Communication Systems 12: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Communication Systems
12th lecture
Chair of Communication Systems

Department of Applied Sciences
University of Freiburg
2008
1 | 52
Last lecture – GSM, BSS, SIM

Last call: End of registration period for the exam in
Communication Systems is the 27th June both for Master and
Bachelor students

Type of exam for Masters depends on the number of students (by
now we expext around 15 participants)

Master most probably will be oral exam (of 30 minutes)

Bachelor is oral exam

6th exercise sheet was handed out at the practical course on
Tuesday, please fetch one here or get it from the lectures home page
(due for the 4th July)
2 | 52
Last lecture – GSM, BSS, SIM

GSM – Global System for Mobile communication is a worldwide
standard
 GSM introduces a park of abbreviations :-)
 Defines a network infrastructure including Base Station Subsystem
BSS, containing the BTS (Base Transceiver Stations)
communicating over the air interface with the Mobile Stations (MS,
consisting of Mobile Equipment (ME) and SIM)
 SIM is the Subscriber Identity Module which keeps at least the
following data: IMSI (International Mobile Subscriber Identity), IMSI
(International Mobile Subscriber Identity) – both 15-digit, temporarily
TMSI and MSRN (Mobile Station Roaming Number)
 The card is an external hardware module which may store user data
like received SMS or phone book entries
3 | 52
Last lecture – GSM, logical structure of the network
4 | 52

The network subsystem contains the (G)MSC, (Gateway) Mobile
Switching Centers

In the Home Location, Visitor Location Registers user data
(MSISDN, configuration, ...) is kept permanently or temporarily

The Authentication Center (AUC) handles the user authentication
and cryptographic routines
 GSM has some shortcomings in security: User authenticates itself to
the server, network but not vice-versa to the user
 “IMSI catchers” may grab MS and reroute connection
 Hardware for air sniffing - http://www.ettus.com (USRP - Universal
Software Radio Peripheral, planned as a group project)
 GSM decoding - http://wiki.thc.org/gsm/decode
 Eavesdropping is possible because of leaked crypto algorithms and
unencrypted network links (setup and call destruction, paging ... are
not encrypted, ...)
5 | 52

Operation &
Maintenance
Subsystem (OSS) is
the whole systems
management layer
 Network
measurement and
control functions,
network
administration
 Security
Management, e.g.
Equipment Identity
Register (EIR)
management
6 | 52
Plan for this lecture

Data Services on top of GSM networks
 SMS – the most expensive 140Bytes ever
 HSCSD as a typical phone network inspired data service
 GPRS – an extension to existing GSM infrastructure to provide
packet orientated services while optimizing the use of the air
interface
 EDGE - Enhanced Data Rates for GSM Evolution
 MMS the SMS successor using the GPRS backend to offer
advanced messaging services to subscribers
 WAP – a protocol to bring Internet (like) services to the mobile
device
7 | 52
GSM and data services

GSM was the first fully digital wireless telephony network
 Structure of logical channels offers more than just voice

First very popular data communication was the Short Message
Service (the most expensive bytes of the communication era :-))
 Defined already in the GSM phase 1, first SMS was sent in 1992
 Defined to inform users on incoming messages on their voice box,
there was no idea to charge for it initially

SMS is store-and-forward service
 A designated SMS service center (SMS-SC) stores the messages –
there is no 1:1 communication between end user devices
8 | 52
GSM and SMS

SMS widespread and used for many applications
 1:1 message exchange between subscribers
 traditional informing the subscriber on received messages on

his box, it is possible to overwrite already received messages
with updates: “you have 2 new messages” with e.g. “you have
4 new messages”
 traditional information services: From the provider, subscribed
services like soccer results, stock quotes or just error
messages from important servers
 M-Commerce to pay services with the bill issued by the mobile
provider
 authentication – request a one time password
9 | 52
GSM and SMS

