% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $ \documentclass{beamer} % This file is a solution template for: % - Talk at a conference/colloquium. % - Talk length is about 20min. % - Style is ornate. % Copyright 2004 by Till Tantau . % % In principle, this file can be redistributed and/or modified under % the terms of the GNU Public License, version 2. % % However, this file is supposed to be a template to be modified % for your own needs. For this reason, if you use this file as a % template and not specifically distribute it as part of a another % package/program, I grant the extra permission to freely copy and % modify this file as you see fit and even to delete this copyright % notice. \mode { \usetheme{Warsaw} % or ... \setbeamercovered{transparent} % or whatever (possibly just delete it) } \usepackage[english]{babel} % or whatever \usepackage[latin1]{inputenc} % or whatever \usepackage{times} \usepackage[T1]{fontenc} % Or whatever. Note that the encoding and the font should match. If T1 % does not look nice, try deleting the line with the fontenc. \usepackage{listings} \title{GSM Workout} \subtitle {Improving GSM protocol analysis} \author{Harald Welte} \institute {gnumonks.org\\gpl-violations.org\\OpenBSC\\airprobe.org\\hmw-consulting.de} % - Use the \inst command only if there are several affiliations. % - Keep it simple, no one is interested in your street address. \date[foss.in/2009] % (optional, should be abbreviation of conference name) {FOSS.in conference, December 2009, Bangalore/India} % - Either use conference name or its abbreviation. % - Not really informative to the audience, more for people (including % yourself) who are reading the slides online \subject{Free Software} % This is only inserted into the PDF information catalog. Can be left % out. % If you have a file called "university-logo-filename.xxx", where xxx % is a graphic format that can be processed by latex or pdflatex, % resp., then you can add a logo as follows: % \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} % \logo{\pgfuseimage{university-logo}} % Delete this, if you do not want the table of contents to pop up at % the beginning of each subsection: %\AtBeginSubsection[] %{ % \begin{frame}{Outline} % \tableofcontents[currentsection,currentsubsection] % \end{frame} %} % If you wish to uncover everything in a step-wise fashion, uncomment % the following command: %\beamerdefaultoverlayspecification{<+->} \begin{document} \begin{frame} \titlepage \end{frame} \begin{frame}{Outline} \tableofcontents % You might wish to add the option [pausesections] \end{frame} % Structuring a talk is a difficult task and the following structure % may not be suitable. Here are some rules that apply for this % solution: % - Exactly two or three sections (other than the summary). % - At *most* three subsections per section. % - Talk about 30s to 2min per frame. So there should be between about % 15 and 30 frames, all told. % - A conference audience is likely to know very little of what you % are going to talk about. So *simplify*! % - In a 20min talk, getting the main ideas across is hard % enough. Leave out details, even if it means being less precise than % you think necessary. % - If you omit details that are vital to the proof/implementation, % just say so once. Everybody will be happy with that. \begin{frame}{The FOSS.in/2009 GSM workout} What do we want to achieve? \begin{itemize} \item improve airprobe.org GSM protocol analyzer \item improve wireshark protocol dissectors for GSM \end{itemize} \end{frame} \begin{frame}{The FOSS.in/2009 GSM workout} What skills do you need? \begin{itemize} \item general underestanding about communications protocols \item wireshark usage and preferrably wireshark dissector architecture \item GSM protocol knowledge not really required \end{itemize} \end{frame} \section{airprobe.org} \begin{frame}{airprobe