Lecture6 PLMN


ECEG 5301, Telecommunication Networks

6. Public Land Mobile Network (PLMN)

Dr. Eng. Yihenew Wondie
December, 2015
AAiT

Outline

• Introduction to PLMN
• Cellular Concept
• Architecture of Mobile Network
• Random Access in Mobile Network
• Multiplexing vs Multiple Access
• Security Measures in Mobile Network
• Mobile Network Identifiers

Cellular concept

A cellular network contains a large number of cells with a base station (BS) at the center of each cell to which mobile stations (MS) are connected during a call.

If a connected MS (MS in call phase) moves between two cells, the call is not dropped. Instead, the network performs a handover (USA: handoff).

[Figure: cells with base stations (BS) and a mobile station (MS)]

Mobility concept

A cellular network is divided into location areas (LA), each containing a certain number of cells.

As long as an idle MS (idle = switched on) moves within a location area, it can be reached through paging.

If an idle MS moves between two location areas, it cannot be reached before it performs location updating.

[Figure: Location Area 1, Location Area 2 and Location Area 3]

Architecture of a mobile network

[Figure: architecture of a mobile network. Elements shown: MS, GSM BSS, 3G RAN, CS core network, MSC, VLR, GMSC, HLR, AuC, EIR, PS core network, PSTN and Internet]

Serving MSC

The serving mobile switching center (MSC) is the mobile counterpart to the local exchange in the PSTN. This is the MSC that is currently serving a mobile user.

VLR

The visitor location register stores temporary information on mobile users roaming in a location area under the control of the MSC/VLR.

Gateway MSC

The gateway MSC (located in the home PLMN of a mobile user) is the first contact point in the mobile network when there is an incoming call to the mobile user.

HLR

The home location register stores information on mobile users belonging to this mobile network (e.g. subscription data and present VLR under which the mobile user is roaming).

AuC

The authentication center safely stores authentication keys (Ki) of mobile subscribers belonging to this mobile network.

EIR

The equipment identity register stores information on stolen handsets (not stolen SIMs).

SIM

Important mobile user information is stored in the subscriber identity module (SIM) within the handset.

CS core network

The CS core network architecture is basically the same in 2G (GSM) and 3G mobile networks. In North America, IS-MAP signalling is used instead of GSM-MAP signalling.

• Europe: GSM core network
• N. America: ANSI-41 core network

Basic functions in a mobile network

(Number in brackets refers to following slides in the slide set.)

Radio Resource Management (RRM)
• Random access and channel reservation [1]
• Handover management
• Ciphering (encryption) over radio interface

Mobility Management (MM)
• IMSI/GPRS Attach (switch on) and Detach (switch off)
• Location updating (MS moves to other Location Area) [3]
• Authentication [2]

Call Control (CC): MOC, MTC [4]

Session Management (SM): PDP Context (later lecture)

Range of functions

[Figure: range of the RRM, MM, CC and SM functions across the GSM BSS or 3G RAN, the CS core network and the PS core network]

1 Random access in a mobile network

Communication between MS and network is not possible before going through a procedure called random access.

Random access must consequently be used in:

Network-originated activity
• paging, e.g. for a mobile terminated call (MTC)

MS-originated activity
• IMSI attach, IMSI detach
• GPRS attach, GPRS detach
• location updating
• mobile originated call (MOC)
• SMS (short message service) message transfer

1 Random access in action (GSM)

1. MS sends a short access burst over the Random Access CHannel (RACH) in uplink using Slotted Aloha (in case of collision => retransmission after random time).
2. After detecting the access burst, the network returns an "immediate assignment" message which includes the following information:
   - allocated physical channel (frequency, time slot) in which the assigned signalling channel is located
   - timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.

Multiplexing vs. multiple access

In downlink, multiplexing (e.g. TDM)
• Network decides channel…

In uplink, multiple access (e.g. TDMA)
• Network decides channel also in this case

Multiple access is always associated with random access. MS requests signalling channel, and network decides which channel (e.g. time slot) will be used.

Security measures in a mobile network

1) PIN code (local authentication of handset => local security measure, network is not involved)
2) Authentication (performed by network)
3) Ciphering of information sent over air interface
4) Usage of TMSI (instead of IMSI) over air interface

IMSI = International Mobile Subscriber Identity (globally unique identity)
TMSI = Temporary Mobile Subscriber Identity (local and temporary identity)

Authentication in GSM

• A3 – used for subscriber authentication.
• A5 – used for ciphering/deciphering. This algorithm is standardized throughout all GSM networks.
• A8 – used for cipher key generation. This algorithm is defined by the PLMN.

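2 Basic principle of authentication

[Figure: challenge-response between the SIM (in handset) and the network (algorithm running in AuC) across the air interface. The network sends a random number RAND as the challenge. Each side runs the algorithm on RAND and the authentication key Ki; the SIM returns its result SRES_S as the response, and the network computes SRES_A. The same? If yes, authentication is successful.]
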
2 Where does the algorithm run?

Algorithm for calculating SRES runs within SIM (user side) and AuC (network side). The authentication key (Ki) is stored safely in SIM and AuC, and remains there during authentication.

The two SRES values are compared in the VLR.

[Figure: RAND is sent over the air interface to the SIM; the SIM (holding Ki) produces SRES_S and the AuC (holding Ki) produces SRES_A; both values meet at the VLR]

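The challenge-response exchange from the two slides above, as an added Python example (not part of the original lecture). HMAC-SHA256 is an assumed stand-in for the operator's A3/A8, the class and function names are hypothetical, and the IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import secrets

def a3_a8_stand_in(ki, rand):
    """Return (SRES, Kc) for a challenge. HMAC-SHA256 is an assumed stand-in for
    the operator's A3/A8; output sizes follow GSM (32-bit SRES, 64-bit Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Network side: keeps Ki per IMSI and hands out (RAND, SRES_A, Kc) triplets."""
    def __init__(self, keys):
        self._keys = keys                    # Ki never leaves this object

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)       # fresh 128-bit RAND for every attempt
        sres_a, kc = a3_a8_stand_in(self._keys[imsi], rand)
        return rand, sres_a, kc

class SIM:
    """User side: keeps Ki and answers a challenge with SRES_S."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def sres(self, rand):
        return a3_a8_stand_in(self._ki, rand)[0]

class VLR:
    """Compares the two SRES values; it handles RAND and SRES but never Ki."""
    def __init__(self, auc):
        self._auc = auc

    def authenticate(self, imsi, respond):
        rand, sres_a, _kc = self._auc.triplet(imsi)
        sres_s = respond(rand)               # RAND goes out, SRES_S comes back
        return hmac.compare_digest(sres_s, sres_a)

# Constructed sample subscriber (not real values).
IMSI = "001010123456789"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def demo():
    vlr = VLR(AuC({IMSI: KI}))
    genuine = SIM(IMSI, KI)
    wrong_key = SIM(IMSI, bytes(16))         # same IMSI, different Ki
    replayed = genuine.sres(bytes(16))       # response recorded for an old RAND
    return (vlr.authenticate(IMSI, genuine.sres),
            vlr.authenticate(IMSI, wrong_key.sres),
            vlr.authenticate(IMSI, lambda rand: replayed))
```

Because RAND is fresh for every attempt, a response recorded earlier does not match the new SRES_A, and a SIM without the right Ki cannot compute it.
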
2 Algorithm considerations

• Using the output and one or more inputs, it is in practice not possible to calculate the other input(s) "backwards"; what remains is the "brute force approach" ("extensive search").
• Key length in bits (N) is important (in case of brute force approach, 2^N calculation attempts may be needed).
• Strength of algorithm is that it is secret => bad idea! ("Security through obscurity")
• Better: open algorithm can be tested by engineering community (security through strong algorithm).

Mobile network identifiers (1)

MSISDN = CC NDC SN (E.164 numbering format; globally unique number)

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
SN = Subscriber Number

Mobile station ISDN (MSISDN) numbers are based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.

When the calling (PSTN or PLMN) user dials an MSISDN number, the call is routed to the gateway MSC (GMSC) located in the home network of the called (mobile) user.

Mobile network identifiers (2)

MSRN = CC NDC TN (E.164 numbering format; temporarily allocated number)

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
TN = Temporary Number

Mobile station roaming numbers (MSRN) are also based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.

The MSRN is selected by the MSC/VLR serving the called (mobile) user, sent to the GMSC, and used for routing the call from the GMSC to the serving MSC.

Mobile network identifiers (3)

IMSI = MCC MNC MSIN (E.212 numbering format; globally unique number)

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
MSIN = Mobile Subscriber Identity Number (10 digits)

The international mobile station identity (IMSI) is based on the ITU-T E.212 numbering plan and cannot be used for routing a circuit-switched call (exchanges or switching centers do not understand such numbers).

The IMSI is stored in the HLR and SIM of the mobile user.

Mobile network identifiers (4)

LAI = MCC MNC LAC (E.212 numbering format; globally unique number)

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
LAC = Location Area Code (10 digits)

The location area identity (LAI) points to a location area belonging to a certain MSC/VLR. This identity must be stored in the HLR so that mobile terminated calls can be routed to the correct serving MSC/VLR.

IMEI ≈ "Serial number of handset" (not SIM)

4 Case study: Mobile terminated call (1)

1. Using the MSISDN number (dialled by the calling user located in the PSTN or the PLMN of another operator) and standard SS7/ISUP signalling, the call is routed to the GMSC in the home network of the called mobile user.

[Figure: signalling steps 1 to 6 between GMSC, HLR, VLR and serving MSC]

4 Mobile terminated call (2)

2. The GMSC contacts the HLR of the called mobile user. The SS7/MAP signalling message contains the MSISDN number which points to the mobile user record (containing IMSI, LAI where user is roaming, etc.) in the HLR database.

4 Mobile terminated call (3)

3. Using global title translation (GTT), the HLR translates the IMSI and LAI information into the signalling point code of the serving MSC/VLR. The HLR sends SS7/MAP request "Provide roaming number" (i.e. MSRN) to the VLR.

4 Mobile terminated call (4)

4. The VLR selects a temporary MSRN. Note that there must be binding between MSRN and IMSI in the VLR. The VLR sends the MSRN to the GMSC (using SS7/MAP signalling).

[Figure: signalling steps 1 to 6 between GMSC, HLR, VLR and serving MSC, with the binding MSRN ⇔ IMSI]

4 Mobile terminated call (5)

5. Using the MSRN number and standard SS7/ISUP signalling, the call is routed to the serving MSC. Although not shown in the figure, there may be intermediate switching centers (serving MSC/VLR may be located at the other end of the world).

4 Mobile terminated call (6)

6. MSC/VLR starts paging within the location area (LA) in which the called mobile user is located, using TMSI for identification. Only the mobile user with the corresponding TMSI responds to the paging via the random access channel (RACH).

[Figure: signalling steps 1 to 6 between GMSC, HLR, VLR and serving MSC, with the bindings MSRN ⇔ IMSI and IMSI ⇔ TMSI]

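Steps 1 to 6 of the mobile terminated call as an added Python example (not part of the original lecture). Class names, method names and all numbers are constructed for illustration, SS7/MAP and ISUP messages are reduced to function calls, and an object reference stands in for the signalling point code of the serving MSC/VLR.

```python
import secrets

class VLR:
    """Serving MSC/VLR: holds the MSRN <-> IMSI and IMSI <-> TMSI bindings."""
    def __init__(self, msrn_pool):
        self.free_msrn = list(msrn_pool)
        self.msrn_to_imsi = {}
        self.imsi_to_tmsi = {}

    def location_update(self, imsi):
        self.imsi_to_tmsi[imsi] = secrets.token_hex(4)   # local, temporary identity
        return self.imsi_to_tmsi[imsi]

    def provide_roaming_number(self, imsi):              # steps 3-4
        msrn = self.free_msrn.pop(0)
        self.msrn_to_imsi[msrn] = imsi                   # temporary binding
        return msrn

    def page(self, msrn):                                # steps 5-6
        imsi = self.msrn_to_imsi.pop(msrn)               # binding is used once
        self.free_msrn.append(msrn)                      # MSRN returns to the pool
        return {"channel": "paging", "identity": self.imsi_to_tmsi[imsi]}

class HLR:
    """Home register: MSISDN -> (IMSI, serving VLR)."""
    def __init__(self):
        self.subscribers = {}

    def routing_info(self, msisdn):                      # step 2
        imsi, vlr = self.subscribers[msisdn]
        return vlr.provide_roaming_number(imsi)          # MSRN goes back to the GMSC

def mobile_terminated_call(hlr, msc_by_prefix, msisdn):
    """GMSC logic: turn a dialled MSISDN into a page by the serving MSC/VLR."""
    msrn = hlr.routing_info(msisdn)                      # steps 2-4
    serving = next(v for p, v in msc_by_prefix.items() if msrn.startswith(p))
    return msrn, serving.page(msrn)                      # steps 5-6

# Constructed sample data (made-up numbers).
MSISDN, IMSI = "9995550001", "001010000000001"

def demo():
    vlr = VLR(["9995559001", "9995559002"])
    hlr = HLR()
    hlr.subscribers[MSISDN] = (IMSI, vlr)
    tmsi = vlr.location_update(IMSI)
    msrn, page = mobile_terminated_call(hlr, {"9995559": vlr}, MSISDN)
    return msrn, page, tmsi, vlr
```

The page carries only the TMSI, so the IMSI stays off the air interface, and the MSRN binding disappears once the call has been delivered.
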
