GSM NETWORK ARCHITECTURE
A GSM network is composed of several functional entities, whose functions and
interfaces are specified. Figure 1 below shows the layout of a generic GSM network.
Fig.1. General Architecture of a GSM Network
The GSM network can be divided into three broad parts. The Mobile Station is carried by
the subscriber. The Base Station Subsystem controls the radio link with the Mobile Station. The
Network Subsystem, the main part of which is the Mobile services Switching Center (MSC),
performs the switching of calls between the mobile users, and between mobile and fixed network
users. The Mobile Station and the Base Station Subsystem communicate across the Um interface,
also known as the air interface or radio link. The Base Station Subsystem communicates with the
Mobile services Switching Center across the A interface.
MOBILE STATION
The mobile station (MS) consists of the mobile equipment (the terminal) and a smart card
called the Subscriber Identity Module (SIM). The SIM provides personal mobility, so that the
user can have access to subscribed services irrespective of a specific terminal. By inserting the
SIM card into another GSM terminal, the user is able to receive calls at that terminal, make calls
from that terminal, and receive other subscribed services.
The mobile equipment is uniquely identified by the International Mobile Equipment
Identity (IMEI). The SIM card contains the International Mobile Subscriber Identity (IMSI) used
to identify the subscriber to the system, a secret key for authentication, and other information.
The IMEI and the IMSI are independent, thereby allowing personal mobility. The SIM card may
be protected against unauthorized use by a password or personal identity number.
The Mobile Station and the Base Tranceiver Station communicate across the air interface,
Um. This interface uses LAPDm protocol for signaling, to conduct call control, measurement
reporting, Handover, Power control, Authentication, Authorization, Location Update and so on.
Traffic and Signaling are sent in bursts of 0.577 ms at intervals of 4.615 ms, to form data blocks
each 20 ms.
BASE STATION SUBSYSTEM
The Base Station Subsystem (BSS) is the section of a traditional cellular telephone network
which is responsible for handling traffic and signaling between a mobile phone and the Network
Switching Subsystem. The BSS carries out the transcoding of speech channels, allocation of
radio channels to mobile phones, paging, quality management of transmission and reception over
the air interface and many other tasks related to the radio network. The Base Station Subsystem
is composed of two parts, the Base Transceiver Station (BTS) and the Base Station Controller
(BSC). These communicate across the standardized Abis interface. The Abis interface is
generally carried by a DS-1, ES-1, or E1 TDM circuit. Uses TDM subchannels for traffic (TCH),
LAPD protocol for BTS supervision and telecom signaling, and carries synchronization from the
BSC to the BTS and MS. The Base Station Control and the Message Switching Center
communicate across the A interface. It is used for carrying Traffic channels and the BSSAP user
part of the SS7 stack. Although there are usually transcoding units between BSC and MSC, the
signaling communication takes place between these two ending points and the transcoder unit
doesn't touch the SS7 information, only the voice or CS data are transcoded or rate adapted.
BASE TRANSCEIVER STATION
The Base Transceiver Station, or BTS, contains the equipment for transmitting and receiving
of radio signals (transceivers), antennas, and equipment for encrypting and decrypting
communications with the Base Station Controller (BSC). Typically a BTS will have several
transceivers (TRXs) which allow it to serve several different frequencies and different sectors of
the cell. The BTSs are equipped with radios that are able to modulate layer 1 of interface Um; for
GSM 2G+ the modulation type is GMSK, while for EDGE-enabled networks it is GMSK and 8-
PSK.
A TRX transmits and receives according to the GSM standards, which specify eight TDMA
timeslots per radio frequency. A TRX may lose some of this capacity as some information is
required to be broadcast to handsets in the area that the BTS serves. This information allows the
handsets to identify the network and gain access to it. This signaling makes use of a channel
known as the BCCH (Broadcast Control Channel).
BASE STATION CONTROL
The Base Station Controller (BSC) provides, classically, the intelligence behind the BTSs. It
provides all the control functions and physical links between the MSC and BTS. The BSC
provides functions such as handover, cell configuration data, and control of radio frequency (RF)
power levels in Base Transceiver Stations. A key function of the BSC is to act as a concentrator
where many different low capacity connections to BTSs become reduced to a smaller number of
connections towards the Mobile Switching Center (MSC).
NETWORK SWITCHING SUBSYTEM
The first subsystem of the GSM Network is the Network Switching Subsystem (NSS).
