Network switching subsystem

Last updated

Network switching subsystem (NSS) (or GSM core network) is the component of a GSM system that carries out call out and mobility management functions for mobile phones roaming on the network of base stations. It is owned and deployed by mobile phone operators and allows mobile devices to communicate with each other and telephones in the wider public switched telephone network (PSTN). The architecture contains specific features and functions which are needed because the phones are not fixed in one location.

Contents

The NSS originally consisted of the circuit-switched core network, used for traditional GSM services such as voice calls, SMS, and circuit switched data calls. It was extended with an overlay architecture to provide packet-switched data services known as the GPRS core network. This allows mobile phones to have access to services such as WAP, MMS and the Internet.

Mobile switching center (MSC)

Description

The mobile switching center (MSC) is the primary service delivery node for GSM/CDMA, responsible for routing voice calls and SMS as well as other services (such as conference calls, FAX, and circuit-switched data).

The MSC sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call and takes care of charging and real-time prepaid account monitoring.

In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent digitally encoded directly to the MSC. Only at the MSC is this re-coded into an "analogue" signal (although actually this will almost certainly mean sound is encoded digitally as a pulse-code modulation (PCM) signal in a 64-kbit/s timeslot, known as a DS0 in America).

There are various different names for MSCs in different contexts which reflects their complex role in the network, all of these terms though could refer to the same MSC, but doing different things at different times.

The gateway MSC (G-MSC) is the MSC that determines which "visited MSC" (V-MSC) the subscriber who is being called is currently located at. It also interfaces with the PSTN. All mobile to mobile calls and PSTN to mobile calls are routed through a G-MSC. The term is only valid in the context of one call, since any MSC may provide both the gateway function and the visited MSC function. However, some manufacturers design dedicated high capacity MSCs which do not have any base station subsystems (BSS) connected to them. These MSCs will then be the gateway MSC for many of the calls they handle.

The visited MSC (V-MSC) is the MSC where a customer is currently located. The visitor location register (VLR) associated with this MSC will have the subscriber's data in it.

The anchor MSC is the MSC from which a handover has been initiated. The target MSC is the MSC toward which a handover should take place. A mobile switching center server is a part of the redesigned MSC concept starting from 3GPP Release 4.

Mobile switching center server (MSC-Server, MSCS or MSS)

The mobile switching center server is a soft-switch variant (therefore it may be referred to as mobile soft switch, MSS) of the mobile switching center, which provides circuit-switched calling mobility management, and GSM services to the mobile phones roaming within the area that it serves. The functionality enables split control between (signaling ) and user plane (bearer in network element called as media gateway/MG), which guarantees better placement of network elements within the network.

MSS and media gateway (MGW) makes it possible to cross-connect circuit-switched calls switched by using IP, ATM AAL2 as well as TDM. More information is available in 3GPP TS 23.205.

The term Circuit switching (CS) used here originates from traditional telecommunications systems. However, modern MSS and MGW devices mostly use generic Internet technologies and form next-generation telecommunication networks. MSS software may run on generic computers or virtual machines in cloud environment.

Other GSM core network elements connected to the MSC

The MSC connects to the following elements:

Procedures implemented

Tasks of the MSC include:

Home location register (HLR)

The home location register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time.

The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record.

Another important item of data associated with the SIM are the MSISDNs, which are the telephone numbers used by mobile phones to make and receive calls. The primary MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a unique key to the HLR record. The HLR data is stored for as long as a subscriber remains with the mobile phone operator.

Examples of other data stored in the HLR against an IMSI record is:

The HLR is a system which directly receives and processes MAP transactions and messages from elements in the GSM network, for example, the location update messages received as mobile phones roam around.

Other GSM core network elements connected to the HLR

The HLR connects to the following elements:

Procedures implemented

The main function of the HLR is to manage the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:

Authentication center (AuC)

Description

The authentication center (AuC) is a function to authenticate each SIM card that attempts to connect to the gsm core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.

If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator attempted. There is an additional form of identification check performed on the serial number of the mobile phone described in the EIR section below, but this is not relevant to the AuC processing.

Proper implementation of security in and around the AuC is a key part of an operator's strategy to avoid SIM cloning.

The AuC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AuC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AuC. This Ki is never transmitted between the AuC and SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over the air communications.

Other GSM core network elements connected to the AuC

The AuC connects to the following elements:

Procedures implemented

The AuC stores the following data for each IMSI:

When the MSC asks the AuC for a new set of triplets for a particular IMSI, the AuC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:

The numbers (RAND, SRES, Kc) form the triplet sent back to the MSC. When a particular IMSI requests access to the GSM core network, the MSC sends the RAND part of the triplet to the SIM. The SIM then feeds this number and the Ki (which is burned onto the SIM) into the A3 algorithm as appropriate and an SRES is calculated and sent back to the MSC. If this SRES matches with the SRES in the triplet (which it should if it is a valid SIM), then the mobile is allowed to attach and proceed with GSM services.

