dedicated Control CHannel (DCCH), and is always initiated by the PLMN. As soon as the Kc is identified, it is sent to the BSS, which immediately sends a message to the Mobile Station to start ciphering. This is done quickly, since no sensitive information can be sent until ciphering is in place. As soon as the message to the Mobile Station has been sent, the BSS starts to decipher information received from the Mobile Station.
Figure 43: Cipher Start Sequence44
On receipt of the Start Cipher message, the Mobile Station starts ciphering and deciphering simultaneously. Finally, the ciphering process on the Base Station System (BSS) side starts as soon as a frame or a message from the Mobile Station has been correctly received, and deciphered, at the BSS. When a Traffic CHannel is allocated to the Mobile Station for transmission of user data, the key used for ciphering is the one set up during the preceding DCCH session (Call Set-up). In this case, the ciphering and deciphering processes start immediately. 10.2.4 Synchronisation Synchronisation of the ciphering stream at one end, and of the deciphering stream at the other, is required for the ciphering and the deciphering bit streams to coincide. This is achieved by controlling the A5 cipher algorithm using an explicit time variable as an input to the algorithm in addition to the Kc. This timing is indicated in the message to the Mobile Station to start ciphering.
Page 75
GSM - Global System for Mobile Communications 10.2.5 Handover When a handover occurs, the necessary information (e.g. key Kc, initialisation data) is transmitted within the system infrastructure to enable the communication to proceed from the old BSS to the new one. The key Kc remains unchanged at handover.
11 MOBILE EQUIPMENT58
The report has so far dealt mainly with the GSM infrastructure and only touched on the Mobile Station in terms of its functionality. However, there are several areas which are not be covered under infrastructure but which are, nonetheless important. In this section, the mobile equipment is dealt with in isolation from the Subscriber Identity Module (SIM), as well as in conjunction with it. Hence it is prudent, once more, to emphasise the difference between a piece of mobile equipment and a Mobile Station. Mobile equipment becomes a Mobile Station when a SIM associated with a valid subscription is inserted. It is also worth pointing out that ETSI-GSM has allowed a fair degree of latitude to the mobile manufacturers, to allow product differentiation, despite what the manufacturers may claim. However, there are some mandatory features and functions, which will be type approved. The appropriate ETSI GSM recommendation for reference is 11.10.
11.1 Mobile Equipment Features59

There is a minimum requirement, in terms of features, which must be present for the mobile equipment to be deemed a GSM mobile terminal. In fact they are so limited, that mobile equipment merely conforming to them could well be considered archaic. They are: Display of called number This refers to the display of the number input, prior to pressing the SEND button. It is also only mandatory for mobile terminals which require a human attendant.
Page 76
GSM - Global System for Mobile Communications Indication of call progress signals These are the tones, recorded messages and text displays from the Public Lands Mobile Network (PLMN). Country/PLMN indication This is merely an indication of which country and PLMN the Mobile Station is attached to. The form this indication takes is actually being coordinated under the control of the MoU-SERG group, and normally takes the form of a 2-3 country letter indication and a PLMN name. While it implicitly indicates when roaming has occurred, there is no reason for a specific roaming indication not to be supplied as well. Country/PLMN selection This refers to the means by which the subscriber chooses which PLMN to access when roaming and given the choice. A special section deals with this later. Subscription identity management This is a little esoteric, but essentially deals with the scenarios regarding the removal of the SIM and safeguarding the identity of the IMSI. It involves identifying what information needs to be deleted once the SIM is removed. Invalid PIN indicator This is a display feature to indicate that an invalid Personal Identification Number (PIN) has been entered. A small point worth noting here is that, when the PIN is changed, the SIM only accepts the old one and the new one. It is up to the mobile equipment to manage the means by which the new PIN is verified, (e.g. entered twice) before it is presented to the SIM. International Mobile Equipment Identity (IMEI) This is a unique Identity sealed into the equipment, and which may be transmitted to the PLMN when requested. It is on the basis of this that stolen equipment may be identified. Service indicator This is an indication of the adequacy of the signal to allow calls to be made. This is not a simple process because pure signal strength in a Time Division Multiple Access (TDMA) system is not always a good indicator. The only sure way is to make an access and test the errors received.
Page 77
GSM - Global System for Mobile Communications Emergency call capabilities This refers to the capability for the Mobile Station or the mobile equipment to make emergency calls. The mandatory portion is the use of an emergency signal to gain access to emergency services with or without a SIM. However, despite this, it is up to the PLMN Operator, using their licence as the terms of reference, to determine whether to allow SIM-less mobile equipment to make emergency calls. Self testing The self testing is required to ensure that the mobile equipment is ready to operate properly. In doing so the mobile equipment should not affect the PLMN by radiating any signal. Control of Supplementary Services There is a set of universal commands, which allow the Supplementary Services to be set up using just a 0-9, * and # keypad (ETSI-GSM 02.30). This must be supplied on every mobile, irrespective of the Manufacturer methods for accessing these services. The Man-Machine interface deals with this in more depth. The above are the mandatory features for the mobile equipment, some of which require the presence of a SIM card. In the same recommendation dealing with mandatory features (ETSI-GSM 02.07) a number of optional features have also been identified. However, the list is by no means exhaustive and represents only part of the wishlist for a GSM mobile terminal. It is expected that PLMN Operators will have individual wishes that match what will be available on the their own network. If all of these Operators had their way then the mobile equipment would be versatile indeed, but suffice it to say that most mobile manufacturers will be realistic but eager to please. Their offerings should surpass what is laid-down in the GSM recommendations.
11.2 Man-Machine Interface60

One of the main difficulties facing users of mobile equipment is the difference in the way mobile phones achieve similar functions. For some, retrieving the number of the phone could be RCL #, but on another it could be FCN 51. So imagine the problem facing GSM subscribers, who are used to a universal service yet have different commands to access it. It may seem improbable at this point that a subscriber will change phones often enough to worry, but the advent of the Subscriber Identity Module (SIM) means that this is more likely to occur than before. Moreover, past experience has taught Operators that if there is a problem with the setting of a service, sooner or later they are asked to solve it. This is more efficiently done if the same control procedure can be used on any GSM Mobile Station.
Page 78
GSM - Global System for Mobile Communications Consequently, GSM has a standard Man-Machine Interface (MMI) which can be accessed by any GSM terminal with a key pad or some means of entering 0-9, *, # and +. It is cumbersome in some respects, and it is fully expected that the mobile Manufacturers will think of more user friendly ways of achieving the same ends. However, it is the safety net that the Operators believe is imperative. The concept behind the GSM MMI is that a well defined signalling system is used to send the information from the Mobile Station to the PLMN, irrespective of how the information is input. Therefore, the same information elements are required for both the standard MMI and any Manufacturer-specific MMI. In describing the Man-Machine Interface, much use is made of the words SEND and END, to signify the use of the buttons used to start and finish a call. In GSM, the presence of a key pad on the Mobile Station is not mandatory, but there must be some means of entering 0-9, *, #, +, and SEND and END. In this section, where SEND and END are used, the appropriate function is meant irrespective of how it is instigated. 11.2.1 Setting up Supplementary Services It can be seen from the section on Supplementary Services that there are different actions required to make them work. These are provision, registration, activation and invocation. For the purposes of this section, we are only concerned with registration, activation and sometimes, invocation. A distinction often made between different Supplementary Services concerns those services which merely require a command to make them work, and those which require additional information. Whereas the call hold service only requires an activation command, the call forwarding service requires a forwarding number in order to work, and therefore also needs a registration command. The distinction is sometimes highlighted using the terms in-call services and out-of-call services, where call hold would be one of the former and call forwarding one of the latter. However, for the sake of accuracy, the generic approach is adopted here, and it is left to the reader to refer to the ETSI-GSM recommendations (02.30 and 02.80 series) to find out which functions are applicable to which Supplementary Services. Also, the examples given below are generically correct, but some GSM services may differ slightly. This is another reason why the reader should refer to the ETSI-GSM recommendation. 61...1 Registration The general procedure for setting Supplementary Services occurs in two stages: the registration of information required by the service to operate, and the actual activation of that service. An example of registering information is the registration of the number to which calls should be forwarded, and the service for which this forwarding applies. In the standard MMI, registration is performed using:
Page 79
GSM - Global System for Mobile Communications ** NN(N) * Si # SEND Where the ** denotes a Registration command, the NN(N) is the Supplementary Service code, the * is used as a separator between elements, Si gives the supplementary information, the # denotes the end of information, and the SEND refers to the button on the Mobile Station used to send the information. It is quite likely that more than one piece of information could be input, in which case it would be input in a specific order with each element being separated by a *. An example is given below of call forward unconditional (service code 21), for the Fax service (service code 13), to the telephone number 08 123 4567. ** 21 * 081234567 * 13 # SEND 62...2 Activation The second stage is the activation, or turning on, of the service. For instance, the forwarding of calls may not always be applicable and so it may be turned off and on at will. The generic procedure for activation is: * NN(N) * Si # SEND The single * denotes the activation command, and once again the NN(N) gives the Supplementary Service code. Also included in this procedure is the supplementary information field Si. This is here since it was decided that, in most cases, services being set up would normally be activated at the same time as registration. In separating registration and activation, two commands would be required just to set up a service. So, it was decided to allow the activation procedure to also contain the supplementary information which would be registered as part of the activation. If no such information is included in the activation command, then the last supplementary information registered is used. Using the same example as above, an example of activation for call forward to 012345678 for Fax is given below. * 21 # SEND or * 21 * +6181234567 * 13 # SEND It is assumed that a valid subscription exists for each service to be set up. If this is not the case then any attempt to utilise the service is rejected by the network. Note that in the second example, the forward-to number is given as an international number not a national specific number.
Page 80
GSM - Global System for Mobile Communications 63...3 Erasure/Deactivation Erasure of a service deletes any information in the network and also deactivates the service. Conversely, deactivation of the service can be used to turn off the service without deleting the information. The identifier for erasure is ## (the opposite of registration **) and for deactivation # is used (the opposite of activation *). The generic procedures for erasure and deactivation are:## NN(N) * Si # SEND (Erasure) # NN(N) * Si # SEND (Deactivation) In practice, there is no real need for the supplementary information unless it is required to ensure the correct set-up is being deleted or deactivated. There is also a general deactivation command for most out-of-call Supplementary Services; for example, the call forward version is #002#SEND. 11.2.2 In-Call Supplementary Services The in-call Supplementary Services are handled a little differently from the generic approach. While the definition of some of these services is still going on, and what follows may well change before this is complete, there is some justification for showing how it looks now to give some indication of how it may look when completely stable. Some indication of the stability of recommendations is given in Annex 3. For all of these supplementary services, the principle is that one or two digits followed by the SEND function dictates the command. There is no need to add any stars or hashes to identify the activation, since in most cases all that is required is an invocation of the service. Also, there is no need to identify the service requested, because the commands are context dependent (e.g. a waiting call cannot be accepted unless one is waiting). 64...4 Call Waiting Once a call is indicated as waiting there is a time limit in which the subscriber needs to give a command. After this timer expires the keystroke becomes invalid, and subsequent call handling operations follow. If the subscriber wishes to clear the existing call and accept the new call, then all that is required is to press END after which the waiting call starts to ring as a normal call. To accept this call the subscriber must enter SEND. However, if this too cumbersome, then the two functions of ending the current call and accepting the new call can be started by entering 1 SEND. If the subscriber wishes to keep the existing call and merely find out who else is calling, then 2 SEND puts the existing call on hold and answers the waiting call. Copyright 1991, Michael Clayton Page 81
GSM - Global System for Mobile Communications Thereafter the call scenario is that of the call hold service with the corresponding commands. Finally, if the subscriber definitely does not wish to accept the waiting call, then a 0 SEND rejects the waiting call. Alternatively, the subscriber can just ignore the waiting call. 65...5 Call Hold During a call the subscriber may wish to contact someone else briefly, which would require them to put the existing call on hold. This is easily done by entering the required number and then pressing SEND. Once the call is set up, the subscriber can then shuttle between the calls, without connecting them, by entering 2 SEND. If at some stage the subscriber wishes to clear one call, then a 0 SEND clears the held call, or 1 SEND clears the active call and return the held call. At any time the subscriber can connect all parties by entering 3 SEND. This is the method used for building up a multi-party call. 66...6 Multi-Party A multi-party call is essentially an extension of the call hold and call waiting services, since it is through these two services that a multi-party call is built up. Entering 3 SEND connects a held call and an active call, but the subscriber may wish to connect a third or fourth call, up to a limit of five calls (six parties including the controller). The process for connecting each call is essentially the same. All that is required is for the subscriber to enter the required number and press SEND. This puts all the active calls on hold and sets up the new call. Thereafter by entering 3 SEND, the new call is added to the held calls and they all become active once more. If at any stage a party wishes to leave the multi-party call, all they need do is enter END. Where the subscriber wishes to end the call, then entering END clears all calls. However, if a specific party is to be released then entering 1x SEND can be used, where x is the specific call numbered in the order of set-up. 11.2.3 Type of Numbers It has been mentioned among the requirements for the key pad, that the + key, or some means of entering it is needed. The reason for this is that it is used to indicate an outgoing international call. The method of indicating an international call on the fixed telephone network is done by a specific access code. However, this is not standard across the world (0011 in Australia, 010 in the United Kingdom (UK) etc.) Rather than making the subscriber remember all the myriad Page 82 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications access code combinations, the + indicates an international call, which is signalled to the PLMN as a Type of Number (TON) in the call set-up message. This TON can take other values than just International, and these have been identified as, National Number, Network Specific, Dedicated PAD, or Unknown. There is also some redundancy left for future extensions. In the normal course of events, the Mobile Station defaults to one value, with the only other value being International, accessed by a +. It may be surprising, but the probable default value would normally be Network Specific, with national specific numbers accessed as a subset of this. The main reason for this is that the PLMN Operator will wish to have some special services accessed by special numbers, in addition to national numbers. The only way this can be done would be indicate a Network Specific number and let the PLMN filter out the special numbers. However, this is not done entirely by TON. In conjunction with it is another indicator called Number Plan Identifier (NPI). One of the values it can take is ISDN/telephony Numbering Plan, corresponding to internationally recognised numbering plans. It may appear at first that telephone numbers have no special structure, but they have an explicit function to identify the end destination. Invariably, these numbers are used in different networks, nationally and internationally, to allow parties to contact one another. As a consequence, the structure of numbers was standardised to give some order to the process, and hence Number Plans were devised. The NPI can take other values these being: ISDN/telephony (E.163/E.164), Data (X.121), Telex (F.69), National, Private and Unknown. It is the National number plan which would allow the Operator to add their own special numbers, and at the same time include the ISDN/telephony (E.163/E.164) as a subset for normal telephone numbers. There are some interesting possibilities regarding the TON and NPI, and as this report is written they are still being developed. There is some provision for TON and NPI to be used in the Subscriber Identity Module (SIM) on the Abbreviated Dialling Number Data-field. However, for the purposes of this section, there is no MMI to utilise them, other than the +, leaving the options open for the mobile manufacturers to exploit.
11.3 PLMN Selection67

