IN Intelligent Network

INIntelligent Network

• Basic IN concept & technology• Some basic IN services

Intelligent Network (IN) Concept

The intelligent network concept: intelligence is taken out of exchanges and placed in computer nodes that are distributed throughout the network.

Intelligence => access to various databases

This provides the network operator with the means to develop and control services more efficiently. New capabilities can be rapidly introduced into the network. Once introduced, services are easily customized to meet individual customer's needs.

Intelligent Network (IN) Concept

Exchange

STP SCP

SSP

Service Control Point (a network element containing the service logic, a database or register)

Service Switching Point (enables service triggering in an exchange)

MAP INAP CAP

ISUP

Operator implements service logic (IN Service)

IN service subscriber and customer

In a typical IN service scenario, the network operator or a 3rd party service provider implements the service for one or several subscribers, after which customers can use the service.

Service subscriber = company offering the service (e.g. the 0800 number that anybody can call)

Customers = those who use the service (e.g. those who call the 0800 number)

Confusion possible: IN service subscriber PSTN subscriber

Typical call-related IN procedure (1)

SSPExchange

SCP

1.

2.3.

4.5.

Exchange

1. Call routing proceeds up to Exchange

2. Trigger activated in Basic Call State Model at SSP

3. SSP requests information from SCP (database)

4. SCP provides information

5. Call routing continues (routing to next exchange) based on information received from SCP

SSPExchange

SCP

1.

2.3.

4.5.

Exchange

2. Trigger activated in Basic Call State Model at SSP

Typical triggers: Called number (or part of number) Called user (destination) is busy Called user does not answer in predefined time


SSPExchange1.

2.3.

5.Exchange

Example: Number translation in SCP SSP sends 800 number (0800 1234) SCP translates into ”real” number which is used for routing the call (+358 9 1234567)

4. SCP provides information

SCP


translation may be

based on several

variables

4.

Destination 1

SCP decides the destination of the call depending on the calling time or date:

9.00 - 17.00 => Destination 117.00 - 9.00 => Destination 2

SCP

Examples of how SCP can affect call (1)

Destination 2

SSPExchange

Called number

Time or date

Destination 1

SCP decides the destination of the call depending on the location of calling user: Calling user in southern Finland => Destination 1 Calling user in northern Finland => Destination 2

SCP


Destination 2

SSPExchange

Called number, Calling number

Destination 1

SCP decides the destination of the call depending on the traffic load in the network: Traffic load situation 1 => Destination 1 Traffic load situation 2 => Destination 2

SCP


Destination 2

SSPExchange

Called number

Network load

Intelligent Peripheral (IP) can (a) send announcements to the user (usually: calling user) and (b) receive DTMF digits from the user. IP is not a database; connection to exchange not via SS7, instead via digital TDM channels.

SCP

Additional IN features (1)

SSPExchange Exchange

IP

Typical applications: 1) Whenever services need user interaction2) User authentication

SCP

Additional IN features (2)


IP

SCP

User interaction in IN service


IP

1.4.

2.

3.

1. SCP orders IP to select and send announcement2. IP sends announcement to calling user3. User replies by giving DTMF number(s) to IP 4. IP sends number information to SCP in a signalling message

Announcement: “for this .. press 1, for that .. press 2”

SCP

User authentication (1)


IP

1.4.

2.

3.

1. SCP orders IP to select and send announcement2. IP sends announcement to calling user3. User gives authentication code (in DTMF form) to IP 4. IP sends authentication code to SCP in a signalling message

Announcement: “please press your PIN code ...”

SCP

User authentication (2)

SSPExchange

IP

1.3.

2.

Display message: “please press your PIN code ...”

When connected to the network via a digital subscriber line, the calling user can be notified with a digital message (“please press your PIN code ...”) instead of having to use the corresponding voice announcement.

1.

IN services

A large number of IN services can be implemented by combining different “building blocks”:

Called number translation (at SCP)Routing decision based on calling number, time, date, called user busy, called user alerting timeout, network load ...Announcements (from IP) or user notification (<= ISDN user signalling)DTMF number reception (at IP) and analysis (at SCP)Customised charging (at exchanges)

• •

•

•

•

IN service examples

“Traditional” IN services:

- Freephone / customised charging schemes - Virtual Privat Network (VPN) - Number portability - Televoting

“IN” in mobile networks:

- Mobility management (HLR, VLR = databases) - Security management (Authentication ...) - Additional IN services in mobile networks => CAMEL (Customised Applications for Mobile networks Enhanced Logic)

Freephone (800) serviceUser calls 0800 76543. SSP sends this number to SCP which after number analysis sends back to SSP the real destination address (09 1234567) and call can be routed to the destination. Called party is charged.

