<<

. 28
( 132 .)



>>

by the MS
- length : 06 (06h)
- Split pg cycle on CCCH not supported
- value (hex) : 05 47 47 53 4E 31
- no non-DRX mode after transfer state
TLLI
- Random TLLI
- Value: 52 67 34 DE
LLC-PDU:
ACT. PDP CONTEXT ACCEPT (GPRS SM)
LLC Serv. Access point Id
- SAPI 3
Quality of Service
- length: 3 (03h)
- Reliab. class: Unack. GTP and LLC Ack. RLC
Protected data
- Delay class: Delay class 4 (best
effort)
- Precedence class: High priority
- Peak throughput: Up to 2 000 octet/s
- Mean throughput: 200 octet/h
Radio Priority
- Priority level 3


Figure 4.30 PDP context request trace across Gb. Reproduced by permission of NetHawk
Oyj
126 GENERAL PACKET RADIO SERVICE


4.8 GPRS TUNNELLING PROTOCOL (GTP)

Figure 4.31 shows a layered model of the Gn interface. Layers 1 and 2 are the physical and
datalink protocols. This is not speci¬ed and can be an Ethernet 100baseTX connection, an
ATM connection, frame relay or other transport mechanism. In many cases the SGSN and
the GGSNs will be in the same room or building, thus Ethernet, with its limited distance
but high speed and simple network con¬guration, is commonly used. In other cases the
GGSNs may be remote, and there may be a leased line or ATM network connecting
the GGSN to the SGSN over a vast distance. Above this layer is the network layer
which runs the IP. Above this is the connectionless UDP protocol, which is the transport
mechanism for the GPRS tunnelling protocol (currently GTP version 1, also referred to
as Release 99). Since UDP is connectionless it does not require acknowledgements and
can therefore provide higher throughput than TCP; it is assumed that the core network is
over-dimensioned and very reliable. Support has recently been introduced (in Release 99)
for a PPP PDP context which allows transfer of packets other than IP, such as AppleTalk
or IPX, over the cellular network (the SDU size for these is 1502 bytes; whereas the
SDU size for IP is 1500 bytes). In the original speci¬cation (also referred to as Release
97) there was support for X.25 protocol PDP contexts. In this case, it was required that
the GTP protocol be carried over TCP as opposed to UDP as packet order consistency
is a requirement for this type of traf¬c. The support for X.25 has been removed from
GTP version 1.0; this has resulted in GTP being carried only over UDP. The single port
number 3386/udp was originally used for both control and user data in GTP version 0
(Release 97). This is as originally used for GPRS/GSM. However, for GTP 1, as used in
GPRS/UMTS, the destination device will be designated port number 2152/udp for GTP-U
and 2123/udp for GTP-C. The source port number can be dynamically assigned. Clearly,
a GGSN will need to have a daemon listening to both ports to make it compatible with
both 2G and 3G GPRS networks.
Mobile devices such as those used in a GSM network are uniquely identi¬ed worldwide
by their International Mobile Equipment Identity (IMEI). The user of such a device is also
uniquely identi¬ed by their IMSI, which is stored on the SIM card. If the user chooses to
use another mobile device, they can simply place their SIM card in the new mobile device,
thus transferring the IMSI. The user can be contacted at the same telephone number and
the charges will go on the standard bill. When the mobile device requests a connection
to the network, its IMSI is transferred across the air interface and onwards to the core

SGSN GGSN
GTP GTP
UDP UDP
IP IP
L2 L2
L1 L1
Gn
Interface

Figure 4.31 SGSN to GGSN interface
4.8 GPRS TUNNELLING PROTOCOL (GTP) 127


network (CN) to authenticate the user. Once a connection is established, a temporary
number, the TMSI, is now used for security purposes rather than transmitting the IMSI
continuously over the air interface where it can easily be captured. In direct parallel with
the TMSI used on the GSM core network, another temporary number, the packet-TMSI
(P-TMSI) is used on the GPRS CN. Note that usually GSM (and GPRS) transmissions
are encrypted and thus merely obtaining the IMSI will not be suf¬cient to allow a hacker
to intercept a call in progress over the air interface.
Figure 4.32 indicates the points of encryption on both the GSM and GPRS networks
and also the identi¬ers (P-TMSI, TLLI and tunnel end point identi¬er, or TEID) used to
transport the user IP packets at the lower layers.
In the case of a GPRS connection, where the mobile device will connect to an IP
network, it will need to have an IP address with which it can also be identi¬ed. This
address is used at Layer 3 of the OSI and is not currently used as an end system identi¬er
(ESI) for the mobile device. On a ¬xed network, the ESI corresponds to the MAC address,
which is globally unique and generally burned into the hardware of a network interface.
On the GPRS network, this ESI corresponds to the IMSI. On a ¬xed IP network, a link is
required between a device™s IP and MAC addresses. This binding is generally achieved via
a dynamic mapping protocol known as the address resolution protocol (ARP). Similarly,
on a GPRS network, a link between the IP address and the TEID (or TMSI or TLLI)
is also required. The GPRS equivalent of ARP is usually achieved by mapping the IP
address to the TEID in the GGSN. Therefore, when data is sent to the mobile device, it
will be routed over the various intermediate networks, for example the Internet, based on
the IP address. Once it reaches the mobile network GGSN, a lookup of the associated
TEID is required, and this can be seen as analogous to an ARP entry lookup. The GGSN
can now route the packet to the correct SGSN based on the SGSN™s IP address. When

GSM
TMSI
Backbone
PSTN
GSM BSS
G-MSC
Encryption MSC




GPRS
Mobile Backbone
BTS BSC
Station
Internet

SGSN GGSN
GPRS Encryption

P-TMSI or TLLI identifier for mobile Tunnel Endpoint Identifier IP

IP source and destination (e.g. mobile device and web server)