One of the first things a Mobile Station does when switched on is to look for a PLMN on which to register. Initially it normally looks for the Home PLMN first but in the process of doing this, it identifies up to 30 Broadcast Control CHannels (BCCH) from any PLMN giving service. If one of these is the last registered PLMN or the Home PLMN, then the Mobile Station starts the procedure as Copyright 1991, Michael Clayton Page 83
GSM - Global System for Mobile Communications described earlier to register. However, if none of these belong to the last registered or HPLMN, then another PLMN needs to be chosen. There are two methods which apply to GSM, Manual and Automatic selection, and the Mobile Station can be programmed by the subscriber to swap from one mode to the other. Once the top 30 BCCHs list has been constructed, it is analysed to find which PLMNs each belongs to, and a list of available PLMNs results. This list of PLMNs is used as the basis for both manual and automatic modes. In the Manual PLMN selection mode, the subscriber is presented with this list, given as a country code of two or three letters and the name of the PLMN, and prompted to choose one PLMN. The means for choosing the requested PLMN are left to the mobile manufacturer, but once it is chosen the Mobile Station attempts registration as before. In Automatic mode, the user does not need to do anything. On the SIM is a preferred PLMN selection list, in which the subscriber (or the Operator) has stored all the PLMNs in various countries in the order that access attempts should be made. The Mobile Station compares the preferred list starting from the top, against the available PLMNs until a match is found. It then attempts to make an access. For whatever reason, it is possible that the access attempt could fail, in either mode. In cases such as this, GSM has built in a safety mechanism to reduce the amount of signalling over the air interface when the Mobile Station is in Automatic mode. When a registration fails, the Mobile Station stores the identity of the PLMN in a Forbidden PLMN list kept on the SIM. It contains only four PLMNs, and the addition of a new one causes the oldest one to drop off the end. In Automatic mode, each time a match between the available PLMN list and the preferred list is found, prior to the access attempt it is checked against the forbidden list. If the identified PLMN is on the forbidden list, it is disregarded and the Mobile Station moves on to the next available PLMN. A side effect of the whole process is that, in Automatic mode, any PLMNs on the forbidden list never get chosen. The only way to override this is to change to Manual mode. In Manual mode, the presence of forbidden PLMNs in the list of identified PLMNs may cause that PLMN to be marked as forbidden. However, there is nothing to stop the subscriber still requesting that PLMN, whereupon a registration attempt is made. If this attempt is successful, the entry in the Forbidden List is deleted. There are commercial ramifications to the PLMN selection list that should be mentioned. Because this list dictates the order in which the available PLMNs should be tried, an advantage is gained by an Operator having their PLMN listed above their competitor's on the SIMs of subscribers roaming to that country. This Copyright 1991, Michael Clayton
Page 84
GSM - Global System for Mobile Communications may be exploited by Operators through mutual agreement so that, by default, each will carry the traffic of the other's subscribers when roaming into its area of coverage.
11.4 Mobile Station Access Class Mark68

Congestion is a problem in any network, and may well occur at some stage with GSM. One important consideration in a congestion situation is to stop the PLMN from overloading to the extent that it falls over. The best way of doing this is to prevent groups of users from attempting to access the PLMN, but how can these groups be identified? This is done in GSM using access classes, which are stored on the SIM. There are fifteen of them, 0 to 9, and 11 to 15 (class 10 does not exist). Normal subscribers will have a class between 0 and 9, and so when a group of subscribers needs to be barred temporarily from a particular area of the PLMN, one or more of these classes can be chosen. If this is done then the Broadcast Control CHannel (BCCH) broadcasts a list of authorised access classes. The Mobile Station checks the allowed class against its own and, if not allowed, it does not attempt to make a call. The only time this can be overridden is if an emergency call is requested. However, also indicated on the BCCH is whether emergency calls are allowed from all Mobile Stations or only from special classes. These special classes are in the range from 11-15. They must be specially programmed by the Operator and their use is restricted to the HPLMN and Home country. Any high access class Mobile Station roaming internationally must revert back to a normal, 0-9 access class. Despite their parochial nature, their use has been defined. Class 11 is for PLMN use, and class 15 is for PLMN staff. Class 12 is reserved for security services, class 13 for public utilities (e.g. gas, water, etc.), and class 14 is for emergency services. It follows that classes 12, 13 and 14 are valid within one country, whereas classes 11 and 15 are only valid in one PLMN.
11.5 R and S Interfaces69

Data transfer over GSM has been designed to be flexible, and so it is expected that the interconnection with the Mobile Station for data communications would be reasonably easy. To this end two data ports have been incorporated in the Mobile Station, the R and the S interface. While the physical connection has not been standardised, which may cause some difficulties, the protocol has. The S interface is effectively the same as would be found on an Integrated Services Digital Network (ISDN) terminal. The R interface is equivalent to a standard nonISDN interface such as the CCITT V or X series. However, there is a limited amount of functionality that can be incorporated in a Mobile Station, and the provision of the R and S interfaces is optional. It is quite Copyright 1991, Michael Clayton Page 85
GSM - Global System for Mobile Communications possible that one or both of these interfaces involves an extra adapter to give the required input to the Mobile Station. This is, once again, entirely up to the mobile manufacturer.
11.6 International Mobile Identity Number (IMEI)70

The IMEI is the electronic number that uniquely identifies the mobile equipment. It is the electronic serial number of the equipment, and is not normally used by the PLMN for standard procedures. However, provision has been made for the PLMN to request the IMEI at any time during a call, including during the call initiation procedure. This is for two reasons. Primarily, the IMEI is used to identify those mobile terminals that have been type approved. Secondly, the IMEI also enables the Operator to identify stolen equipment. The responsibility for this IMEI has been given to the manufacturer of the equipment, who must ensure that each IMEI is unique, and keep detailed records of released mobile equipment. This may seem like a large task but, when a piece of mobile equipment passes through type approval, it is given a type approval number which forms part of the IMEI. All the Manufacturer need do is add the actual unit and manufacturer number. 6 Digits <> TAC 2 Digits <> FAC 6 Digits <> SNR 1 Digit <> SP
15 Digits <>
Figure 45: Composition of the IMEI46
The TAC is the Type Approval Code, and it is determined by a central body, yet to be identified. The Final Assembly Code (FAC), is used to identify the place of manufacture and final assembly. The Serial Number (SNR) is the manufacturer defined unit number within the TAC and FAC and finally, the SP is a spare digit for future use. The IMEI is not part of the subscriber's data unless it is expressly desired, and even then at the discretion of the Operator. However, some guidance is given regarding white, grey and black lists of IMEIs. The white list contains all number series issued from different participating GSM countries (i.e. those mobile terminals which have been type approved in that country). The black list contains Copyright 1991, Michael Clayton
Page 86
GSM - Global System for Mobile Communications individual IMEIs that need to be barred for whatever reason (e.g. stolen mobiles). The grey list records those pieces of mobile equipment that may be faulty. They are not barred but reported to the operation and maintenance staff with the International Mobile Subscriber Identity (IMSI). The staff may wish to call the subscriber using the equipment to ask them to have it checked. Alternatively, if the equipment causes too much disruption, it can be black listed. While this guidance is given, there is no specification as to how it must be implemented. This is an issue which remains to be discussed within the GSM Memorandum of Understanding (GSM-MoU).
Page 87
12 SUBSCRIBER IDENTITY MODULE71