SSPExchange

SCP

1.

2.3.

4.5.

Destination

Charging: Destination (service subscriber) pays the bill

Premium rate serviceUser calls 0200 34343. SSP sends this number to SCP which after number analysis sends back to SSP the real destination address (09 676567) and call can be routed to the destination. Calling party is charged.

SSPExchange

SCP

1.

2.3.

4.5.

Destination

Charging: Calling user (customer) pays the (usually rather expensive) bill. Both service subscriber and service provider or network operator make profit!

Virtual private network (VPN) serviceA VPN provides corporate customers with a private number plan within the PSTN. The customer dials a private (short) number instead of the complete public number in order to contact another user within the VPN. User authentication is usually required.

SSPExchange

SCP

DestinationIP

User authentication

Number translation: 1212 => 09 1234567

Customised charging

Screening of incoming callsThis is an example of an IN service related to the call destination end. Alert called user only if calling number is 121212 or 234567, otherwise do something else (e.g. reject call or redirect call to another destination).

SSPExchange

SCP

Called user

Calling number = 121212 or 234567: Accept All other calling numbers: Reject or redirect

Local exchange of called user

VLR

Mobile terminated call (MTC)By far the most important "IN service" is mobility management during a mobile terminated call (MTC), which means finding out under which exchange or mobile switching center (MSC) a mobile user is roaming, so that the call can be routed to this exchange. More about this later.

GMSC

HLR

1.

2.

5.6.

Serving MSC

3.

4.7.

More about IN and IN services…

The link www.iec.org/online/tutorials/in provides some examples in Section 10 (AIN Service Creation Examples), for instance:

Example of service creation template:

PLMNPublic Land Mobile Network (official

name for mobile network)

• Circuit-switched (CS) core network (radio access network is not part of this course) • Basic concepts and network elements• Mobility management in PLMN

Cellular conceptA cellular network contains a large number of cells with a base station (BS) at the center of each cell to which mobile stations (MS) are connected during a call.

BS

BS

BS

BS

MS

If a connected MS (MS in call phase) moves between two cells, the call is not dropped. Instead, the network performs a handover (USA: handoff).

Mobility conceptA cellular network is divided into location areas (LA), each containing a certain number of cells.

As long as an idle MS (idle = switched on) moves within a location area, it can be reached through paging.

If an idle MS moves between two location areas, it cannot be reached before it performs location updating.

Location Area 1

Location Area 3

Location Area 2

Architecture of a mobile network

GSM BSS

3G RAN

PS core network

CS core networkGMSCMSC

VLRHLRAuCEIR

PSTNInternet

MS

Serving MSC

GSM BSS

3G RAN

PS core network

CS core networkGMSCMSC

VLRHLRAuCEIR

PSTNInternet

The serving mobile switching center (MSC) is the mobile counterpart to the local exchange in the PSTN.This is the MSC that is currently serving a mobile user.

VLR

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

The visitor location register stores temporary information on mobile users roaming in a location area under the control of the MSC/VLR.

MSCVLR

Gateway MSC

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

MSCVLR

The gateway MSC (located in the home PLMN of a mobile user) is the first contact point in the mobile network when there is an incoming call to the mobile user.

HLR

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

The home location register stores information on mobile users belonging to this mobile network (e.g. subscription data and present VLR under which the mobile user is roaming).

MSCVLR

AuC

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

The authentication center safely stores authentication keys (Ki) of mobile subscribers belonging to this mobile network.

MSCVLR

EIR

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

The equipment identity register stores information on stolen handsets (not stolen SIMs).

MSCVLR

SIM

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

Important mobile user information is stored in the subscriber identity module within the handset.