architecture} \begin{itemize} \item Software to receive GSM off the air \begin{itemize} \item implements GSM layer 0 and 1, sometimes 2 \item many implementations available in airprobe.org \item gsm-receiver and gsm-tvoid most popular \end{itemize} \item Intermediate data formate to pass information to protocol analyzer \item Actual protocol analyzers like \begin{itemize} \item gsmdecode, part of airprobe \item wireshark.org project \end{itemize} \end{itemize} \end{frame} \begin{frame}{Intermediate data formats} \begin{itemize} \item Intermediate data formate to pass information between GSM receiver and actual protocol analyzer \begin{itemize} \item hex bytes for every layer 2 or layer 3 message, or \item PCAP file with GSM encapsulation type, or \item some non-standard frames through tun/tap device, or \item GSMTAP header (like wiretap) inside UDP packets over loopback device \end{itemize} \end{itemize} \end{frame} \section{GSM Um interface} \begin{frame}{Understanding Um}{Overview} % Following GSM 04.03 Section 4 %\small{ \begin{itemize} \item Modeled after the U interface of ISDN \item Broadcast channels: SCH, BCCH, FCCH \item Common channels: CCCH (PCH \& AGCH), RACH \item Dedicated Channels: \begin{description}[Dm] \item[Dm] SDCCH, FACCH, SACCH \item[Bm] TCH/H, TCH/F \end{description} \end{itemize} \end{frame} \begin{frame}{Understanding Um}{Channels \& Layers} \begin{figure}[h] \centering \includegraphics[width=100mm]{GSMLayers.pdf} \end{figure} \end{frame} \subsection{Time Division Multiplex} \begin{frame}{Understanding Um}{TDM Structure} \begin{itemize} \item ARFCN (Absolute Radio Freq.~Chan.~Num.)-- A 270,833 Hz radio channel. ARFCNs within a BTS numbered C0, C1, etc. \item 8 timeslots per frame on each ARFCN, numbered T0..T7. \item ``physical channel'' -- one slot on one ARFCN, designated C0T0, C0T1, C1T5, etc. \item Physical channel TDM follows a 26- or 52-frame multiframe, carrying multiple logical channels. \end{itemize} \end{frame} \begin{frame}{Understanding Um --TDM Example} \begin{figure}[h] \centering \includegraphics[width=90mm]{26Multiframe.pdf} \caption{Example of traffic channel TDM} \end{figure} \end{frame} \subsection{Logical Channels} \begin{frame}{Understanding Um}{The Beacon} The beacon is always on C0T0 and always constant full power \begin{description}[CCCH] \item[SCH] (Sync.) -- TDM timing and reduced BTS identity \item[FCCH] (Freq.~Corr.) -- Fine frequency synchronization \item[BCCH] (Broadcast Control) -- Cell configuration and neighbor list \item[CCCH] (Common Control) -- a set of unicast channels \begin{description}[AGCH] \item[PCH] paging channel for network-originated transactions \item[AGCH] access grant channel \item[RACH] uplink access request \end{description} \end{description} \end{frame} \begin{frame}{Understanding Um}{SCH -- Synchronization CHannel} \begin{itemize} \item First channel acquired by a handset \item T1, T2, T3' -- TDM clocks for GSM frame number \item BCC -- 3 bits, identifies BTS in the local group \item NCC -- 3 bits, identifies network within a region \item BSIC is NCC:BCC \end{itemize} \end{frame} \begin{frame}{Understanding Um}{BCCH -- Broadcast Control CHannel} \begin{itemize} \item Second channel acquired by the handset. \item A repeating cycle of system information messages. \begin{description}[Type 4] \item[Type 1] ARFCN set \item[Type 2] Neighbor list \item[Type 3] Cell/Network identity, CCCH configuration \item[Type 4] Network identity, cell selection parameters \item[GPRS] adds a few more (7, 9, 13, 16, 17) \end{description} \end{itemize} \end{frame} \begin{frame}{Understanding Um}{CCCH -- Common Control CHannel} \begin{description}[AGCH] \item[PCH] Paging \begin{itemize} \item Unicast. Handsets addressed by IMSI or TMSI, never IMEI. \item Handset sees paging request and then requests service on RACH. \end{itemize} \item[RACH] Random