For the transfer over the wireless interface SMS uses the packet
orientated, reliable Short Message Transfer Protocol (SM-TP)
 if there is no active voice communication a separate SDCCH
is used
 no reservation of a traffic channel is needed
10 | 52
GSM and SMS
 during voice session the SM-TP is multiplexed into the

SACCH, enabling the MS to receive messages during other
active connections
 within the core network the MAP (Mobile Application Part) and
SS7 is used

SMS allow 160 characters of a 7-bit alphabet (thus 140 Byte
message size)
 possible to allow interpretation as binary data (logo and such
stuff, ...), but not really standardized until EMS
 PDU (Protocol Description Unit) describes type, encoding and
length of the message
 It is possible to stipulate that SMS content is directly passed to
the SIM (for logo, device settings etc.)
11 | 52
GSM and EMS

EMS introduced around turn of century and available on all mobile
phones by now
 allows the transfer of formatted text, sounds of up to 80 notes,
pictures of 16x16 or 32x32 pixels monochrome and
concatenation of pictures for “animation”
 vCard and vCalendar data
 implemented through simple chaining of SMSes, thus avoiding
dedicated transport channel

MMS is discussed a little bit later, because of totally different
approach
12 | 52
GSM and IP data services

GSM can be used to offer pervasive data services (was much
more interesting in the pre WLAN era)

Voice is encoded as digital data stream, thus GSM is able to offer
other data services to its users too
13 | 52
GSM and IP data services

The “age” of GSM is detectable in the early definition of data
services
 the rather old standard from the end of the 80s offers just 9,6kbit/s
(netto data rate of a full traffic channel (TCH))
 with advanced channel coding 14,4kbit/s are possible
 but that is ridiculous for todays modern Internet web content and
multimedia applications

In the process of improving GSM the so called High-Speed Circuit
Switched Data (HSCSD) was introduced
14 | 52
GSM - HSCSD

HSCSD combines several time slots to achieve higher bandwidth
on the mobile interface
 4 channels of 14,4kbit/s add up to 57,6kbit/s
 rather simple in setup, predictable quality

But: high demands on resources
 infrequent used data channels blocked for voice traffic of other
users, thus the cell capacity is reduced
 so one data service user equals to four mobile voice users – imagine
on the charges needed to compensate

Thus HSCSD is standardized for a while now, but not every
network provider offers this service (only D2 and E+ in Germany)

Sinking importance due the growth of UMTS and EDGE service
15 | 52
GSM – HSCSD data rates

HSCSD data services are charged not for amount of data
transferred, but connect time

Data rates depend on the available traffic channel types (half
rate/full rate, advanced coding channel)
data rate TCH/H4.8 TCH/F9,6 TCH/F14,4

4,8kbit/s 1
9,6kbit/s 2 1
14,4kbit/s 3 1
19,2kbit/s 4 2
28,8kbit/s 3 2
38,4kbit/s 4
43,2kbit/s 3
57,6kbit/s 4
16 | 52
GSM – GPRS

Primary GSM data services follow the circuit switching network
model and reserve resources in advance – acceptable for voice
but not for IP

Extension to GSM introduced in GSM phase 2 - GPRS
 Started in 1999
 packet orientated approach to data switching

 allocation of channels request-driven – thus up to 115kbit/s
would be possible when using 8 time slots
 disadvantage – infrastructure has to be extended significantly,
new components are to be installed in BSS (Base Station
Subsystem)
17 | 52
GSM – GPRS
 Bandwidth of 53,6 kbit/s (4 full rate traffic channels à 13,4

kbit/s), up to 107,2 kbit/s with 8 channels
 GPRS usually operates asynchronous with more bandwidth
for down than for upstream
 Capabilities of a mobile device are expressed in class number,
e.g.

