Cellular Telecommunications
• Architecture
• Background
• Air interfaces
• Network protocols
• Application: Messaging • Research
0
Cellular Systems
• Wireless access
– TDMA (IS-136, GSM)
– CDMA (IS-95)
– WCDMA (UMTS)
– OFDMA (LTE/IMT-2000)
• Connection oriented networks for voice – PSTN (ISDN) vice All-IP
• Packet overlay networks for data
– General Packet Radio Service (GPRS) – GSM and UMTS – Enhanced Version Data Only (EVDO) – CDMA
• Signaling protocols
– Air interfaces are specific to the standard: e.g. WCDMA (UMTS) – Signaling system no. 7 for voice and GPRS (think PSTN = SS7) – IETF (Internet Engr. Task Force) protocols
1
Wireless Standards Evolution to 3G
1G 2G 2.5G 3G
4G
Analog AMPS
IS-95-A/ cdmaOne
IS-95-B/ cdmaOne
IS-136 TDMA
136 HS EDGE
1XEV DO
HSPA+ (UMTS)
LTE
TACS
LTE-A
GSM GPRS
EDGE
GSM (TDMA)
HSPA (UMTS)
HSCSD
CDMA2000 (1X,2X)
WCDMA (UMTS)
2
Protocol Evolution
3
Global Adoption
4
Basic Network Architectures
GSM GPRS UMTS
EPS
Core Network
Circuit Switched
Packet Switched
Circuit Switched EPC
BSC RNC
Radio Access Network
TDMA
BTS
GERAN
WCDMA
UMTS
OFDMA
GSM
GPRS
LTE
NodeB
UTRAN
eNB
E-UTRAN
5
Terminology
• GSM – Global System for Mobile Comms (2G) • BTS – Base Transceiver Station (2G)
• BSC – Base Station Controller (2G)
• MSC – Mobile Switching Center (2G)
• GPRS – Global Packet Radio Service (2.5G)
• GERAN – GSM EDGE Radio Access Network (2.75G)
• EDGE – Enhanced Data rates for GSM Evolution (2.75G)
• UMTS – Universal Mobile Telecommunications System (3G)
• UTRAN – UMTS Terrestrial Radio Access Network (3G)
• RNC – Radio Network Controller (3G)
• NodeB (3G)
• eNB – evolved NodeB (4G)
• EPS/LTE – Evolved Packet System/Long Term Evolution (4G)
• TDMA – Time Division Multiple Access
• FDMA – Frequency Division Multiple Access
• OFDMA – Orthogonal FDMA 6
UMTS/LTE Architectures
4G
7
Terminology
• GGSN – Gateway GPRS Support Node (3G)
• SGSN – Serving GPRS Support Node (3G)
• MME – Mobility Management Entity (4G)
• SAE-GW – System Architecture Evolution – Gateway (4G)
8
Reference Architecture (GSM)
VLR
VLR
MSC HLR AC
MS BTS BSC
MSC
MS: mobile subscriber
BTS: base terminal station BSC: base station controller MSC: mobile switching center HLR: home location register AC: authentication center VLR: visitor’s location register
PSTN/ISDN
Wireless Network MSC HLR
9
Basic Network Architecture (GSM)
MSC
VLR
MSC VLR
BS
MS BS BS
Serving MSC
BS
Network HLR
Gateway MSC
• Gateway MSC receives incoming calls for mobiles
– if using a home MSC, it is permanently assigned
• Serving MSC: assigned based on location of MSC
• HLR: permanent registry for service profiles, pointer to VLR
• VLR: temporary repository for profile information, pointer to serving MSC
10
Reference Architecture (UMTS)
MSC
PSTN VLR
HLR AuC GGSN
Internet Internet
MS NodeB RNC
EIR
SGSN
MS: mobile subscriber
RNC: radio network controller
EIR: Equip ID Register
MSC: mobile switching center
HLR: home location register
AuC: authentication center
VLR: visitor’s location register SGSN: Serving GPRS Support Node GGSN: GW GPRS Support Node
11
Reference Architecture (LTE)
HSS
APNs
P-GW
Internet, IMS, etc.