The use of a Subscriber Identity Module (SIM) marks a major departure from the existing situation in most cellular communications networks. Whereas in existing cellular systems the Mobile Phone contains the subscription identity, in GSM this is now kept in a small credit card sized smart card, or SIM. This card can be removed from the mobile equipment by the user, and placed in a different piece of mobile equipment. In this way, any piece of GSM mobile equipment which can take the card, becomes the Mobile Station for that subscription. It can make calls and receive calls for that subscriber and have them billed to the subscription of that SIM. As the glossy advertising puts it, with some slight exaggeration, with the GSM SIM any phone is your phone. Exaggeration apart, the importance of the SIM cannot be ignored, either commercially, or technically. This section deals with the content of the SIM and its functional characteristics. It then goes on to talk about the commercial ramifications.
12.1 Description72
Physically, the SIM has been designed to be inserted or removed by the subscriber. It comes in two forms which are functionally identical, but differ in size. The IC card SIM is the size of a credit card with a set of six standard contacts diagonally on the left hand side, slightly above the middle line of the card. The Plug-in SIM is much smaller (~25mm square) with the contacts central to the card. The two SIMs have been physically designed to fulfil two distinct roles. The IC card SIM is intended to be inserted and removed from the Mobile Station on a regular basis. To facilitate this and give flexibility, the IC card SIM conforms to international smart card standards (ISO 7816 series). The Plug-in SIM, however, has been specifically designed for GSM to fulfil a role similar to that of existing cellular systems. The small size allows for the module to be placed semi-permanently in the mobile equipment, although the subscriber can remove it. For the Plug-in SIM only, ISO 7816/3, which defines electrical and protocol characteristics, applies. There is a further scenario which GSM has taken into account. While it is expected that the Plug-in SIM is semi-permanently inserted in the mobile
Page 88
GSM - Global System for Mobile Communications equipment, it may be possible for this equipment to also take an IC card SIM, allowing a subscriber with a full sized SIM to borrow a phone without having to disturb the owner's plug-in SIM. They would simply insert their own SIM and that phone would become theirs as long as their SIM remains inserted. In this case the larger IC card SIM inserted takes precedence over the Plug-in SIM. Once the IC card is removed, the Plug-in SIM takes over. While it is unlikely that an IC card will be inserted during a call, the inserted card will only take over once that call has been cleared. As is the case normally, if the IC card SIM is removed during a call the call is terminated; thereafter the Plug-in SIM takes over.
12.2 Internal Electronics73

A SIM consists of a small microprocessor embedded in plastic, which is able to manipulate and store data. The power supply to the card is supplied via the same contacts used for data transfer. There are six contacts in all. Like a microprocessor in a personal computer, the SIM microprocessor has instruction sets and an operating system. It has a storage medium, some of which is permanent, some semi-permenant, and some of which is volatile. Also like a personal computer, the data fields it stores are set up in a directory structure, where certain data is kept in partitioned areas. Sometimes there is some security included, ensuring that the data field is only accessed by the appropriate entity. The SIM data storage scheme has been designed to be flexible, even to the extent that GSM-related data resides in a subdirectory so that the SIM may also support other applications. Hence, from the root directory stem two application directories; the GSM Applications Directory (GSM-AD) and the Telecom Applications Directory (Tel-AD). The GSM-AD contains such things as the International Mobile Subscriber Identity (IMSI) and the last Location Area Identity. The Tel-AD could contain the user's telephone directory, or the Short Message Service (SMS) storage field. The information stored in the GSM-AD is secure to varying degrees, whereas the Tel-AD has limited access so that other telecommunication technologies can access the data. However, access by other applications, such as banking applications, is not allowed. This allows the applications of the SIM to grow and not be limited to one situation or application.
12.3 SIM Content74

The SIM, being the functional component of the subscription, needs to store a great deal of information. Some of this is static and some of it is frequently updated, but all of it must be non-volatile. Serial Number Copyright 1991, Michael Clayton Page 89
GSM - Global System for Mobile Communications This is used to identify the card itself. It contains information regarding the manufacture of the SIM, and allows identification of some internal variances in the SIM such as the operating system version. It is stored electronically, though it may also appear as part, or all, of the printed serial number. Status of SIM This refers to whether the SIM has been blocked by successive incorrect Personal Identification Number (PIN) entry attempts used to unlock the card. Service code This refers to the service (e.g GSM) to which the application data field relates. Authentication Key (Ki) This is the key used in conjunction with the A3 Authentication Algorithm to positively identify the Mobile Station. It cannot be read out of a SIM. Cipher Key (Kc) This is the Key generated using the A8 algorithm, which is passed to the Mobile Station and used in the A5 Encryption Algorithm to provide a secure RF link. Cipher Key Sequence number At every Kc generation this number is incremented. It is used as a quick check to ensure that both the Mobile Station and the Base Station System (BSS) have the same key, without passing details of the key over the air interface. IMSI This is the International Mobile Subscriber Identity, which is used to uniquely identify each and every subscriber on any Public Lands Mobile Network (PLMN). TMSI This is the temporary identification given to the Mobile Station while it is in the service area of a particular MSC/VLR. It has local significance and so is normally used in conjunction with an Location Area Identity (LAI) for identification purposes. LAI The Location Area Identity of where the Mobile Station was last registered, is stored on the SIM to allow the PLMN to find the reference to the TMSI used in identification. Periodic Location Update Timer The Mobile Station has a clock which determines how often it needs to perform a Location Update, assuming that one has not occurred since the timer was started. This timer is independent of the periods when the Mobile Station is turned off, during which the counter is frozen and the value stored. Update Status This piece of data refers to the Location Update status of the Mobile Station. It can Page 90 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications indicate whether it was updated, and also the reasons for Update Failure. Preferred PLMN list This is a list of PLMNs stored in the order that the user wishes the Mobile Station to look for and try to access PLMNs when roaming. Forbidden PLMNs This is a list of PLMNs which have been forbidden to the Mobile Station, at Location Update time. The list is not fixed, since the it can be overridden and deleted if a subsequent successful update occurs. Also, it only contains four PLMNs and once a new PLMN is added, an old one drops off the end. Subscriber Access Control class In times of emergency, the PLMN can be configured to allow access only to certain Mobile Stations, identified by this class mark. It should be noted that, due to their sensitive nature, the programming of certain emergency classes must be carried out specifically by the Operator. PIN enabled/disabled indicator This field indicates whether the Personal Identification Number function is required or not. PIN Disabling allowed/not allowed indicator This field indicates whether the Personal Identification Number function is allowed to be disabled or not. PIN This is the Personal Identification number used to restrict access to the SIM. PIN Error counter Every time an incorrect PIN entry attempt is made this counter is incremented. If three consecutive incorrect attempts are made, the card is blocked. A correct PIN resets this counter to zero. PIN Unblocking Key (PUK) This is used to unblock the PIN after it has been blocked by three consecutive erroneous PIN entry attempts. Unblocking Counter This keeps a count of unblocking attempts. After ten incorrect consecutive attempts, the card is locked, possibly forever. Inter-PLMN roaming allowed/not allowed This is an indicator defining when inter PLMN roaming is not allowed. The GSM Memorandum of Understanding (GSM-MoU) dictates, at present, that international roaming must be supplied for all subscription options, so this field is included for Copyright 1991, Michael Clayton Page 91
GSM - Global System for Mobile Communications completeness, and is for further study. Pre-Personalisation and Re-Personalisation data This is data which is specific to a particular SIM and gives details of the Personalisation functions. It refers to several administrative data fields and is included for completeness. Pre and Re-Personalisation Keys These are keys that control the access to the SIM for the purposes of personalisation of the card. These cannot be read out of the SIM. This list is by no means exhaustive, and there are many administrative data fields not listed. Also not included are those data fields related to supplementary services and those used for subscriber controlled data. Examples of these are the Abbreviated Dialling Number field, the Short Message Service (SMS) storage field, Fixed Dialling Number field, and the Charging Counter.
12.4 Lifecycle of SIMs75

The SIM card goes through several distinct stages during its lifetime. The emphasis in this report is given to those stages necessary to get the SIM into the hands of the subscriber. 12.1.1 Production The first of these stages is production which is really outside the scope of this document. However, some aspects of the production are worth noting. Once the card is manufactured, it is blank and needs to be formatted in much the same way as a blank floppy disk used in personal computers needs to be prepared for use. This is the stage where the directory structure is added to the card and a unique serial number is written to it. Finally, before the SIM leaves the Manufacturer, it is locked so that only authorised personnel can access the card. This makes the card less vulnerable in transit. 12.1.2 Pre-Personalisation The next step is to allocate an International Mobile Subscriber Identity (IMSI) and Authentication Key (Ki), which is done at the Pre-Personalisation stage. This is performed in a secure environment, and requires the Pre-Personalisation Key. Once it is completed the Pre-Personalisation Key is rendered inactive and a RePersonalisation Key is added for subsequent use. Apart from the more secure information above, Pre-Personalisation is used to set up some internal workings of the card. These include the Personal Identification Page 92 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications Number (PIN) disabling allowed/not-allowed function, the initial PIN, the personal unblocking key, the PIN error counter, and the status indicator of the SIM. The latter provides a second layer of security if required. 12.1.3 Personalisation This stage corresponds to the point where a Subscription and a subscriber are associated with the SIM. Therefore, the type of information loaded includes subscriber related information, some Personalisation data such as the date, and the subscriber Access Control Class. This stage is also aligned with management procedures for setting up the subscriber's account, and it is possible that both will occur at the same time. In this case, the line between the Pre-Personalisation and Personalisation stages becomes blurred, since the distribution characteristics of SIMs have changed. Whereas in the analogue system, the mobile equipment contained all that was necessary to access the network, in GSM this is contained in the SIM. The Network Operator has full control over the subscription, what goes into it and what does not, rather than having to rely on third parties to program the equipment. However, the penalty paid is extra lead time in getting cards from the Network Operator to the sales outlet, or capital investment in having preprogrammed cards waiting idle at the sales outlet. These are significant problems which need to be addressed. 12.1.4 Normal Operation Once the SIM is issued to the subscriber and inserted into the mobile equipment, it enters the normal operation stage. Assuming that nothing untoward happens it should give several years of service before it needs replacing. There is one situation, however, which can prematurely render the card useless. From the data fields included on the SIM, it can be seen that there is the option for the SIM to require a PIN before the mobile equipment can utilise it. If this PIN is incorrectly entered three times the card is blocked. To unblock the card a similar operation is utilised where a PIN Unblocking Key (PUK) is used. Whereas after only three incorrect attempts the SIM is blocked, to unblock it ten failed attempts to unblock it are allowed. After the tenth failed attempt the card is then locked, and in this situation the card is rendered useless, probably forever.
12.5 SIM Security76