Class 8 devices are able to use up to four down- and one
upstream channel

Class 10 devices handle four down- and two upstream
channels
 Advantage of GPRS over HSCSD – more flexible,
development into direction of UMTS network
18 | 52
GSM – GPRS

GPRS bases on an additional infrastructure: GSN – GPRS
Support Nodes as an extension to GSM
19 | 52
GPRS components and interfaces

SGSN – serving GSN to support the MSC for localization, billing
and security

GGSN – gateway GSN is the gateway to the packet data network
– usually the Internet

GR – GPRS register to support the HLR (home location register),
used for user address mapping

Between the different components interfaces are defined
 Gb between BSS and SGSN and Gn between the different GSNs, Gi
is the Internet gateway
 GPRS defines a complete protocol architecture for the transport of
packetized data and allow handover between different BTS,
MSC/SGNS
20 | 52
GPRS sessions

For every session a PDP (Packet Data Protocol) context is
generated and stored in GGSN, it consists of
 type (usually IP v4)
 address of the MS (normally the IP address), which allows mapping
of PDP address to GSM address
 QoS parameters
 address of access point to external networks (GGSN)

Session setup is comparable to setup of mobile originated voice
calls

Channels have to be activated and the authentication procedure
to be passed
21 | 52
GPRS sessions

After the session setup as shown below:
 SGSN encapsulates the IP packet and routes it over the
GPRS backbone with the help of the PDP context defined
22 | 52
GPRS sessions
 depending on the routing decision the packet leaves the

GPRS network on a designated GGSN as a normal Internet
routeable IP packet
 at this point normally NAT/IP masquerading takes place (most
GPRS providers offer only addresses from the “private” IP
ranges to mobile subscribers
 the packet reaches the destination machine with standard IP
routing

The destination machine (usually) answers the request from the
MS and sends a packet back to the GGSN
 the GGSN looks up the position of the MS, encapsulates the
packet and routes the packet within the GPRS backbone to
the SGSN
23 | 52
GPRS components and interfaces
 the SGSN decapsulates the packet and hands it over to the BSS for
delivery to the MS
24 | 52
GPRS services and QoS

GPRS offers several services
 Point-to-Point connection orientated network service (PTP-CONS),
which keeps connections open even when cell handovers occur
 Point-to-Point connectionless network service (PTP-CLNS), similar
to UDP in the IP world, no handovers are required, provided
 Point-to-Multipoint is planned in Phase 2 and offers group
communication (conferences, ..., comparable to IP multicast)
 QoS profiles could be requested by the user
25 | 52
GPRS services and QoS
 Three QoS profiles available: low, medium, high

 They define: reliability class

loss probability of standard data units (SDU) ranges from 10-9 in
class 1 to 10-2 in class 3, same for corrupt SDU probability

duplicate and out of sequence packet probability ranges from 10-
9 in class 1 to 10-5 in class 3
 delay class

delays range from 0.5s in best up to 250s in worst class
 and user data throughput class
 No idea if really in use or theoretical option like QoS fields in IP
header, of course the enforcement of classes is much easier than in
the IP world
26 | 52
GSM data services and devices

The GPRS or HSCSD data rate is comarable to traditional wired
modem connections
 You might end up with download rates up to 5-6kByte/s, the upload
is often much slower
 GSM, GPRS is not able to cope with fast movement of the MS very
well
 The round trip times of packets are rather awful: a small ping packet
can take around 600-1000ms to travel (lot of protocols, stacks and
devices are included)
 Useable for traditional asynchronous services like email and web (at
least for low footprint sites), but not for interactive, high traffic
services, like TV, video conferences, ...