MS eNB MME S-GW
MS: mobile subscriber
eNB: evolved NodeB
S-GW: Serving Gateway
P-GW: Packet Data Network Gateway HSS: Home Subscriber System
APN: Access Point Name
12
Cellular Services
• Automatic call delivery – find a user, deliver a call
• IN-type services
– e.g., call forwarding
• Messaging
– short message service
• Connection oriented user data transfer – voice, fax, circuit-switched data
• Packet data
– Enhanced Version Data Only (EVDO) for CDMA systems
– General Packet Radio Service (GPRS) for GSM/UMTS system
13
Key Components (GSM)
VLR
MS BTS BSC MSC HLR
• Mobile Station – user handset
• Base Terminal Station – terminates the air interface
• Base Station Controller – frequency control, BTS handover management, call setup • Mobile Switching Center – central intelligence, manages mobility, provides services • Home Location Register – stores permanent service profile, points to current VLR
• Visitors Location Register – stores temporary service profile, current location (MSC)
14
Key Components (UMTS)
VLR MS NodeB RNC SGSN GGSN HLR
• Mobile Station – user handset
• Radio Network Controller – radio resource management, some mobility management
• SSGN – packet routing & transfer, attach/detach, location management (stores loc info, user info), mobility management for standby mode mobiles (RA – RA)
• GGSN – acts as a router to external networks (GPRS to IP or X.25), anchor point (equivalent of home agent), converts GPRS packets to PDP format and vice versa, IP pool management, PDP context
• PDP Context: – IP Address
– IMSI
– Tunnel Endpoint ID (TEID) at the GGSN – TEID at the SGSN
15
Key Components (LTE)
HSS
MS eNB MME S-GW
P-GW
• Mobile Station – user handset
• MME – Mobility Management Entity, brains – track location of UEs (TA), similar to MSC
server , interacts with HSS, Authentication, Authorization, tells S-GW to setup bearer
• S-GW – Serving Gateway, local or mobility anchor that forwards packets received from P- GW to serving eNB for a particular user and (vice versa) – user plane uses GTP
• P-GW – Packet Data Network Gateway, similar to a GGSN and home agent, assigns IP address (IPV4 or 6), IP anchor, enforces QoS policy received from Policy Control Rules Function (PCRF)
• HSS – Home Subscriber Server, similar to HLR, uses all-IP protocols and uses Diameter protocol (vice HLR using SS7), database
16
High Level Call Flow
• Mobile user registers – power up/down
– movement
– periodic updates
• Call recipient located
– call routed to gateway or home MSC, RNC, MME
– gateway MSC searches for called mobile (via HLRs and VLRs) – mobile user is pages (determines current base station)
• Call delivered
– uses standard SS7 procedures
17
Basic Network Architecture
MSC
VLR
MSC VLR
BS
MS BS BS
Serving MSC
BS
Network HLR
Gateway MSC
• Gateway MSC
– receives incoming call
– queries HLR to find mobile station
• HLR- queries VLR to find mobile station • Serving MSC
– pages mobile station
18
GSM Protocols
VLR Mobility Management Protocols GSM-MAP, ANSI41-MAP
MS BTS BSC
Air interfaces GSM, IS136, IS95
MSC HLR
PSTN/ISDN
SS7
19
Mobile Registration – High Level
Old Serving MSC
Old VLR
Update Location
Cancel Location
HLR
VLR
MSC
BS
MS
Authenticate
20
Mobile Call Delivery – High Level
Gateway MSC
HLR VLR
BS
MS
MSC
Call request
Request Routing Info
Routing Number
SS7 Call Delivery
Call request
Page
Connect
21
Attach Procedure (GSM/UMTS)
22
Attach Procedure (GSM/UMTS)
23
Attach Procedure (LTE)
24
Hierarchy of Location Information (GSM)
Registration Registration
MSC MSC
VLR
MSC
Temporary Routing #
Phone number
G-MSC
paging
HLR
VLR
25
Location/Routing Area (GPRS/UMTS)
26
LTE Tracking Areas
27
Voice path
MS BTS
Coded voice
Full rate voice (64 Kbps)
VLR
BSC MSC HLR
PSTN/ISDN
28
Voice Encoding – GSM-FR/PCM/G.711
Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding.