Network Switching Subsystem, or NSS, is the component of a GSM system that carries out
switching functions and manages the communications between mobile phones and the Public
Switched Telephone Network. It is also responsible for the subscriber data handling, charging
and control of calls. It is owned and deployed by mobile phone operators and allows mobile
phones to communicate with each other and telephones in the wider telecommunications
network. The architecture closely resembles a telephone exchange, but there are additional
functions which are needed because the phones are not fixed in one location.
The Network Switching Subsystem, also referred to as the GSM core network, usually
refers to the circuit-switched core network, used for traditional GSM services such as voice calls,
SMS, and Circuit Switched Data calls. There is also an overlay architecture on the GSM core
network to provide packet-switched data services and is known as the GPRS core network. This
allows mobile phones to have access to services such as WAP, MMS, and Internet access.
All mobile phones manufactured today have both circuit and packet based services, so
most operators have a GPRS network in addition to the standard GSM core network.
MESSAGE SWITCHING CENTER
The central component of the Network Subsystem is the Mobile services Switching
Center (MSC). It acts like a normal switching node of the Public Switched Telephone Network
(PSTN) or International Switched Data Network (ISDN), and additionally provides all the
functionality needed to handle a mobile subscriber, such as registration, authentication, location
updating, handovers, and call routing to a roaming subscriber. The MSC provides the connection
to the fixed networks (such as the PSTN or ISDN). Signaling between functional entities in the
Network Subsystem uses Signaling System Number 7 (SS7), used for trunk signaling in ISDN
and widely used in current public networks. The Signaling System Number 7 will be discussed in
Section 4.
HOME LOCATION REGISTER
The Home Location Register or HLR is a central database that contains details of each
mobile phone subscriber that is authorized to use the GSM core network. There is one logical
HLR per PLMN, although there may be multiple physical platforms.
The HLR stores details of every SIM card issued by the mobile phone operator. Each SIM has a
unique identifier called an IMSI which is the primary key to each HLR record. The next
important items of data associated with the SIM are the MSISDNs, which are the telephone
numbers used by mobile phones to make and receive calls. The primary MSISDN is the number
used for making and receiving voice calls and SMS, but it is possible for a SIM to have other
secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a primary
key to the HLR record.
VISITOR LOCATION REGISTER
The Visitor Location Register or VLR is a temporary database of the subscribers who
have roamed into the particular area which it serves. Each Base Station in the network is served
by exactly one VLR; hence a subscriber cannot be present in more than one VLR at a time.
The data stored in the VLR has either been received from the HLR, or collected from the
MS. In practice, for performance reasons, most vendors integrate the VLR directly to the V-MSC
and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary
interface.
EQUIPMENT IDENTITY REGISTER
The EIR (Equipment Identity Register) is often integrated to the HLR. The EIR keeps a
list of mobile phones through their IMEI which are to be banned from the network or monitored.
This is designed to allow tracking of stolen mobile phones. In theory all data about all stolen
mobile phones should be distributed to all EIRs in the world through a Central EIR. It is clear,
however, that there are some countries where this is not in operation. The EIR data does not have
to change in real time, which means that this function can be less distributed than the function of
the HLR.
AUTHENTICATION CENTRE
The Authentication Centre or AUC is a function to authenticate each SIM card that
attempts to connect to the GSM core network. Once the authentication is successful, the HLR is
allowed to manage the SIM and services described above. An encryption key is also generated
that is subsequently used to encrypt all wireless communications between the mobile phone and
the GSM core network.
If the authentication fails, then no services are possible from that particular combination
of SIM card and mobile phone operator attempted.
The AUC does not engage directly in the authentication process, but instead generates
data known as triplets for the MSC to use during the procedure. The security of the process
depends upon a shared secret between the AUC and the SIM called the Ki. The Ki is securely
burned into the SIM during manufacture and is also securely replicated onto the AUC. This Ki is
never transmitted between the AUC and SIM, but is combined with the IMSI to produce a
challenge/response for identification purposes and an encryption key called Kc for use in over
the air communications.
OPERATION SUPPORT SUBSYSTEM (OSS)
The Operations and Maintenance Center (OMC) is connected to all equipment in the
switching system and to the Base Station Control as shown in Figure 2 below. The
implementation of OMC is called the operation and support system (OSS).
Fig.2. Illustration of the Operations and Maintenance Center (OMC)
The OSS is the functional entity from which the network operator monitors and controls
the system. The purpose of OSS is to offer the customer cost-effective support for centralized,
regional and local operational and maintenance activities that are required for a GSM network.
An important function of OSS is to provide a network overview and support the maintenance
activities of different operation and maintenance organizations.
Here are some of the OMC functions:
Administration and commercial operation (subscription, end terminals, charging and
statistics).
Security Management.
Network configuration, Operation and Performance Management.
Maintenance Tasks.