MSCVLR

SIM

CS core network

GSM BSS

3G RAN

PS core network

CS core networkGMSC

HLRAuCEIR

PSTNInternet

MSCVLR

The CS core network architecture is basically the same in 2G (GSM) and 3G mobile networks.In North America, IS-MAP signalling is used instead of GSM-MAP signalling. Europe: GSM core networkN. America: ANSI-41 core network

Basic functions in a mobile network

Session Management (SM)Call Control (CC)

Mobility Management (MM)

Radio Resource Management (RRM)

MOC, MTCPDP Context

Random access and channel reservation Handover managementCiphering (encryption) over radio interface

IMSI/GPRS Attach (switch on) and Detach (switch off) Location updating (MS moves to other Location Area)Authentication

1

23

4

Number refers to following

slides in the the slide set

Later lecture

Range of functions

GSM BSS or 3G

RAN

PS core network

CS core networkRRM

MM

CC

SM

Random access in a mobile networkCommunication between MS and network is not possible before going through a procedure called random access.

Random access must consequently be used in:Network-originated activity • paging, e.g. for a mobile terminated call (MTC)MS-originated activity • IMSI attach, IMSI detatch • GPRS attach, GPRS detach• location updating• mobile originated call (MOC)• SMS (short message service) message transfer

1

Random access in action (GSM)1. MS sends a short access burst over the Random Access CHannel (RACH) in uplink using Slotted Aloha (in case of collision => retransmission after random time) 2. After detecting the access burst, the network returns an ”immediate assignment” message which includes the following information: - allocated physical channel (frequency, time slot) in which the assigned signalling channel is located - timing advance (for correct time slot alignment)3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.

1

Multiplexing vs. multiple access

In downlink, multiplexing (e.g. TDM)

In uplink, multiple access (e.g. TDMA)

Multiple access is always associated with random access. MS requests signalling channel, and network decides which channel (e.g. time slot) will be used.

Network decides channel…

Network decides channel also in this case

1) PIN code (local authentication of handset => local security measure, network is not involved)2) Authentication (performed by network)3) Ciphering of information sent over air interface4) Usage of TMSI (instead of IMSI) over air interface

IMSI = International Mobile Subscriber Identity (globally unique identity)

TMSI = Temporary Mobile Subscriber Identity (local and temporary identity)

Security measures in a mobile network

Algorithm Algorithm

The same? If yes, authentication is successful

SIM (in handset)

Air interface

Network (algorithm running in AuC)

Random numberChallenge

Response

Authentication key Authentication key

RAND

SRESS

Ki Ki

Basic principle of authentication2

SRESA

Algorithm for calculating SRES runs within SIM (user side) and AuC (network side). The authentication key (Ki) is stored safely in SIM and AuC, and remains there during authentication.

The two SRES values are compared in the VLR.

Where does the algorithm run?2

AuCSIMVLR

Air interface

SRESS SRESA

RAND

Ki Ki

Using output and one or more inputs, it is in practice not possible to calculate “backwards” other input(s),“brute force approach”, “extensive search”

Key length in bits (N) is important (in case of brute force approach 2N calculation attempts may be needed)

Strength of algorithm is that it is secret => bad idea! “Security through obscurity”

Better: open algorithm can be tested by engineering community (security through strong algorithm)

Algorithm considerations2

HLR

MSCVLR 1

Most recently allocated TMSI and last visited LAI (Location Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitored LAI values are the same, no location updating is needed.

(Most generic scenario, see van Bosse for details)

MSCVLR 2

IMSI LAI 1TMSI

LAI 1

IMSILAI 1

3

(in broadcast messages)

Case study: Location updating (1)

SIMIMSITMSI

SIMMSC

VLR 1

MS has moved from a cell belonging to VLR 1 to another cell belonging to VLR 2.MS notices that the LAI values are different => location update is required!

MSCVLR 2

LAI 2HLR

(in broadcast messages)

3 Location updating (2)

IMSILAI 1

IMSITMSI

IMSI LAI 1TMSI

SIMMSC

VLR 1

MSCVLR 2

HLR


IMSILAI 1

SIM sends old LAI (i.e., LAI 1) and TMSI to VLR 2. VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

LAI 1, TMSI

No TMSI - IMSI context!

IMSITMSI

IMSI LAI 1TMSI

SIMMSC

VLR 1

MSCVLR 2

HLR


IMSILAI 1

However, VLR 2 can contact VLR 1 (address: LAI 1) and request IMSI. IMSI is sent to VLR 2. There is now a TMSI-IMSI context.