Access \begin{itemize} \item Handset requests channel with RACH burst, 8-bit tag. \end{itemize} \item[AGCH] Access Grant \begin{itemize} \item BTS answers on AGCH, echoing tag and timestamp. \end{itemize} \end{description} \end{frame} \begin{frame}{Understanding Um}{Dm Channels} \begin{description}[SDCCH] \item[SDCCH] Most heavily used control channel: registration, SMS transfers, call setup in many networks. Payload rate of 0.8 kb/s. \item[FACCH] Blank and burst channel steals bandwidth from traffic. Used for in-call signaling, call setup in some networks. Payload rate up to 9.2 kb/s on TCH/F. \item[SACCH] Low rate channel muxed onto every other logical channel type. Used for timing/power control, measurement reports and in-call SMS transfers. \end{description} \end{frame} \begin{frame}{Frequency Hopping} \begin{itemize} \item Intended to improve radio performance through diversity in fading and interference \item Two ways to implement hopping \begin{itemize} \item Baseband hopping: $N$ fixed-frequency transceivers are connected to $N$ baseband processors through a switch or commutator. Allows CA of $N$ ARFCNs. C0 can be in the CA. \item Synthesizer hopping: Each of $N$ baseband processors connects to a dedicated transceiver. This requires transceivers that can be retuned and settled in less than 30~$\mu$s. Allows CA to have $\gg N$ ARFNCs. C0 is not in the CA. \end{itemize} \item Some networks implement synchronous hopping to prevent collisions of hopping bursts from neighboring cells. \end{itemize} \end{frame} \begin{frame}{Frequency Hopping Parameters} A {\em hopping sequence} is an ordered list of ARFCNs used by a given physical channel (PCH), synced to the GSM frame clock. Each PCH can have an independent hopping sequence. \begin{description}[MAIO] \item[CA] Cell Allocation, set of ARFCNs used for hopping in BTS \item[HSN] Hopping Sequence Number, parameter used in pseudorandom algorithm generating hopping sequence \item[MA] Mobile Allocation, subset of CA used by a particular PCH \item[MAIO] MA Index Offset, offset added to hopping sequence when indexing MA. \end{description} \begin{itemize} \item CA is the same for every PCH in the BTS \item HSN, MA and MAIO can be different for every PCH, usually only MAIO is unique \end{itemize} \end{frame} \subsection{The Layers of the Um Interface} \begin{frame}{Understanding Um}{The Layers} The Layers are not exactly the ISO model, but a similar theme. \begin{description} \item[L1] The radiomodem, TDM and FEC functions \item[L2] Frame segmentation and retransmission \item[L3] Connection \& mobility management \item[L4] Relay functions between BSC and other entities \end{description} \end{frame} \begin{frame}{Understanding Um}{The Layers} \begin{figure}[h] \centering \includegraphics[width=85mm]{L2Figure.pdf} \caption{Layers of a Dm channel} \end{figure} \end{frame} \subsection{Um Layer 1} \begin{frame}{Understanding Um}{L1} \begin{itemize} \item Analog radio path (transceiver, amplifiers, duplexer, antenna) \item{GMSK or GMSK/EDGE radiomodem (``L0'')} \item{TDM to define logical channels} \item{FEC (Forward Error Correction)} \begin{itemize} \item{Rate-1/2 convolutional code is typical.} \item{40-bit Fire code parity word on most control channels.} \item{4-burst or 8-burst interleaving is typical.