Thus upgrade – EDGE (Enhanced Data Rates for GSM Evolution)
27 | 52
Next Generation GPRS - EDGE

EDGE/EGPRS implemented as enhancement for 2G and 2.5G
GSM and GPRS networks for relatively easy upgrade

Implementation started 2003 (first in the U.S.)
 Problematic for some carriers because of direct competition to the
expensive (license wise) UMTS

Superset to GPRS to function on any network with GPRS
 no changes in core networks needed – all changes are made to
physical and data link layer only (OSI 1&2 layers)
 base stations (BS) and base station controllers (BSC) have to be
modified for EDGE compatible transceiver units
 requires new mobile terminal (MT) hardware and software for
decode/encode the new modulation and coding schemes
 Additionally to Gaussian minimum-shift keying (GMSK) higher-order
PSK/8 phase shift keying (8PSK) for the upper five of its nine
modulation and coding schemes used
28 | 52
EDGE – coding and data rates

EDGE produces a 3-bit word for every change in carrier phase
and thus effectively triples the gross data rate

Like GPRS rate adaptation algorithms used for modulation and
coding scheme to match the radio channel quality
 Implements Incremental Redundancy - sending more redundant
information instead of resending disturbed packets
 Increases probability of correct decoding and thus produces more
robustness of data transmission

EDGE carries up to 236.8kbit/s for 4 timeslots, theoretical
maximum is 473.6kbit/s for 8 timeslots in packet mode

Because of physical layer enhancements HSCSD data rates
increased too
29 | 52
EDGE – coding and data rates

Further speedups - EDGE Evolution
 Latencies reduced by lowering the Transmission Time Interval by
half (from 20ms to 10ms)
 Bit rates increased up to 1MBit/s peak rate, while latencies down to
100ms

using dual carriers

higher symbol rate

higher-order modulation (32QAM and 16QAM instead of 8-PSK)

turbo codes to improve error correction
 signal quality improved using dual antennas
30 | 52
GPRS and enhanced mobile data services

The introduction of “high bandwidth” data services allows more
than SMS or EMS services
 Mobile service providers have to find additional way to earn
revenues from their networks in a market environment with
sinking fees they can charge for voice services
 SMS was a really successful offering, so a successor was
defined

MMS is the abbreviation for Multimedia Messaging Service
 Defined by several organizations for GSM and UMTS
networks
 Common standard for the mobile phones of different vendors
31 | 52

MMS allows the addressing via
 MSISDN (persistent telephone number of the mobile
subscriber)
 Or just an email address defined in RFC822
 IP should be supported in near future

MMS is able to handle
 Formatted text, different fonts and text encodings
 Voice encoded with Adaptive Multi Rate codec (as used with
UMTS)
 Graphics in several formats
32 | 52

MMS uses a container format for the multimedia content
 SMIL (Synchronized Multimedia Integration Language), XML based,
which defines several modules for layout, timing, synchronization (of
graphics, animation, text and speech or sound ...)
 WML (Wireless Markup Language) for the presentation like in WAP
browser

A MMS Center (MMS-C) or MMS relay/server handles the
messages basically in a similar way like SMS
 Store-and-forward architecture which sends and receives messages
to and from a mobile subscriber
33 | 52

MMS Center may exchange data with external (MMS, email, FAX,
value-added services) servers

It looks up user settings and preferences from the Home Location
Register (HLR)
34 | 52

MMS data exchange is handled directly over GPRS
 Using e.g. IP/TCP/HTTP
 Or indirectly linking in a WAP gateway before then using

HTTP
 The MMS relay/server may transform data format into mail
format or vice versa
 So the same service is charged differently (GPRS data
services uses simply another Access Point (AP) than MMS) ...
as long as the user can be maked to believe ...
 Some years ago German computer magazine “ct”
demonstrated a charge free data connection over the MMS
gateways within the GPRS backbone
35 | 52
GPRS, HSCSD and WAP

The Wireless Application Protocol was defined to bring Internet
like services to the mobile platform
 GPRS data rate is rather restricted as usually the display and
compute power of the MS is
 Thus a specific protocol was defined by Ericsson, Motorola,
Nokia & Unwired Planet in 1997
 WAP 1.0 was released in 1998, but nobody really used it (to
expensive for to restricted services offered)
 The initial standard was extended to WAP version 1.1, 1.2,
1.2.1 (not really compatible and available on every mobile
device)
 After long series of failures WAP 2.0 was defined in 2001
integrating well defined and agreed upon Internet standards
36 | 52
GPRS, HSCSD and WAP