Security on the SIM is not taken lightly. Data such as the Authentication Key (Ki) and subscriber related secret data must be protected at all times. The consequences of this include ensuring that the GSM Application Data Files are physically separate from other areas, especially when different applications also Copyright 1991, Michael Clayton Page 93
GSM - Global System for Mobile Communications use the card. This security must be set up internally to the card, in such a way that the SIM does not recognise any commands other than the specified GSM commands. In the case of multi-application cards this must also be context dependent ensuring that no overlapping commands, which are similar in each application, compromise the security of any of these. The outward facing security must be equally stringent. All subscriber related information stored in the mobile equipment and used in GSM PLMN operations must be deleted on removal of the SIM or when the mobile equipment is turned off. This is probably quite a severe requirement especially when the SIM is the Plug-in type and is seldom removed. In this case the data is passed back and forth between the same SIM and mobile equipment combination every time the Mobile Station is turned off. It was suggested that this information is left intact when the mobile equipment is switched off, but there is no fail-safe function that explicitly deletes the subscriber information if a different SIM is then inserted. This could make the information vulnerable. At this stage, the requirement that the information is deleted each time the mobile equipment is turned off remains, but it takes time to transfer data across the SIM/mobile equipment interface, and time will determine if this requirement remains in the future.
12.6 Start up procedure77

In the GSM application, the SIM always acts as slave and the mobile equipment takes the role of the master. This does not mean that the SIM blindly carries out any mobile equipment command; the security function precludes that, by only acting on known commands. It merely means that the mobile equipment initiates the SIM interaction, and the SIM provides results. A good example of this is the session initialisation procedure for the SIM/mobile equipment interface. The mobile equipment requests the PIN enabled/disabled status and, if enabled, the mobile equipment starts the routine to check the PIN. In the resulting exchange with the subscriber, it is the mobile equipment that governs the method of asking for the PIN, which is then presented to the SIM. The SIM responds with a yes or no answer and then opens up the access to the appropriate data files, but it doesn't just supply the data; it waits for the mobile equipment to ask for it. Consequently, the mobile equipment must request the Temporary Mobile Subscriber Identity (TMSI), then the Location Area Identity (LAI), and finally the Cipher Key and the Sequence number. Further requests result in the transfer of the Broadcast Control CHannel (BCCH) information, some administration data, an IMSI (if requested by the PLMN), access control information, forbidden PLMN list, SIM capability information and update status data. Only after all this has been transferred is the Mobile Station ready for PLMN operations. Page 94 Copyright 1991, Michael Clayton
In reverse, the above information must be transferred back and stored when the Mobile Station is deactivated. After this transfer the connection between the SIM and the mobile equipment is broken, and the Mobile Station powers down. It is worth noting here that no guarantee is made for the situation when the SIM is removed without warning. In this case there is a high probability that some information may be lost, depending on the in-session updating carried out by the mobile equipment, which could result in resynchronisation difficulties.
Page 95
13 RADIO FREQUENCY LAYER IN GSM78

It has been mentioned that there is an international model which helps to describe telecommunications systems by breaking them down into layers, each dealing with specific functions. This is the Opens Systems Interconnection (OSI) model. It is not really necessary to go into any depth regarding this model, apart from understanding the terms used in GSM. The term lower layers is used a great deal in the GSM Recommendations and it refers to the first three layers of the OSI model. The Radio Frequency (RF) layer(s) in GSM applies to layers one to three of this model. Effectively, it covers all the necessary requirements to enable data to be transferred across the air interface between the Mobile Station and the Base Station System. This chapter describes how data is transferred using channels and how the channels are physically realised.
13.1 Logical Channels79

The report so far has dealt with data transfer on Traffic CHannels, or Control CHannels. These are referred to as Logical Channels in GSM, and can be regarded as the pipes for information transfer. They represent a specified portion of the information carrying capacity of the GSM Public Lands Mobile Network (PLMN). The physical realisation of these channels is complex and is dealt with later, but before this is done, it is worth explaining what Logical Channels are, and what they do. They are split into two groups; those which are configured as Traffic Channels and those which are configured as Control Channels. 13.1.1 Traffic Channels The Traffic Channels are configured to carry user data. This data can be in the form of speech or in the form of pure digital data, for example, from a computer terminal. This leads to the two main channel types called, not surprisingly, speech channels and data channels. The speech channels also come in two forms, Full Rate and Half Rate, corresponding to the two data rates available from the two methods of speech encoding. The Half Rate speech encoder is in the process of being defined at present, as part of GSM Phase 2 definition. Consequently, it is expected that the Half Rate speech channel will not be utilised for some time, but allowance has been made for it now to avoid cross-phase compatibility problems.
Page 96
GSM - Global System for Mobile Communications The Data Channels also come in half rate and full rate, but this time the choice of which type to use is dictated by consideration of the most efficient use of resources for the user's raw data rate. For instance, a raw data rate of 4.8kbit/s could be carried on either full or half rate, whereas raw data rates higher than that would only be carried on a full rate channel. 13.1.2 Control Channels The control channels are designed to carry signalling information only, and are split into three types: Broadcast, Common, and Dedicated control channels. There are specific channels within these categories which are defined in the following sections. 80...7 Broadcast Channels The broadcast channels cover those channels used by the Mobile Station to identify, and enable access to, the PLMN. The first is the Frequency Correction CHannel (FCCH), which sends out information allowing the Mobile Station to fine tune its frequencies to that of the Base Station System (BSS). Both the R.F. carrier frequencies and the data timing frequencies are obtained using the FCCH. GSM relies on ensuring that the timing in the Mobile Station matches that of the PLMN, a situation which, due to the vagaries of the R.F. link, always needs to be monitored and adjusted. The FCCH controls the frequency between the Mobile Station and the BSS, but there are other areas where synchronisation needs occur. Information is sent over the air interface in packets, which need to be synchronised with the BSS. The Synchronisation Channel (SCH) takes care of this and at the same time is used to identify the PLMN. The identification is given in the form of a Base transceiver Station Identity Code (BSIC), and synchronisation is supplied by packet numbering information. The last of the Broadcast channels is the Broadcast Control CHannel (BCCH) itself. This channel is used to transmit general information regarding the configuration of the Base Transceiver Station, on a cell by cell basis. The sort of information it transmits includes what control channels are supplied and how they are configured, and also how often paging takes place. 81...8 Common Control Channels Like the Broadcast channels, three types of channel come under this heading. The Paging CHannel (PCH) is used only in the downlink direction (BSS to MS) to page Mobile Stations for incoming calls. In contrast, the Random Access CHannel (RACH) is used only in the uplink direction for Mobile Stations to make first contact with the PLMN. Leading on from there, the Access Grant CHannel (AGCH) is used to reply to a Mobile Copyright 1991, Michael Clayton Page 97
GSM - Global System for Mobile Communications Station making a random access on the RACH. This channel, like the PCH, is only used in the downlink direction. 82...9 Dedicated Control Channels (DCCH) Dedicated Control Channels are the signalling workhorses of GSM, through which interaction between the PLMN and the Mobile Station occurs. It is using these channels that the Mobile Station is authenticated, location updates are performed and calls are initiated. Their very nature as the major signalling medium over the air interface means that there are many types. Some of these control channels are associated with Traffic CHannels, to enable in-call functions such as Handovers. Others are standalone, and are used for signalling. This does not require a Traffic CHannel (TCH), unlike Location Updating. Not unreasonably, the stand alone types are known as Stand Alone Dedicated Control CHannels (SDCCH) and those associated with TCHs are known as Associated Control CHannels (ACCH). The Associated Control CHannels come in two forms, fast and slow. The difference between them is that the Fast Associated Control CHannels (FACCH) actually steal resources from the Traffic CHannel, whereas the Slow Associated Control CHannels (SACCH) wait for resources to become available. 83...10 Cell Broadcast CHannel (CBCH)
The one remaining control channel is the Cell Broadcast CHannel (CBCH). It is used only in the downlink direction, and is specifically used for the GSM Short Message Service cell broadcast feature.
13.2 Physical Channels84

The radio spectrum is the physical medium used by GSM to transfer information. In the GSM band, radio channels have been created by partitioning this frequency spectrum. These are radio frequency channels available to the GSM system as a whole, and each is numbered. Subsets of these frequency channels correspond to particular allocations to cells and/or Mobile Stations. 13.2.1 Time Division Multiple Access (TDMA) The radio channels are effectively the same as those that an analogue cellular system would use. However, while an analogue cellular system uses one frequency channel for one call, GSM uses the same frequency channel to support several calls. This is achieved by allowing each call, in turn, to use the same radio frequency Copyright 1991, Michael Clayton
Page 98
GSM - Global System for Mobile Communications channel for a short period, called a timeslot. So, for eight calls there would be eight timeslots, with a different call being transmitted one after another in each one. There is a limit to how many calls can be put on the same R.F. channel of course, otherwise the calls start to break up. In GSM, the number of calls is 8 and the use is cyclic, which means that after call number 8 has transmitted data, then call number 1 would transmit once again.
Figure 47: Time Division Multiple Access48
At the receiving end, each timeslot is received and separated so that all the timeslots of the different calls can be reassembled to form a continuous stream. This process is called Time Division Multiple Access (TDMA). 13.2.2 Timeslots and Frames The timeslots used in GSM are very short in duration, only half a millisecond long (~0.577 mS) and so synchronisation is important. To ensure that the Mobile Station and Base Transmitter Station (BTS) transmit in the correct timeslot, each timeslot is numbered, T0 to T7 inclusive. A set of 8 of these timeslots (i.e. a cycle from T0 to T7) is defined as a frame, and lasts for 4.62 milliseconds. It is therefore apparent that a physical channel in GSM corresponds to a frequency, and a timeslot number in which to transmit. However, one would expect that the same channel (timeslot number) would be used in both the uplink and downlink but, to do this, the Mobile Station and Base Station System (BSS) would need to receive and transmit at the same time. To avoid this, a delay of 3 timeslots is built in between the reception of data and the transmission on the same timeslot number. At the BSS, this delay is fixed. However, for reasons which will become apparent, at the Mobile Station the delay is variable. 13.2.3 Frame Alignment/Timing advance The key to the TDMA process working is synchronisation. The received pieces of data must all arrive at the correct time or they start to overlap, and interfere. The problem is that it takes time for a transmitted piece of data to travel from the Mobile Station to the BSS. If the Mobile Station transmits at the correct time, then by the time it reaches the BSS, it will be late and will interfere. If, however, the Mobile Station transmits early, then this extra time can be used in travelling to the BSS. So, the Mobile Station must advance its timing by the same amount of time that the signal takes to travel to the BSS, and hence the pieces of information arrive at exactly the right time.
Page 99

