A PLMN network supporting GPRS is divided into RAs. Each RA is defined by the operator of the PLMN network and may contain one or several cells. An LA is a group of one or several RAs. The RA defines a paging area for GPRS, while the LA defines a paging area for incoming circuit-switched calls. When the network receives an incoming call for a mobile that is localized at RA level but not at cell level, it broadcasts a paging on every cell belonging to this RA. The RA concept is illustrated in Figure 3.19.
Figure 3.19: RA concept.
If the MS moves to a new LA, it also moves to a new RA. Each RA is identified by a routing area identifier (RAI). This is made up of a location area identifier (LAI) and a routing area code (RAC). Figure 3.20 gives the structure of the RAI.
Figure 3.20: Structure of RAI.
The LAI identifies the LA, with the mobile country code (MCC) indicating the PLMN country, the mobile network code (MNC) identifying the PLMN network in this country, and the location area code (LAC) identifying the LA.
The RAI of each RA is broadcast on all cells belonging to this RA. This way, the MS is able to detect a new RA by comparing the RAI it had previously saved with the one broadcast in the new cell, and then to signal to the network its RA change.
The MS may also signal to the network the RA in which it is located upon expiry of a periodic timer. This procedure allows the network to check that the MS is within coverage of its RA. Owing to this procedure, the network knows if it may continue to route incoming calls for this MS toward this RA.
When an MS attached for circuit and packet services detects a new LA on the serving cell after having changed the cell, it will signal to the network its LA and RA change.
3.5.2 GMM States
Three global states are defined for GPRS mobility at the GMM layer level. These global states, GMM IDLE, STANDBY, and READY allow for characterization of the GMM activity of a GPRS mobile. They are managed in the MS and in the SGSN for each MS, and the transitions between states are slightly different on the MS and SGSN sides. A GPRS mobile is in GMM IDLE state when it is not attached for GPRS service. In this state, there is no GPRS mobility context established between the MS and the SGSN; this means that no information related to the MS is stored at SGSN level. In GMM STANDBY and READY states, a GPRS mobility context is established between the MS and the SGSN. A GPRS mobile is in GMM STANDBY state when it is attached for GPRS services and its location is known by the network at the RA level. A GPRS mobile is in GMM READY state when it is attached for GPRS services and its location is known by the network at the cell level.
A GPRS mobile goes to GMM IDLE state when it has just detached from GPRS. The SGSN goes to GMM IDLE state for a given MS upon receipt of the GPRS detach message, upon implicit detach when no MS activity is detected, or upon receipt of cancel location from HLR for operator purposes.
A GPRS mobile goes to GMM READY state when it has just sent a packet to the network. For each packet sent to the network, the MS reinitializes a READY timer. The SGSN goes to GMM READY state for a given MS when it receives an LLC PDU from it. For each LLC PDU received from the MS, the SGSN reinitializes a READY timer related to the MS.
A GPRS mobile goes to GMM STANDBY state from GMM READY state either upon expiry of the READY timer, or upon the receipt of an explicit request from the SGSN to force the GMM STANDBY state. The SGSN goes to GMM STANDBY state for one given MS either upon expiry of the READY timer, or upon explicit request from the network to force the GMM STANDBY state, or on an irrecoverable disruption of a radio transmission found at RLC layer level.
Figure 3.21 shows the transitions between the three GMM states.
Figure 3.21: Global states of GPRS mobility.
Table 3.4 summarizes the list of authorized procedures relative to GMM states.
The three global states lead to different behaviors of the MS at the radio interface level. They are therefore sent to the RR management layer of the MS.
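The SGSN-side transitions described in this section can be written as a small state machine. This is an added example, not code from the book; the class and method names, the 44-second timer value, and the assumption that a successful attach leaves the context in READY are choices made for the illustration.

```python
from enum import Enum

class Gmm(Enum):
    IDLE = "GMM IDLE"
    STANDBY = "GMM STANDBY"
    READY = "GMM READY"

READY_TIMER_S = 44.0  # constructed sample value for the READY timer

class SgsnMmContext:
    """SGSN-side GMM state for one MS, driven by the events named in the text."""
    def __init__(self):
        self.state, self.ready_deadline = Gmm.IDLE, None

    def _set(self, state, now=None):
        self.state = state
        # The READY timer runs only in READY and restarts on every entry.
        self.ready_deadline = now + READY_TIMER_S if state is Gmm.READY else None

    def attach(self, now):
        # Assumption: a successful GPRS attach leaves the context in READY.
        self._set(Gmm.READY, now)

    def tick(self, now):
        # READY timer expiry: location knowledge drops from cell to RA level.
        if self.state is Gmm.READY and now >= self.ready_deadline:
            self._set(Gmm.STANDBY)

    def llc_pdu_received(self, now):
        self.tick(now)
        if self.state is not Gmm.IDLE:   # no MM context exists in IDLE
            self._set(Gmm.READY, now)

    def force_standby(self, now):
        # Explicit network request, or irrecoverable radio disruption at RLC level.
        if self.state is Gmm.READY:
            self._set(Gmm.STANDBY)

    def detach(self, now):
        # GPRS detach, implicit detach, or cancel location from the HLR.
        self._set(Gmm.IDLE)

    def location_known_at(self):
        return {Gmm.IDLE: None, Gmm.STANDBY: "RA", Gmm.READY: "cell"}[self.state]

def replay(events):
    """Apply constructed (time, event) pairs; return (state, granularity) per step."""
    ctx, trace = SgsnMmContext(), []
    for now, name in events:
        getattr(ctx, name)(now)
        trace.append((ctx.state.name, ctx.location_known_at()))
    return trace
```

Calling `replay` with a list such as `[(0, "attach"), (10, "llc_pdu_received"), (54, "tick")]` shows each received LLC PDU pushing the READY deadline forward and the context falling back to RA-level knowledge once the timer runs out.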
3.5.3 Overview of GMM Procedures
The network may page an MS for circuit-switched and packet-switched services. These two services are managed in the backbone network by two different nodes: the MSC for routing of circuit-switched calls and the SGSN for routing of packet-switched calls. If there is no paging coordination between the circuit-switched and packet-switched services, the paging for circuit-switched and packet-switched services will not necessarily arrive at the MS on the same logical channel over the radio interface. This implies that the MS has to simultaneously monitor several logical channels for paging detection, a difficult task for MS receivers. In order to ease the MS behavior with respect to paging detection, paging coordination between circuit-switched and packet-switched services may be implemented in the network by adding a new interface, called the Gs interface, between the MSC and SGSN. This interface enables an incoming circuit-switched call to be routed from the MSC to the SGSN; this will allow the mobile to detect the circuit-switched and packet-switched services in the same logical channel.
Paging modes are defined by the recommendations to allow different paging implementations in the network. These paging modes take into account parameters such as the paging coordination method between circuit-switched and packet-switched services and the presence or absence of PCCCH paging channels. The paging mode is broadcast by the network on each GPRS cell.
Three network modes of operation (NMOs) are defined for paging:
The network operates in mode I when the Gs interface is present between the MSC and the SGSN. In this mode, the network sends the paging messages on the same logical channels for circuit-switched and packet-switched services. When an MS both IMSI- and GPRS-attached is in idle mode, it monitors the PCCCH channels if they are present, and the CCCH channels otherwise, for any kind of incoming call (circuit-switched and GPRS). Figure 3.22 illustrates a paging in idle mode when the network operates in mode I.
Figure 3.22: Paging in idle mode with CCCH/PCCCH for network operation mode I.
In mode I, when an MS both IMSI- and GPRS-attached is in packet transfer mode, the circuit-switched paging occurs on the PACCH of the TBF in progress. Figure 3.23 illustrates a paging in packet transfer mode when the network operates in mode I.
Figure 3.23: CS paging in packet transfer mode for network operation mode I.
In network operation mode II, the Gs interface is not present between the MSC and the SGSN, and the PPCHs are not present in the cell. In this mode the network sends paging messages for circuit-switched and packet-switched services on CCCH paging channels.
In the case of a packet transfer in progress, the MS may receive a circuit-switched paging on the CCCH paging channels. The MS then has the choice either to regularly suspend its packet transfer to listen to the CCCH paging channel or to ignore the circuit-switched paging. The network may also send the circuit-switched paging on the PACCH; in this case the MS need not suspend its packet transfer for the paging decoding. Figure 3.24 illustrates a paging in idle mode when the network operates in mode II.
Figure 3.24: Paging in idle mode for network operation mode II.
In network operation mode III, the network sends circuit-switched paging messages on CCCH channels and packet-switched paging messages on PCCCH channels if they are present, or otherwise on CCCH channels. The Gs interface is not present.
In the case of a packet transfer in progress, the MS may receive a circuit-switched paging either on the CCCH paging channels or on PACCH. The MS behavior is the same as that defined in mode II during a packet transfer.
In the case of a circuit-switched call in progress, the MS is not able to monitor PCCCH paging channels if they are present, or otherwise CCCH paging channels, for a packet-switched paging. The MS is not authorized to suspend its circuit-switched call to listen to PCHs. Figure 3.25 illustrates a paging in idle mode when the network operates in mode III.
Figure 3.25: Paging in idle mode for network operation mode III.
GPRS Attach
In order to access GPRS services, an MS performs an IMSI attach for GPRS services to signal its presence to the network. During the attach procedure, the MS provides its identity: either a temporary identifier, the packet temporary mobile station identity (P-TMSI) previously allocated by the SGSN, or an IMSI identifier when the P-TMSI is not valid. When the MS is GPRS-attached, an MM context is established between the MS and the SGSN. This means that information related to this MS (i.e., IMSI, P-TMSI, cell identity, and RA) is stored in the SGSN. A GPRS-attached mobile is localized by the network at least at RA level and may be paged at any moment in GMM STANDBY state.
In network operation modes II or III, the MS both IMSI- and GPRS-attached is obliged to initiate separate attach procedures for circuit-switched and packet-switched services with MSC/VLR and SGSN entities.
In network operation mode I, there is a combined IMSI and GPRS attach procedure for MSs wishing to be configured in class A or in class B. In this case, the MS initiates an attach procedure for circuit-switched and packet-switched services with the SGSN. As the Gs interface is present between the MSC/VLR and SGSN, the latter is able to forward the IMSI attach request to the MSC/VLR.
GPRS Detach
A GPRS MS can no longer access GPRS service when it is GPRS-detached. The detach may be explicit or implicit. It is explicit when signaling is exchanged between the MS and the network. The detach is implicit when the network detaches the MS without any notification, and it may occur when the network does not detect any activity related to the MS for a certain amount of time.
An MS both IMSI- and GPRS-attached (MS configured in class A or class B) in a network that operates in network operation modes II or III is obliged to initiate separate procedures for IMSI detach and GPRS detach with MSC/VLR and SGSN entities.
An MS both IMSI- and GPRS-attached (MS configured in class A or class B) in a network that operates in network operation mode I may perform an IMSI and GPRS combined detach procedure. As the Gs interface is present in mode I between the MSC/VLR and SGSN entities, the IMSI detach request included in the combined detach request is forwarded to the MSC/VLR entity by the SGSN entity.
Security Aspects
Principles of Authentication and Kc Key Establishment
The authentication procedure is equivalent to that existing in GSM, with the difference being that it is handled by the SGSN entity. This procedure allows the LLC layer between the MS and the SGSN to be protected against unauthorized GPRS calls. The GPRS authentication uses a nonpredictable number provided by HLR/AUC. From this random number, the MS and the HLR/AUC calculate a number called the SRES by using an algorithm A3 and a key Ki specific to the GPRS subscriber.
The ciphering key Kc for a GPRS subscriber is also established during the authentication procedure, from the random number provided by HLR/AUC. Kc is computed from this random number by using an algorithm A8 and a key Ki belonging to the GPRS subscriber. The principle of GPRS authentication is illustrated in Figure 3.26.
Figure 3.26: Principle of GPRS authentication.
User Identity Confidentiality
The network guarantees user identity confidentiality while accessing GPRS radio resources. The user identity confidentiality is ensured by identifiers such as the P-TMSI and temporary logical link identity (TLLI). These identifiers are solely known between the MS and the SGSN, and are used on the radio interface to identify the called or calling MS.
P-TMSI is locally allocated by the SGSN. As this attribute is handled locally at the SGSN level, the change of P-TMSI may take place at every SGSN change. The P-TMSI reallocation can be performed during the attach procedure, during the RA update procedure, or during the P-TMSI reallocation procedure requested by the network.
TLLI allows for identification of a GPRS subscriber. This identifier is deduced from the P-TMSI structure. The relation between TLLI and IMSI is only known by the MS and the SGSN. This identifier is calculated by the GMM entity and is sent to the RLC/MAC entity in the MS and the BSS.
The SGSN may send a P-TMSI signature to the MS during the GPRS attach procedure or during the RA update procedure. In this case, the MS must include this signature in the next attach procedure or in the next RA update procedure. The P-TMSI signature conveys the proof that the P-TMSI returned by the MS is the one allocated by the SGSN. The SGSN compares the signature sent by the MS with the one it previously sent to the MS. If these values do not match, then the SGSN initiates an MS authentication procedure.
The SGSN may ask for MS identity if the Gf interface is present between the SGSN and the EIR entity. That way, the SGSN may compare the IMEI identifier returned by the MS and the one saved in the EIR database.
The network provides call confidentiality by ciphering. The data ciphering for GPRS is performed at the LLC frame level between the MS and the SGSN, unlike in GSM, where the ciphering is performed on the radio interface between the MS and the BTS.
During GPRS ciphering, an XOR operation is performed between an LLC frame and a mask. The mask has the same length as the LLC frame. During GPRS deciphering, an XOR operation is performed between a ciphered LLC frame and the same mask used for ciphering. The mask for the ciphering and deciphering procedures is calculated from ciphering algorithm A5 with the following input parameters:
The ciphering and deciphering procedure is illustrated in Figure 3.27.
Figure 3.27: Ciphering and deciphering procedure.
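The authentication and Kc establishment principle and the XOR ciphering of LLC frames described above can be followed end to end in a short simulation. This is an added example, not code from the book: A3, A8 and the mask generator are replaced by HMAC-SHA256 stand-ins (the real algorithms are not shown here), and the function names and the `frame_counter` and `direction` mask inputs are assumptions of the example.

```python
import hashlib, hmac, secrets

def a3_sres(ki, rand):
    # Stand-in for A3 (not the real algorithm): 32-bit signed response.
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki, rand):
    # Stand-in for A8: 64-bit ciphering key derived from the same RAND.
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def mask(kc, frame_counter, direction, length):
    # Stand-in keystream generator; frame_counter and direction are assumed
    # inputs so that no two frames are XORed with the same mask.
    out, block = b"", 0
    while len(out) < length:
        msg = frame_counter.to_bytes(4, "big") + bytes([direction, block])
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor_frame(frame, kc, frame_counter, direction):
    # Ciphering and deciphering are the same XOR with the same mask.
    m = mask(kc, frame_counter, direction, len(frame))
    return bytes(a ^ b for a, b in zip(frame, m))

def authenticate(ki_network, ki_ms, rand=None):
    """Run one challenge-response; return (accepted, kc_network, kc_ms)."""
    rand = rand or secrets.token_bytes(16)       # HLR/AUC: unpredictable number
    expected = a3_sres(ki_network, rand)         # computed from the HLR/AUC's Ki
    sres = a3_sres(ki_ms, rand)                  # computed by the MS, sent back
    ok = hmac.compare_digest(sres, expected)     # comparison done at the SGSN
    return ok, a8_kc(ki_network, rand), a8_kc(ki_ms, rand)

def demo():
    ki = bytes(range(16))                        # constructed subscriber key Ki
    ok, kc_net, kc_ms = authenticate(ki, ki)
    frame = b"constructed LLC frame payload"
    ciphered = xor_frame(frame, kc_ms, 7, 0)     # MS ciphers frame 7
    return ok, ciphered != frame, xor_frame(ciphered, kc_net, 7, 0) == frame
```

Ki itself never crosses the radio interface: only RAND and SRES are exchanged, and both ends arrive at the same Kc independently.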
Location Updating Procedures
When a GPRS MS camps on a new cell, it reads the cell identifier (CI), the RAI, and the LAI. If at least one of these identifiers has changed, the MS may initiate one of the GPRS location procedures:
If a GPRS-attached MS detects a new cell within its current RA, it performs a cell update procedure when it is in GMM READY state.
If a GPRS-attached MS detects a new RA, it performs an RA update procedure. This procedure may also occur at the expiry of a periodic timer or at the end of a circuit-switched connection. In fact, during a circuit-switched connection, if the MS changes RA then the SGSN is not notified of this change.
If an MS that is both IMSI- and GPRS-attached has detected a new LA in a network that operates in network operation mode I, then it performs a combined RA and LA update procedure.
If an MS both IMSI- and GPRS-attached has detected a new LA in a network that operates in network operation modes II or III, then it first performs an LA update procedure, and then an RA update procedure. The LA update is performed by the MM entity and requires the establishment of a dedicated connection.
If a GPRS MS detects a new cell in a new RA, then it performs an RA update procedure. This procedure may also occur at expiry of a periodic timer or at the end of a dedicated connection.
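The RAI structure (LAI plus RAC, with the LAI made of MCC, MNC and LAC) and the procedure selection rules listed above can be combined into one decision function. This is an added example, not code from the book; the class and function names and the sample identities are constructed for the illustration, and the MS is assumed to be GPRS-attached.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LAI:
    mcc: str  # mobile country code
    mnc: str  # mobile network code
    lac: int  # location area code

@dataclass(frozen=True)
class RAI:
    lai: LAI
    rac: int  # routing area code

@dataclass(frozen=True)
class Cell:
    ci: int   # cell identifier
    rai: RAI  # broadcast on every cell of the RA

def location_procedures(saved, camped, gmm_state, nmo, imsi_attached):
    """Ordered procedures an MS starts after camping on `camped` (both are Cell).

    gmm_state: "STANDBY" or "READY" (the MS is GPRS-attached); nmo: 1, 2 or 3.
    Only identifier changes are handled, not the periodic timer.
    """
    if camped.rai.lai != saved.rai.lai:          # new LA, hence also a new RA
        if not imsi_attached:
            return ["RA update"]
        if nmo == 1:
            return ["combined RA and LA update"]
        return ["LA update", "RA update"]        # modes II and III: LA first
    if camped.rai != saved.rai:
        return ["RA update"]
    if camped.ci != saved.ci and gmm_state == "READY":
        return ["cell update"]                   # cell-level tracking only in READY
    return []

# Constructed sample identities (not real network values).
LA1, LA2 = LAI("001", "01", 100), LAI("001", "01", 200)
HOME = Cell(ci=1, rai=RAI(LA1, rac=5))
SAME_RA = Cell(ci=2, rai=RAI(LA1, rac=5))
NEW_RA = Cell(ci=3, rai=RAI(LA1, rac=6))
NEW_LA = Cell(ci=4, rai=RAI(LA2, rac=5))
```

`NEW_LA` reuses RAC 5 under a different LAI, which still yields a different RAI because the LAI is part of the identifier.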