
IN

Intelligent Network
Basic IN concept & technology
Some basic IN services

Intelligent Network (IN) Concept


The intelligent network concept: intelligence is taken out of exchanges and placed in computer nodes that are distributed throughout the network. Intelligence => access to various databases

This provides the network operator with the means to develop and control services more efficiently. New capabilities can be rapidly introduced into the network. Once introduced, services are easily customized to meet individual customer's needs.

Intelligent Network (IN) Concept


Operator implements service logic (IN Service)

[Figure: STP, SCP, SSP and exchange, with the signalling protocols MAP, INAP, CAP and ISUP]

SCP = Service Control Point (a network element containing the service logic, a database or register)
SSP = Service Switching Point (enables service triggering in an exchange)

IN service subscriber and customer


In a typical IN service scenario, the network operator or a 3rd party service provider implements the service for one or several subscribers, after which customers can use the service.

Service subscriber = company offering the service (e.g. the 0800 number that anybody can call)
Customers = those who use the service (e.g. those who call the 0800 number)

Confusion possible: IN service subscriber ≠ PSTN subscriber

Typical call-related IN procedure (1)


[Figure: exchanges, SSP and SCP, with steps 1-5 marked]

1. Call routing proceeds up to Exchange
2. Trigger activated in Basic Call State Model at SSP
3. SSP requests information from SCP (database)
4. SCP provides information
5. Call routing continues (routing to next exchange) based on information received from SCP

Typical call-related IN procedure (2)


2. Trigger activated in Basic Call State Model at SSP

Typical triggers:
- Called number (or part of number)
- Called user (destination) is busy
- Called user does not answer in predefined time

Typical call-related IN procedure (3)


4. SCP provides information

Example: Number translation in SCP
- SSP sends 800 number (0800 1234)
- SCP translates into real number which is used for routing the call (+358 9 1234567)
- translation may be based on several variables

Examples of how SCP can affect call (1)


[Figure: SSP, exchange and SCP. SCP inputs: called number, time or date. Outcomes: Destination 1 or Destination 2]

SCP decides the destination of the call depending on the calling time or date:

9.00 - 17.00 => Destination 1
17.00 - 9.00 => Destination 2

Examples of how SCP can affect call (2)


[Figure: SSP, exchange and SCP. SCP inputs: called number, calling number. Outcomes: Destination 1 or Destination 2]

SCP decides the destination of the call depending on the location of calling user:

Calling user in southern Finland => Destination 1
Calling user in northern Finland => Destination 2

Examples of how SCP can affect call (3)


[Figure: SSP, exchange and SCP. SCP inputs: called number, network load. Outcomes: Destination 1 or Destination 2]

SCP decides the destination of the call depending on the traffic load in the network:

Traffic load situation 1 => Destination 1
Traffic load situation 2 => Destination 2
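
The three SCP decisions above (time or date, location of the calling user, network load), together with the number translation from the earlier slide, sketched as one rule table. This is an added example, not part of the original slides; the rule format, the service numbers other than 0800 1234, the DEST-x labels, the calling-number prefixes and the load threshold are assumptions.

```python
from datetime import time

# Constructed service data. Only 0800 1234 -> +358 9 1234567 appears on the
# slides; the other service numbers, DEST-x labels and prefixes are assumptions.
RULES = {
    "08001234": [("always", None, "+35891234567")],
    "08005555": [("time", ("09:00", "17:00"), "DEST-1"),
                 ("time", ("17:00", "09:00"), "DEST-2")],
    "08006666": [("caller_prefix", "09", "DEST-1"),    # southern Finland (assumed)
                 ("caller_prefix", "016", "DEST-2")],  # northern Finland (assumed)
    "08007777": [("load_below", 0.8, "DEST-1"),
                 ("always", None, "DEST-2")],
}

def in_window(now, start, end):
    """True if start <= now < end; handles windows that wrap past midnight."""
    if start < end:
        return start <= now < end
    return now >= start or now < end

def matches(kind, arg, calling, now, load):
    if kind == "always":
        return True
    if kind == "time":
        start, end = (time.fromisoformat(t) for t in arg)
        return in_window(now, start, end)
    if kind == "caller_prefix":
        return calling.startswith(arg)
    if kind == "load_below":
        return load < arg
    raise ValueError(f"unknown rule kind: {kind}")

def scp_translate(called, calling, now, load=0.0):
    """Answer an SSP query: return the routing number, or None if no rule applies."""
    service = called.replace(" ", "")
    for kind, arg, destination in RULES.get(service, []):
        if matches(kind, arg, calling, now, load):
            return destination
    return None  # no translation available for this query
```

The 17.00 - 9.00 window wraps past midnight, which is why `in_window` treats `start > end` as a separate case.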

Additional IN features (1)


[Figure: SCP, SSP, exchanges and IP]

Intelligent Peripheral (IP) can (a) send announcements to the user (usually: calling user) and (b) receive DTMF digits from the user. IP is not a database; its connection to the exchange is not via SS7 but via digital TDM channels.

Additional IN features (2)


Typical applications:
1) Whenever services need user interaction
2) User authentication

User interaction in IN service


Announcement: for this .. press 1, for that .. press 2

[Figure: SCP, SSP, exchanges and IP, with steps 1-4 marked]

1. SCP orders IP to select and send announcement
2. IP sends announcement to calling user
3. User replies by giving DTMF number(s) to IP
4. IP sends number information to SCP in a signalling message

User authentication (1)


Announcement: please press your PIN code ...

1. SCP orders IP to select and send announcement
2. IP sends announcement to calling user
3. User gives authentication code (in DTMF form) to IP
4. IP sends authentication code to SCP in a signalling message

User authentication (2)


Display message: please press your PIN code ...

When connected to the network via a digital subscriber line, the calling user can be notified with a digital message (please press your PIN code ...) instead of having to use the corresponding voice announcement.

IN services
A large number of IN services can be implemented by combining different building blocks:
- Called number translation (at SCP)
- Routing decision based on calling number, time, date, called user busy, called user alerting timeout, network load ...
- Announcements (from IP) or user notification (<= ISDN user signalling)
- DTMF number reception (at IP) and analysis (at SCP)
- Customised charging (at exchanges)

IN service examples
Traditional IN services:
- Freephone / customised charging schemes
- Virtual Private Network (VPN)
- Number portability
- Televoting

IN in mobile networks:
- Mobility management (HLR, VLR = databases)
- Security management (Authentication ...)
- Additional IN services in mobile networks => CAMEL (Customised Applications for Mobile networks Enhanced Logic)

Freephone (800) service


User calls 0800 76543. SSP sends this number to SCP, which after number analysis sends back to SSP the real destination address (09 1234567), and the call can be routed to the destination. Called party is charged.

Charging: Destination (service subscriber) pays the bill

Premium rate service


User calls 0200 34343. SSP sends this number to SCP, which after number analysis sends back to SSP the real destination address (09 676567), and the call can be routed to the destination. Calling party is charged.

Charging: Calling user (customer) pays the (usually rather expensive) bill. Both service subscriber and service provider or network operator make profit!

Virtual private network (VPN) service


A VPN provides corporate customers with a private number plan within the PSTN. The customer dials a private (short) number instead of the complete public number in order to contact another user within the VPN. User authentication is usually required.

- Number translation: 1212 => 09 1234567
- Customised charging
- User authentication

[Figure: SCP, SSP, exchange, IP and destination]

Screening of incoming calls


This is an example of an IN service related to the call destination end. Alert called user only if calling number is 121212 or 234567, otherwise do something else (e.g. reject call or redirect call to another destination).

Calling number = 121212 or 234567: Accept
All other calling numbers: Reject or redirect

[Figure: SCP, SSP, exchange, local exchange of called user, called user]

Mobile terminated call (MTC)


By far the most important "IN service" is mobility management during a mobile terminated call (MTC), which means finding out under which exchange or mobile switching center (MSC) a mobile user is roaming, so that the call can be routed to this exchange. More about this later.

[Figure: GMSC, HLR, VLR and serving MSC, with steps 1-7 marked]

More about IN and IN services


The link www.iec.org/online/tutorials/in provides some examples in Section 10 (AIN Service Creation Examples), for instance:

Example of service creation template:

PLMN
Public Land Mobile Network (official name for mobile network)
Circuit-switched (CS) core network (radio access network is not part of this course)
Basic concepts and network elements
Mobility management in PLMN

Cellular concept
A cellular network contains a large number of cells with a base station (BS) at the center of each cell to which mobile stations (MS) are connected during a call. If a connected MS (MS in call phase) moves between two cells, the call is not dropped. Instead, the network performs a handover (USA: handoff).


Mobility concept
A cellular network is divided into location areas (LA), each containing a certain number of cells.

[Figure: Location Area 1, Location Area 2, Location Area 3]

As long as an idle MS (idle = switched on) moves within a location area, it can be reached through paging.

If an idle MS moves between two location areas, it cannot be reached before it performs location updating.

Architecture of a mobile network


[Figure: network architecture showing MS, GSM BSS, 3G RAN, CS core network (MSC, VLR, GMSC, HLR, AuC, EIR), PS core network, PSTN and Internet]

Serving MSC
The serving mobile switching center (MSC) is the mobile counterpart to the local exchange in the PSTN. This is the MSC that is currently serving a mobile user.

VLR
The visitor location register stores temporary information on mobile users roaming in a location area under the control of the MSC/VLR.

Gateway MSC
The gateway MSC (located in the home PLMN of a mobile user) is the first contact point in the mobile network when there is an incoming call to the mobile user.

HLR
The home location register stores information on mobile users belonging to this mobile network (e.g. subscription data and present VLR under which the mobile user is roaming).

AuC
The authentication center safely stores authentication keys (Ki) of mobile subscribers belonging to this mobile network.

EIR
The equipment identity register stores information on stolen handsets (not stolen SIMs).

SIM
Important mobile user information is stored in the subscriber identity module within the handset.

CS core network
The CS core network architecture is basically the same in 2G (GSM) and 3G mobile networks. In North America, IS-MAP signalling is used instead of GSM-MAP signalling.

Europe: GSM core network
N. America: ANSI-41 core network

Basic functions in a mobile network


Radio Resource Management (RRM)
- Random access and channel reservation (1)
- Handover management
- Ciphering (encryption) over radio interface

Mobility Management (MM)
- IMSI/GPRS Attach (switch on) and Detach (switch off)
- Location updating (MS moves to other Location Area) (3)
- Authentication (2)

Call Control (CC): MOC, MTC
Session Management (SM): PDP Context (later lecture)

Numbers in parentheses refer to the following slides in the slide set.

Range of functions
[Figure: range of the functions RRM, MM, CC and SM across GSM BSS or 3G RAN, CS core network and PS core network]

Random access in a mobile network

Communication between MS and network is not possible before going through a procedure called random access. Random access must consequently be used in:

Network-originated activity
- paging, e.g. for a mobile terminated call (MTC)

MS-originated activity
- IMSI attach, IMSI detach
- GPRS attach, GPRS detach
- location updating
- mobile originated call (MOC)
- SMS (short message service) message transfer

Random access in action (GSM)

1. MS sends a short access burst over the Random Access CHannel (RACH) in uplink using Slotted Aloha (in case of collision => retransmission after random time)
2. After detecting the access burst, the network returns an immediate assignment message which includes the following information:
- allocated physical channel (frequency, time slot) in which the assigned signalling channel is located
- timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.

Multiplexing vs. multiple access

In downlink, multiplexing (e.g. TDM): network decides channel
In uplink, multiple access (e.g. TDMA): network decides channel also in this case

Multiple access is always associated with random access. MS requests signalling channel, and network decides which channel (e.g. time slot) will be used.

Security measures in a mobile network


1) PIN code (local authentication of handset => local security measure, network is not involved)
2) Authentication (performed by network)
3) Ciphering of information sent over air interface
4) Usage of TMSI (instead of IMSI) over air interface

IMSI = International Mobile Subscriber Identity (globally unique identity)
TMSI = Temporary Mobile Subscriber Identity (local and temporary identity)

Basic principle of authentication


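[Figure: challenge-response authentication between the SIM (in handset) and the network (algorithm running in AuC) over the air interface]

Challenge: random number RAND, sent from the network to the SIM
SIM: Algorithm(RAND, authentication key Ki) => response SRES_S
Network: Algorithm(RAND, authentication key Ki) => SRES_A

The same? If yes, authentication is successful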

Where does the algorithm run?

Algorithm for calculating SRES runs within SIM (user side) and AuC (network side). The authentication key (Ki) is stored safely in SIM and AuC, and remains there during authentication. The two SRES values are compared in the VLR.
[Figure: RAND is sent over the air interface; the SIM (Ki) produces SRES_S and the AuC (Ki) produces SRES_A; both values meet in the VLR]

Algorithm considerations

Using output and one or more inputs, it is in practice not possible to calculate backwards the other input(s); what remains is the brute force approach (exhaustive search).

Key length in bits (N) is important (in case of brute force approach, 2^N calculation attempts may be needed).

Strength of algorithm is that it is secret => bad idea! (Security through obscurity)

Better: open algorithm can be tested by engineering community (security through strong algorithm)
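
The challenge-response exchange from the three slides above, as an added example that is not part of the original slides. The one-way function is a stand-in (HMAC-SHA256 truncated to 32 bits), not the algorithm used in real SIMs; the class and function names and the IMSI are constructed. The last function shows why key length N matters by searching a deliberately tiny key space.

```python
import hashlib
import hmac
import secrets

def sres(ki: bytes, rand: bytes) -> bytes:
    # Stand-in one-way function (assumption), not the real GSM algorithm.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class SIM:
    def __init__(self, ki: bytes):
        self._ki = ki                        # Ki never leaves the SIM

    def respond(self, rand: bytes) -> bytes:
        return sres(self._ki, rand)          # SRES_S

class AuC:
    def __init__(self):
        self._ki_by_imsi = {}                # Ki never leaves the AuC

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi: str):
        rand = secrets.token_bytes(16)       # fresh random number each time
        return rand, sres(self._ki_by_imsi[imsi], rand)   # (RAND, SRES_A)

def vlr_authenticate(auc: AuC, imsi: str, sim: SIM) -> bool:
    rand, sres_a = auc.challenge(imsi)       # VLR gets RAND and SRES_A
    sres_s = sim.respond(rand)               # RAND over the air, SRES_S back
    return hmac.compare_digest(sres_s, sres_a)   # "The same?" check in the VLR

def exhaustive_search(rand: bytes, observed: bytes, key_bits: int):
    # Cost of recovering a key from one (RAND, SRES) pair: up to 2**N attempts.
    nbytes = (key_bits + 7) // 8
    for attempts, guess in enumerate(range(2 ** key_bits), start=1):
        if sres(guess.to_bytes(nbytes, "big"), rand) == observed:
            return guess, attempts
    return None, 2 ** key_bits

def demo():
    auc, imsi = AuC(), "244050000000001"     # constructed IMSI
    ki = secrets.token_bytes(16)             # 128-bit key
    auc.provision(imsi, ki)
    genuine = vlr_authenticate(auc, imsi, SIM(ki))
    wrong_key = vlr_authenticate(auc, imsi, SIM(secrets.token_bytes(16)))
    return genuine, wrong_key
```

A 12-bit toy key falls to `exhaustive_search` within 4096 attempts; every added key bit doubles that bound, which is the point of the key-length remark above.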

Case study: Location updating (1)


(Most generic scenario, see van Bosse for details)
[Figure: SIM stores IMSI, LAI 1 and TMSI; LAI 1 is received in broadcast messages; MSC/VLR 1 holds the IMSI-TMSI pair; HLR holds IMSI and LAI 1; MSC/VLR 2 is also shown]

Most recently allocated TMSI and last visited LAI (Location Area ID) are stored in SIM even after switch-off.

After switch-on, MS monitors LAI. If stored and monitored LAI values are the same, no location updating is needed.

Location updating (2)

[Figure: SIM still stores IMSI, LAI 1 and TMSI; LAI 2 is now received in broadcast messages; MSC/VLR 1 holds the IMSI-TMSI pair; HLR holds IMSI and LAI 1; MSC/VLR 2 is also shown]

MS has moved from a cell belonging to VLR 1 to another cell belonging to VLR 2. MS notices that the LAI values are different => location update is required!

Location updating (3)

[Figure: SIM sends LAI 1 and TMSI to MSC/VLR 2, which has no TMSI-IMSI context; MSC/VLR 1 holds the IMSI-TMSI pair; HLR holds IMSI and LAI 1]

SIM sends old LAI (i.e., LAI 1) and TMSI to VLR 2. VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

Location updating (4)

[Figure: VLR 2 addresses VLR 1 using LAI 1; VLR 1 returns the IMSI; VLR 2 now holds an IMSI-TMSI pair; HLR holds IMSI and LAI 1]

However, VLR 2 can contact VLR 1 (address: LAI 1) and request IMSI.

IMSI is sent to VLR 2. There is now a TMSI-IMSI context.

Location updating (5)

[Figure: LAI 2 is sent to the HLR, where it replaces LAI 1 for this IMSI; VLR 2 holds the IMSI-TMSI pair]

Important: HLR must be updated (new LAI). If this is not done, incoming calls can not be routed to new MSC/VLR. HLR also requests VLR 1 to remove old user data.

Location updating (6)

[Figure: VLR 2 sends LAI 2 and a new TMSI to the SIM, which stores them in place of LAI 1 and the old TMSI; VLR 2 holds the IMSI-TMSI pair; HLR holds IMSI and LAI 2]

VLR 2 generates new TMSI and sends this to user. User stores new LAI and TMSI safely in SIM. Location updating was successful!

Trade-off when choosing LA size


If LA size is very large (e.g. whole mobile network)
+ location updating not needed very often
- paging load is very heavy (high paging channel capacity required)

If LA size is very small (e.g. single cell)
+ small paging load
- location updating must be done very often (affects signalling load)

Role of TMSI
[Figure: message sequence between MS and network]

Sequence: Random access, Authentication, Start ciphering, CC or MM transaction, IMSI detach

Notes in the figure:
- Uses TMSI
- IMSI is not sent over air interface if not absolutely necessary!
- New TMSI allocated by network
- New TMSI stored in SIM

Mobile network identifiers (1)


MSISDN = CC + NDC + SN (globally unique number, E.164 numbering format)

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
SN = Subscriber Number

Mobile station ISDN (MSISDN) numbers are based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call. When the calling (PSTN or PLMN) user dials an MSISDN number, the call is routed to the gateway MSC (GMSC) located in the home network of the called (mobile) user.

Mobile network identifiers (2)


MSRN = CC + NDC + TN (temporarily allocated number, E.164 numbering format)

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
TN = Temporary Number

Mobile station roaming numbers (MSRN) are also based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call. The MSRN is selected by the MSC/VLR serving the called (mobile) user, sent to the GMSC, and used for routing the call from the GMSC to the serving MSC.

Mobile network identifiers (3)


IMSI = MCC + MNC + MSIN (globally unique number, E.212 numbering format)

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
MSIN = Mobile Subscriber Identity Number (10 digits)

The international mobile station identity (IMSI) is based on the ITU-T E.212 numbering plan and cannot be used for routing a circuit-switched call (exchanges or switching centers do not understand such numbers). The IMSI is stored in the HLR and SIM of the mobile user.

Mobile network identifiers (4)


LAI = MCC + MNC + LAC (globally unique number, E.212 numbering format)

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
LAC = Location Area Code (10 digits)

The location area identity (LAI) points to a location area belonging to a certain MSC/VLR. This identity must be stored in the HLR so that mobile terminated calls can be routed to the correct serving MSC/VLR.

IMEI = serial number of handset (not SIM)

Case study: Mobile terminated call (1)


(see van Bosse for details)

[Figure: GMSC, HLR, VLR and serving MSC, with steps 1-6 marked]

1. Using the MSISDN number (dialled by the calling user located in the PSTN or the PLMN of another operator) and standard SS7/ISUP signalling, the call is routed to the GMSC in the home network of the called mobile user.

Mobile terminated call (2)


2. The GMSC contacts the HLR of the called mobile user. The SS7/MAP signalling message contains the MSISDN number which points to the mobile user record (containing IMSI, LAI where user is roaming, etc.) in the HLR database.

Mobile terminated call (3)


3. Using global title translation (GTT), the HLR translates the IMSI and LAI information into the signalling point code of the serving MSC/VLR. The HLR sends SS7/MAP request "Provide roaming number" (i.e. MSRN) to the VLR.

Mobile terminated call (4)


4. The VLR selects a temporary MSRN. Note that there must be binding between MSRN and IMSI in the VLR. The VLR sends the MSRN to the GMSC (using SS7/MAP signalling).

[Figure: the VLR holds the MSRN-IMSI binding]

Mobile terminated call (5)


5. Using the MSRN number and standard SS7/ISUP signalling, the call is routed to the serving MSC. Although not shown in the figure, there may be intermediate switching centers (serving MSC/VLR may be located at the other end of the world).

Mobile terminated call (6)


6. MSC/VLR starts paging within the location area (LA) in which the called mobile user is located, using TMSI for identification. Only the mobile user with the corresponding TMSI responds to the paging via the random access channel (RACH).

[Figure: the VLR holds the MSRN-IMSI and IMSI-TMSI bindings]
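
The location updating case study and the mobile terminated call above share the same registers, so both are modelled in one added example (not part of the original slides). The class and function names, the `directory` used by one VLR to reach another by LAI, the identifier formats and the sample MSISDN and IMSI are assumptions; real networks carry these steps in SS7/MAP and ISUP messages.

```python
import secrets

class HLR:
    def __init__(self):
        self.imsi_of, self.serving = {}, {}  # MSISDN -> IMSI; IMSI -> serving VLR

    def update_location(self, imsi, new_vlr):
        old, self.serving[imsi] = self.serving.get(imsi), new_vlr
        if old is not None and old is not new_vlr:
            old.cancel(imsi)  # HLR requests the old VLR to remove user data

    def provide_roaming_number(self, msisdn):
        imsi = self.imsi_of[msisdn]
        return self.serving[imsi].allocate_msrn(imsi)

class VLR:
    def __init__(self, lai, hlr, directory):
        self.lai, self.hlr, self.directory = lai, hlr, directory
        self.tmsi_to_imsi, self.msrn_to_imsi = {}, {}
        directory[lai] = self  # lets another VLR address this one by LAI

    def cancel(self, imsi):
        self.tmsi_to_imsi = {t: i for t, i in self.tmsi_to_imsi.items() if i != imsi}

    def attach(self, imsi):
        self.hlr.update_location(imsi, self)  # HLR must learn the new location
        self.cancel(imsi)                     # drop any older TMSI held here
        tmsi = secrets.token_hex(4)
        self.tmsi_to_imsi[tmsi] = imsi
        return self.lai, tmsi                 # the MS stores both in the SIM

    def location_update(self, old_lai, old_tmsi):  # all the MS sends; no IMSI
        imsi = self.tmsi_to_imsi.get(old_tmsi)
        if imsi is None and old_lai in self.directory:  # no TMSI-IMSI context here
            imsi = self.directory[old_lai].tmsi_to_imsi.get(old_tmsi)
        if imsi is None:
            raise LookupError("TMSI unknown; the IMSI must be requested from the MS")
        return self.attach(imsi)

    def allocate_msrn(self, imsi):
        msrn = "MSRN-" + secrets.token_hex(3)
        self.msrn_to_imsi[msrn] = imsi        # binding between MSRN and IMSI
        return msrn

    def page(self, msrn):
        imsi = self.msrn_to_imsi.pop(msrn)    # temporary number is released
        return next(t for t, i in self.tmsi_to_imsi.items() if i == imsi)

def mobile_terminated_call(hlr, directory, msisdn):
    msrn = hlr.provide_roaming_number(msisdn)  # steps 2-4: GMSC -> HLR -> VLR
    serving = next(v for v in directory.values() if msrn in v.msrn_to_imsi)  # step 5
    return serving.lai, serving.page(msrn)     # step 6: paging uses the TMSI

def demo():
    hlr, directory = HLR(), {}
    vlr1, vlr2 = VLR("LAI 1", hlr, directory), VLR("LAI 2", hlr, directory)
    hlr.imsi_of["+358401234567"] = "244050000000001"  # constructed MSISDN and IMSI
    lai, tmsi = vlr2.location_update(*vlr1.attach("244050000000001"))
    return lai, tmsi, vlr1.tmsi_to_imsi, mobile_terminated_call(hlr, directory, "+358401234567")
```

After the update, VLR 1 holds no context for the user and the incoming call is paged in LAI 2 with the TMSI that VLR 2 allocated; the only identities the MS sends in `location_update` are the old LAI and the TMSI.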
