___                                                          ___
     The SS7 Signaling Connection Control Part Relay System
___                                                          ___

                      Friday May 12, 2000

^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^

-- Research --

++ Introduction ++
++ Key Benefits of SCCP Relay ++
++ Platform & Application / Security Issue ++
++ SCCP Relay & GTT Functional Description ++
++ SCCP Relay Software Architecture ++
++ SCCP Relay Hardware Architecture ++

-- GSM Background Information --

+ Home Location Register (HLR) +
+ Visitor Location Register (VLR) +
+ International Mobile Subscriber Identity (IMSI) +
+ GSM's Mobile Station Equipment (MSE) +

-- GSM Call Routing --

+ Mobile Subscriber Roaming +
+ Mobile Subscriber ISDN Number (MSISDN) Call Routing +
+ Implementation of a second HLR to the GSM Network +

-- References --

++ Web-site Resources ++
++ Acronym Definitions ++

-- Wrap-up --

+* Conclusion *+
+* Contact *+

^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^

Introduction --

As the number of wireless subscribers throughout Canada and the United States continues to increase dramatically each year, wireless carriers will be facing the challenges that rapid growth creates. One such challenge in this market is the migration from a single Home Location Register (HLR) to a multiple HLR topology.

The HLR, which successfully stores critical identification and subscription information about each customer, can become a network bottleneck either because of the sheer number of subscribers contained in the database, or because of the number of SS7 messages arriving at the HLR. A single HLR also poses a risk to the overall survivability of the entire wireless service under the new SS7 protocol.

Assembling additional HLR carriers to a wireless network presents significant and problematical challenges, however.
If the existing routing algorithms are simply expanded, then every Mobile Switching Center (MSC) and Signal Transfer Point (STP) on the network is affected, and the routing table management becomes extremely complicated and highly error prone. (STPs are the packet switches of the SS7 network. They receive and route incoming signaling messages towards the proper destination and also perform specialized routing functions.)

Many of the challenges in multiple HLR deployment are constantly an issue, and are constantly being worked upon. Fortunately a company by the name of MicroLegend has developed a centralized SS7 message routing system called the 'SCCP Relay.' The SCCP Relay supports all of the necessary GSM SS7 message routing tables to allow wireless carriers (specifically GSM/GPRS) to easily expand to a multiple HLR topology.

Throughout this document, I will attempt to introduce a new technology within the new world of the Out-of-band signaling SS7 architecture -- it is here to stay and it has taken over the world telecommunications significantly from its older counterpart switching system known as 5ESS.

Now please, sit back and relax, and prepare to enter the world of the SS7 Signaling Connection Control Part Relay System...

Key Benefits of SCCP Relay --

A number of key benefits of the SCCP Relay (which deserve some mention) are:

'Reduced operations and maintenance overhead'
-------------------------------------------

The routing information for each subscriber is centralized in the SCCP Relays, rather than being distributed among all of the STPs (Signal Transfer Point) and MSCs (Mobile Switching Center). This useful and practical method simplifies the process of entering and maintaining STP/MSC information, not to mention the problems involving troubleshooting of SS7 routing.
'Providing a scaleable architecture for growth'
--------------------------------------------

The SCCP Relay simplifies the addition of multiple Home Location Registers (HLRs) as the network itself develops. Much work has been done in this sector of SCCP development, and will continue to innovate the telecommunications industry.

'Improved overall network reliability'
------------------------------------

The SCCP Relay supports the automatic routing of SS7 messages to a backup Home Location Register (HLR) in the event of a Primary HLR failure. This unique and useful feature enables the multiple HLRs to be configured in a redundant and scaleable fashion, ensuring that the service itself remains available to customers even in the rare case of an HLR failure. From my knowledge of the SCCP Relay system, its up-time is approximately 99.99%. Impressive.

'Flexible connection options'
---------------------------

The SCCP Relay supports all types of Signaling System 7 (SS7) links; it can operate as an STP (Signaling Transfer Point), connecting directly to mobile switching centers (MSCs), Home Location Registers (HLRs) and other end nodes. Typically, the flexible connection types of SS7's Signaling Transfer Points (STP) can be configured to the proper destination in existing incoming routing functions.

'Mated pair deployment / Auto re-routing'
---------------------------------------

The SCCP Relay is deployed in a mated pair configuration, with each link being fully and 100% redundant. Each mated pair system is capable of handling the full load of network traffic (5,000,000 subscribers) with virtually no problems whatsoever.

Platform & Application / Security Issue --

Since its inception in 1994, Microlegend has focused exclusively on Signaling System 7 network solutions.
Microlegend's products support Intelligent Network services, resolve interworking problems, switch signaling traffic, interface SS7 and IP networks, and PROTECT network resources for telecommunications companies worldwide. Because of this, Microlegend has implemented ways which enable them to do their job quickly and reliably. Unfortunately the problem they are faced with is the issue concerning database security.

For example: When Microlegend's team of engineers want to perform system diagnosis, software updating, and subscriber databasing with "maximum efficiency", they simply use a dial-up connection. This dial-up connection (located in Ottawa, Ontario) requires absolutely no login or password at all - just the telephone number, and the optimal performing Unix Operating System known as 'VxWorks'.

What is at stake:

- Microlegend faces being compromised by hackers/phreakers and malicious persons. These persons could take advantage of this security flaw and steal potentially sensitive company information.

- The telecommunications infrastructure which supports well over 5,000,000 (five million) subscribers throughout Canada and the United States.

- Loss of revenue in the Billions due to time spent security auditing.

What can be done:

Instead of Microlegend compromising security for obscurity by using a dial-up account to perform their system diagnosis, software updating, and subscriber databasing, they should use their 10BaseT Ethernet LAN with an SSH connection to perform the necessary tasks.

SCCP Relay & GTT Functional Description --

A detailed understanding of the SCCP Relay product requires quite a bit of grounding in the workings of GSM networks. For convenience, I will briefly explain the key concepts of GSM network operation in relation to SCCP Relay and GTT functioning.

The SCCP Relay provides a "central point" for GTT provisioning and execution on behalf of the entire GSM carrier's SS7 network.
The SCCP Relay performs GTT capabilities for both the IMSI (123049210) and MSISDN (Mobile Subscriber Integrated Services Digital Network) Address types, eliminating the need to continually manage the routing tables within STPs (Signaling Transfer Point) or MSCs (Mobile Switching Center).

ASCII Diagram
-------------

[Diagram layout lost in extraction. Labelled elements: MSC, HLR, Gateway STP, and two nodes each labelled "SCCP Relay STP/MSC".]

[[ The SCCP Relay is deployed as a redundant pair of signaling nodes that can be accessed via SS7 links connected to currently deployed STPs or can be utilized as the STPs themselves. Where STPs previously have been deployed, the SCCP messages are routed to the Relay (partial GTT) by the STP/MSC. The SCCP Relay then performs system translation (either full or partial, depending on the provisioned data), and routes the message back to the network to be automatically forwarded to the destination HLR. The SCCP Relay can also perform the MTP routing, which is the main function of the STPs. This incredible capability enables the SCCP Relay to be deployed in networks without STPs. See the ASCII Diagram Above. ]]

SCCP Relay Software Architecture --

The SCCP Relay System is a solution based upon the 'Versatile Signaling Point' (VSP).

|| [look for a guide pertaining to VSP on Nettwerked soon: http://nettwerk.hypermart.net] ||

At the "heart" of the SCCP Relay is the object oriented SS7 stack that provides all the basic capabilities of a Signaling Transfer Point (STP) without compromising speed or security (well, maybe not security... but I'll look into it).
The VSP SS7 Stack includes MTP and SCCP layer functionality with a configurable GTT application, along with user interface, functioning log files (intruders beware!), and several SCSI Disk Processes. The GTT process supports both IMSI and MSISDN numbering formats, and as a group, these processes are referred to as the SS7 Message Handler Unit (MHU).

Basically what the SS7 MHU does is simple: it terminates the SS7 links, performs the GTT on incoming SS7 messages, and then re-routes the messages back onto the SS7 network. To optimize its performance, the MHU runs on that real-time UNIX operating system (you guessed it) 'VxWorks'.

The SCCP Relay system with its Versatile Signaling Point platform also includes an independent Database Administration Unit (DAU) that supports the provisioning and administration of the GTT data. The DAU, which happens to run on a UNIX-based Operating system (gotta love UNIX!) called AIX, includes a command parser, database manager, and a SCSI disk interface. The DAU and MHU communicate with each other in parallel over a highly redundant 10BaseT Ethernet LAN. An Ethernet WAN is used to connect the SCCP Relays, to ensure that they remain synchronized with each other properly.

In addition to the software running on the DAU and MHU, the SCCP Relay system incorporates a Graphical User Interface (GUI) program that can be installed on several of the operating stations. This user interface provides the ability to provision and view the GTT data that resides on the DAU, as well as the option to view the log information collected about GTT database transactions! The operation stations connect to the SCCP Relay through a LAN or WAN, depending on what option you choose. In addition, a custom interface to an existing provisioning system can be developed to provision and view the entire GTT database.
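The GTT step described above, as an added example that is not part of the original text and is not MicroLegend's code: IMSI blocks are resolved by longest prefix, MSISDNs by one exact record per subscriber, a backup HLR is used when the primary is down, and every provisioning transaction is logged. All class names, operators, point codes and subscriber numbers are constructed for illustration.

```python
# Added illustration; every name, point code and subscriber number is constructed.
from dataclasses import dataclass, field

HLR_1, HLR_2 = "2-10-1", "2-10-2"  # constructed SS7 point codes for two HLRs


@dataclass
class Route:
    primary: str  # HLR tried first
    backup: str   # HLR used when the primary is marked down


@dataclass
class GttTable:
    imsi_prefixes: dict = field(default_factory=dict)   # IMSI prefix -> Route
    msisdn_records: dict = field(default_factory=dict)  # full MSISDN -> Route
    down: set = field(default_factory=set)              # HLRs currently unavailable
    audit_log: list = field(default_factory=list)       # provisioning transactions

    def provision(self, operator, kind, key, route):
        """Add or replace a translation and record who changed what."""
        if kind not in ("imsi", "msisdn") or not key.isdigit():
            raise ValueError("kind must be 'imsi' or 'msisdn'; key must be digits")
        table = self.imsi_prefixes if kind == "imsi" else self.msisdn_records
        self.audit_log.append((operator, kind, key, table.get(key), route))
        table[key] = route

    def _lookup(self, kind, digits):
        if kind == "msisdn":
            # One exact record per subscriber: MSISDNs are not grouped by HLR.
            return self.msisdn_records.get(digits)
        # IMSIs are allocated in blocks, so the longest provisioned prefix wins.
        for length in range(len(digits), 0, -1):
            route = self.imsi_prefixes.get(digits[:length])
            if route is not None:
                return route
        return None

    def translate(self, kind, digits):
        """Return the HLR point code for a called party address, or None."""
        route = self._lookup(kind, digits)
        if route is None:
            return None  # no translation provisioned
        for hlr in (route.primary, route.backup):
            if hlr not in self.down:
                return hlr  # backup is chosen only when the primary is down
        return None


def build_demo_table():
    """Two IMSI blocks, one ported sub-block, and two MSISDN records."""
    t = GttTable()
    t.provision("ops1", "imsi", "0010100", Route(HLR_1, HLR_2))
    t.provision("ops1", "imsi", "0010105", Route(HLR_2, HLR_1))
    t.provision("ops2", "imsi", "00101001", Route(HLR_2, HLR_1))  # ported block
    t.provision("ops1", "msisdn", "17805550101", Route(HLR_1, HLR_2))
    t.provision("ops1", "msisdn", "17805550102", Route(HLR_2, HLR_1))
    return t


if __name__ == "__main__":
    table = build_demo_table()
    print(table.translate("imsi", "001010098765432"))   # block on HLR_1
    print(table.translate("imsi", "001010012345678"))   # ported sub-block
    table.down.add(HLR_1)
    print(table.translate("msisdn", "17805550101"))     # fails over to backup
    for entry in table.audit_log:
        print(entry)
```

Each audit entry keeps the previous route next to the new one, so a changed translation can be traced to the operator who provisioned it.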
For convenience check out the following terribly drawn ASCII diagram to get a better idea about how the SCCP Relay's DB Admin works with AIX and how the Message Handler works with VxWorks and how they all work together on the seamless 10BaseT LAN/WAN.

ASCII Diagram
-------------

[Diagram layout lost in extraction. Labelled elements of the SCCP Relay box: "DB Admin Unit" (AIX) containing Command Parser, SCSI Control and DB Manager; "SS7 Msg Handler" (VxWorks) containing GTT Application, SCSI Control, Log Server, MTP UI and the SS7 Stack with its SCCP Layer and MTP Layer. External labels: Console (serial cable), 10 BaseT, Customer Defined Admin Interface, Ops Station, Mate SR System, SS7 Links.]

SCCP Relay Hardware Architecture --

The VSP platform, on which the SCCP Relay runs, is available in a variety of configurations and sizes. The VSP scales smoothly from an economical system with only four SS7 links to a fully loaded system with over 75 SS7 links. The basic structure of the hardware components of the SCCP Relay, regardless of the size and configuration, is exactly the same. The only real differences between small systems and large systems are the number of cards, and the size of the chassis itself.

The MHU is controlled by a System Controller card based on a 200 MHz PowerPC(tm) processor. This processor controls the system level functions, including the TCP/IP port, the serial ports, and the SCSI interface for the disk drive.
It also provides control for two Link Interface (LI) cards, with up to four SS7 links on each. As these Link Interface cards are added, every third card is a Link controller card, with its own 300 MHz PowerPC(tm) processor. This distributed processor architecture ensures that the SCCP Relay has sufficient power to handle very large numbers of subscribers (over 5,000,000 [Five Million]).

Each Link Interface card can support as many as four (4) SS7 Links. The V.35 cards provide four SS7 ports, while the E1 and T1 versions provide two SS7 ports each.

The DAU runs in its own independent chassis, with its own independent fan, SCSI disk and power supply. It uses the same System Controller card as the MHU, without the need for the use of any Link Interface or Link Controller cards.

ASCII Diagram
-------------

[Diagram layout lost in extraction. Upper chassis, captioned "Database Administration Unit": 10BaseT port, Serial (Console) port, Disk (AIX), Fan, Power Supply (DC Supply), Processor - System Controller. Lower chassis: six card slots numbered 1, 2, 3, 1, 2, 3, where 1 is the Processor - System Controller and 2 and 3 are Link Interface Cards (4 SS7 links); 10BaseT, E1/T1/V.35, Serial (Console) and Serial (Logs) ports; Disk (VxWorks); Fan; two Power Supplies (DC Supply). The lower chassis is captioned:]
SS7 Message Handling Unit

GSM Background Information --

(Acronym Definitions in paragraph form)

'Home Location Register (HLR)'

A Home Location Register (HLR) is a database that contains semipermanent mobile subscriber information for a wireless carrier's entire subscriber base. HLR subscriber information includes the International Mobile Subscriber Identity (IMSI), service subscription information, location information (the identity of the currently serving Visitor Location Register (VLR) to enable the routing of mobile-terminated calls), service restrictions and supplementary services information.

What the HLR basically does is handle SS7 transactions with both Mobile Switching Centers (MSCs) and of course VLR nodes, which either request information from the HLR or update the information contained within the HLR. The HLR also initiates transactions with VLRs to complete incoming calls and to update subscriber data.

Traditional wireless network design (anything before 1996) is based on the utilization of a single Home Location Register (HLR) for each wireless network, but growth considerations are prompting carrier administrators to consider multiple HLR databases. So what does that mean? It means our Telecommunications Industry is under pressure to develop larger and faster networks in order to satisfy the needs of residential and business customers.

'Visitor Location Register (VLR)'

A Visitor Location Register (VLR) is a database which contains temporary information concerning the mobile customers (subscribers) that are currently located in a given MSC (Mobile Switching Centre) serving area, but whose Home Location Register (HLR) is elsewhere (out of range). When a mobile subscriber roams away from his/her home location and into a remote location (ie.
digital to analog), SS7 messages are used to obtain information about the subscriber from the HLR, and essentially create a temporary record for the subscriber in the VLR which usually only has one per Mobile Switching Centre.

'International Mobile Subscriber Identity (IMSI) Number'

"What the hell is IMSI?" - IMSI is a unique non-dialable number allocated to each mobile subscriber in the GSM system that identifies the subscriber and his or her subscription within the GSM network. Make sense yet? The IMSI resides in the Subscriber Identity Module (SIM), which is transportable across Mobile Station Equipment (MSE) (look for IMSI being supported by the GPRS standard soon!)

The IMSI is made up of three important parts:

#1. The Mobile Country Code (MCC)
#2. The Mobile Network Code (MNC) (they consist of 2 digits)
#3. The Mobile Subscriber Identity Number (MSIN) (they consist of 10 digits)

'Mobile Subscriber ISDN (MSISDN) Number'

The MSISDN is the dialable number that subscribers use to reach another mobile subscriber. Some of the newer phones (ie. newer GSM supported Motorolas, Nokias) in Canada and the U.S. support the up-to-date multiple MSISDNs which are now in effect.

'Mobile Station Equipment (MSE) Subscription Services'

GSM carriers typically order Mobile Station Equipment (MSE) (or GSM phones) from their suppliers (Nokia, Motorola, Sony, etc.) in large quantities (e.g. 1000 Units). After receiving an order, the equipment supplier will program the ordered MSE SIMs with a range of IMSI numbers.

GSM Call Routing --

'Mobile Subscriber Roaming'

When a mobile subscriber roams into a new location area, the VLR automatically determines that it must update the HLR with the new location information, which it does using an SS7 Location Update Request Message (LURM). The Location Update Message is then routed to the HLR through the SS7 network, based on the global title translation of the IMSI that is stored within the SCCP Called Party Address portion of the message.
The HLR responds with a message that informs the VLR whether the subscriber should be provided services in the new location.

'Mobile Subscriber ISDN Number (MSISDN) Call Routing'

When a user dials a GSM mobile subscriber's MSISDN, the PSTN routes the call to the Home MSC based on the dialed telephone number. The MSC must then query the HLR based on the MSISDN identification, to acquire routing information required to route the call to the subscriber's current location.

The MSC stores sensitive global title translation tables that are used to determine the HLR associated with the MSISDN. When only one HLR exists, the translation tables are trivial. When more than one HLR is used however, the translations become extremely challenging, with one translation record per subscriber (see the useful example below). Having determined the appropriate HLR address, the MSC sends a Routing Information Request (RIR) to it.

Example:
--------

When the HLR receives the Routing Information Request, it "maps" the MSISDN to the IMSI, and ascertains the subscriber's personal profile including the current VLR at which the subscriber is registered. The HLR then queries the VLR for a Mobile Station Roaming Number (MSRN). The MSRN is essentially an ISDN telephone number at which the mobile subscriber can be reached. The MSRN is a temporary number that is valid ONLY for the duration of a single call. The HLR generates a response message, which includes the MSRN, and sends it back across the SS7 network to the MSC. Finally, the MSC attempts to complete the call using the MSRN provided.

'Implementation of a second HLR to the GSM Network'

As a GSM wireless carrier's subscriber base grows, it will eventually become necessary to add a second HLR to their network (obviously). This requirement might be prompted by a Service Subscription Record Storage Capacity Issue (SSRSCI) or perhaps an SS7 Message Processing Performance Issue (MPPI).
It might possibly be prompted by a need to increase the overall network reliability. The new HLR can be populated with service subscription records as new subscribers are brought into service, or existing service subscription records can be ported from the old HLR to the new HLR to more evenly distribute the growing SS7 traffic load. Usually, when new subscribers are brought into service, the second HLR will be populated with blocks of IMSI numbers that are allocated when new MSE equipment is ordered.

Much more complicated SS7 message routing Global Title Translations are required for Routing Information Request transactions between the MSCs distributed over the entire wireless carrier serving area and the two or more HLRs. MSC Routing Information Requests are routed to the appropriate HLR based on the dialed MSISDN and not the IMSI. Unlike the IMSI numbers, the MSISDN numbers cannot easily be arranged in groups to reside within a single HLR and therefore, the MSC must contain an MSISDN to HLR address association record for every mobile subscriber homed on each of the MSCs.

References --

'Web-site Resources'

Frame Relay
http://cctpwww.cityu.edu.hk/network/l2_framerelay.htm

Frame Relay Forum
http://www.frforum.com/

HN Networks
http://www.hn-networks.co.uk/index.html

MicroLegend SS7 Tutorial
http://www.microlegend.com/whatss7.shtml

Telecom Testing Support for GSM, SS7, GPRS, CDMA, Broadband
http://www.radcom-inc.com/tstsolut/telecom.htm

--

This is seriously the best information I could find. What ever happened to the days where you'd punch in a phrase or word, and actually find decent documents on personal and/or educational web-sites? Now all I run into are these God damn commercial .com sites who just want to sell their shitty hardware/software... who just want to make a BUCK. Well never worry about me selling out to "the man", because all my information is going to stay completely FREE! =)

'Acronym Definitions'

I compiled most of these myself...
the rest are stolen.

ACM      Address Complete Message
ANM      Answer Message
A Links  Access Links
BIB      Backward Indicator Bit
B Links  Bridge Links
BSN      Backward Sequence Number
CDT      Conversation Data Table
CPA      Called Party Address
CPN      Called/Calling Party Number
DAU      Database Administration Unit
D Links  Diagonal Links
DPA      Distributed Processor Architecture
DPC      Destination Point Code
E Link   Extended Link
F Link   Fully Associated Link
FIB      Forward Indicator Bit
FISU     Fill in Signal Unit
FSN      Forward Sequence Number
GTT      Global Title Translation
HLR      Home Location Register
IAM      Initial Address Message
IRSC     International Roaming Signaling Converter
ISDN     Integrated Services Digital Network
ISUP     ISDN User Part
KBPS     Kilobits per Second
LSSU     Link Status Signal Unit
LURM     Location Update Request Message
Mf       Multifrequency
MHU      Message Handler Unit
MPPI     Message Processing Performance Issue
MSC      Mobile Switching Center
MSE      Mobile Station Equipment
MSIN     Mobile Subscriber Identity Number
MSISDN   Mobile Subscriber Integrated Services Digital Network
MSRN     Mobile Station Roaming Number
MSU      Message Signal Unit
MTP      Message Transfer Part
OMAP     Operations, Maintenance and Administration Part
OPC      Originating Point Code
PC       Point Code
PSTN     Public Switched Telephone Network
RBOC     Regional Bell Operating Company
REL      Release Message
RCL      Release Complete Message
RIR      Routing Information Request
RSP      Route Set Prohibited Test Message
RSR      Restricted Test Message
SS7      Signaling System 7
SCCP     Signaling Connection Control Part
SCP      Signal Control Point
SLS      Signaling Link Selection
SOI      Service Order Interface
SSRSCI   Service Subscription Record Storage Capacity Issue
SRT      Screening and Rerouting Table
SSP      Signal Switching Point
STP      Signal Transfer Point
SU       Signal Unit
TCAP     Transaction Capabilities Application Part
TFA      Transfer Allowed Message
TFP      Transfer Prohibited Message
TFR      Transfer Restricted Message
TUB      Traffic Usage or Billing
VPC      Virtual Point Codes
VSP      Versatile Signaling Point

Wrap-up --

'Conclusion'

This is the first
of many SS7 related documents to be published for Nettwerked / Hack Canada, which of course is a good thing because there aren't enough people in the world writing about the SS7 protocol let alone home grown Canadians! Look for an introductory SS7 paper soon.

'Contact'

webmaster@nettwerk.hypermart.net
http://nettwerk.hypermart.net

A N E T T W E R K E D   P R O D U C T