29c3 OpenBTS workshop - Mini-Workshop

  • Published on
    19-Jan-2015

  • View
    2.116

  • Download
    5

Embed Size (px)

DESCRIPTION

Event: https://events.ccc.de/congress/2012/wiki/OpenBTS_workshop Video: http://www.youtube.com/playlist?list=PLifX8tOt8ajpmUnIabqsqMD0MxcCHNI08

Transcript

  • 1. OpenBTS Mini- WorkshopOpenBTS is a registered trademark of Range Networks, Inc. 1Saturday, August 6, 20111

2. GSM Basics 2Saturday, August 6, 20112 3. GSM History 1982 - CEPT establishes GSM group 1987 - Basic parameters selected 1989 - GSM standardization process moved to ETSI 1990 - Phase 1 spec frozen 1992 - First commercial service 1995 - Phase 2 spec frozen 2001 - 500M GSM users world-wide 2009 - Accounts for about 80% of all cellular service 2011 - 3G UMTS displacing 2G GSM in some places, but all 3G UMTS phones still support 2G GSM 3Saturday, August 6, 2011 3 4. GSM Layers Layers similar to OSI model. L1 - physical layer - bits and waveforms L2 - data link layer - makes the link reliable L3 - connection management layer - where most of the cellular telephone application happens4Saturday, August 6, 20114 5. Physical Layer (L1)5Saturday, August 6, 2011 5 6. Cellular Concepts: FDMA Frequency division multiple access: users on different radio frequencies. The only MA type in older analog systems. F r e q Time6Saturday, August 6, 20116 7. Cellular Concepts: TDMA Time division multiple access: users share a channel, using it at different times. Can be sync or async (802.11).FreqTime7Saturday, August 6, 2011 7 8. Cellular Concepts: FDMA and TDMA GSM is both FDMA and TDMA. 200 kHz radio channel spacing 8 timeslots per channelFreq Time 8Saturday, August 6, 2011 8 9. Timeslots from GSM for Dummies, with permission 9Saturday, August 6, 2011 9 10. The ARFCN Absolute Radio Frequency Channel Number 200 kHz radio channel spacing 270.833 kHz radio channel bandwidth Cannot use adjacent ARFCNs in the same cell because they overlap. Assigned in xed uplink/downlink pairs.10Saturday, August 6, 201110 11. Frequency Duplexingfrom GSM for Dummies, with permission 11Saturday, August 6, 201111 12. Common GSM BandsName UpDownARFCNs Regions P-GSM 900 890-915 935-9601-124 1, 3 E-GSM 900 880-915 925-960 0-125, 1, 3 975-1023 GSM 850 824-849 869-894128-2512DCS 1800 1710-1785 1805-1880 512-8851, 3 PCS 1900 1850-1910 1930-1990 512-8102 12Saturday, August 6, 2011 12 13. Duplexing Handset and BTS cannot transmit on the same frequency at the same time. TDD - Time Division Duplexing - Handset and BTS time transmissions to avoid conict. This is cheapest. FDD - Frequency Division Duplexing - Handset and BTS operate on different frequencies. This requires special RF lters. GSM is FDD in the BTS, and both FDD and TDD for the handset.13Saturday, August 6, 201113 14. Frequency Duplexingfrom GSM for Dummies, with permission 14Saturday, August 6, 201114 15. Frequency Duplexing Cavity Duplexer 15Saturday, August 6, 2011 15 16. Timing and Power Control BTS controls output power level of the handset to maximize battery life and optimize receiver performance. BTS controls timing advance of the handset to prevent collisions of arriving radio bursts. This happens on the SACCH. 16Saturday, August 6, 201116 17. Link Layer (L2)17Saturday, August 6, 2011 17 18. The Link Layer L3 has variable-length messages and assumes reliable delivery. L1 has xed-length frames and loses them sometimes. L2 connects these so that L3 can use L1. 18Saturday, August 6, 201118 19. Connection Management Layer (L3)19Saturday, August 6, 201119 20. GSM Layer 3 This is where things start to look like a telephone system. Sublayers: Radio Resource (RR) Mobility Management (MM) Call Control (CC) Short Message Service (SMS) 20Saturday, August 6, 2011 20 21. GSM L3 RR Radio Resource management. Assign and release radio channels. Page handsets for service. Generate the beacon. Data elements are descriptions of physical layer parameters.21Saturday, August 6, 201121 22. GSM L3 MM Mobility Management. Keep track of what part of the network is serving a given handset. Authenticate users. Data elements are subscriber identities and authentication tokens.22Saturday, August 6, 2011 22 23. GSM L3 CC Call Control. Connect the handset to the telephone switch. Nearly identical to ISDNs Q.931. Data elements are phone numbers, call status codes and bearer capability descriptions. 23Saturday, August 6, 2011 23 24. GSM L3 SMS SMS L3 is just a connection layer for SMS L4. Just a pass-through. Nothing really happens in SMS until you hit L5.24Saturday, August 6, 2011 24 25. Addressing in GSM IMSI: International Subscriber Mobile Identity. A 14- 15-digit number in the SIM that uniquely identies the subscriber. Encodes identity of issuing carrier, too. TMSI: Temporary Subscriber Mobile Identity. A 32-bit number assigned by the network that uniquely identies the subscriber within that network.25Saturday, August 6, 201125 26. Addressing in GSM (cont.) IMEI: International Mobile Equipment Identity. A 15-digit number that uniquely identies the handset. Encodes manufacturer and model. Not used much in GSM except for fraud detection. MSISDN: The subscribers telephone number. 