8 kHz samples (64 kbps) reduced to 13.2 kbps using Regular Pulse Excitation – Long Term Prediction (RPE-LTP).
Converted back to 64 kbps at MSC prior to Release 4.
– Changes in the core towards “TrFO” for all IP.
29
Air interface functions
• Control
– read system parameters – authenticate
– update location
– receive and originate calls – manage handoffs
• Dedicated traffic – voice, data
• Shared traffic
– messaging, data
30
FDD and TDD modes for forward and reverse channels
• FDD: Frequency division duplex
– Two distinct bands of frequency for each user (forward and reverse)
– Frequency Separation between forward and reverse constant for all channels
– reverse channel typically at lower frequency than forward channel (so that the mobile device can transmit at lower power)
• TDD: Time division duplex
– each duplex channel has a forward timeslot and reverse timeslot for bi-directional
communication
– simplifies subscriber equipment
– rigid timing required for time-slotting
31
Analog vs Digital
Phone systems are generally classified as either analog or digital.
– What exactly does that mean?
This is all about how data is represented and delivered through the
network.
Analog is the translation of voice/sound into electrical impulses.
– Pure waveform representations of sounds.
Digital is an approximation of this waveform, represented in 0s and 1s.
32
Analog vs Digital – Tradeoffs
Analog
– Inexpensive – think cheap home phones
– Bandwidth constrained – very limited amount of data can be
sent
– Noise – every link introduces noise, reduces clarity
Digital
– Expensive – relatively speaking
– Improved voice clarity – signal arrives exactly as approximated
– Higher bandwidth – compression of data.
33
Background – AMPS
• Advanced Mobile Phone System
– analog channels
– Frequency Modulation (FM)
– 1 channel per carrier (1 conversation)
fc
34
TDMA Background
• Combination of FDMA and TDMA
• System operated within certain frequency bands
• Within system bands
– many carrier frequencies are defined
– each carrier is divided into time slots
– a channel is defined by a set of time slots on a carrier frequency
• Forward (downlink) and Reverse (up link) channels use different carriers • Information is digitally coded
35
TDMA Background
t
One carrier
• Co-channel interference
• Inter-symbol interference
• Capacity limited by number of carriers, slots
One slot
f
Uplink
Downlink
System Bandwidth FDMA
36
TDMA
TDMA
• Single carrier frequency is shared with several users
• Data transmission occurs in bursts, resulting in lower battery consumption
• High synchronization overhead is necessary because of burst transmissions
• Discontinuous transmissions also make handoffs simpler since the mobile device can listen to other base stations during idle time slots
• Due to high transmission rates, inter-symbol interference is common and needs equalization
37
CDMA Background
• Carrier is modulated at a chip rate to spread the frequency spectrum
– each channel has a different spreading sequence
– each channel looks like noise to others
– individual channels are extracted by de-spreading with the same sequence
• System is interference limited
• Processing gain, G = Rc/Ri = received de-spread power/spread power
f
fc
t
38
CDMA Encode/Decode
data bits
sender
code
Zi,m= di.cm
slot 1 channel output
d0 = 1
channel output Zi,m
slot 0 channel output
1
11
1
11
1
d1 = -1
-1
-1 -1
-1
-1
-1
-1 -1
1
1
1
1
1
1
1
1
-1
slot 1
slot 0
-1
-1
-1
-1
-1
-1
-1
M.
Di = Zi,m cm m=1
received input
code
receiver
M
1
11
1
11
1
1
-1
-1 -1
-1
-1
-1
-1 -1
slot 1 channel output
slot 0 channel output
1
1
1
1
1
1
1
1
1
-1
slot 1
slot 0
-1
-1
-1
-1
-1
-1
-1
d1 = -1
d0 = 1
39
CDMA Privacy
Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA give you?
– IS-95 operates at 1.2288 Mcps and has a long code of 42 bits
– 242 – 1 = 4,398,046,511,103 sequence period length (~ 41 days)
Ideally, you should get a 2N search space…
– …based on an ideal pseudo-random generator
Zhang et al show that this can actually be cracked by capturing 42
frames and solving 42 linear equations.
