The Mobile Station (MS) is made up of two components:
Mobile Equipment (ME) - This refers to the physical phone itself. The
phone must be able to operate on a GSM network. Older phones operated on a
single band only. Newer phones are dual-band, triple-band, and even quad-band
capable. A quad-band phone has the technical capability to operate on any GSM
network worldwide.
Each phone is uniquely identified by the International Mobile Equipment
Identity (IMEI) number. This number is burned into the phone by the
manufacturer. The IMEI can usually be found by removing the battery of the
phone and reading the panel in the battery well.
It is possible to change the IMEI on a phone to reflect a different IMEI. This
is known as IMEI spoofing or IMEI cloning. This is usually done on stolen phones.
The average user does not have the technical ability to change a phone's IMEI.
Subscriber Identity Module (SIM) - The SIM is a small smart card
that is inserted into the phone and carries information specific to the
subscriber, such as IMSI, TMSI, Ki (used for encryption),
Service Provider Name (SPN), and Location Area Identity (LAI). The SIM
can also store phone numbers (MSISDN) dialed and received, the Kc (used
for encryption), phone books, and data for other applications. A SIM card can
be removed from one phone, inserted into another GSM capable phone and the
subscriber will get the same service as always.
Each SIM card is protected by a 4-digit Personal Identification Number (PIN).
In order to unlock a card, the user must enter the PIN. If a PIN is entered
incorrectly three times in a row, the card blocks itself and cannot be used.
It can only be unblocked with an 8-digit Personal Unblocking Key (PUK), which
is also stored on the SIM card.
Base Transceiver Station (BTS) - The BTS is the Mobile Station's access
point to the network. It is responsible for carrying out radio communications
between the network and the MS. It handles speech encoding, encryption, multiplexing
(TDMA), and modulation/demodulation of the radio signals. It is also
capable of frequency hopping. A BTS will have between 1 and 16 Transceivers
(TRX), depending on the geography and user demand of an area. Each TRX
represents one ARFCN.
One BTS usually covers a single 120 degree sector of an area. Usually a tower
with 3 BTSs will accommodate all 360 degrees around the tower. However,
depending on geography and user demand of an area, a cell may be divided up
into one or two sectors, or a cell may be serviced by several BTSs with
redundant sector coverage.
A BTS is assigned a Cell Identity. The cell identity is a 16-bit
number (double octet) that identifies that cell in a particular Location
Area. The cell identity is part of the Cell Global Identification (CGI),
which is discussed in the section about the Visitor Location Register (VLR).
[Figure: 120° Sector]
The interface between the MS and the BTS is known as the Um
Interface or the Air Interface.
[Figure: Um Interface]
Base Station Controller (BSC) - The BSC controls multiple BTSs. It handles
allocation of radio channels,
frequency administration, power and signal measurements from the MS, and
handovers from one BTS to another (if both BTSs are controlled by the same
BSC). A BSC also functions as a "funneler". It reduces the number of
connections to the Mobile Switching Center (MSC) and allows
for higher capacity connections to the MSC.
A BSC may be collocated with a BTS or it may be geographically separate. It may
even be collocated with the Mobile Switching Center (MSC).
[Figure: Base Station Controller]
The interface between the BTS and the BSC is known as the Abis Interface.
[Figure: Abis Interface]
The Base Transceiver Station (BTS) and the Base Station Controller
(BSC) together make up the Base Station System (BSS).
[Figure: Base Station System]
Mobile Switching Center (MSC) - The MSC is the heart of the GSM network.
It handles call routing, call setup, and basic switching functions. An MSC handles
multiple BSCs and also interfaces with other MSCs and registers. It also
handles inter-BSC handoffs and coordinates with other MSCs for inter-MSC
handoffs.
[Figure: Mobile Switching Center]
The interface between the BSC and the MSC is known as the A Interface.
Gateway Mobile Switching Center (GMSC) - There is another important
type of MSC, called a Gateway Mobile Switching Center (GMSC). The GMSC
functions as a gateway between two networks. If a mobile subscriber wants to
place a call to a regular landline, then the call would have to go through a
GMSC in order to switch to the Public Switched Telephone Network (PSTN).
[Figure: Gateway Mobile Switching Center]
For example, if a subscriber on the Cingular
network wants to call a subscriber on a T-Mobile network, the call would have
to go through a GMSC.
[Figure: Connections Between Two Networks]
The interface between two Mobile Switching Centers (MSC) is called the E
Interface.
Home Location Register (HLR) - The HLR is a large database that
permanently stores data about subscribers. The HLR maintains
subscriber-specific information such as the MSISDN, IMSI, current location of
the MS, roaming restrictions, and subscriber supplemental features. There is
logically only one HLR in any given network, but generally speaking each
network has multiple physical HLRs spread out across its network.
Visitor Location Register (VLR) - The VLR is a database that contains a
subset of the information located on the HLR. It contains similar information
as the HLR, but only for subscribers currently in its Location Area. There is a
VLR for every Location Area. The VLR reduces the overall number of queries to
the HLR and thus reduces network traffic. VLRs are often identified by the
Location Area Code (LAC) for the area they service.
[Figure: Visitor Location Register]
Location Area Code (LAC)
A LAC is a fixed-length code (two octets) that identifies a location area
within the network. Each Location Area is serviced by a VLR, so we can think of
a Location Area Code (LAC) being assigned to a VLR.
Location Area Identity (LAI)
An LAI is a globally unique number that identifies the country, network
provider, and LAC of any given Location Area, which coincides with a VLR. It is
composed of the Mobile Country Code (MCC), the Mobile Network Code (MNC), and
the Location Area Code (LAC). The MCC and the MNC are the same numbers used
when forming the IMSI.
Cell Global Identification (CGI)
The CGI is a number that uniquely identifies a
specific cell within its location area, network, and country. The CGI is
composed of the MCC, MNC, LAI, and Cell Identity (CI).
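To make the identifier layout concrete, here is an added example (not part of the original page) that encodes and decodes a CGI as it appears on the wire. It assumes the octet layout of 3GPP TS 24.008, in which the CGI is the five-octet LAI (MCC, MNC, LAC) followed by the two-octet CI; the sample value uses the test network MCC 001 / MNC 01.

```python
# Added example: LAI/CGI octet layout per 3GPP TS 24.008 (not from the page).

def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Pack MCC+MNC into 3 octets of nibble-swapped BCD."""
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MCC is 3 digits, MNC is 2 or 3 digits")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc] + ([0xF] if len(mnc) == 2 else [])  # 0xF = filler
    return bytes([m[1] << 4 | m[0], n[2] << 4 | m[2], n[1] << 4 | n[0]])

def decode_plmn(b: bytes) -> tuple:
    """Inverse of encode_plmn: returns (mcc, mnc) as digit strings."""
    mcc = [b[0] & 0x0F, b[0] >> 4, b[1] & 0x0F]
    mnc = [b[2] & 0x0F, b[2] >> 4, b[1] >> 4]
    if mnc[2] == 0xF:                       # filler nibble: 2-digit MNC
        mnc.pop()
    if any(d > 9 for d in mcc + mnc):
        raise ValueError("non-decimal nibble in MCC/MNC")
    return "".join(map(str, mcc)), "".join(map(str, mnc))

def encode_cgi(mcc: str, mnc: str, lac: int, ci: int) -> bytes:
    """CGI = LAI (MCC, MNC, 2-octet LAC) followed by the 2-octet Cell Identity."""
    # to_bytes raises OverflowError if LAC or CI does not fit in 16 bits.
    return encode_plmn(mcc, mnc) + lac.to_bytes(2, "big") + ci.to_bytes(2, "big")

def decode_cgi(raw: bytes) -> dict:
    if len(raw) != 7:
        raise ValueError("CGI is 7 octets: 5 for the LAI plus 2 for the CI")
    mcc, mnc = decode_plmn(raw[:3])
    return {"mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(raw[3:5], "big"),
            "ci": int.from_bytes(raw[5:7], "big")}

# Constructed sample: test network MCC 001 / MNC 01, LAC 0x1234, CI 0xABCD.
SAMPLE = bytes.fromhex("00f1101234abcd")

if __name__ == "__main__":
    print(decode_cgi(SAMPLE))
```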
The VLR also has one other very important
function: the assignment of a Temporary Mobile Subscriber Identity (TMSI).
TMSIs are assigned by the VLR to a MS as it comes into its Location Area. TMSIs
are unique to a VLR. TMSIs are only allocated when in cipher mode.
The interface between the MSC and the VLR is known as the B Interface and
the interface between the VLR and the HLR is known as the D Interface.
The interface between two VLRs is called the G Interface.
[Figure: B & D Interfaces]
Equipment Identity Register (EIR) - The EIR is a database that keeps track
of handsets on the network using the IMEI. There is only one EIR per network.
It is composed of three lists: the white list, the gray list, and the black
list.
The black list is a list of IMEIs that are to be denied service by the network
for some reason. Reasons include the IMEI being listed as stolen or cloned, or
the handset malfunctioning or not having the technical capabilities to
operate on the network.
The gray list is a list of IMEIs that are to be monitored for suspicious
activity. This could include handsets that are behaving oddly or not performing
as the network expects them to.
The white list is an unpopulated list. That means if an IMEI is not on the
black list or on the gray list, then it is considered good and is "on the
white list".
The interface between the MSC and the EIR is called the F Interface.
[Figure: Equipment Identity Register]
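The three-list logic described above, as an added example that is not part of the original page: a toy EIR that keys its lists on the 14-digit TAC+SNR so that a 15-digit IMEI and a 16-digit IMEISV of the same handset match the same entry. The Luhn check digit (3GPP TS 23.003) goes beyond what the page covers; the class, the function names, the "black wins over gray" precedence and all IMEIs are assumptions constructed for illustration.

```python
# Added example: toy EIR model (not from the page). All IMEIs are constructed.

def luhn_check_digit(body14: str) -> int:
    """Check digit over the 14 TAC+SNR digits (Luhn, 3GPP TS 23.003)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def equipment_key(ident: str) -> str:
    """Reduce an IMEI (15 digits) or IMEISV (16 digits) to its 14-digit TAC+SNR."""
    digits = ident.replace("-", "").replace(" ", "")
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError("expected a 15-digit IMEI or 16-digit IMEISV")
    # The check digit only catches mistyped values; a cloned IMEI is
    # well-formed and passes, which is why the lists below are still needed.
    if len(digits) == 15 and int(digits[14]) != luhn_check_digit(digits[:14]):
        raise ValueError("IMEI check digit mismatch")
    return digits[:14]

class Eir:
    def __init__(self, black=(), gray=()):
        # Only the black and gray lists are populated; white is implicit.
        self.black = {equipment_key(i) for i in black}
        self.gray = {equipment_key(i) for i in gray}

    def check(self, ident: str) -> dict:
        key = equipment_key(ident)
        if key in self.black:               # assumption: black wins over gray
            return {"list": "black", "service": False, "monitor": False}
        if key in self.gray:
            return {"list": "gray", "service": True, "monitor": True}
        return {"list": "white", "service": True, "monitor": False}

def imei(body14: str) -> str:
    """Build a well-formed constructed IMEI from 14 digits."""
    return body14 + str(luhn_check_digit(body14))

STOLEN = imei("00000000000001")             # constructed black-list entry
ODD = imei("00000000000002")                # constructed gray-list entry
EIR = Eir(black=[STOLEN], gray=[ODD])
```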
Authentication Center (AuC) - The AuC handles the authentication and
encryption tasks for the network. The AuC stores the Ki for each IMSI on the
network. It also generates cryptovariables such as the RAND, SRES, and Kc.
Although it is not required, the AuC is normally physically collocated with the
HLR.
[Figure: Authentication Center]
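How the Ki, RAND, SRES and Kc relate, as an added example that is not part of the original page: the AuC and the SIM both hold Ki, the network sends only RAND, and the SIM returns only SRES. The operator-chosen A3/A8 algorithms are replaced here by an HMAC-SHA256 stand-in, and the class names, IMSI and Ki are constructed for illustration.

```python
# Added example: GSM challenge-response with a stand-in for A3/A8 (not from the page).
import hashlib
import hmac
import secrets

def a3a8_standin(ki: bytes, rand: bytes) -> tuple:
    """HMAC-SHA256 stand-in for the operator's A3/A8 algorithms (NOT COMP128).
    Returns (SRES, Kc) with the real GSM sizes: 32-bit SRES, 64-bit Kc."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]

class AuC:
    """Holds Ki per IMSI and produces (RAND, SRES, Kc) triplets."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str) -> tuple:
        rand = secrets.token_bytes(16)          # 128-bit random challenge
        sres, kc = a3a8_standin(self._ki[imsi], rand)
        return rand, sres, kc

class Sim:
    """Holds the same Ki; only RAND comes in and only SRES goes out."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3a8_standin(self._ki, rand)   # Kc is kept on the SIM
        return sres

def authenticate(auc: AuC, sim: Sim) -> dict:
    """Network side: compare the SIM's SRES with the one in the AuC triplet."""
    rand, expected, kc_network = auc.triplet(sim.imsi)
    sres = sim.respond(rand)
    ok = hmac.compare_digest(sres, expected)
    return {"authenticated": ok, "kc_agrees": ok and sim.kc == kc_network}

# Constructed test subscriber; IMSI and Ki are sample values.
IMSI = "001010000000001"
KI = bytes(range(16))
AUC = AuC()
AUC.provision(IMSI, KI)
```

A SIM that claims the same IMSI but holds a different Ki produces a different SRES and fails the comparison, even though Ki itself never crosses the air interface.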
There is one last interface that we haven't discussed. The interface between
the HLR and a GMSC is called the C Interface. You will see it in the full
network diagram below.
This completes the introduction to the network architecture of a GSM network.
Below you will find a network diagram with all of the components as well as the
names of all of the interfaces.
[Figure: Full GSM Network]