26Saturday, August 6, 2011 26 27. Addressing in GSM (cont.) The MSISDN-IMSI association exists only in the network, not in the handset. There is no MSISDN-IMEI association. If a phone is locked that usually means that it will accept SIMs only from a specic carrier.27Saturday, August 6, 201127 28. Introduction to VoIP28Saturday, August 6, 201128 29. The Old Analog PSTN Phone numbers form an address space, like any other address space. A phone lines address is determined by where it is physically connected to the network. Dialed numbers (signaling) are encoded as tones in the audio stream (in-band signaling). The switch decodes signaling to connect completed physical circuits between phones. Circuit Switched Telephony29Saturday, August 6, 2011 29 30. 70s-era Analog Switch 30Saturday, August 6, 201130 31. SS7 Signaling System 7 (SS7) replaced analog lines with synchronous digital ones, but its still circuit-switched. Signaling and media travel on different logical channels (out-of-band signaling). Telephony is just an application in the SS7 network. ...so is the GSM core network. The switch is just a computer, shufing frames between media channels as instructed by the signaling. Phone numbers are no longer physical addresses, but entries in a routing database. 31Saturday, August 6, 201131 32. Q.931 Call Signaling Subscriber Network Subscriber dials number.SETUPCALL PROCEEDINGRemote phone ringing.ALERTINGRemote party answers. CONNECTCONNECT ACKCall connected. Subscriber hangs up.DISCONNECT RELEASE RELEASE COMPLETE Dial tone.32Saturday, August 6, 201132 33. VoIP Replace circuit-switched SS7 with packet-switched IP. Signaling and media can follow entirely different paths and use entirely different protocols. Telephony is an application running on the internet. The switch is just a computer shufing packets as directed by the signaling. IP network gives additional layer of addressing.33Saturday, August 6, 201133 34. VoIP Specics: SIP & RTP Session Initiation Protocol (SIP), RFC-3261, for signaling. SIP header design similar to HTTP. Real-Time Protocol (RTP), RFC-3550, for media. Both protocols already used internally by many telecom carriers, all renamed IMS.34Saturday, August 6, 201134 35. SIP Call Flow Subscriber Network Subscriber dials number.INVITETrying 100Remote phone ringing.Ringing 180 Remote party answers.OK 200 ACKCall connected. Subscriber hangs up. BYE ACKDial tone. 35Saturday, August 6, 201135 36. Putting it Together: OpenBTS = GSM + VoIP 36Saturday, August 6, 201136 37. OpenBTS DesignPrinciples Put as little functionality as possible into the GSM-specic software. Translate protocols to open standards whenever possible. Exploit external applications whenever possible.37Saturday, August 6, 201137 38. OpenBTS DesignPrinciples Terminate L3 RR inside OpenBTS to eliminate the need for a BSC. Translate MM, CC and SMS to SIP and let the VoIP software deal with them. Most new features will be external modules on socket interfaces. 38Saturday, August 6, 201138 39. OpenBTS VoIP Principles OpenBTS itself is invisible. The VoIP network sees only the phones. Each handset appears as a SIP endpoint at the IP address of its serving BTS. Each handset is a SIP user called IMSIxxxxxxxxxxxxxxxx, where xxxxxxxxxxxxxxx is the IMSI of the SIM in the handset. 39Saturday, August 6, 2011 39 40. Mobile-Originated CallSIP Switch OpenBTS Handset CHAN. REQ.IMMED. ASSIGN. CM SVC. REQ. CM SVC. ACCEPT SETUP INVITECALL PROCEEDING Status: 100 Trying Status: 182 Ringing Status: 200 OK ALERTINGCONNECTCONNECT ACK. RTP trafc GSM trafc40Saturday, August 6, 2011 40 41. Mobile-Originated CallSIP Switch OpenBTSHandsetCHAN. REQ. IMMED. ASSIGN.RR This is where we skipCM SVC. REQ.the encryption step.CM SVC. ACCEPTMMSETUP INVITE CALL PROCEEDING Status: 100 Trying Status: 182 RingingCC Status: 200 OKALERTING CONNECT CONNECT ACK. RTP trafcGSM trafc 41Saturday, August 6, 2011 41 42. Mobile-Originated CallSIP Switch OpenBTS Handset CHAN. REQ.IMMED. ASSIGN. CM SVC. REQ. CM SVC. ACCEPT SETUP INVITECALL PROCEEDING Status: 100 Trying Status: 182 Ringing Status: 200 OK ALERTINGCONNECTCONNECT ACK. RTP trafc GSM trafc42Saturday, August 6, 2011 42 43. Backhaul Loading GSM FR codec is about 13 kbit/sec/call. Asterisk can transcode to other codecs ranging from 2.4-64 kbit/sec/call, with varying quality. Regardless of codec type, RTP overhead is about 17 kbit/sec/call. IAX overhead is closer to 20 kbit/sec/call, but can be shared across multiple calls. 43Saturday, August 6, 2011 43 44. Backhaul Requirementsable 6.1: Backhaul bandwidth for various codec/trunking congurations. All rates in kbit/sec and a ming 20 ms framing. Codec per callper call 7 calls7 callsspeech raw rate over RTPover RTPIAX trunking quality G.71164 81567468toll-qualityGSM-FR13 30210124toll-quality G.729 8 25175 97near-toll-quality Speex 8 25175 97near-toll-quality Speex 4 21147 60not toll-qualityLPC-10 2.4 20136 37not to