GSM and SS7 Overview

By Firoz Ahmed

• To understand the main scenarios in a GSM network, from a signaling perspective – Location update/ Registration– Phone Calls

• Outgoing• Incoming

– Short Messages• Outgoing• Incoming

Session objective

• GSM network elements – HLR, VLR, MSC, GMSC, SMSC

• IMSI, MSISDN, MCC, MNC, CC, NDC• Numbering plans – E.164, E.212, E.214• Signaling basics – SS7 suite of protocols

Concepts / Terminology encountered en route

Mobile Switching Network

MSC 1

BSC 1

VLR 2VLR 1 MSC 2HLR

BSC 2

Cell Sites (BTS)

Base Station Subsystem

Network Subsystem

Rough View of a GSM network

GMSC

HLR

MSC/

VLR

MSC/

VLR

SMSC

To other networks

IMSI, MSISDN and IMEI

MCC MNC

IMSI

CC = Country CodeNDC = National Destination Codee.g. 91-9820-026174

Total of 15 digits. MCC and MNC take up a max of 6 digits. MCC is 3 digit Country Code and MNC is 2-3 digit (mostly 2) Network Code in the countrye.g. 404-20-1234567890

CC NDC

MSISDN

Country

UK

France

India

CC

44

33

91

MCC

234

208

404

CC and MCC codes are different

TAC FAC SNR

TAC – Type Approval Code (6 digits)FAC – Final Assembly Code (2 digits)SNR – Serial Number (6 digits)

IMEI

MSIN

Sub. No.

SP

• E.164– The phone number world (CC + NDC + number)

• E.212– IMSI range (MCC + MNC + MSIN)– Not routable on SS7 network directly

• E.214– Routable address derived from IMSI– MCC+MNC translated to CC+NDC– Remaining digits retained unchanged– In GSM, only HLR can be addressed this way (wildcard)

Numbering Plans

• Cell sites (BTS – Base Transceiver Stations)• BSC - Base Station Controller (controls several BTSs)• MSC - Mobile Switching Center (controls several BSCs)• HLR – Home Location Register• VLR – Visitor Location Register• GMSC – Gateway MSC• EIR – Equipment Identity Register• AuC – Authentication Center

Main components of a GSM network

Some Terminology

• PLMN – Public Land Mobile Network

• HPLMN/HPMN – Home Public Mobile Network

• VPLMN/VPMN – Visited Public Mobile Network

• MS – Mobile Station – Handset + SIM Card

HLR – Home Location Register

• Stores a record for each subscriber of this network– IMSI– MSISDN– Subscription profile– Addresses of MSC and VLR currently serving the MS

• The record is a permanent one – it is there even if the subscriber is roaming outside the home network

• Has an interface to Customer Care / Billing system.

VLR – Visitor Location Register

• Temporarily stores records for mobile subscribers who are served/attached to a cell served by the MSC attached to this VLR

• Records are stored in VLR for local subscribers as well as roamers.

• Records are removed from the VLR as soon as the subscriber leaves the area of this VLR and “registers” in a new MSC/VLR pair

• Caches subscriber data so that the HLR need not be queried for everything.

Primary functions of the VLR:

• to inform the HLR that a subscriber has arrived in the particular area covered by the VLR

• to track where the subscriber is within the VLR area (location area) when no call is ongoing

• to allow or disallow which services the subscriber may use

• to purge the subscriber record if a subscriber becomes inactive whilst in the area of a VLR. The VLR deletes the subscriber's data after a fixed time period of inactivity and informs the HLR (e.g. when the phone has been switched off and left off or when the subscriber has moved to an area with no coverage for a long time).