After successful authentication, the MSC sends the encryption key Kc to the base station controller (BSC) so that all communications can be encrypted and decrypted. Of course, the mobile phone can generate the Kc itself by feeding the same RAND supplied during authentication and the Ki into the A8 algorithm.

The AuC is usually collocated with the HLR, although this is not necessary. Whilst the procedure is secure for most everyday use, it is by no means hack proof. Therefore, a new set of security methods was designed for 3G phones.

In practice, A3 and A8 algorithms are generally implemented together (known as A3/A8, see COMP128). An A3/A8 algorithm is implemented in Subscriber Identity Module (SIM) cards and in GSM network Authentication Centers. It is used to authenticate the customer and generate a key for encrypting voice and data traffic, as defined in 3GPP TS 43.020 (03.20 before Rel-4). Development of A3 and A8 algorithms is considered a matter for individual GSM network operators, although example implementations are available. To encrypt Global System for Mobile Communications (GSM) cellular communications A5 algorithm is used. [1]

Visitor location register (VLR)

Description

The Visitor Location Register (VLR) is a database of the MSs (Mobile stations) that have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Each main base transceiver station in the network is served by exactly one VLR (one BTS may be served by many MSCs in case of MSC in pool), hence a subscriber cannot be present in more than one VLR at a time.

The data stored in the VLR has either been received from the Home Location Register (HLR), or collected from the MS. In practice, for performance reasons, most vendors integrate the VLR directly to the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface. Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location of that MS. If VLR data is corrupted it can lead to serious issues with text messaging and call services.

Data stored include:

Procedures implemented

The primary functions of the VLR are:

Equipment identity register (EIR)

EIR is a system that handles real-time requests to check the IMEI (checkIMEI) of mobile devices that come from the switching equipment (MSC, SGSN, MME). The answer contains the result of the check:

The switching equipment must use the EIR response to determine whether or not to allow the device to register or re-register on the network. Since the response of switching equipment to ‘greylisted’ and ‘unknown equipment’ responses is not clearly described in the standard, they are most often not used.

Most often, EIR uses the IMEI blacklist feature, which contains the IMEI of the devices that need to be banned from the network. As a rule, these are stolen or lost devices. Mobile operators rarely use EIR capabilities to block devices on their own. Usually blocking begins when there is a law in the country, which obliges all cellular operators of the country to do so. Therefore, in the delivery of the basic components of the network switching subsystem (core network) is often already present EIR with basic functionality, which includes a ‘whitelisted’ response to all CheckIMEI and the ability to fill IMEI blacklist, which will be given a ‘blacklisted’ response.

When the legislative framework for blocking registration of devices in cellular networks appears in the country, the telecommunications regulator usually has a Central EIR (CEIR) system, which is integrated with the EIR of all operators and transmits to them the actual lists of identifiers that must be used when processing CheckIMEI requests. In doing so, there may be many new requirements for EIR systems that are not present in the legacy EIR:

Other functions may be required in individual cases. For example, Kazakhstan has introduced mandatory registration of devices and their binding to subscribers. But when a subscriber appears in the network with a new device, the network operation is not blocked completely, and the subscriber is allowed to register the device. To do this, there are blocked all services, except the following: calls to a specific service number, sending SMS to a specific service number, and all Internet traffic is redirected to a specific landing page. This is achieved by the fact that EIR can send commands to several MNO systems (HLR, PCRF, SMSC, etc.).

The most common suppliers of individual EIR systems (not as part of a complex solution) are the companies BroadForward, Mahindra Comviva, Mavenir, Nokia, Eastwind.

Other support functions

Connected more or less directly to the GSM core network are many other functions.

Billing center (BC)

The billing center is responsible for processing the toll tickets generated by the VLRs and HLRs and generating a bill for each subscriber. It is also responsible for generating billing data of roaming subscriber.

Multimedia messaging service center (MMSC)

The multimedia messaging service center supports the sending of multimedia messages (e.g., images, audio, video and their combinations) to (or from) MMS-bluetooth.

Voicemail system (VMS)

The voicemail system records and stores voicemail.

Lawful interception functions

According to U.S. law, which has also been copied into many other countries, especially in Europe, all telecommunications equipment must provide facilities for monitoring the calls of selected users. There must be some level of support for this built into any of the different elements. The concept of lawful interception is also known, following the relevant U.S. law, as CALEA. Generally, lawful Interception implementation is similar to the implementation of conference call. While A and B are talking with each other, C can join the call and listen silently.

See also

Related Research Articles

<span class="mw-page-title-main">GSM</span> Cellular telephone network standard

The Global System for Mobile Communications (GSM) is a standard developed by the European Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. GSM is also a trade mark owned by the GSM Association. GSM may also refer to the Full Rate voice codec.

The international mobile subscriber identity is a number that uniquely identifies every user of a cellular network. It is stored as a 64-bit field and is sent by the mobile device to the network. It is also used for acquiring other details of the mobile in the home location register (HLR) or as locally copied in the visitor location register. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead.

