\section{The GSM core network} \subsection{GSM core network components} \begin{frame}{GSM core network components} \begin{description}[MSC] \item[MSC] (Mobile Switching Center): The central switch \item[HLR] (Home Location Register): Database of subscribers \item[AUC] (Authentication Center): Database of authentication keys \item[VLR] (Visitor Location Register): For roaming users \item[EIR] (Equipment Identity Register): To block stolen phones \end{description} \end{frame} \begin{frame}{GSM network structure} \begin{description}[BTS] \item[MSC] Actual call switching and top-level mobility functions. May serve dozens of location areas \item[VLR] Temporary cache of subscriber data from HLR + TMSI \item[HLR] Subscriber databases + subscriber location information \item[AUC] Generation of authentication tuples \item[SMSC] SMS Service Centre, store+forward for SMS \end{description} \end{frame} \begin{frame}{GSM core network integration} \begin{itemize} \item VLR often integrated into MSC \item AUC often integrated with AUC \item integration so common, many graphs/diagrams are actually not 100\% correct \end{itemize} \end{frame} %\begin{frame}{GSM Network Structure} %\includegraphics[width=100mm]{GSMNetwork.pdf} %\end{frame} \begin{frame}{GSM network interfaces} \begin{description}[A-bis] \item[C] Interface between GMSC and HLR \item[D] Interface between MSC and HLR \item[E] Interface between MSC and MSC \end{description} All of them based on MAP, so C/D/E not commonly distinguished \end{frame} \subsection{GSM core network protocols} \begin{frame}{core network protocol stack} Traditional telephony based on SS7 / CS7, GSM too \begin{itemize} \item Lower layers (MTP2/MTP3) re-used \item ISUP used for actual call control signalling \item SCCP for routing / GTT \item TCAP for transaction supprt \item MAP for actual GSM related signalling \end{itemize} \end{frame} \begin{frame}{SS7 networks} \begin{itemize} \item STP - Signalling Transfer Point \begin{itemize} \item {\em Router} for SCCP \item performs GTT (see below) \end{itemize} \item SCP - Signalling Control Point \begin{itemize} \item {\em End-node} like MSC/HLR \item SCP has GT, PC, .. \end{itemize} \end{itemize} \end{frame} \begin{frame}{SS7 addresses} \begin{itemize} \item Point Code (PC) \begin{itemize} \item typically unique within PLMN / country \end{itemize} \item Global Title (GT) \begin{itemize} \item world-wide unique address \item translated into PC by GTT at STP \end{itemize} \item Subsystem Number (SSN) \begin{itemize} \item logical function address inside network (MSC, VLR, HLR, ...) \item not used on international links \end{itemize} \end{itemize} \end{frame} \begin{frame}{SS7 GTT (Global Title Translation)} Global Title Translation \begin{itemize} \item can happen at any STP \item translates a Destination GT into new destination address \item new dest address can be any address, such as \begin{itemize} \item new global title (GT) \item point code (PC) \item sub-system number (SSN) \end{itemize} \item GTT rules explicitly configured by operator, e.g. \begin{itemize} \item prefix or range based match \item (inter)nationalize numbering plan \item add digits at beginning or end \end{itemize} \end{itemize} \end{frame} \begin{frame}{SS7 physical layer} \begin{itemize} \item{classic SS7 signalling over TDM circuits} \begin{itemize} \item E1 timeslot (64kbps) \item multiple E1 timeslots (N*64kbps) \item MTP Level 2 / MTP Level 3 \end{itemize} \item modern networks use SIGTRAN \begin{itemize} \item IP as network layer replaces E1 lines \item SCTP on top(no TCP/UDP!) \item many different SIGTRAN stacking options \end{itemize} \item some vendor-proprietary protocols like SCCPlite \end{itemize} \end{frame} \begin{frame}{SIGTRAN stacking options} SIGTRAN != SIGTRAN \begin{itemize} \item IP/SCTP/M2PA/MTP2/MTP3/SCCP/TCAP/MAP \item IP/SCTP/M2UA/MTP3/SCCP/TCAP/MAP \item IP/SCTP/M3UA/SCCP/TCAP/MAP \item IP/SCTP/SUA/TCAP/MAP \end{itemize} \end{frame} \begin{frame}{SCCP} SCCP takes care of \begin{itemize} \item Global Title based addressing \item Global Title Translation \item connection-oriented or connectionless