Overview of the GSM System and Protocol Architecture

One-line summary: An overview of the GSM architecture is presented; system issues, architectural issues, protocol issues, and security issues are presented in a terse yet overly specific manner.

Overview/Main Points

• Coarse structure: The GSM system uses the standard hexagonal grid N cell reuse pattern. Elements of the architecture are the mobile station (MS) subscribers, base-station subsystems (BSSs) that provide physical radio connectivity for a number of cells, and mobile switching centers (MSCs) that link BSSs together and provide handoff, call signaling and processing, and other such centralized control. MSCs are connected by either PSTNs or other such packet-switched networks.
• HLRs and VLRs: Home location registers (HLR) are databases that keep information specific to a subscriber, such as that subscriber's current location, service profile, and equipment identity register (EIR). VLRs, usually collocated with a MSC, are used to support roaming subscribers of remote HLRs. Finally, authentication information is kept in an authentication center (AC).
• Cell phone numbering: Cell-phone numbers are split into country codes (CCs), "national destination codes" (NDCs), and subscriber numbers (SNs). The aggregation of these numbers is called the mobile station ISDN (MSISDN). CCs and NDCs are used to locate the HLR for the given cell-phone, which in turn routes the call to the cell-phones current location. Since a cell-phone may have moved, broadcast is performed over some number of cells around the phone's last known location.
• Radio channel: FDMA is used to define two 25 MHz bands, each of which is split into 124 200 kHz carriers. Within a carrier, 8 way TDMA is used to define 8 slots within a frame; each slot lasts 0.577 ms. On top of this TDMA structure is defined a multiframe structure; a multiframe consists of 26 time frames spanning a total of 120 ms. The multiframe is used to define a ridiculously complex array of control channels and traffic channels. SACCHs and FACCHs (slow and fast associated control channels) are associated with a traffic channel (TCH) and carry link control information between the mobile and the BSSs. A number of different bit rate TCHs are defined in the standard. A second multiframe structure (51 frames long) is also defined to derive dedicated control setup, broadcast, synchronization, frequency control, paging, random access, and access granting control channels.
• Handoffs: Handoffs are controlled by the MSC (if between BSSs) or by the BSS (if within a BSS). Signal strength measurements and cell congestion information are used by the MSC/BSS to determine when a handoff should occur. Handoff notifications are sent to VLRs, which in turn forward them to HLRs.
• Call routing and setup: Calls to a MS are routed first to the HLR by using the information in the MSISDN (optimizations for direct routing to VLRs for local calls exist). The HLR then identifies the correct MSC by identifying a temporary ID given to the mobile by the VLR; this temporary ID is used for anonymity. The call is then forwarded to the VLR, which initiates the paging procedure, and the MSC broadcast pages the MS via BSSs. The MS, on receiving the set-up page, returns a confirmation to the network, which then sets up a TCH (or defers setup to a later stage). The connection message is propagated back to the initiator, and the connection is active.
• Protocol layers: The GSM protocol stack has a physical layer on the bottom, on top of which is layered a LAPDm link layer. LAPDm uses no flags or bit stuffing, and takes advantage of the frame delimitation done by the physical layer. On the MS, a message layer consisting of three sublayers completes the GSM stack. The three sublayers provide connectivity to BSSs, MSCs, and across MSCs; the radio resource management sublayer (RR) terminates at the BSS and is used to establish physical connections over the radio for call-related signaling and traffic channels between the MS and BSS. The mobility management sublayer (MM), on top of the RR, is terminated at the MSC and is used to establish, maintain, and release connections between the MS and the network MSC. On top of MM lies the connection management sublayer (CM); each CM connection instantiates its own MM connection, although the paper does not fully describe the purpose of the CM layer. The BSSs have a LAPDm and RR layer to talk to the MS, but use a separate stack to communicate with MSCs. This stack consists of an MTP layer (presumably physical and link layers between BSSs and MSCs), and BSSAP and SCCP sublayers, which replace the RR layer on the MS. The BSSAP and SCCP sublayers implement call, resource, and signaling management and messaging between the BSS and MSC.

Relevance

Flaws

• Given the needless complexity of the GSM architecture and protocol stack, I would venture a guess that the system was designed by committee. Hidden behind a mountain of acronyms and protocol stack sublayers, however, is the familiar HLR/VLR/BS/MSC model used in most cellular architectures; only details of control and authentication seem to differ radically.
• This paper attempted to condense critical information about the GSM system into 9 pages, but didn't entirely succeed. Isolated pockets of needless detail were provided, rather than a 20-mile overview, meaning that a conceptual understanding of the GSM architecture was difficult to glean from the paper. If extreme detail is presented, it should be accompanied by a far-reaching implication, otherwise it should be left out (IMHO).
• I don't think the GSM design committee exhausted the entire space of all possible 3-5 letter acronyms; they should definitely try harder next time.