
   ___                                                        ___
   The SS7 Signaling Connection Control Part Relay System
   ___                                                        ___

					Friday May 12, 2000

^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^
    -- Research --

++ Introduction ++

++ Key Benefits of SCCP Relay ++

++ Platform & Application / Security Issue ++

++ SCCP Relay & GTT Functional Description ++

++ SCCP Relay Software Architecture ++

++ SCCP Relay Hardware Architecture ++

    -- GSM Background Information --

+ Home Location Register (HLR) +

+ Visitor Location Register (VLR) +

+ International Mobile Subscriber Identity (IMSI) +

+ GSM's Mobile Station Equipment (MSE) +

    -- GSM Call Routing --

+ Mobile Subscriber Roaming +

+ Mobile Subscriber ISDN Number (MSISDN) Call Routing +

+ Implementation of a second HLR to the GSM Network +

    -- References --

++ Web-site Resources ++

++ Acronym Definitions ++

    -- Wrap-up --

+* Conclusion *+
+* Contact *+

^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^ ^^^  

 Introduction --

  As the number of wireless subscribers throughout Canada and the United States
continues to increase dramatically each year, wireless carriers will be facing
the challenges that rapid growth creates. One such challenge in this market
is the migration from a single Home Location Register (HLR) to a multiple HLR

The HLR, which stores critical identification and subscription information
about each customer, can become a network bottleneck either because of the
sheer number of subscribers contained in the database, or because of the
number of SS7 messages arriving at the HLR. A single HLR also poses a risk to
the overall survivability of the entire wireless service under the new SS7
protocol.

Adding HLRs to a wireless network presents significant and problematic
challenges, however. If the existing routing algorithms are simply expanded,
then every Mobile Switching Center (MSC) and Signal Transfer Point (STP) on
the network is affected, and routing table management becomes extremely
complicated and highly error prone.

(STPs are the packet switches of the SS7 network. They receive and route incoming 
 signaling messages towards the proper destination and also perform specialized
 routing functions.)

Many of the challenges of multiple HLR deployment remain open issues and are
still being worked on. Fortunately, a company by the name of MicroLegend has
developed a centralized SS7 message routing system called the 'SCCP Relay.'
The SCCP Relay supports all of the GSM SS7 message routing tables needed to
let wireless carriers (specifically GSM/GPRS) expand easily to a multiple HLR
topology.

Throughout this document, I will attempt to introduce a new technology within
the new world of the out-of-band signaling SS7 architecture -- it is here to
stay, and it has significantly taken over world telecommunications from its
older counterpart, the switching system known as 5ESS.

Now please, sit back and relax, and prepare to enter the world of the SS7 Signaling 
Connection Control Part Relay System...

 Key Benefits of SCCP Relay --

  A number of key benefits of the SCCP Relay (which deserve some mention) are:

  'Reduced operations and maintenance overhead'

The routing information for each subscriber is centralized in the SCCP Relays,
rather than being distributed among all of the STPs (Signal Transfer Points)
and MSCs (Mobile Switching Centers). This useful and practical method
simplifies the process of entering and maintaining STP/MSC information, not
to mention the troubleshooting of SS7 routing.

  'Providing a scaleable architecture for growth'

The SCCP Relay simplifies the addition of multiple Home Location Registers
(HLRs) as the network itself develops. Much work has been done in this sector
of SCCP development, and it will continue to innovate the telecommunications
industry.

  'Improved overall network reliability'

The SCCP Relay supports the automatic routing of SS7 messages to a backup
Home Location Register (HLR) in the event of a primary HLR failure. This
unique and useful feature enables the multiple HLRs to be configured in a
redundant and scaleable fashion, ensuring that the service itself remains
available to customers even in the rare case of an HLR failure. From my
knowledge of the SCCP Relay system, its up-time is approximately 99.99%.
Impressive.

  'Flexible connection options'

The SCCP Relay supports all types of Signaling System 7 (SS7) links, and it
can operate as an STP (Signaling Transfer Point), connecting directly to
mobile switching centers (MSCs), Home Location Registers (HLRs) and other
end nodes. Typically, the flexible connection types of SS7's Signaling
Transfer Points (STPs) can be configured so that incoming messages are
routed to the proper destination by the existing routing functions.

  'Mated pair deployment / Auto re-routing'

The SCCP Relay is deployed in a mated pair configuration, with each link being
fully (100%) redundant. Each system in the mated pair is capable of handling
the full network traffic load (5,000,000 subscribers) with virtually no
problems whatsoever.

Platform & Application / Security Issue --

Since its inception in 1994, Microlegend has focused exclusively on Signaling
System 7 network solutions. Microlegend's products support Intelligent Network
services, resolve interworking problems, switch signaling traffic, interface
SS7 and IP networks, and PROTECT network resources for telecommunications
companies.

Because of this, Microlegend has implemented ways which enable them to do
their job quickly and reliably. Unfortunately the problem they are faced with
is the issue concerning database security. 

For example:

When Microlegend's team of engineers want to perform system diagnosis,
software updates, and subscriber database work with "maximum efficiency",
they simply use a dial-up connection. This dial-up connection (located in
Ottawa, Ontario) requires absolutely no login or password at all - just the
telephone number - and runs the high-performance Unix operating system known
as 'VxWorks'.

What is at stake:

- Microlegend faces being compromised by hackers/phreakers and malicious
  persons. These persons could take advantage of this security flaw and
  steal potentially sensitive company information.

- The telecommunications infrastructure which supports well over 5,000,000
  (five million) subscribers throughout Canada and the United States.

- Loss of revenue in the Billions due to time spent security auditing.

What can be done:

 Instead of Microlegend compromising security for obscurity by using a dial-up 
 account to perform their system diagnosis, software updating, and subscriber
 databasing, they should use their 10BaseT Ethernet LAN with an SSH connection
 to perform the necessary tasks.

 SCCP Relay & GTT Functional Description --

 A detailed understanding of the SCCP Relay product requires quite a bit of
grounding in the workings of GSM networks. For convenience, I will briefly
explain the key concepts of GSM network operation in relation to SCCP Relay
and GTT functioning.

The SCCP Relay provides a "central point" for GTT provisioning and execution on
behalf of the GSM carrier's entire SS7 network. The SCCP Relay performs GTT
for both the IMSI (123049210) and MSISDN (Mobile Subscriber Integrated
Services Digital Network) address types, eliminating the need to continually
manage the routing tables within STPs (Signaling Transfer Points) or MSCs
(Mobile Switching Centers).

ASCII Diagram	                 _______
-------------             / --- ( ( | ) )  - MSC
                         /  /--  ------- 
                        /  /
SCCP Relay    STP/MSC  /  /
    \          /      /  /
   ___        ___    /  /
  |   |      |   |__/  /
  |   | ---- |   |\   /
  |   |      |   | \ /
   ---  \  /  --- \ \
         \/    |  /\ \      ___ 
         /\    | /  \ \    (___)  - HLR
        /  \   |/    \ --- |   |
   ___ /    \ ___     \ /--(___)
  |   |      |   |   __/
  |   | ---- |   |  /   \    
  |   |      |   |-/     \         
   ---        --- \    	  \--;__  __
  		   \ ------- |  ||  | - Gateway STP
    /          \              --  -- 

[[ The SCCP Relay is deployed as a redundant pair of signaling nodes that can
be accessed via SS7 links connected to currently deployed STPs or can be utilized
as the STPs themselves. Where STPs previously have been deployed, the SCCP
messages are routed to the Relay (partial GTT) by the STP/MSC. The SCCP Relay
then performs system translation (either full or partial, depending on the provisioned
data), and routes the message back to the network to be automatically forwarded
to the destination HLR. The SCCP Relay can also perform the MTP routing, which is
the main function of the STPs. This incredible capability enables the SCCP Relay to
be deployed in networks without STPs. See the ASCII Diagram Above. ]]

 SCCP Relay Software Architecture --

The SCCP Relay System is a solution based upon the 'Versatile Signaling Point' (VSP).
      || [look for a guide pertaining to VSP on Nettwerked soon] ||
At the "heart" of the SCCP Relay is the object-oriented SS7 stack that provides
all the basic capabilities of a Signaling Transfer Point (STP) without compromising
speed or security (well, maybe not security... but I'll look into it).

The VSP SS7 Stack includes MTP and SCCP layer functionality with a configurable
GTT application, along with user interface, functioning log files (intruders beware!),
and several SCSI Disk Processes.

The GTT process supports both IMSI and MSISDN numbering formats, and as
a group, these processes are referred to as the SS7 Message Handler Unit (MHU).

Basically what the SS7 MHU does is simple: it terminates the SS7 links, performs
the GTT on incoming SS7 messages, and then re-routes the messages back onto the 
SS7 network. To optimize its performance, the MHU runs on that real-time UNIX
operating system (you guessed it) 'VxWorks'.

The SCCP Relay system with its Versatile Signaling Point platform also includes
an independent Database Administration Unit (DAU), which supports the provisioning
and administration of the GTT data. The DAU, which happens to run on a UNIX-based
operating system (gotta love UNIX!) called AIX, includes a command parser, database
manager, and a SCSI disk interface. The DAU and MHU communicate with each other
over a highly redundant 10BaseT Ethernet LAN. An Ethernet WAN is used to
connect the SCCP Relays, to ensure that they remain synchronized with each other.

In addition to the software running on the DAU and MHU, the SCCP Relay system 
incorporates a Graphical User Interface (GUI) program that can be installed on 
several of the operating stations. This user interface provides the ability to 
provision and view the GTT data that resides on the DAU, as well as the option
to view the log information collected about GTT database transactions!

The operation stations connect to the SCCP Relay through a LAN or WAN, depending
on what option you choose. In addition, a custom interface to an existing provisioning
system can be developed to provision and view the entire GTT database. 
For convenience check out the following terribly drawn ASCII diagram to get a better
idea about how the SCCP Relay's DB Admin works with AIX and how the Message Handler
works with VxWorks and how they all work together on the seamless 10BaseT LAN/WAN.

ASCII Diagram

 	  - - - - - [#] ~ Console	               10 BaseT ~  
         |   							    |
        	 - Serial Cable			    SCCP Relay     
 	 |       ..____________________________________________     |
                . /				DB Admin Unit  \
	 |       |				      		|---|
           	 |					  	|
         |       | 	    (Command Parser)--------------------|---|- (@@)
		 |    	             \           \         	|   Customer
         |	 |     	 	      \           \        	| Defined Admin
		 |                     \           \            |  Interface
         |	 | (SCSI Control)--------(DB Manager)       |   |   |
		 | 				/    \ 	        |
         |	 | 			       /      \_ _ _ _ _ _ _|_ _($#)
		 | 		 	      /                 |    Ops Station
         |       |  AIX			     /                  |   |
         |       |	                     SS7 Msg Handler    |   |
 	         | (GTT Application)________			|	 
         | 	 |    	|         |    	    \			|   |
                 | (SCSI Control)----------(Log Server)		|
         |       |	 	  |	    |    |		|   |
          ------ |		  | 	    |	 |   (MTP UI)	|
		 |      __________|_________|    |     |	|   |
		 |    (( SS7   [SCCP Layer] |))  |     |	|
                 |    (( Stack  	  _/ ))  |     |	|   |
                 |    ((       [MTP Layer]___))__|     |	| \____(#!)
                 |    ((	 ||||	|____))________|	|   |--Mate
                 |    +__________||||_________+			|    SR System
                 |               ||||    			|   |
                 | 	         ||||				|
  	         | VxWorks       ||||				|   |
			      SS7 Links 			    |

 SCCP Relay Hardware Architecture --

 The VSP platform, on which the SCCP Relay runs, is available in a variety
of configurations and sizes. The VSP scales smoothly from an economical system
with only four SS7 links to a fully loaded system with over 75 SS7 links.

The basic structure of the hardware components of the SCCP Relay, regardless
of size and configuration, is exactly the same. The only real differences
between small systems and large systems are the number of cards and the size of
the chassis itself.

The MHU is controlled by a System Controller card based on a 200 MHz PowerPC(tm)
processor. This processor controls the system level functions, including the TCP/IP
port, the serial ports, and the SCSI interface for the disk drive. It also provides
control for two Link Interface (LI) cards, with up to four SS7 links on each.
As these Link Interface cards are added, every third card is a Link controller card,
with its own 300 MHz PowerPC(tm) processor. This distributed processor architecture
ensures that the SCCP Relay has sufficient power to handle very large numbers of 
subscribers (over 5,000,000 [Five Million]).

Each Link Interface card can support as many as four (4) SS7 Links. The V.35 cards
provide four SS7 ports, while the E1 and T1 versions provide two SS7 ports each.

The DAU runs in its own independent chassis, with its own independent fan, SCSI disk
and power supply. It uses the same System Controller card as the MHU, without the need
for the use of any Link Interface or Link Controller cards.

ASCII Diagram

		Database Administration Unit
          |							    |
          |							    |
10BaseT   |         						    |
   _______|  		     [Disk (AIX)]			    | DC Supply
          |   {{Fan}}          		       [*Power Supply*] ____|__
	  |							    |
	  |							    |
 Serial   |	 {{{Processor - System Controller}}}	            |
(Console) |							    |
   _______|							    |
          |							    |
          | Processor - System Controller: 1, 1		 	    |
 10BaseT  | Link Interface Card (4 SS7 links): 2, 2		    |
	  | Link Interface Card (4 SS7 links): 3, 3		    |
          |                _   _   _    _   _   _		    |
    ______|		  |1| |2| |3|  |1| |2| |3|		    |
          |		  | | | | | |  | | | | | |		   -- 
          | 		  | | | | | |  | | | | | |	           -- E1/T1/V.35
  Serial  |		  | | | | | |  | | | | | |		   --
(Console) | 		  | | | | | |  | | | | | |		   -- 
   _______|		  | | | | | |  | | | | | |		   --
          |   		  | | | | | |  | | | | | |		   --
          |    [Disk]     | | | | | |  | | | | | | 		   -- 
 Serial   |   [VxWorks]   | | | | | |  | | | | | | 		    |
 (Logs)   |		  | | | | | |  | | | | | |		    |
   _______|	 	  | | | | | |  | | | | | |		    |
          |		  | | | | | |  | | | | | |		    |
          |		  | | | | | |  | | | | | |	   	    |
          |		  | | | | | |  | | | | | |	  	    |
          |		  | | | | | |  | | | | | |		    |
          |	          |_| |_| |_|  |_| |_| |_|		    |
          |		     					    |
          |	   [-~-----------------FAN-----------------~-]      |
          |   [*Power Supply*]                    [*Power Supply*]  |
          |      (DC Supply)			     (DC Supply)    |
           SS7 Message Handling Unit

   GSM Background Information -- (Acronym Definitions in paragraph form)

'Home Location Register (HLR)'

A Home Location Register (HLR) is a database that contains semipermanent mobile
subscriber information for a wireless carrier's entire subscriber base.

HLR subscriber information includes the International Mobile Subscriber Identity
(IMSI), service subscription information, location information (the identity of
the currently serving Visitor Location Register (VLR), to enable the routing of
mobile-terminated calls), service restrictions and supplementary services
information.

What the HLR basically does is handle SS7 transactions with both Mobile Switching
Centers (MSCs) and, of course, VLR nodes, which either request information from the
HLR or update the information contained within the HLR. The HLR also initiates
transactions with VLRs to complete incoming calls and to update subscriber data.

Traditional wireless network design (anything before 1996) is based on the utilization
of a single Home Location Register (HLR) for each wireless network, but growth 
considerations are prompting carrier administrators to consider multiple HLR databases.

So what does that mean? It means our Telecommunications Industry is under pressure to
develop larger and faster networks in order to satisfy the needs of residential and
business customers.

'Visitor Location Register (VLR)'

A Visitor Location Register (VLR) is a database which contains temporary information
concerning the mobile customers (subscribers) that are currently located in a
given MSC (Mobile Switching Centre) serving area, but whose Home Location Register (HLR)
is elsewhere (out of range).

When a mobile subscriber roams away from his/her home location and into a remote location
(i.e. digital to analog), SS7 messages are used to obtain information about the subscriber
from the HLR, and essentially create a temporary record for the subscriber in the VLR
(there is usually only one VLR per Mobile Switching Centre).

'International Mobile Subscriber Identity (IMSI) Number' 

"What the hell is IMSI?" - IMSI is a unique non-dialable number allocated to each mobile
subscriber in the GSM system that identifies the subscriber and his or her subscription
within the GSM network. Make sense yet?

The IMSI resides in the Subscriber Identity Module (SIM), which is transportable across
Mobile Station Equipment (MSE) (look for IMSI being supported by the GPRS standard soon!)

The IMSI is made up of three important parts: 

#1. The Mobile Country Code (MCC)

#2. The Mobile Network Code (MNC) (consists of 2 digits)

#3. The Mobile Subscriber Identity Number (MSIN) (consists of 10 digits)

'Mobile Subscriber ISDN (MSISDN) Number'

The MSISDN is the dialable number that subscribers use to reach another mobile
subscriber. Some of the newer phones (i.e. newer GSM-supported Motorolas, Nokias)
in Canada and the U.S. support the up-to-date multiple MSISDNs which are now in 

'Mobile Station Equipment (MSE) Subscription Services'

GSM carriers typically order Mobile Station Equipment (MSE) (or GSM phones)
from their suppliers (Nokia, Motorola, Sony, etc.) in large quantities (e.g. 1000 Units).
After receiving an order, the equipment supplier will program the ordered MSE SIMs with a
range of IMSI numbers.

  GSM Call Routing --

 'Mobile Subscriber Roaming'

When a mobile subscriber roams into a new location area, the VLR automatically 
determines that it must update the HLR with the new location information, which it does
using an SS7 Location Update Request Message (LURM). The Location Update Message
is then routed to the HLR through the SS7 network, based on the global title translation
of the IMSI that is stored within the SCCP Called Party Address portion of the message.
The HLR responds with a message that informs the VLR whether the subscriber should
be provided service in the new location.

 'Mobile Subscriber ISDN Number (MSISDN) Call Routing'

When a user dials a GSM mobile subscriber's MSISDN, the PSTN routes the call
to the Home MSC based on the dialed telephone number. The MSC must then query
the HLR based on the MSISDN identification, to acquire the routing information
required to route the call to the subscriber's current location.

The MSC stores sensitive global title translation tables that are used to determine
the HLR associated with the MSISDN. When only one HLR exists, the translation tables
are trivial. When more than one HLR is used, however, the translations become extremely
challenging, with one translation record per subscriber (see the useful example below).
Having determined the appropriate HLR address, the MSC sends a Routing Information
Request (RIR) to it.

When the HLR receives the Routing Information Request, it "maps" the MSISDN to the IMSI,
and ascertains the subscriber's personal profile, including the current VLR at which the
subscriber is registered. The HLR then queries the VLR for a Mobile Station Roaming Number
(MSRN). The MSRN is essentially an ISDN telephone number at which the mobile subscriber
can be reached. The MSRN is a temporary number that is valid ONLY for the duration of a 
single call. The HLR generates a response message, which includes the MSRN, and sends it
back across the SS7 network to the MSC. Finally, the MSC attempts to complete the call
using the MSRN provided.
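The message sequence just described, written out as an added example (my
own, not from any vendor or standard): the MSC, HLR and VLR are plain Python
objects that pass tuples around in place of MAP/TCAP messages, the HLR maps
MSISDN to IMSI and consults the subscriber's profile (including the current
VLR and any call restriction), and the VLR hands out an MSRN that is valid
for one call and is returned to the pool afterwards. Every number, the
message labels and the MSRN pool are constructed for illustration.

```python
"""Message-level walkthrough of MSISDN call routing: PSTN -> MSC -> HLR -> VLR.

Added example, not from the original document or any vendor. The MSC, HLR
and VLR exchange tuples instead of MAP/TCAP messages; all numbers, labels
and the MSRN pool are constructed.
"""
from typing import Dict, List, Optional, Tuple


class Vlr:
    """Temporary records for roaming subscribers plus a pool of MSRNs."""

    def __init__(self, name: str, msrn_pool: List[str]):
        self.name = name
        self.free_msrns = list(msrn_pool)   # constructed roaming numbers
        self.active: Dict[str, str] = {}    # MSRN -> IMSI while a call uses it

    def provide_roaming_number(self, imsi: str) -> Optional[str]:
        if not self.free_msrns:
            return None                      # pool exhausted: the call cannot be routed
        msrn = self.free_msrns.pop(0)
        self.active[msrn] = imsi
        return msrn

    def release_msrn(self, msrn: str) -> None:
        # The MSRN is valid for a single call only; hand it back afterwards.
        del self.active[msrn]
        self.free_msrns.append(msrn)


class Hlr:
    """Maps MSISDN -> IMSI and keeps each subscriber's profile (current VLR, restrictions)."""

    def __init__(self, msisdn_to_imsi: Dict[str, str], profiles: Dict[str, dict]):
        self.msisdn_to_imsi = msisdn_to_imsi
        self.profiles = profiles

    def routing_information_request(self, msisdn: str, trace: list) -> Optional[str]:
        imsi = self.msisdn_to_imsi.get(msisdn)
        if imsi is None:
            trace.append(("HLR->MSC", f"RIR error: unknown MSISDN {msisdn}"))
            return None
        profile = self.profiles[imsi]
        if profile.get("barred"):
            trace.append(("HLR->MSC", "RIR error: incoming calls barred"))
            return None
        vlr = profile["vlr"]
        trace.append(("HLR->VLR", f"provide roaming number for IMSI {imsi} at {vlr.name}"))
        msrn = vlr.provide_roaming_number(imsi)
        if msrn is None:
            trace.append(("VLR->HLR", "no MSRN available"))
            return None
        trace.append(("VLR->HLR", f"MSRN {msrn}"))
        trace.append(("HLR->MSC", f"RIR response: MSRN {msrn}"))
        return msrn


class Msc:
    def __init__(self, hlr: Hlr):
        self.hlr = hlr

    def route_call(self, dialed_msisdn: str) -> Tuple[Optional[str], list]:
        """Mobile-terminated call setup; returns (MSRN or None, message trace)."""
        trace = [("PSTN->MSC", f"call to {dialed_msisdn}"),
                 ("MSC->HLR", f"RIR for {dialed_msisdn}")]
        msrn = self.hlr.routing_information_request(dialed_msisdn, trace)
        trace.append(("MSC", f"completes call using MSRN {msrn}" if msrn else "call fails"))
        return msrn, trace


def build_demo_network():
    """Constructed sample: one subscriber currently registered at a visited VLR."""
    vlr = Vlr("VLR-visited", ["15559000001", "15559000002"])
    hlr = Hlr({"15551230001": "999010000000001"},
              {"999010000000001": {"vlr": vlr, "barred": False}})
    return Msc(hlr), hlr, vlr


if __name__ == "__main__":
    msc, _, vlr = build_demo_network()
    msrn, trace = msc.route_call("15551230001")
    for hop in trace:
        print(*hop)
    vlr.release_msrn(msrn)     # call ended: the MSRN goes back to the pool
```

The trace returned by route_call is the same six-step exchange as in the
text; the two error branches (unknown MSISDN, barred subscriber) show why the
HLR, not the MSC, is the place where the subscriber's restrictions are
enforced.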

  'Implementation of a second HLR to the GSM Network'

As a GSM wireless carrier's subscriber base grows, it will eventually become
necessary to add a second HLR to their network (obviously). This requirement might be
prompted by a Service Subscription Record Storage Capacity Issue (SSRSCI) or
perhaps an SS7 Message Processing Performance Issue (MPPI). It might possibly be prompted
by a need to increase the overall network reliability.

The new HLR can be populated with service subscription records as new subscribers are 
brought into service or existing service subscription records can be ported from the old
HLR to the new HLR to more evenly distribute the growing SS7 traffic load.
Usually, when new subscribers are brought into service, the second HLR will be populated
with blocks of IMSI numbers that are allocated when new MSE equipment is ordered.

Much more complicated SS7 message routing Global Title Translations are required
for Routing Information Request transactions between the MSCs distributed over the
entire wireless carrier serving area and the two or more HLRs. MSC Routing Information
Requests are routed to the appropriate HLR based on the dialed MSISDN and not the IMSI.

Unlike the IMSI numbers, the MSISDN numbers cannot easily be arranged in groups to
reside within a single HLR and therefore, the MSC must contain an MSISDN to HLR 
address association record for every mobile subscriber homed on each of the MSCs.
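To make the last two paragraphs concrete, here is an added example (my own,
not from the original document or any vendor) that provisions a constructed
carrier with two HLRs and counts the GTT rows each routing model needs: IMSI
routing costs one row per block, MSISDN routing costs one row per subscriber,
and in the distributed model those per-subscriber rows are spread over every
MSC, whereas the centralised (SCCP Relay) model keeps a single copy. The
carrier layout, the IMSI block prefixes, the MSISDNs and the 7-digit block
length are all constructed.

```python
"""Provisioning-record growth for IMSI-based versus MSISDN-based GTT, in the
distributed (per-MSC) and centralised (SCCP Relay) models.

Added example, not from the original document or any vendor. The carrier
layout, IMSI block prefixes, MSISDNs and the block length are constructed.
"""
from typing import Dict, Optional

IMSI_BLOCK_LEN = 7   # constructed: the first 7 IMSI digits identify a provisioning block


class GttTables:
    """Routing data either replicated per MSC (distributed) or held once in the relay."""

    def __init__(self, centralised: bool):
        self.centralised = centralised
        self.imsi_blocks: Dict[str, str] = {}             # IMSI prefix -> HLR (one row per block)
        self.msisdn_rows: Dict[str, Dict[str, str]] = {}  # holding node -> {MSISDN: HLR}

    def holder(self, msc: str) -> str:
        return "SCCP Relay" if self.centralised else msc

    def provision(self, sub: dict) -> None:
        """sub has keys imsi, msisdn, hlr, home_msc (all constructed)."""
        block = sub["imsi"][:IMSI_BLOCK_LEN]
        owner = self.imsi_blocks.setdefault(block, sub["hlr"])
        if owner != sub["hlr"]:
            # An IMSI block is routed as a unit; it cannot be split across HLRs.
            raise ValueError(f"IMSI block {block} already routed to {owner}")
        rows = self.msisdn_rows.setdefault(self.holder(sub["home_msc"]), {})
        rows[sub["msisdn"]] = sub["hlr"]                  # one row per subscriber, no grouping

    def lookup_imsi(self, imsi: str) -> Optional[str]:
        return self.imsi_blocks.get(imsi[:IMSI_BLOCK_LEN])

    def lookup_msisdn(self, msisdn: str, asking_msc: str) -> Optional[str]:
        # A distributed MSC can only answer for the MSISDN rows it holds itself.
        return self.msisdn_rows.get(self.holder(asking_msc), {}).get(msisdn)

    def row_counts(self) -> Dict[str, int]:
        return {"imsi_blocks": len(self.imsi_blocks),
                "msisdn_rows": sum(len(rows) for rows in self.msisdn_rows.values()),
                "nodes_with_msisdn_rows": len(self.msisdn_rows)}


def build_carrier(n_msc: int, subs_per_msc: int, centralised: bool) -> GttTables:
    """Constructed carrier: subscribers alternate between two HLRs, each HLR
    owning one IMSI block, spread evenly over n_msc home MSCs."""
    tables = GttTables(centralised)
    for m in range(n_msc):
        for i in range(subs_per_msc):
            idx = m * subs_per_msc + i
            hlr = "HLR-1" if idx % 2 == 0 else "HLR-2"
            block = "9990101" if hlr == "HLR-1" else "9990102"  # placeholder MCC+MNC+block
            tables.provision({"imsi": f"{block}{idx:08d}",
                              "msisdn": f"1555{idx:07d}",
                              "hlr": hlr,
                              "home_msc": f"MSC-{m}"})
    return tables


if __name__ == "__main__":
    print("distributed:", build_carrier(4, 10, centralised=False).row_counts())
    print("centralised:", build_carrier(4, 10, centralised=True).row_counts())
```

Running it shows the same two IMSI-block rows in both models, but forty
MSISDN rows held on four separate nodes in the distributed model against one
node in the centralised one; an MSC in the distributed model also gets no
answer for an MSISDN it does not home, which is the per-MSC maintenance
burden the relay removes.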

    References --

'Web-site Resources'

Frame Relay

Frame Relay Forum

HN Networks

MicroLegend SS7 Tutorial

Telecom Testing Support for GSM, SS7, GPRS, CDMA, Broadband

-- This is seriously the best information I could find.
What ever happened to the days where you'd punch in a phrase or
word, and actually find decent documents on personal and/or educational
web-sites? Now all I run into are these God damn commercial .com's
sites who just want to sell their shitty hardware/software... who
just want to make a BUCK. Well never worry about me selling out
to "the man", because all my information is going to stay completely FREE! =)

'Acronym Definitions'

I compiled most of these myself... the rest are stolen.

ACM             Address Complete Message
ANM             Answer Message
A Links         Access Links
BIB             Backward Indicator Bit
B Links         Bridge Links
BSN             Backward Sequence Number
CDT             Conversation Data Table
CPA             Called Party Address
CPN             Called/Calling Party Number
DAU             Database Administration Unit
D Links         Diagonal Links
DPA             Distributed Processor Architecture
DPC             Destination Point Code
E Link          Extended Link
F Link          Fully Associated Link
FIB             Forward Indicator Bit
FISU            Fill in Signal Unit
FSN             Forward Sequence Number
GTT             Global Title Translation
HLR             Home Location Register
IAM             Initial Address Message
IRSC            International Roaming Signaling Converter
ISDN            Integrated Services Digital Network
ISUP            ISDN User Part
KPBS            Kilobits per Second
LSSU            Link Status Signal Unit
LURM            Location Update Request Message
Mf              Multifrequency
MHU             Message Handler Unit
MPPI            Message Processing Performance Issue
MSC             Mobile Switching Center
MSE             Mobile Station Equipment
MSIN            Mobile Subscriber Identity Number
MSISDN          Mobile Subscriber Integrated Services Digital Network
MSRN            Mobile Station Roaming Number
MSU             Message Signal Unit
MTP             Message Transfer Part 
OMAP            Operations, Maintenance and Administration Part
OPC             Originating Point Code
PC              Point Code
PSTN            Public Switched Telephone Network
RBOC            Regional Bell Operating Company
REL             Release Message
RCL             Release Complete Message
RIR             Routing Information Request
RSP             Route Set Prohibited Test Message
RSR             Restricted Test Message
SS7             Signaling System 7
SCCP            Signaling Connection Control Part
SCP             Signal Control Point
SLS             Signaling Link Selection
SOI             Service Order Interface
SSRSCI          Service Subscription Record Storage Capacity Issue
SRT             Screening and Rerouting Table
SSP             Signal Switching Point
STP             Signal Transfer Point
SU              Signal Unit
TCAP            Transaction Capabilities Application Part
TFA             Transfer Allowed Message
TFP             Transfer Prohibited Message
TFR             Transfer Restricted Message
TUB             Traffic Usage or Billing
VPC             Virtual Point Codes
VSP             Versatile Signaling Point

	Wrap-up --


This is the first of many SS7 related documents to be published for
Nettwerked / Hack Canada, which of course is a good thing because
there aren't enough people in the world writing about the SS7 protocol 
let alone home grown Canadians!

Look for an introductory SS7 paper soon.


			   N E T T W E R K E D
			      P R O D U C T 