IMSI

Address: LAI 1

IMSITMSI

IMSITMSI

IMSI LAI 1TMSI

SIMMSC

VLR 1

MSCVLR 2

HLR


IMSITMSI

Important: HLR must be updated (new LAI). If this is not done, incoming calls can not be routed to new MSC/VLR. HLR also requests VLR 1 to remove old user data.

IMSITMSI

IMSILAI 1LAI 2

LAI 2

IMSI LAI 1TMSI

SIMMSC

VLR 1

MSCVLR 2

HLR


IMSILAI 2

VLR 2 generates new TMSI and sends this to user. User stores new LAI and TMSI safely in SIM. Location updating was successful!

IMSI LAI 1TMSILAI 2 TMSI

LAI 2TMSI

IMSI TMSI TMSI

Trade-off when choosing LA size

Affects signalling load

If LA size is very large (e.g. whole mobile network)

location updating not needed very often paging load is very heavy

If LA size is very small (e.g. single cell)

small paging load location updating must be done very often

High paging channel capacity required

+

+

3

Role of TMSI

MS NetworkRandom access

Authentication

Start ciphering

IMSI detach New TMSI allocated by

networkNew TMSI stored in SIM

CC or MM transaction

UsesTMSI

IMSI is not sent over air interface if

not absolutely necessary!

Mobile network identifiers (1)

SNCCMSISDN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)SN = Subscriber Number

NDC=

Globally unique number

E.164 numbering format

Mobile station ISDN (MSISDN) numbers are based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.When the calling (PSTN or PLMN) user dials an MSISDN number, the call is routed to the gateway MSC (GMSC) located in the home network of the called (mobile) user.


TNCCMSRN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number

NDC=

Temporarily allocated number

E.164 numbering format

Mobile station roaming numbers (MSRN) are also based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.The MSRN is selected by the MSC/VLR serving the called (mobile) user, sent to the GMSC, and used for routing the call from the GMSC to the serving MSC.


MSINMCCIMSI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)MSIN = Mobile Subscriber Identity Number (10 digits)

MNC= E.212 numbering format

The international mobile station identity (IMSI) is based on the ITU-T E.212 numbering plan and cannot be used for routing a circuit-switched call (exchanges or switching centers do not understand such numbers).The IMSI is stored in the HLR and SIM of the mobile user.



LACMCCLAI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)LAC = Location Area Code (10 digits)

MNC= E.212 numbering format

The location area identity (LAI) points to a location area belonging to a certain MSC/VLR. This identity must be stored in the HLR so that mobile terminated calls can be routed to the correct serving MSC/VLR.


IMEI ≈ ”Serial number of handset” (not SIM)

4 Case study: Mobile terminated call (1)

VLR

1. Using the MSISDN number (dialled by the calling user located in the PSTN or the PLMN of another operator) and standard SS7/ISUP signalling, the call is routed to the GMSC in the home network of the called mobile user.

GMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

(see van Bosse for details)

4 Mobile terminated call (2)

VLRGMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

2. The GMSC contacts the HLR of the called mobile user. The SS7/MAP signalling message contains the MSISDN number which points to the mobile user record (containing IMSI, LAI where user is roaming, etc.) in the HLR database.


VLRGMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

3. Using global title translation (GTT), the HLR translates the IMSI and LAI information into the signalling point code of the serving MSC/VLR. The HLR sends SS7/MAP request “Provide roaming number” (i.e. MSRN) to the VLR.


VLRGMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

4. The VLR selects a temporary MSRN. Note that there must be binding between MSRN and IMSI in the VLR.The VLR sends the MSRN to the GMSC (using SS7/MAP signalling).

MSRN IMSI


VLRGMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

5. Using the MSRN number and standard SS7/ISUP signalling, the call is routed to the serving MSC.Although not shown in the figure, there may be intermediate switching centers (serving MSC/VLR may be located at the other end of the world).


VLRGMSC

HLR

1.

2.

4.5.

Serving MSC

3.

4.6.

6. MSC/VLR starts paging within the location area (LA) in which the called mobile user is located, using TMSI for identification. Only the mobile user with the corresponding TMSI responds to the paging via the random access channel (RACH).

MSRN IMSIIMSI TMSI

Documents

IN Intelligent Network