<span class="mw-page-title-main">SIM card</span> Integrated circuit card for a mobile device

A SIMcard is an integrated circuit (IC) intended to securely store an international mobile subscriber identity (IMSI) number and its related key, which are used to identify and authenticate subscribers on mobile telephone devices. SIMs are also able to store address book contacts information, and may be protected using a PIN code to prevent unauthorized use.

<span class="mw-page-title-main">Roaming</span> Wireless telecommunication term

Roaming is a wireless telecommunication term typically used with mobile devices, such as mobile phones. It refers to a mobile phone being used outside the range of its native network and connecting to another available cell network.

<span class="mw-page-title-main">International Mobile Equipment Identity</span> Cellphone identification code

The International Mobile Equipment Identity (IMEI) is a numeric identifier, usually unique, for 3GPP and iDEN mobile phones, as well as some satellite phones. It is usually found printed inside the battery compartment of the phone but can also be displayed on-screen on most phones by entering the MMI Supplementary Service code *#06# on the dialpad, or alongside other system information in the settings menu on smartphone operating systems.

The GPRS core network is the central part of the general packet radio service (GPRS) which allows 2G, 3G and WCDMA mobile networks to transmit Internet Protocol (IP) packets to external networks such as the Internet. The GPRS system is an integrated part of the GSM network switching subsystem.

Mobility management is one of the major functions of a GSM or a UMTS network that allows mobile phones to work. The aim of mobility management is to track where the subscribers are, allowing calls, SMS and other mobile phone services to be delivered to them.

MSISDN is a number uniquely identifying a subscription in a Global System for Mobile communications or a Universal Mobile Telecommunications System mobile network. It is the mapping of the telephone number to the subscriber identity module in a mobile or cellular phone. This abbreviation has several interpretations, the most common one being "Mobile Station International Subscriber Directory Number".

GSM services are a standard collection of applications and features available over the Global System for Mobile Communications (GSM) to mobile phone subscribers all over the world. The GSM standards are defined by the 3GPP collaboration and implemented in hardware and software by equipment manufacturers and mobile phone operators. The common standard makes it possible to use the same phones with different companies' services, or even roam into different countries. GSM is the world's most dominant mobile phone standard.

An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack. The 3G wireless standard offers some risk mitigation due to mutual authentication required from both the handset and the network. However, sophisticated attacks may be able to downgrade 3G and LTE to non-LTE network services which do not require mutual authentication.

The Mobile Application Part (MAP) is an SS7 protocol that provides an application layer for the various nodes in GSM and UMTS mobile core networks and GPRS core networks to communicate with each other in order to provide services to users. The Mobile Application Part is the application-layer protocol used to access the Home Location Register, Visitor Location Register, Mobile Switching Center, Equipment Identity Register, Authentication Centre, Short message service center and Serving GPRS Support Node (SGSN).

GSM procedures are sets of steps performed by the GSM network and devices on it in order for the network to function. GSM is a set of standards for cell phone networks established by the European Telecommunications Standards Institute and first used in 1991. Its procedures refers to the steps a GSM network takes to communicate with cell phones and other mobile devices on the network. IMSI attach refers to the procedure used when a mobile device or mobile station joins a GSM network when it turns on and IMSI detach refers to the procedure used to leave or disconnect from a network when the device is turned off.

Phone cloning is the copying of identity from one cellular device to another.

IS-41, also known as ANSI-41, is a mobile, cellular telecommunications system standard to support mobility management by enabling the networking of switches. ANSI-41 is the standard now approved for use as the network-side companion to the wireless-side AMPS (analog), IS-136, cdmaOne, and CDMA2000 networks. It competes with GSM MAP, but the two will eventually merge to support worldwide roaming.

The Short Message Service is realised by the use of the Mobile Application Part (MAP) of the SS7 protocol, with Short Message protocol elements being transported across the network as fields within the MAP messages. These MAP messages may be transported using "traditional" TDM based signalling, or over IP using SIGTRAN and an appropriate adaptation layer.

A Central Equipment Identity Register (CEIR) is a database of mobile equipment identifiers. Such an identifier is assigned to each SIM slot of the mobile device.

CAVE-based authentication is an access authentication protocol based on used in CDMA2000 1X 3G mobile network systems, using the CAVE algorithm. It is also known as HLR authentication, 2G Authentication, or Access Authentication.

The Um interface is the air interface for the GSM mobile telephone standard. It is the interface between the mobile station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog to the U interface of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also support GPRS packet-oriented communication.

The Mobile Telephone Switching Office (MTSO) is the mobile equivalent of a PSTN Central Office. The MTSO contains the switching equipment or Mobile Switching Center (MSC) for routing mobile phone calls. It also contains the equipment for controlling the cell sites that are connected to the MSC.

References

  1. Shahabuddin, Shahria; Rahaman, Sadiqur; Rehman, Faisal; Ahmad, Ijaz; Khan, Zaheer (2018). A Comprehensive Guide to 5G Security. John Wiley & Sons Ltd. p. 12.