Two types of services are defined: traditional web like and push
service
37 | 52
GPRS, HSCSD and WAP

Data reduction is handled by the use of optimized protocols

The Internet protocols are translated into their counterparts in the
WAP standard via translation tables:
HTTP-Header: Accept: application/vnd.wap.wmlc
WSP-Header: 0x80,0x94
HTTP-Header: Accept-Language: en;q=0.7
WSP-Header: 0x83,0x02,0x99,0x47
HTTP-Header: Accept-Language: en,sv
WSP-Header: 0x83,0x99,0x83,0xF0
38 | 52
GPRS, HSCSD and WAP

Hash tables translated each WSP header into its HTTP
counterpart

A designated gateway is needed as translation device
39 | 52
WAP 1.X helper protocols

Of course the webserver has to offer WAP user agent (UA), the
so called Wireless Application Environment (WAE) optimized
content
 try out the www.google.de or www.bahn.de with a WAP UA to
see two good examples
 The OSI session layer is presented by WSP, the Wireless
Session Protocol, a transaction layer by WTP (Wireless
Transaction Protocol)
 A security layer is provided with WTLS, the Wireless Transport
Layer Security (thus a secure connection of a WAP UA and a
secure website may consist of two parts with unpacking at the
WAP gateway)
 The transport layer is handled by Wireless Datagram Protocol
(WDP)
40 | 52
WAP 1.X helper protocols

We see: A whole new protocol stack was invented to translate the
existing protocols in optimized ones in mobile phone networks
 The reduction rate compared to the existing internet protocols is
rather good
 When connections get faster and devices get better displays nobody
cares so much

The whole design was rather complex, error prone and the
gateway software proprietary
 There are only few content providers (of course the mobile providers
with their “community portals”) which made bigger investments (for a
rather small user group) and thus use of the technology
 By now no much specific WAP/Internet offers of any provider left
41 | 52
WAP 2.0 standard

WAP 2.0 simply replaces the complex architecture with a WAP
proxy which is mostly HTTP compatible
 The standard protocol methods like GET, POST, CONNECT, HEAD
& OPTIONS are supported

Content is formatted with WAP optimized style sheets
42 | 52
WAP 2.0, GPRS and cool add-on packages

Thus the mobile service provider offered a HTTP like service over
their GPRS infrastructure (history by now, but still available in
other coutries like Greece, but nice example for protocol stacking)
 Trying to push the mobile Internet special tariffs were introduced
(understanding pricing in mobile communication is as easy as
understanding the German tax system)
 O2 (aka viag interkom) offers a WAP package for just 5EUR flat
compared to a GPRS MB charged significantly more
 Of course they use another AP than for normal GPRS (same like
with MMS)
 Of course other protocols than WAP are forbidden to use (but how to
distinguish?)
43 | 52
WAP 2.0, GPRS and cool add-on packages

OpenVPN is an open source VPN software which is able to offer
services over HTTP CONNECT proxies
 Invented to get a pass-through on rather restricted firewalls
 The OpenVPN has just to present the correct UA identifier the
provider expects to see
44 | 52
WAP 2.0, GPRS and cool addon packages

Even normal web traffic can pass the provider proxy, if the correct
identifier string is presented, e.g.
Mozilla/1.22 (compatible; MSIE 5.01; PalmOS 3.0
EudoraWeb 2.1
Profile:
http://wap.sonyericsson.com/UAprof/P800R102.xml
 The Internet forums are full of discussions on pass through, lists
of allowed user agents are easily available
 Disclaimer: Use this information for demonstrations on
suboptimal firewall setup and offered services issues only

Setup was developed and proved as a “Studienarbeit” at the
professorship (will be published in Linux Magazine soon)
45 | 52