Figure 49: Adaptive Frame Alignment50
In fact it is the BSS which tells the Mobile Station by how much to advance its timing, since it can measure the difference between the time when a piece of information was due and the time when it actually arrived. The process is called adaptive frame alignment, and is continually monitored and adjusted by the BSS. To avoid start up problems, the random access is designed to have leeway built in to allow for transmission delay, so that interference does not occur. Thereafter, an alignment message is calculated and sent to the Mobile Station. Similar precautions are also built in for handover. In finely synchronised cells a quick calculation is done to determine what the difference of frame alignment between the Mobile Station and the two cells could be. From that, the alignment for the new cell is estimated and any discrepancies quickly ironed out once transmission starts. In cells which are not finely synchronised, a special handover access is used which, like the random access, has some leeway built in. 13.2.4 Frame Numbers The TDMA frames in the GSM system, consisting of 8 timeslots, are also numbered in a cyclic fashion. Using this numbering, multiframes, superframes and hyperframes are defined. The smallest is the multiframe, next comes the superframe and finally there is the hyperframe. Multiframes and Superframes There are two types of multiframes, 26 TDMA frames and 51 TDMA frames, which are used to support Traffic channels and Signalling channels respectively. These multiframes are built into a superframe of 1326 frames, in different ways. A superframe can consist of 51 of the Traffic channel multiframes (51x26 frame multiframes), or 26 of the Signalling channel multiframes (26x51 frame multiframes).
Page 100
GSM - Global System for Mobile Communications 1 - 26 1 - 26 1 - 26 1 - 26 1 - 56 1 - 56 1 - 56 <> 26 Frame Multiframe <> 51 Frame Multiframe 1326 Frame Superframe <>
Figure 51: ???52
The reasoning for this revolves around the need for the Mobile Station to be able to monitor every Broadcast Control CHannel (BCCH) in the GSM PLMN. Because the BCCH needs to be found easily it is always located in timeslot T0. If a Mobile Station is also using timeslot T0, but on a different frequency, then they would always be transmitting at the same time, and so that BCCH would never be monitored. This is solved by using every thirteenth frame in the multiframe sequence as a Slow Associated Control CHannel (SACCH), on which the results of monitoring and a few other things, are reported back to the PLMN. For a 26 frame multiframe this SACCH might occur, for example, in frames 13, 26, 39, 52, and back to 13. However, in the 51 frame multiframe, the SACCH would occur in 13, 26, 39, and then, because the multiframe is only 51 frames long, the SACCH would then occur in frames 1, 14, 27, and so on. After the first multiframe the SACCHs do not occur together, and they appear to slip in relation to each other. It is not until the end of the superframe, when the slip has occurred across the whole superframe, that they once more coincide. Hyperframes The hyperframe is much larger, consisting of 2048 superframes. The reason for this much longer time frame (~3 hours 48 mins) is due to the use of the frame number as an input to the ciphering process. A time frame less that this reduces the difficulty of cracking the code. The definition of a physical channel can, therefore, be extended to become an R.F. channel, a timeslot number to transmit on, and a frame number. The addition of the frame number is now required because of the SACCH on every thirteenth frame. 13.2.5 Transmission Bursts It has been mentioned that a transmission of data occurs in a timeslot. To take this Copyright 1991, Michael Clayton
Page 101
GSM - Global System for Mobile Communications a little further, the physical content of this transmission is referred to as a burst. This burst is divided up into approximately 156 bits (156.25), of which there are 147 which can be utilised. There are several types of burst, with different characteristics, used for specific purposes. For instance, the frequency burst just consists of fixed information used for timing purposes. The synchronisation burst, on the other hand, carries some encrypted information as well as some fixed data and tail bits. A dummy burst has also been defined and is similar to the synchronisation burst but carries mixed bits instead of data. Finally, a normal burst and access burst complete the list of different types. The normal burst, which is used for carrying voice and data traffic, has 4 useful sections. There are two sections of encrypted data, a trailing sequence and some tail bits. The rest is called the guard period, and allows for very slight variances, and time for the transmitter to ramp up to the required transmission power. The last of the bursts is the access burst. It is different from all the rest because it has fewer data bits and a much larger guard period (68.25 bits as apposed to 8.25 bits). The extended guard period is to allow for the maximum travel time since, at the time when a random access is made, there is no frame advance information available to stop bursts overlapping at the Base Station System (BSS). Annex 1 gives a list of the various bursts and their make up.
13.3 Mapping of Logical to Physical Channels85

It follows that the Physical Channels are used to support the Logical Channels, and this is done by allocating a timeslot, and number, on which the Logical Channel data should be transmitted. However, there are some extensions to this. For instance, there is one frequency reserved in each cell which is defined as the Broadcast Channel Frequency, and is the RF channel on which the Broadcast Control CHannel (BCCH) data is transmitted. On this RF channel, timeslot T0 is always used for the BCCH. However, the BCCH may not need to transmit on all the consecutive frames in the Hyperframe. The frames not used for the BCCH can be used for other channels, and so several different control channels can be mapped onto one physical channel. In the cases where no data is available to be sent on the BCCH, and no other control channel utilises this free frame, a dummy burst is inserted. This burst has been specifically defined to ensure that a transmission occurs in every frame, thus enabling any Mobile Station listening in to monitor the RF characteristics of the channel. Several other combinations have been defined which involve a mixture of Traffic Page 102 Copyright 1991, Michael Clayton
GSM - Global System for Mobile Communications CHannels and control channels (given in Annex 1), though generally these are restricted to combinations of TCHs, FACCHs, and SACCHs. 13.3.1 Frame Interleaving The mapping of Traffic CHannel data to the content of a burst is also worthy of note. In a full rate channel, it is possible to fill the available space in the burst with the data of one packet. In this case, the data stream is cut up into packets to fit the burst. However if that same packet is cut in half, then half could be sent in one burst and half in the next burst. By doing this, if the burst is lost, then only half the data is lost and there is a good chance that the entire packet can be rebuilt using what is left. Data frames AA BB XX YY CC DD / \ / \ BB XX YY CC Transmission bursts
Figure 53: Frame Interleaving54
This process is called interleaving. Later, when half rate coding is used, it is expected that interleaving will not be appropriate. In that case, half of the burst will be filled with one call and the other half filled with a different call enabling a doubling of capacity. 13.3.2 Frame Stealing There are two control channels which are always associated with a dedicated logical channel resource. These are the Slow Associated Control CHannel (SACCH) and the Fast Associated Control CHannel (FACCH). The SACCH is incorporated into the logical channel (TCH or SDCCH) by utilising every thirteenth frame. This method is used to report signal strengths around the Mobile Station or for gradually changing the power levels transmitted by the Mobile Station. The FACCH, however, is used for handovers amongst other things, and so it cannot wait for the thirteenth frame. In this case a frame of normal data is stolen from the associated channel. FACCH data is inserted, with an indication of what has happened, and sent off. At the receiving end the Base Station System (BSS) identifies that a frame has been stolen, and diverts it to the appropriate function for action.
Page 103
13.4 Frequency Hopping86

In an ideal world there is always a line-of-sight between the transmitter and the receiver. However, this is not an ideal world, and so all manner of things cause interference. The interference could be as a result of multi-path propagation, where the reflections of one transmission, delayed by different path lengths, interact to cancel out the signal. Alternatively, it could be as a result of shadow fading, where something gets in the way of the signal. Whatever the cause, certain frequencies and/or RF channels could be subjected to worse interference than others. Over a range of RF channels in one cell, some subscribers will get a good RF channel and some will get a bad one. Indeed, some subscribers on a good channel may drive behind a bus at a junction and experience interference while waiting for the lights to change. Frequency hopping was therefore introduced to average out the vagaries of RF, and to give all subscribers a good service by sharing the bad patches. It should be noted here that, being digital, GSM can absorb much more interference before degradation of call quality is noticed, but only up to a limit. By sharing out the interference between a number of RF channels, the interference on any one channel is reduced to manageable proportions. As the name might suggest, the procedure involves hopping from one RF channel to the next while still keeping the same timeslot. The function is managed by the BSS which defines the RF channels and sequence for hopping, and applies this structure purely on a cell by cell basis. The only restriction applied to frequency hopping is that timeslot T0 on the BCCH RF channel must not hop. This is the timeslot used by the BCCH and does not move since this is the channel that transmits frequency hopping details, amongst other things, so it must be easily found. This limitation is applied by reducing the hopping options in the sequence on timeslot T0 by one; the BCCH RF channel.
13.5 Speech Coder87

The coder used in GSM is quite special. In normal conversion from analogue to digital data, the analogue data is sampled at a very high speed, with each measurement in time converted to a digital value of the amplitude. These measurements are sent to the destination and reassembled in the same order to reform the analogue data again. The crux of this method is the speed of sampling. If a sample of voice was taken every 2 seconds, then a great deal of information would be lost. For example the sentence I went down to the shops today, might come out as Copyright 1991, Michael Clayton
Page 104
GSM - Global System for Mobile Communications I...en...wn...o..t..sh..ay. Now, if samples were taken at two times per second it might come out as I..wen..own..to..the..sho..oda. As the sample speed is increased more information is sent and the reassembled sound gets closer to the original. To increase this to realistic figures, the sound could be sampled at 64,000 times a second, whereupon the difference between the digital transmission and the analogue transmission would not be noticeable, except that the digital sound would be crystal clear. The clarity is due to the digital signal not picking up noise in transmission, whereas the analogue signal does. As the sample rate increases, however, so does the amount of information that needs to be sent and the data rate increases. One of the charactersitics of the radio transmission of digital data is that the higher the data rate, the wider the channel width needed to send it. Using an analogy with a pipe, if the drain of a shower is too small, then the water would not run out quickly enough to stop the shower cubicle from overflowing. If the size of pipe (bore diameter) is increased then more water is allowed to flow. The equivalent bore diameter in radio is the channel width required and, if too much is required the limited radio spectrum is used up too quickly. GSM needed a way to keep the data rate down, but keep the quality of speech high. This is done in GSM using a specially designed voice coder, often called a vocoder. 13.5.1 GSM Vocoder Speech is created by a vibration in the vocal chords making a noise, which is then manipulated by the vocal tract. This noise from the vocal chords is caused by a vibration which is similar to a series of fast pulses. What the encoder does is to pass the speech through a series of electronic filters which try to gradually remove the voice tract manipulation. In doing this, the values set on each filter vary in line with the speech, to try and match it exactly. This process is called Long Term Prediction, after the way in which the filter settings are derived. At the end of this process all that should be left is the hum of the original vocal chord excitation. In this way, the actual voice information is stripped off, leaving some minimal residual information. To transfer the speech, the settings on the filters are sent to the destination, with some indication of the type of vocal chord excitation including the residual information. The settings are applied to an exact copy of the filters at the far end and the system is excited as if by vocal chords (i.e. regular pulses). What comes out is the same speech that went in. Consequently, the name of this coder is a Regular Pulse Excited - Long Term Prediction (RPE-LTP) coder. The advantage with this voice coder is that the amount of information sent is hugely reduced, being limited to some filter settings and a bit of residual information. However, there is also a penalty to be paid. This vocoder is specialised to code Copyright 1991, Michael Clayton Page 105
GSM - Global System for Mobile Communications just voice, hence the term Vocoder. What this means is that anything other than voice may not be correctly encoded. If the voice tract of a human cannot make the sound, then the vocoder will not be able to match the sound, and errors will occur. In effect, humans cannot match the preciseness of tones, and consequently these get distorted if sent through a vocoder. It is for this reason that tones in GSM are sent as signals (e.g. start tone, stop tone), to be generated synthetically at the far end.
13.6 Discontinuous Transmission88

