Basic Concepts of Cellular Networks and Mobile IP
Aug 31, 2005
Cellular Networks: Agenda
• Evolution of Cellular Networks
• Architectures
– AMPS
– GSM
• Security Mechanisms in GSM
Origin of Wireless Communications
• Wireless communications gained popularity in
1930’s
– Mainly used for public safety by police and other
government organizations
– Not connected to the PSTN (Public Switched
Telephone Network)
• First public mobile telephone service started in
1946 in United States
– Using a single high power transmitter and large tower
to cover an area of 50 km
Concept of Cellular Networks
• A single high power transmitter services one larger area → multiple low
power transmitters service multiple smaller areas (Cells)
• Frequency can be reused by cells far away from each other → improve usage
• A set of cells that do not
share frequency form a
cluster
• The cluster is then
replicated throughout the
desired communication
area
Evolution of Cellular Networks
[Figure: evolution timeline 1G, 2G, 2.5G, 3G, 4G, with the labels Analog / Digital and Circuit-switching / Packet-switching]
1G Systems
• Goal: To develop a working system that could
provide basic voice service
• Time frame: 1970-1990
• Technology: FDMA/FDD
• Example Systems:
– Advanced Mobile Phone System (AMPS-USA)
– Total Access Communication System (TACS-UK)
– Nordic Mobile Telephone (NMT-Europe)
• Incompatible analog systems
2G Systems
• Goal: Digital voice service with improved quality
and also provide better data services
• Time Frame: 1990-2000
• Technology: TDMA/TDD, CDMA
• Example Systems:
– Global System for Mobile (GSM-Europe)
– IS-136(TDMA)
– IS-95 (CDMA)
2.5G Systems
• Goal: To provide better data rates and wider
range of data services and also act as a
transition to 3G
• Time frame: 2000-2002
• Systems:
– IS-95B
– High Speed Circuit Switched Data (HSCSD)
– General Packet Radio Service (GPRS)
– Enhanced Data rates for GSM Evolution (EDGE)
3G Systems
• Goal: High speed wireless data access and
unified universal standard
• Time frame: 2002-
• Two competing standards
– One based on GSM, IS-136 and PDC known as
3GPP
– Other based on IS-95 named 3GPP2
• Completely move from circuit switching to packet
switching
• Enhanced data rates of 2-20 Mbps
4G Systems
• Future systems
• Goal:
– High mobility, High data rate, IP based
network
– Hybrid network that can interoperate with
other networks
AMPS
• 1G system developed by Bell Labs
• Analog system used FDMA/FDD
• 40 MHz of spectrum
• 842 channels
• Rate: 10 kbps
AMPS: Architecture
[Figure: four BTS connected to the MTSO (MSC), which connects to the Public Switched Telephone Network]
MTSO: Mobile Telecommunication Switching Office
Also known as MSC (Mobile Switching Center)
BTS: Base Transceiver Station
AMPS: Conventional Telephone → Cell Phone
[Figure: BTS, MTSO (MSC) and Public Switched Telephone Network, with a paging message at the MTSO (MSC)]
AMPS: Conventional Telephone → Cell Phone
• Call arrives at MSC via the PSTN
• MSC then sends out a paging message via all
BTS on the FCC (Forward Control Channel).
• The paging message contains subscriber’s
Mobile Identification Number (MIN)
• The mobile unit responds with an
acknowledgement on the RCC (Reverse
Control Channel)
• MSC directs BS to assign FVC (Forward Voice
Channel) and RVC (Reverse Voice Channel)
AMPS:
Cell phone initializes a call
• Subscriber unit transmits an origination
message on the RCC
• Origination message contains
– MIN
– Electronic Serial Number
– Station Class Mark
– Destination phone number
• If BTS receives it correctly then it is passed on to
MSC
• MSC validates the information and connects the
call
GSM: Architecture
• GSM system consists of three interconnected subsystems
– Base station Subsystem
• Mobile station (MS)
• Base Transceiver Station (BTS)
• Base Station Controllers (BSC)
– Network Switching Subsystem (NSS)
• Mobile Switching Center (MSC)
• Home Location Register (HLR)
• Visitor Location Register (VLR)
• Authentication center (AUC)
– Operation Support Subsystem
• Operation Maintenance Centers
GSM
[Figure: Base Station Subsystem, groups of BTS each connected to a BSC]
• The BTS provides last mile connection to the MS
and communication is between the BTS and MS
• BSCs connect the MS to the NSS
• Handover between BTS within same BSC is handled by the BSC
GSM
[Figure: Base Station Subsystem (BTS groups, each connected to a BSC), Network Switching Subsystem (MSC with HLR, VLR and AUC), Operation Support Subsystem (OSS) and Public Networks]
Security in GSM
• Principles
– Only authenticated users are allowed to access the
network
– No user data or voice communication is transmitted in
“clear text”
• The subscriber identity module (SIM) card is a
vital part of GSM security. It stores
– International Mobile Subscriber Identity (IMSI)
– Ciphering Key Generating Algorithm (A8)
– Authentication Algorithm (A3)
– Personal Identification Number
– Individual Subscriber Authentication Key (Ki)
Security in GSM
• Mobile station contains
– A5 algorithm and IMEI
• The network stores
– A3, A5, A8 algorithms
• The Authentication Center stores
– IMSI
– Temporary Mobile Subscriber Identity (TMSI)
– Individual Subscriber Authentication Key (Ki)
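Security in GSM: Authentication
[Figure: message sequence between SIM, Mobile Station and Network]
– Channel Establishment (Mobile Station and Network)
– Mobile Station → Network: Identity (TMSI or IMSI)
– Network → Mobile Station: Authentication Request (RAND)
– Mobile Station → SIM: Run Authentication Algorithm (RAND)
– SIM → Mobile Station: Response (SRES, Kc)
– Mobile Station → Network: Authentication Response (SRES)
• RAND is a 128-bit random sequence
• SRES is the signed response generated for authentication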
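Authentication based on RAND
[Figure: A3/A8 computation at both ends]
At the Network end
– RAND (challenge) is transmitted to mobile
– RAND (challenge) and Ki (128 bit) are the inputs of the A3 Algorithm
– Proper authentication completed if result is zero
At the Mobile user end in the SIM
– RAND (challenge) and Ki (128 bit) are the inputs of the A3 Algorithm and the A8 Algorithm
– A3 Algorithm result is transmitted back to base station
– A8 Algorithm result is Kc, used for encryption of user data and signaling data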
Security in GSM: Authentication
• Ki is known only to the operator who programs
the SIM card and is tied to IMSI
• IMSI should be transmitted as rarely as possible.
• Only TMSI is used for authentication
• TMSI is periodically updated
Security in GSM: Data Encryption
• GSM uses symmetric cryptography
– Data is encrypted using an algorithm which is seeded
by the ciphering key Kc
• Kc is known only to base station and mobile
phone and is frequently changed
• The A5 algorithm is used for ciphering the data
• Along with Kc the algorithm is ‘seeded’ by the
value based on the TDMA frame
• Internal state of the algorithm is flushed after a
burst
Security in GSM: Authentication
[Figure: Kc (from A8 algorithm) and Count (from TDMA frame) are the inputs of the A5 algorithm; its output is XORed with the User Data to give the Encoded message]
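The challenge-response and ciphering flow from the GSM security slides above, as an added Python example that is not part of the original slides. A3, A8 and A5 are replaced by stand-ins built on HMAC-SHA256 and SHA-256 (the real algorithms are not given here), the 32-bit SRES and 64-bit Kc sizes are the standard GSM values, and the IMSI, Ki and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3 (SRES) and A8 (Kc) using HMAC-SHA256, not the real algorithms."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit Kc

def a5_xor(kc: bytes, count: int, data: bytes) -> bytes:
    """Stand-in for A5: XOR data with a keystream seeded by Kc and the frame count."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + count.to_bytes(4, "big") + bytes([block])).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Network:
    """Network side: looks up Ki by IMSI, issues RAND, checks SRES."""
    def __init__(self, ki_by_imsi: dict):
        self.ki_by_imsi, self.pending = ki_by_imsi, {}

    def challenge(self, imsi: str) -> bytes:
        self.pending[imsi] = os.urandom(16)  # fresh 128-bit RAND per attempt
        return self.pending[imsi]

    def verify(self, imsi: str, sres: bytes):
        rand = self.pending.pop(imsi)  # each RAND is accepted once only
        expected, kc = a3_a8(self.ki_by_imsi[imsi], rand)
        return kc if hmac.compare_digest(expected, sres) else None

# Constructed sample subscriber (test-network IMSI, made-up Ki).
IMSI, KI = "001010123456789", bytes.fromhex("00112233445566778899aabbccddeeff")

def run_session(sim_ki: bytes, burst: bytes, count: int):
    """One authentication plus one encrypted burst; returns (Kc or None, ciphertext)."""
    net = Network({IMSI: KI})
    rand = net.challenge(IMSI)          # network -> mobile: RAND
    sres, kc_sim = a3_a8(sim_ki, rand)  # computed inside the SIM; Ki never leaves it
    kc_net = net.verify(IMSI, sres)     # mobile -> network: SRES only
    if kc_net is None:
        return None, None
    cipher = a5_xor(kc_sim, count, burst)
    assert a5_xor(kc_net, count, cipher) == burst  # both ends derived the same Kc
    return kc_net, cipher

if __name__ == "__main__":
    print(run_session(KI, b"voice frame", 42))
    print(run_session(bytes(16), b"voice frame", 42))  # SIM with the wrong Ki is rejected
```

Only RAND and SRES cross the air interface; Ki stays in the SIM and at the network, and Kc is derived independently at both ends.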
Mobile IP: Agenda
• Why Mobile IP?
• Basic Principle of Mobile IP
• Route Optimization
IP Addressing
[Figure: two networks attached to the Internet through gateways. ISU (129.168.*.*): Host 1 129.168.105.126 and MH 129.168.105.124. PSU (130.203.*.*): Host 2 130.203.4.112]
• Internet hosts/interfaces are identified by IP address
– Domain name service (DNS) translates host name to IP
address
– IP address identifies host/interface and locates its network
Problems
• A host that moves to another network requires a different
network address
– But this would change the host’s identity
– How can others still reach the moving host? How can ongoing connections to the moving host avoid being interrupted?
• Applications
– GPRS (2.5G), 3G cellular networks
– Mission-critical applications
• IP devices held by police, ambulance, coast guards are always
connected when moving
– Moving offices, …
Routing for Mobile Host
MH = mobile host
CH = correspondent host
[Figure: CH, Home network, Foreign network, MH]
How to direct packets to moving hosts transparently?
[Figure: CH, Home network, Foreign network, MH]
Mobile IP: Basic Idea
• An analogy: what do you do when moving from one
apartment to another?
– Leave a forwarding address with your old post-office!
– The old post-office forwards mail to your new post-office, which then forwards it to you
• Mobile IP:
– Two other entities – home agent (old post-office), foreign
agent (new post-office)
– Mobile host registers with home agent the new location
– Home agent captures packets meant for mobile host, and
forwards them to the foreign agent, which then delivers them to
the mobile host
A MH Moves to a Foreign Network
MH = mobile host
HA = home agent
CH = correspondent host
FA = foreign agent
[Figure: CH, Home network (HA, MH), Foreign network (FA); address labels 130.203.*.*, 129.186.*.*, 129.186.105.216, 130.203.4.112]
• MH discovers a FA in the foreign network.
• MH seeks a care-of address from the FA
• MH registers/authenticates its care-of address to the HA in its home
network.
Packets towards MH
MH = mobile host
HA = home agent
CH = correspondent host
FA = foreign agent
[Figure: CH, Home network (HA), Foreign network (FA), MH]
• HA receives packets for the MH.
• HA tunnels packets to FA
• FA decapsulates packets and delivers them to MH
Packet Addressing
Packet from CH to MH
– Source address = address of CH
– Destination address = home IP address of MH
– Payload
Home agent intercepts above packet and tunnels it
– Source address = address of HA
– Destination address = care-of address of MH
– Encapsulated original packet:
  • Source address = address of CH
  • Destination address = home IP address of MH
  • Original payload
If MH Moves Again
[Figure: CH, Home network (HA), Foreign network #1 (FA #1, MH), Foreign network #2 (FA #2, MH)]
• MH registers new address (FA #2) with HA & FA #1
• HA tunnels packets to FA #2, which delivers them to MH
• Packets in flight can be forwarded from FA #1 to FA #2
Packets from MH
Mobile hosts also send packets
[Figure: CH, Home network (HA), Foreign network (FA), MH]
• Mobile host uses its home IP address as source address
– Lower latency
– Still transparent to correspondent host
– No obvious need to encapsulate packet to CH
– Triangle Routing
Route Optimization
[Figure: CH, Home network (HA), Foreign network (FA), MH]
• When HA receives a packet (from CH) to tunnel to FA:
– It sends a binding message to CH with the care-of address
of the MH.
– CH caches the address, and forwards later packets directly
to the care-of address.
Route Optimization
• When a FA receives a tunneled message,
but sees no visitor entry for the mobile
host, it generates a binding warning
message to the appropriate HA
• When a HA receives a warning, it issues
an update message to the CH, which
removes the care-of address from its
cache.
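The tunnelling described under Packet Addressing and the foreign agent's visitor-entry check described under Route Optimization, as an added Python example that is not part of the original slides. It assumes IP-in-IP encapsulation (protocol number 4) for the tunnel and uses constructed addresses; the function names and the tuple returned for a binding warning are hypothetical.

```python
import socket
import struct

IPIP = 4  # IP protocol number for IP-in-IP encapsulation (assumed tunnel type)

def checksum(header: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    total = (total & 0xFFFF) + (total >> 16)   # fold carries once
    return ~(total + (total >> 16)) & 0xFFFF   # fold the last carry and invert

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, TTL 64)."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload

def parse(packet: bytes):
    """Return (src, dst, proto, payload); reject truncated or corrupt headers."""
    if len(packet) < 20 or packet[0] != 0x45 or checksum(packet[:20]) != 0:
        raise ValueError("malformed IPv4 header")
    length = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[20:length]

def ha_tunnel(packet: bytes, bindings: dict, ha: str) -> bytes:
    """Home agent: wrap a packet for a registered MH in an outer header."""
    home_addr = parse(packet)[1]
    return ipv4(ha, bindings[home_addr], IPIP, packet)

def fa_receive(tunneled: bytes, care_of: str, visitors: set):
    """Foreign agent: decapsulate, deliver only if the MH has a visitor entry."""
    outer_src, outer_dst, proto, inner = parse(tunneled)
    if outer_dst != care_of or proto != IPIP:
        raise ValueError("not a tunnel packet for this foreign agent")
    home_addr = parse(inner)[1]
    if home_addr not in visitors:
        return ("binding-warning", outer_src, home_addr)  # reported to the HA
    return ("deliver", home_addr, inner)

# Constructed addresses (documentation ranges): CH, HA, MH home address, care-of address.
CH, HA, MH_HOME, CARE_OF = "203.0.113.7", "192.0.2.1", "192.0.2.216", "198.51.100.1"

def demo():
    tunneled = ha_tunnel(ipv4(CH, MH_HOME, 17, b"hello MH"), {MH_HOME: CARE_OF}, HA)
    return tunneled, [fa_receive(tunneled, CARE_OF, v) for v in ({MH_HOME}, set())]

if __name__ == "__main__":
    print(demo()[1])
```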
Notice
• Topic of next class: Wireless LAN and
Mobile Ad Hoc Network
• Reminder: pick the papers you want to
present (with preferred dates if you want)
ASAP.