} \end{itemize} \end{itemize} \end{frame} \begin{frame}{L1 Overview (see handout)} \begin{figure}[h] \centering \includegraphics[width=50mm]{UmL1Overview.pdf} \end{figure} \end{frame} \begin{frame}{Um L1 Interleaving} \begin{itemize} \item Every GSM data frame is spread over 4 or 8 radio bursts. \begin{itemize} \item 4-burst block interleave on most channels \item 8-burst diagonal interleave on TCHs \end{itemize} \item Loss of one burst means 1/4 or 1/8 missing channel bits, scattered throughout a frame. \item Allows a slow-hopping system to achieve many performance gains associated with fast-hopping. \end{itemize} \end{frame} \subsection{Um Layer 2} \begin{frame}{Understanding Um}{L2} \begin{itemize} \item L1 drops frames, but L3 assumes a reliable link. \item L1 uses fixed-length frames, but L3 uses variable-length messages. \item L2 (Data Link Layer) bridges the gap with segmentation, sequencing and retransmission. \item ISDN uses LAPD for L2, derived from HDLC, derived from SDLC, dating back to IBM's SNA mainframe networks. \end{itemize} \end{frame} \begin{frame}{Understanding Um}{L2} \begin{itemize} \item{LAPDm on Dm channels, a HDLC derivative, similar to ISDN's LAPD but simplified.} \item{LLC on GPRS channels, another HDLC derivative.} \item{GSM defines no L2 in Bm channels.} \begin{itemize} \item{Speech/fax are just media and have no L2.} \item{CSD typically used with PPP for L2.} \end{itemize} \end{itemize} \end{frame} \section{TODO} \subsection{GSMTAP} \begin{frame}{GSMTAP Interface} It's important to find the right level of the GSMTAP interface \begin{itemize} \item If we simply pass every GSM burst, then wireshark would need to do the burst-rerassembly, forward error correction, etc - something it traditionally doesn't do \item If we pass every Layer 2 Frame (23 bytes) \begin{itemize} \item burst decoding, reassembly, etc. is done in receiver \item however, every burst might have different RF parameters like ARFCN, RX level, error rate, ... \end{itemize} \end{itemize} \end{frame} \begin{frame}[containsverbatim]{Current GSMTAP Header} \tiny{ \begin{lstlisting} struct gsmtap_hdr { u_int8_t version; /* version, set to 0x01 currently */ u_int8_t hdr_len; /* length in number of 32bit words */ u_int8_t type; /* see GSMTAP_TYPE_* */ u_int8_t timeslot; /* timeslot (0..7 on Um) */ u_int16_t arfcn; /* ARFCN (frequency) */ u_int8_t noise_db; /* noise figure in dB */ u_int8_t signal_db; /* signal level in dB */ u_int32_t frame_number; /* GSM Frame Number (FN) */ u_int8_t burst_type; /* Type of burst, see above */ u_int8_t antenna_nr; /* Antenna Number */ u_int16_t res; /* reserved for future use (RFU) */ } __attribute__((packed)); \end{lstlisting} } \end{frame} \subsection{ip.access wireshark dissectors} \begin{frame}{ip.access wireshark dissectors} \begin{itemize} \item ip.access wrote some wireshark dissectors against an old wireshark version \item they never submtited them upstream, but we have the source under GPL \item meanwhile, upstream wireshark has parts of that functionality \item we now need to port those old dissectors to current wireshark \end{itemize} \end{frame} \begin{frame}{ip.access wireshark dissectors} \begin{itemize} \item IPA protocol as encapsulation layer \begin{itemize} \item different implementation in upstream (packet-gsm\_ipa.c) \item maybe some few bits missing from upstream \item port the missing bits from ip.access to upstream \end{itemize} \item GSM 12.21 (A-bis OML) \begin{itemize} \item different implementation in openbsc (abis-oml.patch) \item quite a number of bits missing from upstream \item BTS vendor specific decoding preference needed \end{itemize} \item GSM 08.58 (A-bis RSL) \begin{itemize} \item different implementation in upstream (packet-rsl.c) \item many ip.access specific bits missing \item port the missing bits from ip.access to upstream \end{itemize} \end{itemize} \end{frame} \begin{frame}{ip.access wireshark dissectors} \begin{itemize} \item IPA IML (internal management link) \begin{itemize} \item no implementation in upstream \item simply merge it into current upstream \end{itemize} \item RTP Multiplex (packet-rtp\_mux.c) \begin{itemize} \item no implementation in upstream \item simply merge it into current upstream \end{itemize} \item GSM CSD (packet-gsm\_csd.c) \begin{itemize} \item no implementation in upstream \item simply merge it into current upstream \end{itemize} \end{itemize} \end{frame} \end{document}