Another clever trick utilised in GSM is Discontinuous Transmission (DTX). It was included to help preserve battery life in the Mobile Station and to reduce overall interference on the air. Whenever there is a pause in speech, perhaps where one party is giving a long and detailed explanation, no useful speech is transmitted from the other, silent party. With Discontinuous Transmission the transmitter is switched off during these silences which helps to preserve the battery, since the transmitter is power hungry. Also, because there are no signals being transmitted unnecessarily, the overall amount of RF transmissions is reduced so less interference is caused on the air interface. To do this, the feature uses a Voice Activity Detector (VAD) included in the Mobile Station, which identifies whether speech data is present on a frame by frame basis. Frames are marked as containing speech, or not, by a flag. When the flag is set to the value 1, then that frame contains speech and is transmitted. When the flag is set to 0 then that frame does not contain speech and it is not transmitted. There is one problem that arises from DTX, however. At the receiving end, when transmission stops, the far end party geta silence. This is quite disconcerting especially when the non-talker is in a noisy environment, since every time the transmission stops the background noise stops and it goes quiet. What generally happens in cases like this is that the far end party thinks that the call has dropped and hangs up. This scenario has been solved in GSM by using comfort noise. 13.6.1 Comfort Noise When the VAD detects silence, this is indicated by changing the flag from 1 to 0. Instead of doing this immediately, the next few frames are still sent with the flag at 1 indicating speech, while a special frame is made up. This frame is called the Silence Descriptor frame (SID), and it gives an evaluation of the background noise around the user of the Mobile Station. Once this has been prepared, it is passed to the radio transmitter function with the flag set to 0. The transmitter function analyses the flag and sends the first frame which is set to 0, thereafter not transmitting anything. This remains the case until speech is detected or an updated SID is passed for transmission. Page 106 Copyright 1991, Michael Clayton
At the receiving end, the flag is also analysed and, if it is a 1, the frame is sent straight to the speech decoder. If the flag is a 0 the frame is separated and used to generate comfort noise, using information in the now identified SID frame. This is inserted into the speech path instead of pure silence, thus making the far end party think that the Mobile Station is still transmitting as normal.
Page 107
14 MOBILE SUBSCRIBER DATA89

The term mobile subscriber data is used to cover all types of information associated with allowing the subscriber to use the service. This ranges from identification of the subscriber, authenticating the subscription, locating the Mobile Station, routing calls, handling calls, and charging for them. Some of this is permanent data which is only changed by administrative means (e.g. subscription level), and other data is temporary and changes as a result of normal operation of the Public Lands Mobile Network (PLMN) (e.g. location area identifier). Of all this subscriber data, the most often used are the International Mobile Subscriber Identity (IMSI), Temporary Mobile Subscriber Identity (TMSI), and Mobile Station ISDN Number (MSISDN). All of these point to the identity of the subscriber, for the purpose of making calls. For this reason alone, this data has been singled out for attention here. It should be noted that nearly every facet of subscriber information is stored in the Home Location Register (HLR), with only particular data kept locally at the Visitor Location Register (VLR). This particular data is only that which is required for the subscriber to access the PLMN, and it is only kept temporarily while the Mobile Station is under control of that VLR.
14.1 IMSI90
The International Mobile Subscriber Identity is the most important. It uniquely identifies the subscription, and hence the subscriber, anywhere in any of the GSM PLMNs in the world. It also identifies the source of further information on that subscriber, by pointing unequivocally to the HLR. The way this is done is by breaking down the digits that makeup the IMSI into sections. The entire number is made up of numerical characters (0-9), and is no longer than fifteen digits. The first three digits give the Mobile Country Code (MCC), which uniquely identifies the country of origin for this subscription. The next one or two digits are the Mobile Network Code (MNC), which identify the PLMN for this subscription. The next ten digits correspond to the Mobile Subscriber Identification Number (MSIN). As a sub-set of the IMSI, another identity has been defined, the National Mobile Subscriber Identity (NMSI). This consists of the Mobile Network Code and the Mobile Subscriber Identification Number only.
Page 108
GSM - Global System for Mobile Communications IMSI not more than 15 digits <> MCC MNC MSIN NMSI <>
Figure 55: The Structure of the IMSI56
Because of the way the IMSI is constructed, the component parts can be issued by different bodies. The Mobile Country Code as defined within CCITT, the Mobile Network Code is a matter for the national authority, and the Mobile Subscriber Identification Number is left to the PLMN Operator. This makes the issue of these numbers much more flexible.
14.2 TMSI91
The Temporary Mobile Subscriber Identity (TMSI) has only local significance to an Mobile Services Switching Centre (MSC) and Visitor Location Register (VLR) combination, and consequently the structure is really up to the Operator and National Authority. However, there are some guidelines which should be adhered to. They refer to the length of the TMSI, and other parameters which avoid confusion, and provide enough information for the PLMN to refer back to the MSC/VLR which assigned it. A TMSI can be allocated only after a successful authentication, and changed at any time while under the control of the same MSC/VLR combination. However, as soon as the Mobile Station is successfully handed over to a new MSC/VLR combination, the new MSC/VLR issues a new TMSI and passes this to the HLR for storage in a location update. The HLR then contacts the old MSC/VLR combination to ensure that the old TMSI reference is deleted.
14.3 MSISDN92
The Mobile Station ISDN Number (MSISDN) is the telephone number used by callers wishing to contact the Mobile Station. The number plan used by the Operator has to fit into a national and international scheme, or else it is difficult for callers to and from that network to contact each other. For instance, if the PLMN had a number plan with 30 digits, and the fixed network only allowed 10 to be sent, then the callers from the fixed network would not able to call into the PLMN. So, an international standard was devised which allows flexibility while ensuring Copyright 1991, Michael Clayton Page 109
GSM - Global System for Mobile Communications a standard approach. In fact, several plans have been devised for different applications. There is, for instance, an ISDN/telephony (E.163/E.164) plan, a Data (X.121) plan, and a Telex (F.69) plan. Using these plans as subsets, countries can build national numbering plans, or private companies can devise their own. In GSM, the particular number plan used when dialling can be changed and this is identified using a Number Plan Identifier (NPI). More is said about this in the section on Types of Numbers. When a call comes to the Mobile Station, the MSISDN is passed to the HLR which then cross-refers it to an International Mobile Subscriber Identity (IMSI), and it is this IMSI which is thereafter used to identify the Mobile Station during that call. Because of this, it can be seen that more than one MSISDN can be applied to the same Mobile Station and IMSI. This gives rise to Single and Multinumbering PLMNs. 14.3.1 Single and Multi-Numbering Plans One of the most versatile features of Integrated Services Digital Networks (ISDN) is that the type of call coming into a terminal is identified in the call set-up. Using this feature, telephone, and facsimile can be connected to the same line, and the calls can be directed to the correct machine as they come in. GSM is based on ISDN, and so the same feature is available, but a problem occurs in identifying the type of call made. Quite often a call will be made to the PLMN from the Public Switched Telephone Network, which does not contain information identifying the type of call. Hence a facsimile call could be offered to a Mobile Station which has no capability of receiving it. It is for this reason that the idea of a multi-numbering scheme has been devised. When the subscriber pays for an additional Bearer/Teleservice, another number is allocated giving one number for telephony, one for fax, one for data etc. but all pointing to the same IMSI. Each time a person wants to send a facsimile to that subscriber, they ring the facsimile number which is passed to the HLR. Here the HLR cross references the facsimile MSISDN to the IMSI for that number and includes the type of incoming call. Once identified, this call type is passed to the Mobile Station on call set-up, for it to accept or reject as appropriate. This does not stop a call to the telephony number from still being identified as a facsimile call. Indeed, this is how PLMNs which use single numbering schemes have been designed to work. The multi-numbering scheme is the safety net until ISDN becomes widespread.
Page 110
15 OPENING OF GSM SERVICE AND ANOMALIES93

In June 1991, GSM service opened in several countries in Europe. It is doubtful that this occurred without some problems, and it will take time to sort out some of the GSM service anomalies. There are many issues to sort out regarding the interaction of Supplementary Services, some of which are amusing, some frustrating. However, this should not be seen as in any way unusual; all new networks suffer from this, and almost all are much less complex than GSM. What is unusual in GSM though, is the speed with which the standards have been put together. It was not hastily done, but methodically, logically yet speedily, and it was achieved by uncompromising co-operation. Co-operation between Governments, Government Authorities, Operators, Manufacturers and a great many experts brought in to solve specific problems. It is a tribute to European harmony, but it should not stop there. Still, there is a great deal of work to do be done to complete the task and realise the full potential of GSM. The European Telecommunications Standards Institute (ETSI) have shown that they are willing to allow other countries around the world to take part by introducing associate1 membership. It is now up to the rest of the world to get involved.
Australia is first nation to gain status as associate members of ETSI via the Australian CCITT Committee (ACC). This was granted in March 1991.
Page 111
16 CONCLUSION94
The basis for much of the content of this report is the time I spent in the ETSI GSM committees, helping to define the standards for this next generation of cellular system. I was once told during my degree, that standards work was boring though it did have a silver lining in the form of the foreign travel required. I must say here that the lecturer is no longer correct in that analysis; it is no longer boring. The people I had the pleasure of working with showed a very high degree of professionalism, but at the same time displayed a human face, and a sense of humour. As an indication of the underlying humour, there is an unwritten convention used in GSM recommendations. In the documents from GSM1 the third person pronoun used is always the feminine (e.g. ...when the subscriber is informed, she must....). GSM3, in retaliation, ensured that in their documents that the masculine third personal pronoun was used (e.g. ...when the subscriber is informed, he must....). GSM4, not to be left out, decided to settle on the impersonal pronoun (e.g. ...when the subscriber is informed, it is important that....)! I would like to thank all the people of ETSI-GSM for all they taught me, not just about the system, but also about how people can work together to achieve something. The world must have standards, and they must be completed quickly. GSM, to my mind, is a good example of the way to achieve this. In case any students read this, and are considering a career in standards; the lecturer was right about one thing. It involves a great deal of foreign travel.
Page 112
ANNEX 1
RF CHANNEL DATA
Traffic channels (TCH's)