semantics \item GSM core network interfaces with MAP/CAP only use connection-less UDT service \end{itemize} \end{frame} \begin{frame}{TCAP} \begin{itemize} \item Idea: decouple transaction logic from actual application \item transaction semantics can be used by multiple higher-layer protocols \item state machines on both sides maintained outside of application \item protocol specified in ASN.1, BER encoding \end{itemize} \end{frame} \begin{frame}{MAP - Mobile Application Part} \begin{itemize} \item used between all classic GSM core network components \item application protocol on top of TCAP \item protocol specified in ASN.1, BER encoding \end{itemize} \end{frame} \begin{frame}{CAP - Camel Application Part} \begin{itemize} \item used for CAMEL entities (gsmSCF, gsmSSF, gprsSSF, gsmSRF) \item application protocol on top of TCAP \item protocol specified in ASN.1, BER encoding \end{itemize} \end{frame} \section{Roaming interfaces} \subsection{Roaming introduction} \begin{frame}{Introduction to Roaming} Roaming enables subscribers to use other operators' networks \begin{itemize} \item Home Network is called HPLMN \item Visited Network is called VPLMN \item Roaming requres between HPLMN and VPLMN \begin{itemize} \item Roaming agreement (contract) \item SS7 connectivity (ISUP/MAP/CAP) \item IP connectivity (for packet data) \end{itemize} \end{itemize} \end{frame} \begin{frame}{Roaming principle} \begin{itemize} \item MS, MSC, VLR and SGSN are in VPLMN \item HLR, AUC, GMSC and GGSN are in HPLMN \item they talk to each other via MAP, just like in non-roaming case \item selection of HPLMN based on IMSI of subscriber \item non-roaming caes: HPLMN == VPLMN \end{itemize} \end{frame} \begin{frame}{MVNO - Mobile Virtual Network Operators} A MVNO setup is a special case of roaming \begin{itemize} \item MNO operates PLMN with RAN and CN \item MVNO operates HPLMN without RAN (BSC/BTS) \item MVNO subscribers always roam into MNO network \end{itemize} \end{frame} %\subsection{Roaming transactions} %FIXME \subsection{Traditional Billing} \begin{frame}{Traditional Billing} Initially, GSM was designed for business users \begin{itemize} \item Billing was always post-paid \item Each PLMN simply logs all call/sms \item Logs called CDR (Call Data Record) \item At the end of the month, invoices are generated \item CDR records are exchanged between roaming partners \end{itemize} \end{frame} \begin{frame}{Billing for Roaming} \begin{itemize} \item CDR files often vendor-specific / custom \item GSMA established a standard called TAP \item TAP is the standard for exchange of billing records between roaming partners \item Summary: Intra-PLMN: CDR, Inter-PLMN: TAP \item TAP has many versions/generations \item Specified in ASN.1 \end{itemize} \end{frame} \begin{frame}{The advent of pre-paid} \begin{itemize} \item At some point, users wanted pre-paid services \item Difficult to implement in traditional billing architecture \item In HPLMN, every operator could come up with custom solution \item Thus, pre-paid initially not supported in roaming \item In the early pre-paid days, there were lots of ways to exceed pre-paid balance \end{itemize} \end{frame} \begin{frame}{Pre-paid required fundamental changes} \begin{itemize} \item The pre-paid balance / account is maintained in HPLMN \item HPLMN needs much more control over user while roaming \item A new protocol (CAMEL) was introduced, as well as new entities in the network \item Lots of changes all over netowrk elements (MSC, SGSN, HLR) \end{itemize} \end{frame} \subsection{CAMEL} \begin{frame}{CAMEL - Customized Applications Mobile Enhanced Logic} \begin{itemize} \item gsmSCF - Service Control Function \begin{itemize} \item receives per-subscriber specific config from HLR (CSI: CAMEL Subscription Information) \item remotely controls call, SMS, etc. processing \end{itemize} \item gsmSSF - Service Switching Function \begin{itemize} \item built into MSC \item hooks / triggers at key state changes \item allows gsmSCF to alter/override/abort transactions \end{itemize} \item gprsSSF provides similar feature inside SGSN \end{itemize} \end{frame}