Each modern mobile phone can be used as a “modem” to
connect TE (any Terminal Endpoint) to the wireless data service
 Term “modem” is not correct, because the digital data stream has
not to be modulated onto an analogous signal
 Other devices like CardBus, PCMCIA, PCIe cards available too
 Pictures are older examples :)
46 | 52
 Older phones or PCMCIA, CardBus cards may not offer

HSCSD and newer services classes for GPRS/EDGE
 But device handling is rather similar to traditional modem or
ISDN dial-in connections
 A “hayes” compatible AT command set is used to setup and
close the data connection, there are GSM specific commands
to enter the PIN (for enabling the access to the SIM card
plugged into PCMCIA) or to get information on signal strength
 When the connection is established the PPP (Point-to-Point
protocol) is used to pass IP and DNS configuration
47 | 52

Snippet from a Linux GPRS modem call script
...
SAY „\ndefining PDP context...\n" \
OK 'AT&F' \
OK 'ATV1E0S0=0&D2&C1' \
OK AT+CMEE=1 \
OK 'AT+cgdcont=1,"IP","wap.viaginterkom.de"' \
OK-AT-OK ATD*99***# \
SAY "\nwaiting for connect...\n"
...

Specific AP is choosen (here wap.viaginterkom.de)
48 | 52

The “dial” command does not use a typical telephone number (to
reach a certain service) but addresses a stored profile in the
mobile phone for the GPRS/EDGE access
Connect: ppp0 <--> /dev/rfcomm1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x71179e05> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <pcomp> <accomp> <auth pap>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth pap>]
rcvd [LCP ConfRej id=0x1 <magic 0x71179e05>]
sent [LCP ConfReq id=0x2 <asyncmap 0x0> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x2 <asyncmap 0x0> <pcomp> <accomp>]
...
49 | 52
...
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [LCP ProtRej id=0x4 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
rcvd [IPCP ConfReq id=0x1 <addr 10.49.48.62>]
sent [IPCP ConfAck id=0x1 <addr 10.49.48.62>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
rcvd [IPCP ConfNak id=0x2 <addr 10.45.48.63>]
...
local IP address 10.49.48.66
remote IP address 10.49.48.67

Thus the IP setup is easily compatible to known PPP
implementation
50 | 52
Future of mobile communication

GSM is a technology defined in the end of the 80th

Even with enhancements like EDGE the
 Bandwidth
 Packet delays for data services

 Security

... 2G is not state-of-the-art any more ...

Some of the shortcomings were seen in the 90th and the definition
of a third generation (3G) real global mobile network started

Planned: Worldwide standard to include countries like U.S. and
Japan with different technology 2G networks

Next lecture: On UMTS
51 | 52
GPRS, WAP literature

Text books (german language):
 Jochen Schiller, Mobilkommunikation
 Bernhard Walke, Mobilfunknetze und ihre Protokolle,

Grundlagen GSM, UMTS, ...

Check the last communication systems lecture of 2006 for more
literature hints:
http://www.ks.uni-freiburg.de/php_veranstaltungsdetail.php?id=11

Next lectures: 1st July and 4th July

Next (practical) exercises: 8th, 11th July (seminar room -114 in the
computer center)
52 | 52

Communication Systems 12: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Uploaded by

Communication Systems 12: Chair of Communication Systems Department of Applied Sciences University of Freiburg 2008

Uploaded by

Communication Systems

Chair of Communication Systems

 traditional informing the subscriber on received messages on

 during voice session the SM-TP is multiplexed into the

data rate TCH/H4.8 TCH/F9,6 TCH/F14,4

 packet orientated approach to data switching

 Bandwidth of 53,6 kbit/s (4 full rate traffic channels à 13,4

 depending on the routing decision the packet leaves the

 Three QoS profiles available: low, medium, high

 Or indirectly linking in a WAP gateway before then using

 Older phones or PCMCIA, CardBus cards may not offer

 Packet delays for data services

 Bernhard Walke, Mobilfunknetze und ihre Protokolle,

You might also like