(i) Full rate traffic channel (TCH/F). This channel carries information at a gross rate of 22.8 kbits/s. (ii) Half rate traffic channel (TCH/H). This channel carries information at a gross rate of 11.4 kbit/s. Traffic channels defined to carry encoded speech: (i) (ii) Full rate traffic channel for speech (TCH/FS). Half rate traffic channel for speech (TCH/HS).
Traffic channels defined to carry user data: (i) Full rate traffic channel for 9.6 kbit/s user data (TCH/F9.6).
(ii) Full rate traffic channel for 4.8 kbit/s user data (TCH/F4.8). (iii) Half rate traffic channel for 4.8 kbit/s user data (TCH/H4.8). (iv) Half rate traffic channel for 2.4 kbit/s user data (v) Full rate traffic channel for 2.4 kbit/s user data (TCH/H2.4). (TCH/F2.4)
Control Channels
Broadcast Type Channels Frequency correction channel (FCCH) Synchronisation channel (SCH) Broadcast control channel (BCCH) Cell Broadcast Channel (CBCH)
Note that CBCH is not normally referred to as part of the BCCH channels. It is purely used for the Short Message Service (SMS) and is listed here as a broadcast type channel. Copyright 1991, Michael Clayton Page 113
GSM - Global System for Mobile Communications Common Control Type Channels Collectively known as Common Control CHannels (CCCH) when combined as a common control channel: Paging CHannel (PCH): Downlink only, used to page mobiles. Random Access CHannel (RACH): Uplink only, used to request allocation of a SDCCH. Access Grant CHannel (AGCH): Downlink only, used to allocate a SDCCH or directly a TCH.
Dedicated control channels Slow, TCH/F associated, control channel (SACCH/TF) Fast, TCH/F associated, control channel (FACCH/F) Slow, TCH/H associated, control channel (SACCH/TH) Fast, TCH/H associated, control channel (FACCH/H) Stand alone dedicated control channel (SDCCH/8) Slow, SDCCH/8 associated, control channel (SACCH/C8) Stand alone dedicated control channel, combined with CCCH (SDCCH/4) Slow, SDCCH/4 associated, control channel (SACCH/C4)
Timing and Frame Numbering

Timeslot duration: TDMA frame: 3/5200 seconds (577 ms). ~4.62 ms in duration.
Eight timeslots form a TDMA frame Timeslots in a TDMA frame are numbered from 0 to 7 and a particular timeslot shall be referenced by its timeslot number (TN). TDMA frames are numbered by a frame number (FN).
Page 114
GSM - Global System for Mobile Communications Hyperframe Superframe Multiframe Control channel multiframe consists of 51 TDMA frames Traffic channel multiframe consists of 26 TDMA frames 26 control channel multiframes. 51 traffic channel multiframes. 1326 TDMA frames The frame number shall be cyclic and shall have a range of 0 to FN_MAX called Hyperframe. FN_MAX = (26 x 51 x 2048) -1 = 2715647 Frame number is incremented at the end of each TDMA frame. Consists of 2048 superframes
RF Transmission Bursts
Timeslot is divided into 156.25 Bits. Numbering from 0 to 156, with last 1/4 bit numbered with bit 156. Lowest numbered bit transmitted first.
Frequency Correction Burst Tail Bits Fixed Bits Tail Bits Guard Bits Synchronisation Burst Tail Bits Encrypted Bits Training Sequence Encrypted Bits Tail Bits Guard Bits 3 39 64 39 3 8.25 3 142 3 8.25
Page 115
GSM - Global System for Mobile Communications Dummy Burst Tail Bits Mixed Bits Training Sequence Mixed Bits Tail Bits Guard Bits Normal Burst Tail Bits Encrypted Bits Training Sequence Encrypted Bits Tail Bits Guard Bits Access Burst Tail Bits Synch. Sequence Bits Encrypted Bits Tail Bits Guard Bits 8 41 36 3 68.25 3 58 26 58 3 8.25 3 58 26 58 3 8.25
Allowed Channel Combinations

The following are the permitted ways in which channels can be combined onto basic physical channels (numbers appearing in parenthesis after channel designations indicate sub-channel numbers):
Page 116
GSM - Global System for Mobile Communications TCH/F + FACCH/F + SACCH/TF TCH/H(0,1) + FACCH/H(0,1) + SACCH/TH(0,1) TCH/H(0) + FACCH/H(0) + SACCH/TH(0) + TCH/H(1) FCCH + SCH + BCCH + CCCH FCCH + SCH + BCCH + CCCH + SDCCH/4(0...3) + SACCH/C4(0...3) BCCH + CCCH SDCCH/8(0 ..7) + SACCH/C8(0 .. 7)
Note: CCCH = PCH + RACH + AGCH
Page 117
ANNEX 2
GSM COMMITTEE SUB-GROUPS
Memorandum of Understanding (MoU) Sub-Groups