– That can be done in 840 ms
40
CDMA: benefits
Higher capacity
– interference limited => high efficiency
– uses voice activity detection to reduce transmission bandwidth
Improved quality
– soft handoff
– CDMA has frequency, spatial, and time diversity to adapt to wireless errors – EVRC coding at 8kbps of voice includes error correction etc.
Ease of deployment
– no frequency planning since frequency reuse=1 Greater coverage
– cost effective in sub-urban and rural areas Increased privacy
– spreads small signal (9.6kbps) over large spectrum (1.25Mbps) so that signal appears like noise Increased talk time
– power control (performed 800 times a second) ensures that the mobile station transmits at optimum power resulting in longer battery life
41
3G CDMA Air Interfaces
CDMA2000 (3GPP2/TIA/TTA I)
• Chip rate: 1.2288,3.6864/… Mc/s • Channel Bandwidth: 1.25/5MHz
• Network synchronous (base stations synchronized using GPS)
• 3G3X uses 5 MHz direct spread, 3G1X uses 1.25 MHz multicarrier
• 20 ms frames
• Common cdm pilot
• Power control (800 Hz)
WCDMA (3GPP/ETSI/ARIB/TTA II)
• Chip rate: (4.096)/ 3.84/… Mc/s • Channel Bandwidth: 5MHz
• Network Asynchronous (base stations not synchronized)
• Direct Spread
• 10 ms frames
• Dedicated tdm pilot
• Power control (1600 Hz)
42
Observations: CDMA2000
• CDMA2000 as the 3G air interface is compatible with IS95
• CDMA2000 networks can be deployed as overlay on existing 2G
spectrum
• Network architecture/protocols designed to gracefully migrate from IS95 • Network architecture is more IP friendly than UMTS but still not all-IP
• 3G1X, 3G1X EV-DO (HDR), 3G3X high data rate options for evolution
43
Observations: WCDMA
• WCDMA is the UMTS air interface and is a disruptive change from GSM • GPRS allows for evolution to higher data rates from GSM, and uses
UMTS network architecture but does not use WCDMA air interface
• Network architecture is not pure “IP” and is not IETF friendly
• All IP wireless network architecture is the current predominant theme
44
WCDMA Observations
Regulations allow full UMTS (5Mhz) deployment only in new frequency spectrum.
– WCDMA 1900 has 3.84 MHz channels. Providers have paid huge amounts for UMTS spectrum.
– The most recent 700 Mhz auction raised approximately $US 19.6 billion.
– “Block D” (10 MHz bandwidth) did not meet its reserve price and will be open to auction again sometime in the future.
Tremendous money and effort is being poured in!
– Financial issues dictate deployment speed…
45
Wireless Access Basics
• Frequency Division Multiple Access (FDMA): e.g. the analog cellular system: 1G
• Time Division Multiple Access (TDMA): e.g. IS-54 and IS-136, GSM, PDC: 2G GPRS: 2.5G
UWC-136, EDGE: 3G
• Code Division Multiple Access (CDMA): e.g. IS-95A,B (cdmaOne) : 2G
IS-2000 (cdma2000), WCDMA : 3G
46
LTE Background
LTE Multiple Access Schemes
• OFDMA on downlink
• SingleCarrier(SC)-FDMAontheuplink(lowpeak-to-averageratio) • Sub-carriersareorthogonal
Peak download rates up to 299.6 Mbit/s and upload rates up to 75.4 Mbit/s
Low data transfer latencies (sub-5 ms latency for small IP packets in optimal conditions) and handoffs Support for high mobility
• terminals moving up to 350 km/h or 500 km/h depending on the frequency band
OFDMA used for 802.11 and 802.16, WiFi
Assigned sub-carriers (parallel TX)
47
LTE Background: Orthogonality of Sub-carriers
1/T 1/T
No intercarrier interference (ICI)
Δf = 1/T
T = symbol period
freq
48
LTE Background: Cyclic Prefix
Cyclic Prefix:
• Extends symbol period
• Helps prevent multi-path overlap
(ISI)
• Helps overcome ICI
49
LTE Background
7×12 LTE – DL
Resource Block
50