• to delete the subscriber record when a subscriber explicitly moves to another, as instructed by the HLR

MSC – Mobile Switching Center

• Also called the Switch• Controls multiple Base Stations; handles voice trunks• Responsible for setting up, routing and supervising calls to and from the

mobile subscriber• GMSC is a MSC with a capability to:

– Interface between mobile network and other networks– Query the HLR to determine where to route an incoming call for a

subscriber of this network• A “Pure GMSC” is a GMSC that subscribers cannot latch on to (no VLR

attached and no BSCs connected)

What is SS7?

• Is a global standard for telecommunication defined by the International Telecommunication Union (ITU) .

• Signaling System 7 (SS7) is a system that transports the information required to set up and manage telephone calls by converting signaling information to digital packets.

• Signaling – communication between different network elements to achieve some purpose (most common and oldest purpose – setting up a phone call)

• SS7 is a type of “Common Channel” signaling as it achieves signaling by sending formatted messages on a common channel dedicated for signaling

• Evolved to control mobile/wireless and intelligent networking (800, LNP, callerID)

• E1 and T1 physical links

Basic Signalling System((SS7 Stack) in Mobile network protocol

MTP = Message Transfer PartRouting, datalink, physical

Call control

Cellular/wirelessIntelligentNetworking

MTP1/2/3 in brief

• MTP 1 – SS7 architectural level that defines the physical, electrical, and

functional characteristics of the digital signaling link.

– Deals with H/W and electrical configuration at the level of link, interface cards and multiplexers.

• MTP 2:– SS7 data link layer protocol. – Exercises flow control, message sequence validation, error checking,

and retransmission.

• MTP 3:– Introduces addresses and can perform routing– The address is called a Signaling Point Code (14-bit integer in ETSI

and 24-bit integer in ANSI networks)– MPT3 header has 2 addresses – the Originating (sender’s) point code

and the Destination (receiver’s) point code

SCCP, TCAP in brief

• SCCP (Signaling Connection Control Part):– Introduces more sophisticated routing and addressing– Adds the concept of a “Global Title”, which is a higher level address than the point code– Global Titles are similar to phone numbers (CC+NDC+num)– Makes true End to End communication practical– SCCP is used as the transport layer for TCAP-based services such as freephone

(800/888), calling card, local number portability

• TCAP(Transaction Capabilities Application Part):– Introduces the concept of “transactions” – allowing applications to associate related

messages with each other– Supports primitives like Begin, Continue, End and Abort– Supports Transaction Ids for both sides (Orig and Dest), but transactions that have a

Begin-End pattern use only 1 Transaction id (Orig).– An SSP uses TCAP to query an SCP to determine the routing number(s) associated with

a dialed 800, 888, or 900 number. The SCP uses TCAP to return a response containing the routing number(s) (or an error or reject component) back to the SSP. Calling card calls are also validated using TCAP query and response messages.

– TCAP is used largely by switching locations to obtain data from databases or to invoke features at another switch.

MAP – Mobile Application Part

• Enables real time communication between nodes in a mobile network.

• Signaling protocol for– Location Updating incl. GPRS– Call handling– Supplementary services– SMS Delivery

• IS-41D: TDMA/CDMA variant

ISUP, TUP

• ISUP (ISDN User Part):• Defines the protocols and procedures to set up, manage and

release trunk circuits that carry voice and data calls.

• TUP (Telephone User Part):• In some parts of the world the TUP supports basic call processing.

ISUP Call Scenario

ISUP Messages

• IAM - Initial Address Message• This is an ISUP message containing all the information necessary for a

switch to establish the connection.

• ACM - Address Complete Message• This message serves as the acknowledgment of an IAM. The ACM

indicates that the switch sending it has reserved the circuit designated for reservation in the IAM. Receipt of the ACM triggers the originating exchange to send the “phone ringing” (ringback) tone to the calling party.

• ANM - Answer Message• When the called party picks up the phone, the destination exchange senses

DC loop current on its subscriber interface. As a result, that exchange sends an answer message (ANM) back to the intermediate exchange.

• Each switch in the circuit completes its portion of the circuit and returns an ANM to the next switch closer to the calling party. When the ANM reaches the originating exchange, the call is connected.