MoU-BARG MoU-MP MoU MoU-EREG Intellectual Property Rights harmonisation of precurement policy lists of recommendations and version numbers used in contracts. European Roaming mobile numbering plans routing of mobile terminated calls and signalling messages technical implications of tariff principles on international interworking establishment of international signalling links interworking between PLMNs. Billing and Accounting Rapporteur Group administration of subscribers billing harmonisation credit control fraud prevention accounting operation statistics definition of billing software harmonisation. Marketing Planning presentation of coverage information identification of selling features commissioning of market surveys co-ordination of awareness campaigns GSM name and logo Procurement.
MoU-CONIG Conformance of Network Interfaces lists and definitions of tests for conformance of interfaces harmonisation of test activities. MoU-TAP Type Approval Administrative Procedures
Page 118
GSM - Global System for Mobile Communications harmonisation of procedures regarding Type Approval review of existing or emerging directives identification of possible difficulties with directives control and issue of IMEIs.
MoU-TADIG Transfer Account Data Interchange detailed specification of file interchange mechanism between billing entities specification of billing data format specification of standard sets of protocols for billing data interchange. MoU-SERG MoU-SG Services Expert Rapporteur Group maintenance of GSM recommendations transferred to GSM-MoU control allocation and review of implementation dates for GSM services review of compatibility of services in the roaming situation definition of principles of customer relations and education. Security Group administration of non-disclosure undertakings for GSM Algorithms maintenance of algorithms and test sequences monitoring adequacy of system security and proposing of enhancements if required. Radio Interface Co-ordination Co-ordination of technical aspects of type approval including interpretation of GSM recommendations resolution of technical problems with type approval organisation of compatibility of testing mobile equipment to ensure adequacy of type approval review of GSM validation results and effects on implementation plans review of system simulator activities.
MoU-RIC -
Page 119
ANNEX 3
GSM SERVICES
Bearer Services
Below is a list of groups of the principle Bearer Services. These are used to identify the Bearer service when used in conjunction with Supplementary Services. A more comprehensive list may be found in the ESTI-GSM recommendation 02.02. Service Code All bearer services All async services All synch services 3.1 kHz ex PLMN All data circuit synch All data circuit async All data packet synch All PAD access 12 kbit/s unrestricted digital 20 21 22 23 24 25 26 27 29
Teleservice
Below is a list of the Teleservices within the GSM PLMN. Once again, it is not intended as a comprehensive list, but an indication which includes the Service Code for use in conjunction with Supplementary Services. A comprehensive list is available in the ETSI-GSM recommendation 02.03. Service Code All teleservices Telephony All data teleservices Facsimile services Videotex Teletex Short Message Services All data teleservices except SMS All teleservices except SMS 10 11 12 13 14 15 16 18 19
Page 120
Supplementary Services
The list of Supplementary Services is given below with the GSM service code. For some Supplementary Services, the service code is not applicable, in which case they are marked as NA. In other cases, the Supplementary Service is not well defined as yet, in which case they are marked as NC, not completed. In the latter case, this does not necessarily mean that a code will be assigned. Finally, the letter F denotes those frozen Phase 1 services. The letter S gives some indication of which services have a reasonably stable Phase 1 description. Subsequent changes could be made as a result of implementation considerations. Service Code Number Identification S.S. (02.81) Calling number identification presentation Calling number identification restriction Called number identification presentation Called number identification restriction Malicious call identification Call Offering S.S. (02.82) Call forwarding unconditional Call forwarding on mobile subscriber busy Call forwarding on no reply Call forwarding on mobile subscriber not reachable Call transfer Mobile Access Hunting Call Completion S.S. (02.83) Call waiting Call hold Completion of calls to busy subscribers Multi Party S.S. (02.84) Multi-Party Service Community of Interest S.S. (02.85) Closed user group Charging S.S. (02.86) Advice of charge Additional Information Transfer S.S. (02.87) User-to-user signalling Copyright 1991, Michael Clayton
NA S NA S NA S NA S NC
21 F 67 F 61 F 62 F NC NC
43 S NA S NC
NC
NC
NA S
NC Page 121
Call Restriction S.S. (02.88) Barring of all outgoing calls Barring of outgoing international calls Barring of outgoing international calls except those directed to the home PLMN Barring of all incoming calls Barring of incoming calls when outside home PLMN
33 F 331 F 332 F 35 F 351 F
Page 122
ANNEX 4
STRUCTURE OF STANDARDS
Page 123
GLOSSARY OF TERMS
AB ACC AGCH AMPS AoC AUC BAOC BAIC BCC BCCH BIC-Roam BN BOIC BOIC-exHC BSC BSIC BSS BTS CA CAI CB CBCH CCBS CCCH CCITT CEPT CFB CFNRc CFNRy CFU CLIP CLIR COLP Access Burst Australian CCITT Committee Access Grant Channel Advanced Mobile Phone Service (USA analogue cellular system) Advice of Charge AUthentication Centre Barring of All Outgoing Calls Barring of All Incoming Calls Outside the Home PLMN Country Base Transceiver Station Colour Code Broadcast Control CHannel Barring of Incoming Calls when Roaming Bit Number Barring of Outgoing International Calls Barring of Outgoing International Calls except those directed to the Home PLMN Country Base Station Controller Base Transceiver Station Identity Code Base Station System Base Transceiver Station Cell Allocation Common Air Interface Cell Broadcast Cell Broadcast Channel Completion of Call to Busy Subscriber Common Control CHannel Comit Consultatif International Tlgraphique et Tlphonique Confrence Europanne de Administration des Poste et Tlcommunications Call Forwarding on mobile subscriber Busy Call Forwarding on mobile subscriber Not Reachable Call Forwarding on No Reply Call Forwarding Unconditional Calling Line Identification Presentation Calling Line Identification Restriction Connected Line Identification Presentation Copyright 1991, Michael Clayton
Page 124
GSM - Global System for Mobile Communications COLR CSPDN CT CT1 CT2 CT3 CUG CW DAMPS DECT DCCH DCS 1800 DTX ETACS ETSI FAC FACCH FACCH/F FACCH/H FN FB FCCH GSM-AD GMSC HPLMN HLR HOLD HSN IMEI IMSI ISDN IWF Kc Ki LAI LMSI Connected Line Identification Restriction Circuit Switched Public Data Network Call Transfer Cordless Telephony 1 (First generation) Cordless Telephony 2 (Second generation) Proprietary cordless technology designed Ericsson Closed User Group Call Waiting Digital Advanced Mobile Phone Service (AMPS) Digital European Cordless Telephone Dedicated Control CHannel Digital Cellular System at 1800 MHz Discontinuous Transmission Extended TACS European Telecommunications Standards Institute Final Assembly Code (used in IMEI) Fast Associated Control Channel FACCH Full rate channel FACCH Half rate channel Frame Number Frequency Correction Burst Frequency Correction Channel GSM Applications Directory (on SIM) Gateway Mobile Services Switching Centre Home PLMN Home Location Register Call Hold Hopping Sequence Number International Mobile station Equipment Identity International Mobile Subscriber Identity Integrated Services Digital Network InterWorking Function cipher key authentication key Location Area Identity Local Mobile Subscriber Identity
by
Page 125
GSM - Global System for Mobile Communications MA MAH MAI MAIO MCC MCI ME MMI MNC MO MoU MPty MS MSC MSIN MSISDN MSRN MT MP/PP NB NETZ-C NPI NMSI OACSU OSI PACTS PABx PAD PCH PCN PLMN PSPDN PSTN PT12 PUK RACH RAND RPE-LTP RF RFCH Mobile Allocation Mobile Access Hunting Mobile Allocation Index Mobile Allocation Index Offset Mobile Country Code Malicious Call Identification Mobile Equipment Man-Machine Interface Mobile Network Code Mobile Originated Memorandum of Understanding (for GSM) Multi-Party (conference call) Mobile Station Mobile Services Switching Centre Mobile Subscriber Identity Number Mobile Station ISDN Number Mobile Station Roaming Number Mobile Terminated Mobile Terminated/Point-to-Point Normal Burst German analogue cellular network Number Plan Identity National Mobile Subscriber Identity Number Off-Air Call Set-Up (international) Open Systems Interconnection Public Access Cordless Telephone Service Private Automatic Branch Exchange Packet Assembler-Disassembler Paging Channel Personal Communications Network Public Lands Mobile Network Pack Switched Public Data Network Public Switched Telephone Network Project Team 12 (ETSI co-ordinating team for GSM) PIN Unblocking Key Random Access Channel RANDom number (used for authentication) Regular Pulse Excited-Long Term Prediction (GSM voice encoder) Radio Frequency Radio Frequency Channel Copyright 1991, Michael Clayton
Page 126
GSM - Global System for Mobile Communications RFN SACCH SB SCH SDCCH SDCCH/TF SDCCH/TH SCN SCH SID SIM SIMEG SMS SMSCB SNR SP SRES TAC TACS Tel-AD TCH TCH/F TCH/FS TCH/F9.6 TCH/H TCH/HS TCH/H4.8 TDMA TMSI TN TSC UK UUS VAD VLR Index Reduced Frame Number Slow Associated Control Channel Synchronisation Burst Synchronisation CHannel Stand-alone Dedicated Control Channel SDCCH for Traffic channel Full rate SDCCH for Traffic channel Half rate Sub-channel Number Synchronisation Channel SIlence Descriptor frame Subscriber Identity Module Subscriber Identity Module Expert Group Short Message Service Short Message Service Cell Broadcast Serial Number (used in IMEI) SPare digit (used in IMEI) Signed RESponse (used in authentication) Type Approval Code Total Access Communications System analogue cellular) Telecom-Applications Directory Traffic Channel Traffic Channel/Full rate Traffic Channel/Full rate for Speech Traffic Channel/Full rate for Data 9.6Kb/s Traffic Channel/Half rate Traffic Channel/Half rate for Speech Traffic Channel/Half rate for Data 4.8Kb/s Time Division Multiple Access Temporary Mobile Station Identity Timeslot Number Training Sequence Code United Kingdom User-to-User Signalling Voice Activity Detector Visitor Location Register Cellular Radio Concept
(UK
Index
Page 127
Contents List
Table of Contents
1 95.1 96.2
INTRODUCTION 1 Disclaimer........................................................................................................... 1 Conventions Used............................................................................................... 1
2 GSM STRUCTURE 3 97.1 The Cellular Radio Concept................................................................................3 98.2 GSM Standardisation.......................................................................................... 4 99.3 ETSI-GSM.......................................................................................................... 6 100.4 The GSM Memorandum of Understanding........................................................ 7 3 OTHER TECHNOLOGIES 10 101.1 GSM and Cordless Telephony.......................................................................... 10 102.2 GSM and Personal Communications Networks (PCN).................................... 12 103.3 International Rivals to GSM............................................................................. 15
Schlumberger Private
4 GSM COMPONENTS 17 104.1 Base Station System (BSS)............................................................................... 17 105.2 Mobile Services Switching Centre (MSC)........................................................19 106.3 Visitor Location Register (VLR)...................................................................... 21 107.4 Home Location Register (HLR)........................................................................22 108.5 GSM Configuration...........................................................................................23 109.6 Addressing........................................................................................................ 24 110.7 Mobile Station...................................................................................................25 5 GSM MOBILITY MANAGEMENT FUNCTIONS 26 111.1 First Registration...............................................................................................26 112.2 First Location Updating.................................................................................... 27 113.3 Normal Location Updating............................................................................... 30 114.4 International Roaming.......................................................................................33 115.5 IMSI Detach procedure..................................................................................... 35 116.6 IMSI Attach Procedure..................................................................................... 35 117.7 Abnormal Cases................................................................................................ 36 6 GSM CALL HANDLING 37 118.1 Outgoing Calls.................................................................................................. 37 119.2 Incoming Calls.................................................................................................. 39 120.3 Emergency Calls............................................................................................... 42 121.4 Inter-cell Handover........................................................................................... 43 122.5 Call Clearing..................................................................................................... 46
-1-
GSM - Global System for Mobile Communications 123.6
Contents List
Roaming............................................................................................................ 47
7 BEARER SERVICES 48 124.1 Information Transfer Attributes........................................................................ 49 125.2 Access Attributes.............................................................................................. 50 126.3 Interworking Attributes.....................................................................................51 127.4 General Attributes............................................................................................. 52 128.5 Example of Bearer Service................................................................................52 8 TELESERVICES 54 129.1 Teleservice Attributes....................................................................................... 54 130.2 Types of Teleservices........................................................................................55 131.3 Short Message Service...................................................................................... 56 9 SUPPLEMENTARY SERVICES 59 132.1 Call Forwarding................................................................................................ 59 133.2 Call Barring.......................................................................................................62 134.3 Phase 2 Supplementary Services.......................................................................64 135.4 Using Supplementary Services......................................................................... 68 10 PLMN SECURITY 70 136.1 Authentication................................................................................................... 70 137.2 Ciphering...........................................................................................................71 11 MOBILE EQUIPMENT 74 138.1 Mobile Equipment Features.............................................................................. 74 139.2 Man-Machine Interface.....................................................................................76 140.3 PLMN Selection................................................................................................80 141.4 Mobile Station Class Mark............................................................................... 81 142.5 R and S Interfaces............................................................................................. 82 143.6 International Mobile Identity Number (IMEI)..................................................82 12 SUBSCRIBER IDENTITY MODULE 84 144.1 Description........................................................................................................ 84 145.2 Internal Electronics........................................................................................... 85 146.3 SIM Content...................................................................................................... 85 147.4 Lifecycle of SIMs..............................................................................................87 148.5 SIM Security..................................................................................................... 88 149.6 Start up procedure............................................................................................. 89 150.7 Distribution....................................................................................................... 89 13 RADIO FREQUENCY LAYER IN GSM 90 151.1 Logical Channels...............................................................................................90 152.2 Physical Channels............................................................................................. 92 153.3 Mapping of Logical to Physical Channels........................................................ 95 154.4 Frequency Hopping...........................................................................................97 155.5 Speech Coder.................................................................................................... 97
-2-
Contents List 156.6
Discontinuous Transmission............................................................................. 99
14 MOBILE SUBSCRIBER DATA 100 157.1 IMSI................................................................................................................ 100 158.2 TMSI............................................................................................................... 101 159.3 MSISDN..........................................................................................................101 15 16 OPENING OF GSM SERVICE AND ANOMALIES CONCLUSION RF CHANNEL DATA GSM COMMITTEE SUB-GROUPS GSM SERVICES STRUCTURE OF STANDARDS 103 104 105 109 111 113
ANNEX 1 ANNEX 2 ANNEX 3 ANNEX 4
GLOSSARY OF TERMS 114 INDEX 118

-3-
Table of Figures
Table of Figures
Figure 1: Figure 2: Figure 3: Figure 4: Figure 5: Figure 6: Figure 7: Figure 8: Figure 9: Figure 10: Figure 11: Figure 12: Figure 13: Figure 14: Figure 15: Figure 16: Figure 17: Figure 18: Figure 19: Figure 20: Figure 21: Figure 22: Figure 23: Figure 24: Figure 25: Figure 26: Figure 27: Figure 28:
Frequency Re-use in GSM................................................................................4 European Participants in GSM......................................................................... 5 The countries within Europe which are taking GSM....................................... 8 Base Station System Configuration................................................................ 18 MSC Configuration........................................................................................ 19 Gateway MSC Configuration......................................................................... 21 GSM Network Configuration......................................................................... 24 Cipher Start Sequence.....................................................................................29 Location Update in One MSC Area................................................................31 Location Update between MSC Areas........................................................... 32 Location Update between VLRs.....................................................................33 Location Update across International Borders............................................... 34 Handling of Incoming Calls............................................................................40 Intra-MSC Handover...................................................................................... 44 Inter-MSC Handover...................................................................................... 46 Subsequent Handover..................................................................................... 47 Bearer Services............................................................................................... 48 Information Transfer Attributes......................................................................49 Access Attributes............................................................................................ 51 Interworking Attributes.................................................................................. 51 Relationship between Teleservices and Bearer Services................................54 Cipher Start Sequence.....................................................................................73 Composition of the IMEI................................................................................83 Time Division Multiple Access...................................................................... 92 Adaptive Frame Alignment............................................................................ 93 ???................................................................................................................... 94 Frame Interleaving..........................................................................................96 The Structure of the IMSI.............................................................................101

GSM Bible

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GSM Bible

Uploaded by

Copyright:

Available Formats

Copyright 1991, Michael Clayton All Rights Reserved No part of the contents of this document may be reproduced or distributed

GSM - Global System for Mobile Communications

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

The Cellular Radio Concept6

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

The GSM Memorandum of Understanding9

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

The countries within Europe which are taking GSM6

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

GSM and Cordless Telephony11

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM and Personal Communications Networks (PCN)12

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

International Rivals to GSM13

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

Base Station System (BSS)15

Copyright 1991, Michael Clayton

Base Station System Configuration8

Copyright 1991, Michael Clayton

Mobile Services Switching Centre (MSC)16

Visitor Location Register (VLR)17

Copyright 1991, Michael Clayton

Home Location Register (HLR)18

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

Subscriber Identity Module (SIM)23

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

5 GSM MOBILITY MANAGEMENT FUNCTIONS24

Copyright 1991, Michael Clayton

First Location Updating26

Copyright 1991, Michael Clayton

Normal Location Updating27

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

IMSI Detach procedure29

Copyright 1991, Michael Clayton

IMSI Attach Procedure30

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

GSM CALL HANDLING32

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications

Copyright 1991, Michael Clayton

Figure 27: Intra-MSC Handover28

Copyright 1991, Michael Clayton

Copyright 1991, Michael Clayton

GSM - Global System for Mobile Communications