Roamware Proprietary and Confidential 1 Copyright © Roamware Inc. 2003. All Rights Reserved. GSM and SS7 Overview

GSM and SS7 Overview
Session objective
To understand the main scenarios in a Global System for Mobile Communication (GSM) network, from a signaling perspective
Location update/ Registration
Concepts / Terminology encountered en route
GSM network elements
MCC – Mobile Country Code
MNC – Mobile Network Code
MSISDN – Mobile Station International ISDN Number
CC – Country Code
Signaling basics – Signaling System 7 (SS7) suite of protocols
GSM-SS7 Fundamentals
[Figure: Mobile Network diagram. Labels: MSC 1, MSC 2, BSC 1, VLR 1, VLR 2, GMSC, HLR, MSC/VLR, MSC/VLR, SMSC]
The Location Area (LA) is defined as an area in which a mobile station may move freely without updating the VLR. A location area may include one or several cells.
IMSI, MSISDN and IMEI
MSISDN: e.g. 91-9820-026174
IMSI (MCC + MNC + MSIN): total of 15 digits. MCC and MNC take up a maximum of 6 digits. MCC is the 3-digit country code and MNC is the 2-3 digit (mostly 2) network code within the country
e.g. 404-20-1234567890
IMEI: TAC, FAC, SNR
SNR – Serial Number (6 digits)
Numbering Plans
E.212
Not routable on SS7 network directly
E.214
MCC+MNC translated to CC+NDC
Remaining digits retained unchanged
In GSM, only HLR can be addressed this way (wildcard)
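The E.212 to E.214 translation described above, as an added Python example (not from the original slides): it splits an IMSI into MCC, MNC and MSIN and builds the global title used to reach the HLR. The translation table is constructed from the slide's sample numbers, and the 15-digit cap comes from E.214 rather than from the slide.

```python
"""E.212 IMSI -> E.214 Mobile Global Title (added example, constructed data)."""

# Constructed translation table: (MCC, MNC) -> (CC, NDC). The single entry
# reuses the slide's sample numbers (IMSI 404-20-..., MSISDN 91-9820-...);
# a real table is built from the operator's roaming agreements.
E212_TO_E164 = {
    ("404", "20"): ("91", "9820"),
}

MAX_E214_DIGITS = 15  # E.214 titles are limited to 15 digits


def parse_imsi(imsi, table=E212_TO_E164):
    """Split an IMSI into (MCC, MNC, MSIN) using the known-network table.

    The MNC is 2 or 3 digits and the IMSI does not say which, so the 3-digit
    reading is tried first and the 2-digit reading second (longest match).
    """
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in table:
            return mcc, mnc, imsi[3 + mnc_len:]
    # An unknown prefix cannot be routed: there is no HLR to address.
    raise LookupError(f"no E.214 translation for IMSI prefix {imsi[:6]}")


def imsi_to_mgt(imsi, table=E212_TO_E164):
    """Translate MCC+MNC to CC+NDC and keep the remaining digits (the MSIN).

    If the result is longer than 15 digits, the least significant MSIN
    digits are dropped, which is why only the HLR (addressed by prefix)
    can be reached this way.
    """
    mcc, mnc, msin = parse_imsi(imsi, table)
    cc, ndc = table[(mcc, mnc)]
    return (cc + ndc + msin)[:MAX_E214_DIGITS]


if __name__ == "__main__":
    sample = "404201234567890"  # the slide's example IMSI without separators
    print(parse_imsi(sample))
    print(imsi_to_mgt(sample))
```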
Main components of a GSM network
Cell sites (BTS – Base Transceiver Stations)
BSC - Base Station Controller (controls several BTSs)
MSC - Mobile Switching Center (controls several BSCs)
HLR – Home Location Register
VLR – Visitor Location Register
The Authentication Centre or AUC is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS etc) between the mobile phone and the GSM core network.
Proper implementation of security in and around the AUC is a key part of an operator's strategy to avoid SIM cloning.
The EIR (Equipment Identity Register) is often integrated into the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones.
Some More Terminology
MS – Mobile Station – Handset + SIM Card
A Public Land Mobile Network is a generic name for all mobile wireless networks that use land based radio transmitters or base stations.
HLR – Home Location Register
IMSI
MSISDN
Addresses of MSC and VLR currently serving the MS
The record is a permanent one – it is there even if the subscriber is roaming outside the home network
Has an interface to Customer Care / Billing system.
HLR is a central database that contains details of each mobile phone subscriber that is authorised to use the GSM core network.
More precisely, the HLR stores details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is one of the primary keys to each HLR record.
One database per operator
• Contains all the permanent subscriber information
– MSISDN (Mobile Subscriber ISDN number) is the telephone number of the subscriber
– IMSI code is used to link the MSISDN number to the subscriber's SIM (Subscriber Identity Module)
– International Mobile Subscriber Identity (IMSI) is the 15 digit code used to identify the subscriber
– It incorporates a country and operator code
– Charging information
– Services available to the customer
• Also the subscriber's present Location Area Code, which refers to the MSC, which can connect to the MS
The MS LAI and status (attached or detached) are also stored.
VLR – Visitor Location Register
Temporarily stores records for mobile subscribers who are served/attached to a cell served by the MSC attached to this VLR
Records are stored in VLR for local subscribers as well as roamers.
Records are removed from the VLR as soon as the subscriber leaves the area of this VLR and “registers” in a new MSC/VLR pair
Caches subscriber data so that the HLR need not be queried for everything.
Data stored – same as the HLR, plus the HLR address of the subscriber.
Data stored includes:
authentication data
GSM services that the subscriber is allowed to access
Primary functions of the VLR:
to inform the HLR that a subscriber has arrived in the particular area covered by the VLR
to track where the subscriber is within the VLR area (location area) when no call is ongoing
to allow or disallow which services the subscriber may use
to purge the subscriber record if a subscriber becomes inactive whilst in the area of a VLR. The VLR deletes the subscriber's data after a fixed time period of inactivity and informs the HLR (e.g. when the phone has been switched off and left off or when the subscriber has moved to an area with no coverage for a long time).
to delete the subscriber record when a subscriber explicitly moves to another VLR, as instructed by the HLR
MSC – Mobile Switching Center
Also called the Switch
Controls multiple Base Stations; handles voice trunks
Responsible for setting up, routing and supervising calls to and from the mobile subscriber
GMSC is a MSC with a capability to:
Interface between mobile network and other networks
Query the HLR to determine where to route an incoming call for a subscriber of this network
A “Pure GMSC” is a GMSC that subscribers cannot latch on to (no VLR attached and no BSCs connected)
What is SS7?
SS7 is a global standard for telecommunication defined by the International Telecommunication Union (ITU).
Signaling System 7 (SS7) is a system that transports the information required to set up and manage telephone calls by converting signaling information to digital packets.
Signaling – communication between different network elements to achieve some purpose (most common and oldest purpose – setting up a phone call)
SS7 is a type of “Common Channel” signaling as it achieves signaling by sending formatted messages on a common channel dedicated for signaling
Evolved to control mobile/wireless and intelligent networking (800, LNP, callerID)
E1 and T1 physical links
The standard defines the procedures and protocol by which network elements in the PSTN exchange information over a digital signalling network to effect wireless and wireline call setup, routing and control.
Signaling System 7 (SS7) is a system that transports the information required to set up and manage telephone calls by converting signaling information to digital packets. An international telecommunications standard, SS7 uses out-of-band signaling, meaning that signaling (control) information travels on a separate, dedicated 56 Kb/s or 64 Kb/s channel rather than on the same channel as the telephone call. Historically, the signaling for a telephone call has used the same voice circuit that the telephone call traveled on (this is known as in-band signaling).
Using SS7 technology, communications systems developers can create solutions that set up telephone calls more efficiently, offer enhanced security, and make it easier to incorporate and manage advanced capabilities such as call forwarding and wireless roaming service.
E1/T1
Wide area digital transmission scheme used predominantly in Europe that carries data at a rate of 2.048 Mbps. E1/T1 lines can be leased for private use from common carriers. The E1/T1 contains 32 timeslots at 64 Kbps.
T1 delivers 1.544 Mbps. A T1 interface supports 24 timeslots of 64 kbit/s each. One or more timeslots may be used for SS7 links.
LNP – Local Number Portability
SS7 Stack
A telephone caller dials a number that is received by a switch at the telephone company central office.
The switch - known as the Service Switching Point (SSP) - forwards the call over a Signaling System 7 (SS7) network to a Service Control Point (SCP) where the service logic is located.
The Service Control Point identifies the service requested from part of the number that was dialed and returns information about how to handle the call to the Service Switching Point.
MTP1/2/3 in brief
MTP 1:
SS7 architectural level that defines the physical, electrical, and functional characteristics of the digital signaling link.
Deals with H/W and electrical configuration at the level of link, interface cards and multiplexers.
MTP 2:
Exercises flow control, message sequence validation, error checking, and retransmission.
MTP 3:
Introduces addresses and can perform routing
The address is called a Signaling Point Code (14-bit integer in ETSI and 24-bit integer in ANSI networks)
MTP3 header has 2 addresses – the Originating (sender’s) point code and the Destination (receiver’s) point code
MTP 1 is concerned with the physical level (how to represent 0 and 1, voltage levels, multiplexing etc.)
MTP 1 - Deals with H/W and electrical configuration at the level of link, interface cards and multiplexers. One rule for MTP L1 is that a link must consist of 2 data channels operating in opposite directions at the same bit rate, i.e. the links must be bi-directional.
MTP 2 – Last to handle the messages being transmitted and first to handle the message being received.
MTP 3 - provides messages between signalling points in the network, helping control traffic when congestion or failures occur.
ETSI - European Telecommunications Standards Institute. - body established to coordinate the development of telecommunications systems within Europe
MTP3 is split into two distinct parts, SMH (Signalling Message Handling) and SNM (Signalling Network Management). The SNM part looks after the general management of MTP; the SMH part deals with the discrimination, distribution and routing of signalling messages. MTP3 defines the functions and procedures of the signalling system for signalling message handling and signalling network management. Signalling message handling consists of the actual transfer of a signalling message and directing the message to the proper signalling link or user part. Signalling network management consists of controlling the signalling message routing and configuration of the signalling network facilities based on predetermined information and the status of the signalling network facilities.
MTP 3 header consists of:
Service indicator - Used to perform message distribution and in some cases to perform message routing. The service indicator codes are used in international signalling networks for the following purposes:
Sub-service field - The sub-service field contains the network indicator and two spare bits to discriminate between national and international messages.
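An added example, not part of the original slides, that packs and parses the MTP3 header fields named above for the 14-bit point code format: service indicator, sub-service field, and the routing label carrying the destination and originating point codes. The field layout follows ITU-T Q.704; the sample values are constructed, and the 24-bit ANSI layout is not covered.

```python
import struct

# Service indicator values (low 4 bits of the service information octet)
SERVICE_INDICATORS = {0: "SNM", 1: "SNT", 3: "SCCP", 4: "TUP", 5: "ISUP"}
# Network indicator values (top 2 bits of the sub-service field)
NETWORK_INDICATORS = {0: "international", 1: "spare",
                      2: "national", 3: "reserved for national use"}


def format_pc(pc):
    """Render a 14-bit point code in the common 3-8-3 zone-area-point form."""
    return f"{pc >> 11}-{(pc >> 3) & 0xFF}-{pc & 0x7}"


def pack_header(si, ni, dpc, opc, sls):
    """Build the 5-byte SIO + routing label, rejecting out-of-range fields."""
    for name, value, bits in (("si", si, 4), ("ni", ni, 2), ("dpc", dpc, 14),
                              ("opc", opc, 14), ("sls", sls, 4)):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
    sio = (ni << 6) | si                      # the two spare bits stay zero
    label = dpc | (opc << 14) | (sls << 28)   # DPC sits in the low-order bits
    return struct.pack("<BI", sio, label)     # label is sent little-endian


def parse_header(data):
    """Decode SIO and routing label from the start of an MTP3 message."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes (SIO + 4-byte routing label)")
    sio, label = struct.unpack_from("<BI", data)
    si, ni = sio & 0x0F, sio >> 6
    return {
        "service": SERVICE_INDICATORS.get(si, f"unknown({si})"),
        "network": NETWORK_INDICATORS[ni],
        "dpc": label & 0x3FFF,           # destination (receiver's) point code
        "opc": (label >> 14) & 0x3FFF,   # originating (sender's) point code
        "sls": label >> 28,              # signalling link selection
    }


# Constructed sample: an SCCP message on a national network
SAMPLE = pack_header(si=3, ni=2, dpc=1234, opc=5678, sls=9)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    print(hdr["service"], hdr["network"],
          "OPC", format_pc(hdr["opc"]), "-> DPC", format_pc(hdr["dpc"]))
```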
SCCP, TCAP in brief
SCCP (Signaling Connection Control Part):
Introduces more sophisticated routing and addressing
Adds the concept of a “Global Title”, which is a higher level address than the point code
Global Titles are similar to phone numbers (CC+NDC+num)
Makes true End to End communication practical
SCCP is used as the transport layer for TCAP-based services such as freephone (800/888), calling card, local number portability
TCAP (Transaction Capabilities Application Part):
Supports primitives like Begin, Continue, End and Abort
Supports Transaction Ids for both sides (Orig and Dest), but transactions that have a Begin-End pattern use only 1 Transaction id (Orig).
An SSP uses TCAP to query an SCP to determine the routing number(s) associated with a dialed 800, 888, or 900 number. The SCP uses TCAP to return a response containing the routing number(s) (or an error or reject component) back to the SSP. Calling card calls are also validated using TCAP query and response messages.
TCAP is used largely by switching locations to obtain data from databases or to invoke features at another switch.
Signaling Connection Control Part (SCCP), a routing protocol in SS7 protocol suite in layer 4, provides end-to-end routing for TCAP messages to their proper database. SCCP provides connectionless and connection-oriented network services above MTP Level 3. While MTP Level 3 provides point codes to allow messages to be addressed to specific signaling points, SCCP provides subsystem numbers to allow messages to be addressed to specific applications or subsystems at these signaling points. SCCP is used as the transport layer for TCAP-based services such as freephone (800/888), calling card, local number portability, wireless roaming, and personal communications services (PCS).
SCCP also provides the means by which an STP can perform global title translation (GTT), a procedure by which the destination signaling point and subsystem number (SSN) is determined from digits (i.e., the global title) present in the signaling message. The global title digits may be any sequence of digits, such as 800/888 number, pertinent to the service requested.
When a mobile subscriber roams into a new mobile switching center (MSC) area, the integrated visitor location register requests service profile information from the subscriber's home location register (HLR) using mobile application part (MAP) information carried within TCAP messages.
Network device that filters, forwards, and floods frames based on the destination address of each frame. The switch operates at the data link layer of the OSI model.
End-to-end signaling is defined as signaling information that must be sent from the originating exchange to the final destination exchange.
MAP – Mobile Application Part
Enables real time communication between nodes in a mobile network.
Signaling protocol for
Mechanism for a Gateway-MSC (GMSC) to obtain a routing number for an incoming call
GPRS (general packet radio service) - A wireless communication service that permits fast, continuous access to the Internet from wireless phones, computers, and other devices.
ISUP, TUP
ISUP (ISDN User Part):
Defines the protocols and procedures to set up, manage and release trunk circuits that carry voice and data calls.
TUP (Telephone User Part):
In some parts of the world the TUP supports basic call processing.
ISUP Call Scenario
ISUP Messages
IAM - Initial Address Message
This is an ISUP message containing all the information necessary for a switch to establish the connection.
ACM - Address Complete Message
This message serves as the acknowledgment of an IAM. The ACM indicates that the switch sending it has reserved the circuit designated for reservation in the IAM. Receipt of the ACM triggers the originating exchange to send the “phone ringing” (ringback) tone to the calling party.
ANM - Answer Message
When the called party picks up the phone, the destination exchange senses DC loop current on its subscriber interface. As a result, that exchange sends an answer message (ANM) back to the intermediate exchange.
Each switch in the circuit completes its portion of the circuit and returns an ANM to the next switch closer to the calling party. When the ANM reaches the originating exchange, the call is connected.
IAM - The message is used to seize a circuit and transfer addressing and call handling / routing information
Any in-band signaling system that uses DC voltage.
ISUP Messages contd.
REL - Release
This message is sent first by the exchange sensing that the phone was hung up. Each subsequent exchange sends its own REL to the next exchange and initiates release of the circuitry.
RLC - Release Complete
Each exchange receiving an REL sends an RLC message back to acknowledge receipt of the REL and to indicate that circuit release has been initiated.
INAP – Intelligent Network Application Part
INAP is a signaling protocol between a service switching point (SSP), network media resources (intelligent peripherals), and a centralized network database called a service control point (SCP).
Through INAP, operators have gained independence from the software features offered by switch vendors.
Intelligent peripherals, which provide features such as voice announcements and interactive voice responses.
The Intelligent Network (IN) is a telephone network architecture that separates service logic from switching equipment, allowing new services to be added without having to redesign switch software to support new services. With IN, operators are able to implement differentiating, value added services giving them competitive advantages in the market since it makes it easier for a provider to add services and offer customers more service choices. IN is application independent, meaning that it provides generic, reusable functionalities that can be integrated and recombined to offer a host of revenue generating services.
Developed by the International Telecommunications Union (ITU), IN is recognized as a global standard.
SS7 Stack
Roaming Scenario – simplified view
[Figure: location update message flow between Vodafone, Mumbai (HPLMN) and Airtel, Delhi (VPLMN). Labels: Location Update; MSISDN, Subscriber Profile Info; MAP Can Loc Ack; LU Cnf]
Calls
Outgoing calls are called Mobile Originating Calls (MO Calls)
Incoming calls are called Mobile Terminated Calls (MT Calls)
Calls in a GSM network involve MAP as well as ISUP signaling
Calls in a wireline network involve ISUP signaling only (exception – special services such as 800 numbers that involve database queries)
[Figure: call signaling between MSC/VLR, GMSC, GMSC and HLR. Labels: ISUP IAM CIC=5; ISUP IAM CIC=7]
(Exception – CAMEL)
Customisable Applications for Mobile Enhanced Logic
The circuit identification code (CIC) identifies the circuit that is being set up or released. The CIC may be a voice trunk or any other transmission medium in the PSTN.
Incoming (MT) Call
[Figure: incoming call flow between Vodafone, Mumbai (HPLMN) and Airtel, Delhi (VPLMN). Label: Page and Ring]
When a subscriber in the fixed network (PSTN/ISDN) dials a mobile number (MSISDN), the local exchange identifies the number as a mobile number and sets up a connection to the nearest gateway (GMSC) in the PLMN. Since the GMSC does not know the MS location or its state (attached or detached), the GMSC sends a request to the HLR for information so that the call can be routed to the MSC currently serving the mobile subscriber. The HLR returns the status of the MS as well as its current LAI.
If the MS is detached, the network will not proceed with the call set-up. If, however, the MS is attached, the call is routed to the MSC currently serving the MS.
To route the call to the correct MSC, the HLR will first request a routing number from the MSC service area's VLR. The HLR translates the MSISDN number into the IMSI before it forwards the IMSI, along with the request for an MSRN, to the MSC. The routing/roaming number (MSRN) contains all the necessary information to route the call request to the correct MSC.
The MSC returns the MSRN back to the GMSC via the HLR.
On receiving the MSRN, the GMSC then is able to route the call directly to the correct MSC.
Once the MSC is contacted, it instructs the BSCs in the subscriber’s location area (LA) to begin paging the MS, as the LAI for the MS is known and is stored in the VLR.
A paging message is sent to all the cells in the LA. In paging the MS, the BTSs transmit the TMSI over a radio channel known as paging channel.
SMS (Short Message Service)
Very efficient in terms of network resources
When A sends an SMS to B, it involves 2 steps:
A submits SMS to A’s home SMSC (MO SMS from A)
A’s SMSC delivers SMS to B (MT SMS to B)
Point to note – SMS passes through only 1 SMSC (sender’s SMSC)
Either of the 2 steps (submit/delivery) can be done with a program (e.g. News, Sports services on SMS) instead of a mobile station:
E.g. SMS “NEWS” to 8888. Delivery step involves application instead of MS.
News application responds: Submit step involves application instead of MS.
SMSC – Application communication is on TCP/IP, not SS7
These applications are called SMEs (Short Message Entities)
Several standard SMSC – SME protocols such as SMPP, UCP, CIMD2
Outgoing (MO) SMS
[Figure: MO SMS flow between Vodafone, Mumbai (HPLMN) and Airtel, Delhi (VPLMN). Labels: MAP Send Info For MO SMS; MAP MO Forward SM]
Incoming (MT) SMS
[Figure: MT SMS flow between Vodafone, Mumbai (HPLMN) and Airtel, Delhi (VPLMN). Label: MAP MT Fwd SM]
Call Forwarding
Call Forwarding Unconditional (CFU)
Call Forwarding on No Reply (CFNRy)
Call Forwarding on mobile subscriber Not Reachable (CFNRc)
Out of coverage
Each case can have a distinct “Forward To” number (FTN)
But usually call forwarding is set to Voicemail
[Figure: call forwarding flows. Labels: Call Forwarding Unconditional (CFU); CFNRc (IMSI Detach); SRI Ack (FTN); CFB/CFNRy/CFNRc (no coverage); Page; Failed]
Early and Late Call Forwarding
Call Forwarding cases are classified as Early or Late
Early : Call (ISUP IAM) is forwarded from Home GMSC
Late: Call (ISUP IAM) goes to Serving MSC, and is forwarded from there
Early Call Forwarding: CFU, CFNRc (IMSI Detach)
Late Call Forwarding: CFB, CFNRy, CFNRc (No coverage)
Late Call Forwarding is expensive when the subscriber is roaming
Further, the voicemail system may not receive the original called number and hence may have to prompt the caller to input the called number
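An added example, not from the original slides, modelling the HLR's answer to the GMSC routing query from the MT call description and the early/late forwarding split above. All subscriber records, numbers and node names are constructed, and the function names are hypothetical stand-ins for the MAP operations.

```python
from collections import deque

# Late forwarding reasons detected at the serving MSC, mapped to the service
LATE = {"busy": "CFB", "no_reply": "CFNRy", "no_coverage": "CFNRc"}

# Constructed HLR records keyed by MSISDN (every number here is made up)
HLR = {
    "919820000001": {"imsi": "404200000000001", "attached": True,
                     "vlr": "VLR-DELHI",
                     "ftn": {"CFB": "919820999999", "CFNRy": "919820999999"}},
    "919820000002": {"imsi": "404200000000002", "attached": True,
                     "vlr": "VLR-DELHI", "ftn": {"CFU": "919820999999"}},
    "919820000003": {"imsi": "404200000000003", "attached": False,
                     "vlr": None, "ftn": {"CFNRc": "919820999999"}},
    "919820000004": {"imsi": "404200000000004", "attached": False,
                     "vlr": None, "ftn": {}},
}
# Constructed pool of temporary roaming numbers (MSRN) owned by the VLR
MSRN_POOL = {"VLR-DELHI": deque(["919811500001", "919811500002"])}


def provide_roaming_number(vlr_name, imsi):
    """VLR side: hand out the next MSRN for this IMSI (HLR -> VLR request)."""
    pool = MSRN_POOL[vlr_name]
    msrn = pool[0]
    pool.rotate(-1)
    return msrn


def send_routing_info(msisdn):
    """HLR side of the GMSC query. Returns ("MSRN"|"FTN"|"FAIL", number)."""
    rec = HLR.get(msisdn)
    if rec is None:
        return ("FAIL", None)
    if "CFU" in rec["ftn"]:                       # early: unconditional
        return ("FTN", rec["ftn"]["CFU"])
    if not rec["attached"]:                       # early: IMSI detach
        ftn = rec["ftn"].get("CFNRc")
        return ("FTN", ftn) if ftn else ("FAIL", None)
    # The HLR maps MSISDN -> IMSI and asks the serving VLR for an MSRN
    return ("MSRN", provide_roaming_number(rec["vlr"], rec["imsi"]))


def route_mt_call(msisdn, outcome="answer"):
    """Return the ISUP IAM legs as (from, to, called number) tuples."""
    kind, number = send_routing_info(msisdn)
    if kind == "FAIL":
        return []
    if kind == "FTN":                             # forwarded from home GMSC
        return [("GMSC", "forward-to", number)]
    legs = [("GMSC", "serving MSC", number)]
    service = LATE.get(outcome)
    # The HLR record stands in for the VLR's cached copy of the subscriber data
    ftn = HLR[msisdn]["ftn"].get(service) if service else None
    if ftn:                                       # late: second leg from VPLMN
        legs.append(("serving MSC", "forward-to", ftn))
    return legs


if __name__ == "__main__":
    for number, outcome in (("919820000001", "busy"), ("919820000002", "answer")):
        print(number, outcome, route_mt_call(number, outcome))
```

For a roamer, the late case produces two legs that both cross between the home and visited networks, which is the cost the slide refers to.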
Passive Node, Active Node, ISUP Loopback
Passive node
Monitoring/ eavesdropping
No load added to network
Active node
Connectivity to at least one MSC/GMSC
Addresses needed (point code, global title)
ISUP Loopback
Convenient technique when a service/application needs to process ISUP but not voice
Uses the MSC’s ability to physically separate voice trunks from signaling on 2 different lines (e.g. E1/T1s)
Signaling E1/T1 sent to application (e.g. Roamware node)
Voice trunk E1/T1 looped back to switch
Thank you