ISUP Messages contd.

• REL - Release• This message is sent first by the exchange sensing that the phone was

hung up. Each subsequent exchange sends its own REL to the next exchange and initiates release of the circuitry.

• RLC - Release Complete• Each exchange receiving an REL sends an RLC message back to

acknowledge receipt of the REL and to indicate that circuit release has been initiated.

INAP – Intelligent Network Application Part

• INAP is a signaling protocol between a service switching point (SSP), network media resources (intelligent peripherals), and a centralized network database called a service control point (SCP).

• Through INAP, operators have gained independence from the software features offered by switch vendors.

SS7 Stack

Mobile charging system ( A holistic view)

Roaming Scenario – simplified view

MSC/

VLR

GMSC GMSC HLR

MSC/

VLR

MSC/

VLR

HLR

SMSCSMSC

Hutch, Mumbai (HPLMN)

Airtel, Delhi (VPLMN)

Location Update

MSC/

VLR

GMSC GMSC HLR

MSC/

VLR

MAP Update Location

MAP Cancel Location

HLR -> old VLR

MAP Insert Subscriber Data

MAP ISD Ack

MAP Update Location Ack

IMSI, VLR Address, HLR Address

MSISDN, Subscriber Profile Info

MAP Can Loc Ack

LU Req

MAP Update Location Area

IMSI, Loc Info (Cell id, Loc Area)

LU Cnf

MAP Upd Loc Area Ack

Hutch, MumbaiAirtel, Delhi

• Outgoing calls are called Mobile Originating Calls (MO Calls)

• Incoming calls are called Mobile Terminated Calls (MT Calls)

• Calls in a GSM network involve MAP as well as ISUP signaling

• Calls in a wireline network involve ISUP signaling only (exception – special services such as 800 numbers that involve database queries)

Calls

Outgoing (MO) Call to a wireline number

MSC/

VLR

GMSC GMSC HLR

MAP Send Info For Outgoing Call

ISUP IAM CIC=5

ISUP IAM CIC=7

Hutch, MumbaiAirtel, Delhi

Point to note:- Call does not involve home network

(Exception – CAMEL)

Incoming (MT) Call

MSC/

VLR

GMSC GMSC HLR

ISUP IAM CIC=10

MAP Send Routing Info

MAP Provide Roaming Number

MAP PRN Ack (MSRN)

SRI Ack (MSRN)

ISUP IAM

ISUP IAM

MAP Send Info For Incoming Call

Page and Ring

Hutch, MumbaiAirtel, Delhi

Mobile originating call

• Very popular service• Very efficient in terms of network resources• When A sends an SMS to B, it involves 2 steps:

– A submits SMS to A’s home SMSC (MO SMS from A)

– A’s SMSC delivers SMS to B (MT SMS to B)

• Point to note – SMS passes through only 1 SMSC (sender’s SMSC)• Either of the 2 steps (submit/delivery) can be done with a program (e.g.

News, Sports services on SMS) instead of a mobile station:– E.g. SMS “NEWS” to 8888. Delivery step involves application instead of MS.

– News application responds: Submit step involves application instead of MS.

• SMSC – Application communication is on TCP/IP, not SS7• These applications are called SMEs (Short Message Entities) • Several standard SMSC – SME protocols such as SMPP, UCP, CIMD2

SMS (Short Message Service)

SMS (all n/w components)

Incoming SMS

MSC/

VLR

GMSC GMSC HLR

SMSCSMSC

Orange, Mumbai (HPLMN)

Airtel, Delhi (VPLMN)

Sender’s

SMSC

MAP SRI_SM

MAP SRI_SM Ack (MSC Address)

MAP MT Fwd SM

Page and deliver

MAP MT Fwd SM Ack

SMS between different Radio access technology networks ( eg: Between CDMA and GSM

Thanks a lot…..Questions??