Lookup Table
P-TMSI TEID
1000234 52005678


Figure 4.32 GPRS network identi¬ers
128 GENERAL PACKET RADIO SERVICE


8 1
Version PT 0 E S PN
Message Type
Length 1st octet
Length 2nd octet
Tunnel Endpoint Identifier 1st octet
Tunnel Endpoint Identifier 2nd octet
Tunnel Endpoint Identifier 3rd octet
Tunnel Endpoint Identifier 4th octet
Sequence Number 1st octet
Sequence Number 2nd octet
N-PDU Number
Next Extension Header Type

Figure 4.33 GTP header

the packet arrives at the SGSN, the TEID is associated with a P-TMSI5 or TLLI and this
is used for the onward journey across the BSS.
The GTP protocol actually consists of two parts, the GTP-C and the GTP-U. The
GTP-C carries control data for creating, modifying and deleting GTP tunnels, while the
GTP-U transports user data and some control information. The header for both of these is
of variable length, the minimum length being 8 bytes. Three separate bits (E, S and PN)
indicate the presence of additional ¬elds. The format of the header is shown in Figure 4.33.
The version number is used to determine the version of this header; the GTP protocol is
backward compatible. The current version is version 1 (Release 99) but there is a version
0 (Release 97).
The protocol type (PT) bit is used to indicate whether this is standard GTP or GTP .
The GTP protocol is used for charging purposes in the Ga interface.
The extension header (E) bit is used to indicate whether there is an extension header
present.
The sequence number (S) bit is used to indicate whether there is a GTP sequence
number ¬eld.
The N-PDU number (PN) bit is used to indicate whether there is an N-PDU number.
The message type ¬eld indicates what type of message is being carried in this packet.
Examples of message types include echo request, node alive request, create PDP context
request, delete PDP context request, sending routing information etc.
The length ¬eld indicates the length of the payload in bytes.
The TEID unambiguously identi¬es the end points of the tunnel.


4.9 CONNECTION MANAGEMENT
The initial connection for GPRS is essentially the same as for GSM. The main difference
between the two is that for GPRS registration the mobile device will be dealt with by the
5
Further information is also required for the journey across the BSS which will identify the actual
process in the mobile device. This will include the SAPI and NSAPI identi¬ers.
4.9 CONNECTION MANAGEMENT 129


SGSN rather than the MSC which is used for GSM. A mobile device that has both GSM
and GPRS capabilities will generally make a connection to a GSM network via the MSC
followed by a connection to the GPRS network via the SGSN. This requires that the mobile
device be authenticated twice and that requests back to the home network™s HLR are also
made twice. As well as this, requests by the mobile device have to be made twice over the
air interface. Since the air interface is a scarce resource and a major bottleneck with regard
to bandwidth, this can present a problem. The GPRS standards allow an optional interface
between the MSC and SGSN known as the Gs interface. If a network supports this option
then a single attach is required. Details of the Gs interface are presented in Section 4.4. In
this case, the mobile device will register with the SGSN, which will authenticate the SIM
and check the status of the mobile device. The HLR is updated with the details of the
SGSN that is serving the mobile device for GPRS connections. Using the Gs interface, it
can now update the MSC/VLR of the mobile device™s location and explain that authen-
tication has already been done. The VLR can update the HLR that is serving the mobile
device for GSM calls. This method reduces the amount of signalling over the air interface.
A mobile device will know that a cell has GPRS capability and that it should contact the
SGSN rather than the MSC, since a cell broadcasts its GPRS capability on the (P)BCCH.


4.9.1 Mobility management
In 2G systems, mobility management has been performed by the core network. The
location of the mobile device is known within the MSC/VLR for those devices which are
circuit-switched-connected, and in the SGSN for those that are packet-switched-connected.
For the packet switched network, GPRS introduces a new location entity, known as a
routing area (RA). Any LA (circuit switched) or RA (for packet switched) updates from
the mobile device are passed transparently over the BSS to the core network to be stored in
the correct device (MSC or SGSN). In this way, paging for a mobile device is achieved by
¬rst ¬nding the correct MSC/VLR or the correct SGSN. Either of these devices will know
the location of a mobile device to a precise cell, or to a number of cells (the LA or RA),
depending on the state the mobile device is in. This can introduce a lot of signalling traf¬c.
As shown in Figure 4.34, an RA is a subset of an LA, and is de¬ned within the SGSN
and not the MSC. An RA can be the same size as an LA but it cannot be larger, i.e.
an RA cannot overlap separate LAs. There is no direct correlation between MSCs and
SGSNs and the RA is identi¬ed by the following formula:
Routing area identi¬er (RAI) = Mobile country code (MCC)
+ Mobile network code (MNC)
+ Location area code (LAC) + Routing area code (RAC)
There are three basic mobility states that a GPRS device can be in: idle, standby and
ready state, as shown in Figure 4.35.

Idle mode
In the idle state the mobile device is not attached to the network and therefore the network
holds no valid location or routing information for the device. Since the network does not
130 GENERAL PACKET RADIO SERVICE



MSC 1 MSC 2




BTS BTS BTS BTS
RA
RA
LA1 LA2


BTS BTS
BTS BTS
RA RA
SGSN 1


Figure 4.34 GPRS routing area


IDLE IDLEMode
IMSI:?
Mode LA:?
SGSN:?
GPRS
GPRS
Detach
Attach
IMSI:known
MSC/VLR
Standby
VLR:?
READY
Timer
SGSN:?
Mode
Expires HLR

<<

. 28
( 132 .)



>>