
IN

Intelligent Network
Basic IN concept & technology
Some basic IN services

Intelligent Network (IN) Concept


The intelligent network concept: intelligence is taken
out of exchanges and placed in computer nodes that
are distributed throughout the network.
Intelligence => access to various databases
This provides the network operator with the means
to develop and control services more efficiently. New
capabilities can be rapidly introduced into the
network. Once introduced, services are easily
customized to meet individual customer's needs.

Intelligent Network (IN) Concept


Operator implements service logic (IN Service)

[Figure: STP, SCP, SSP and Exchange nodes; protocol labels MAP, INAP, CAP and ISUP]

Service Control Point (SCP): a network element containing the service logic, a database or register.

Service Switching Point (SSP): enables service triggering in an exchange.

IN service subscriber and customer


In a typical IN service scenario, the network operator
or a 3rd party service provider implements the service
for one or several subscribers, after which customers
can use the service.
Service subscriber = company offering the service
(e.g. the 0800 number that anybody can call)
Customers = those who use the service (e.g. those
who call the 0800 number)
Confusion possible: IN service subscriber ≠ PSTN subscriber

Typical call-related IN procedure (1)


[Figure: SCP, SSP/Exchange and a second Exchange, with steps 1-5]

1. Call routing proceeds up to Exchange
2. Trigger activated in Basic Call State Model at SSP
3. SSP requests information from SCP (database)
4. SCP provides information
5. Call routing continues (routing to next exchange) based on information received from SCP

Typical call-related IN procedure (2)


[Figure: SCP, SSP/Exchange and a second Exchange, with steps 1-5]

2. Trigger activated in Basic Call State Model at SSP

Typical triggers:
Called number (or part of number)
Called user (destination) is busy
Called user does not answer in predefined time

Typical call-related IN procedure (3)


[Figure: SCP, SSP/Exchange and a second Exchange, with steps 1-5]

4. SCP provides information

Example: Number translation in SCP


SSP sends 800 number (0800 1234).
SCP translates it into the real number, which is used for routing the call (+358 9 1234567).
Translation may be based on several variables.

Examples of how SCP can affect call (1)


[Figure: SSP/Exchange passes the called number to the SCP, which also has the time or date; the call goes to Destination 1 or Destination 2]

SCP decides the destination of the call depending on the calling time or date:
9.00 - 17.00 => Destination 1
17.00 - 9.00 => Destination 2

Examples of how SCP can affect call (2)


[Figure: SSP/Exchange passes the called number and calling number to the SCP; the call goes to Destination 1 or Destination 2]

SCP decides the destination of the call depending on the location of calling user:
Calling user in southern Finland => Destination 1
Calling user in northern Finland => Destination 2

Examples of how SCP can affect call (3)


[Figure: SSP/Exchange passes the called number to the SCP, which also has the network load; the call goes to Destination 1 or Destination 2]

SCP decides the destination of the call depending on the traffic load in the network:
Traffic load situation 1 => Destination 1
Traffic load situation 2 => Destination 2

Additional IN features (1)


[Figure: SCP, SSP/Exchange, a second Exchange and an IP]

Intelligent Peripheral (IP) can (a) send announcements to the user (usually: calling user) and (b) receive DTMF digits from the user. IP is not a database; connection to exchange not via SS7, instead via digital TDM channels.

Additional IN features (2)


[Figure: SCP, SSP/Exchange, a second Exchange and an IP]

Typical applications:
1) Whenever services need user interaction
2) User authentication

User interaction in IN service


[Figure: SCP, SSP/Exchange, Exchange and IP, with steps 1-4; announcement to the user: "for this .. press 1, for that .. press 2"]

1. SCP orders IP to select and send announcement
2. IP sends announcement to calling user
3. User replies by giving DTMF number(s) to IP
4. IP sends number information to SCP in a signalling message

User authentication (1)


[Figure: SCP, SSP/Exchange, Exchange and IP, with steps 1-4; announcement to the user: "please press your PIN code ..."]

1. SCP orders IP to select and send announcement
2. IP sends announcement to calling user
3. User gives authentication code (in DTMF form) to IP
4. IP sends authentication code to SCP in a signalling message

User authentication (2)


[Figure: SCP, SSP/Exchange and IP, with steps 1-3; display message to the user: "please press your PIN code ..."]

When connected to the network via a digital subscriber line, the calling user can be notified with a digital message (please press your PIN code ...) instead of having to use the corresponding voice announcement.

IN services
A large number of IN services can be implemented by combining different building blocks:
- Called number translation (at SCP)
- Routing decision based on calling number, time, date, called user busy, called user alerting timeout, network load ...
- Announcements (from IP) or user notification (<= ISDN user signalling)
- DTMF number reception (at IP) and analysis (at SCP)
- Customised charging (at exchanges)

IN service examples
Traditional IN services:
- Freephone / customised charging schemes
- Virtual Private Network (VPN)
- Number portability
- Televoting

IN in mobile networks:
- Mobility management (HLR, VLR = databases)
- Security management (Authentication ...)
- Additional IN services in mobile networks => CAMEL (Customised Applications for Mobile networks Enhanced Logic)

Freephone (800) service


User calls 0800 76543. SSP sends this number to SCP
which after number analysis sends back to SSP the
real destination address (09 1234567) and call can be
routed to the destination. Called party is charged.
[Figure: SCP, SSP/Exchange and Destination, with steps 1-5]

Charging: Destination (service subscriber) pays the bill

Premium rate service


User calls 0200 34343. SSP sends this number to SCP
which after number analysis sends back to SSP the
real destination address (09 676567) and call can be
routed to the destination. Calling party is charged.
[Figure: SCP, SSP/Exchange and Destination, with steps 1-5]

Charging: Calling user (customer) pays the (usually rather expensive) bill. Both service subscriber and service provider or network operator make profit!

Virtual private network (VPN) service


A VPN provides corporate customers with a private
number plan within the PSTN. The customer dials a
private (short) number instead of the complete public
number in order to contact another user within the
VPN. User authentication is usually required.
Number translation: 1212 => 09 1234567

[Figure: SSP/Exchange, SCP, IP and Destination; labels: Customised charging, User authentication]

Screening of incoming calls


This is an example of an IN service related to the call
destination end. Alert called user only if calling number
is 121212 or 234567, otherwise do something else (e.g.
reject call or redirect call to another destination).
Calling number = 121212 or 234567: Accept
All other calling numbers: Reject or redirect

[Figure: SSP/Exchange (local exchange of called user), SCP and called user]
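The SCP decisions described in the number translation, time-based routing and call screening slides can be written as one lookup that the SSP queries. This is an added example, not code from the original slides; `scp_query`, `SERVICES` and the service numbers 0800 5555 and 09 7654321 are hypothetical, while 0800 1234, +358 9 1234567, 121212 and 234567 are the slides' own values.

```python
from datetime import time

# Service records held in the SCP database (constructed for this example).
SERVICES = {
    "08001234": {"kind": "translate", "real": "+35891234567"},
    "08005555": {"kind": "time", "start": time(9, 0), "end": time(17, 0),
                 "inside": "Destination 1", "outside": "Destination 2"},
    "097654321": {"kind": "screen", "allowed": {"121212", "234567"},
                  "redirect": None},  # None = reject, otherwise a number
}


def digits(number):
    """Normalise a dialled number so '0800 1234' matches '08001234'."""
    return number.replace(" ", "")


def scp_query(called, calling, now):
    """Steps 3-4 of the call flow: the SSP asks, the SCP returns an instruction."""
    called = digits(called)
    svc = SERVICES.get(called)
    if svc is None:
        # No service data for this number: ordinary routing continues.
        return ("continue", called)
    if svc["kind"] == "translate":
        return ("route", svc["real"])
    if svc["kind"] == "time":
        # Half-open window: 9.00 <= t < 17.00 is Destination 1, the rest 2.
        inside = svc["start"] <= now < svc["end"]
        return ("route", svc["inside"] if inside else svc["outside"])
    if svc["kind"] == "screen":
        # Fail closed: a missing (withheld) calling number is not on the list.
        if calling is not None and digits(calling) in svc["allowed"]:
            return ("route", called)
        if svc["redirect"] is None:
            return ("reject", None)
        return ("route", svc["redirect"])
    raise ValueError(f"unknown service kind {svc['kind']!r}")


if __name__ == "__main__":
    for query in [("0800 1234", "121212", time(10, 0)),
                  ("0800 5555", "121212", time(17, 0)),
                  ("09 7654321", "999999", time(10, 0))]:
        print(query, "->", scp_query(*query))
```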

Mobile terminated call (MTC)


By far the most important "IN service" is mobility
management during a mobile terminated call (MTC),
which means finding out under which exchange or
mobile switching center (MSC) a mobile user is
roaming, so that the call can be routed to this
exchange. More about this later.
[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-7]

More about IN and IN services


The link www.iec.org/online/tutorials/in provides some
examples in Section 10 (AIN Service Creation Examples),
for instance:

[Figure: example of service creation template]

PLMN
Public Land Mobile Network
(official name for mobile network)
Circuit-switched (CS) core network
(radio access network is not part of
this course)
Basic concepts and network elements
Mobility management in PLMN

Cellular concept
A cellular network contains a large number of cells with
a base station (BS) at the center of each cell to which
mobile stations (MS) are connected during a call.

[Figure: cells, each with a BS, and an MS]

If a connected MS (MS in call phase) moves between two cells, the call is not dropped. Instead, the network performs a handover (USA: handoff).

Mobility concept
A cellular network is divided into location areas (LA),
each containing a certain number of cells.
[Figure: cells grouped into Location Area 1, Location Area 2 and Location Area 3]

As long as an idle MS (idle = switched on) moves within a location area, it can be reached through paging.

If an idle MS moves between two location areas, it cannot be reached before it performs location updating.

Architecture of a mobile network

[Figure: MS; GSM BSS and 3G RAN; CS core network with MSC/VLR, GMSC, HLR, AuC and EIR; PS core network; PSTN; Internet]

Serving MSC

[Figure: mobile network architecture]

The serving mobile switching center (MSC) is the mobile counterpart to the local exchange in the PSTN. This is the MSC that is currently serving a mobile user.

VLR

[Figure: mobile network architecture]

The visitor location register stores temporary information on mobile users roaming in a location area under the control of the MSC/VLR.

Gateway MSC

[Figure: mobile network architecture]

The gateway MSC (located in the home PLMN of a mobile user) is the first contact point in the mobile network when there is an incoming call to the mobile user.

HLR

[Figure: mobile network architecture]

The home location register stores information on mobile users belonging to this mobile network (e.g. subscription data and present VLR under which the mobile user is roaming).

AuC

[Figure: mobile network architecture]

The authentication center safely stores authentication keys (Ki) of mobile subscribers belonging to this mobile network.

EIR

[Figure: mobile network architecture]

The equipment identity register stores information on stolen handsets (not stolen SIMs).

SIM

[Figure: mobile network architecture, with the SIM in the handset]

Important mobile user information is stored in the subscriber identity module within the handset.

CS core network

[Figure: mobile network architecture; CS core network labelled "Europe: GSM core network" and "N. America: ANSI-41 core network"]

The CS core network architecture is basically the same in 2G (GSM) and 3G mobile networks.
In North America, IS-MAP signalling is used instead of GSM-MAP signalling.

Basic functions in a mobile network


Radio Resource Management (RRM)
- Random access and channel reservation (1)
- Handover management
- Ciphering (encryption) over radio interface

Mobility Management (MM)
- IMSI/GPRS Attach (switch on) and Detach (switch off)
- Location updating (MS moves to other Location Area) (3)
- Authentication (2)

Call Control (CC)
- MOC, MTC

Session Management (SM)
- PDP Context (later lecture)

Number refers to the following slides in the slide set.

[Figure: range of functions RRM, CC, MM and SM across GSM BSS or 3G RAN, CS core network and PS core network]

Random access in a mobile network

Communication between MS and network is not possible before going through a procedure called random access.
Random access must consequently be used in:
Network-originated activity
- paging, e.g. for a mobile terminated call (MTC)
MS-originated activity
- IMSI attach, IMSI detach
- GPRS attach, GPRS detach
- location updating
- mobile originated call (MOC)
- SMS (short message service) message transfer

Random access in action (GSM)

1. MS sends a short access burst over the Random Access CHannel (RACH) in uplink using Slotted Aloha (in case of collision => retransmission after random time)
2. After detecting the access burst, the network returns an immediate assignment message which includes the following information:
- allocated physical channel (frequency, time slot) in which the assigned signalling channel is located
- timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicated signalling channel assigned by the network, indicating the reason for performing random access.

Multiplexing vs. multiple access

In downlink, multiplexing (e.g. TDM)
- Network decides channel
In uplink, multiple access (e.g. TDMA)
- Network decides channel also in this case

Multiple access is always associated with random access. MS requests signalling channel, and network decides which channel (e.g. time slot) will be used.

Security measures in a mobile network


1) PIN code (local authentication of handset
=> local security measure, network is not involved)
2) Authentication (performed by network)
3) Ciphering of information sent over air interface
4) Usage of TMSI (instead of IMSI) over air interface
IMSI = International Mobile Subscriber Identity
(globally unique identity)
TMSI = Temporary Mobile Subscriber Identity
(local and temporary identity)

Basic principle of authentication


[Figure: challenge-response across the air interface. Network (algorithm running in AuC): the random number RAND and the authentication key Ki go into the algorithm, giving SRES_A. RAND is sent as the challenge to the SIM (in handset), where RAND and Ki go into the same algorithm, giving the response SRES_S.]

The same? If yes, authentication is successful.

Where does the algorithm run?

Algorithm for calculating SRES runs within SIM (user side) and AuC (network side). The authentication key (Ki) is stored safely in SIM and AuC, and remains there during authentication.
The two SRES values are compared in the VLR.

[Figure: SIM (Ki), VLR and AuC (Ki); RAND and SRES_S on the air interface, SRES_A from AuC to VLR]
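The challenge-response exchange above, as an added example that is not part of the original slides. The slides do not name the algorithm, so HMAC-SHA256 truncated to 4 bytes stands in for it (an assumption), and the class names, the 128-bit Ki and the IMSI value are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the slides' 'Algorithm' (assumption): HMAC-SHA256 keyed
    with Ki over RAND, truncated to 4 bytes. It is open and one-way."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class AuC:
    """Network side: holds Ki per IMSI and runs the algorithm."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        """Create a 128-bit Ki; the return value is written into the SIM once."""
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]

    def challenge(self, imsi: str):
        """Fresh RAND plus the expected response SRES_A; Ki stays in the AuC."""
        rand = secrets.token_bytes(16)
        return rand, sres(self._ki[imsi], rand)


class SIM:
    """User side: holds Ki and answers challenges without revealing it."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> bytes:
        return sres(self._ki, rand)  # SRES_S


class VLR:
    """Compares SRES_S with SRES_A; never sees Ki."""

    def __init__(self, auc: AuC):
        self.auc = auc
        self.air_log = []  # (RAND, SRES_S) pairs visible on the air interface

    def authenticate(self, imsi: str, respond) -> bool:
        rand, sres_a = self.auc.challenge(imsi)
        sres_s = respond(rand)
        self.air_log.append((rand, sres_s))
        return hmac.compare_digest(sres_s, sres_a)


if __name__ == "__main__":
    auc = AuC()
    imsi = "244050000000001"  # constructed IMSI
    sim = SIM(imsi, auc.provision(imsi))
    vlr = VLR(auc)
    print("genuine SIM:", vlr.authenticate(imsi, sim.respond))
    replayed = vlr.air_log[-1][1]  # response recorded in the earlier run
    print("replayed response:", vlr.authenticate(imsi, lambda rand: replayed))
```

Because every run uses a fresh RAND, a response recorded from an earlier run does not match the next SRES_A, and Ki itself never appears in `air_log`.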

Algorithm considerations

Using the output and one or more inputs, it is in practice not possible to calculate the other input(s) backwards
=> brute force approach, extensive search
Key length in bits (N) is important (in case of brute force approach 2^N calculation attempts may be needed)
Strength of algorithm is that it is secret => bad idea! (security through obscurity)
Better: open algorithm can be tested by engineering community (security through strong algorithm)

Case study: Location updating (1)

(Most generic scenario, see van Bosse for details)

[Figure: SIM holds IMSI, LAI 1, TMSI; LAI 1 is received in broadcast messages; MSC/VLR 1 holds IMSI, TMSI; MSC/VLR 2; HLR holds IMSI, LAI 1]

Most recently allocated TMSI and last visited LAI (Location Area ID) are stored in SIM even after switch-off.
After switch-on, MS monitors LAI. If stored and monitored LAI values are the same, no location updating is needed.

Location updating (2)

[Figure: SIM holds IMSI, LAI 1, TMSI; LAI 2 is received in broadcast messages; MSC/VLR 1 holds IMSI, TMSI; MSC/VLR 2; HLR holds IMSI, LAI 1]

MS has moved from a cell belonging to VLR 1 to another cell belonging to VLR 2.
MS notices that the LAI values are different => location update is required!

Location updating (3)

[Figure: SIM (IMSI, LAI 1, TMSI) sends LAI 1 and TMSI to MSC/VLR 2, which has no TMSI-IMSI context; MSC/VLR 1 holds IMSI, TMSI; HLR holds IMSI, LAI 1]

SIM sends old LAI (i.e., LAI 1) and TMSI to VLR 2.
VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

Location updating (4)

[Figure: MSC/VLR 2 contacts MSC/VLR 1 (address: LAI 1), which returns the IMSI; SIM holds IMSI, LAI 1, TMSI; both VLRs now hold IMSI, TMSI; HLR holds IMSI, LAI 1]

However, VLR 2 can contact VLR 1 (address: LAI 1) and request IMSI.
IMSI is sent to VLR 2. There is now a TMSI-IMSI context.

Location updating (5)

[Figure: MSC/VLR 2 sends LAI 2 to the HLR, whose record for the IMSI changes from LAI 1 to LAI 2; SIM holds IMSI, LAI 1, TMSI; MSC/VLR 1 and MSC/VLR 2 hold IMSI, TMSI]

Important: HLR must be updated (new LAI). If this is not done, incoming calls can not be routed to new MSC/VLR.
HLR also requests VLR 1 to remove old user data.

Location updating (6)

[Figure: MSC/VLR 2 (IMSI, old TMSI, new TMSI) sends LAI 2 and the new TMSI to the SIM, which replaces LAI 1 and the old TMSI; MSC/VLR 1; HLR holds IMSI, LAI 2]

VLR 2 generates new TMSI and sends this to user. User stores new LAI and TMSI safely in SIM.
Location updating was successful!
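The six location-updating steps above as a small state model, showing which identities cross the air interface and what each register holds afterwards. This is an added example, not part of the original slides; the `VLR` and `Network` classes, the `register` helper that builds the starting state, and the IMSI value are constructed for illustration.

```python
import secrets


class VLR:
    def __init__(self, lai):
        self.lai = lai
        self.context = {}  # TMSI -> IMSI

    def new_tmsi(self, imsi):
        tmsi = secrets.token_hex(4)
        self.context[tmsi] = imsi
        return tmsi


class Network:
    def __init__(self, lais):
        self.vlrs = {lai: VLR(lai) for lai in lais}
        self.hlr = {}  # IMSI -> LAI under which the user is roaming

    def register(self, imsi, lai):
        """Build the starting state of slide (1); returns the SIM contents."""
        self.hlr[imsi] = lai
        return {"imsi": imsi, "lai": lai, "tmsi": self.vlrs[lai].new_tmsi(imsi)}

    def location_update(self, sim, broadcast_lai):
        """Slides (1)-(6). Returns the messages sent over the air interface."""
        if sim["lai"] == broadcast_lai:
            return []  # (1) stored and monitored LAI match: no update needed
        new_vlr = self.vlrs[broadcast_lai]
        air = [("MS->VLR", sim["lai"], sim["tmsi"])]  # (3) old LAI and TMSI only
        old_vlr = self.vlrs.get(sim["lai"])  # (4) old LAI addresses VLR 1
        imsi = old_vlr.context.get(sim["tmsi"]) if old_vlr else None
        if imsi is None:
            # Unknown or stale TMSI: refuse rather than guess an identity.
            raise LookupError("no TMSI-IMSI context at old VLR")
        self.hlr[imsi] = broadcast_lai  # (5) HLR learns the new LAI ...
        del old_vlr.context[sim["tmsi"]]  # ... and has VLR 1 drop old data
        tmsi = new_vlr.new_tmsi(imsi)  # (6) VLR 2 allocates a new TMSI
        air.append(("VLR->MS", broadcast_lai, tmsi))
        sim["lai"], sim["tmsi"] = broadcast_lai, tmsi
        return air


if __name__ == "__main__":
    net = Network(["LAI 1", "LAI 2"])
    sim = net.register("244050000000001", "LAI 1")  # constructed IMSI
    for message in net.location_update(sim, "LAI 2"):
        print(message)
    print("HLR:", net.hlr, "SIM:", sim)
```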

Trade-off when choosing LA size


If LA size is very large (e.g. whole mobile network)
+ location updating not needed very often
- paging load is very heavy
  High paging channel capacity required

If LA size is very small (e.g. single cell)
+ small paging load
- location updating must be done very often
  Affects signalling load

Role of TMSI
[Figure: sequence between MS and Network: Random access (uses TMSI), Authentication, Start ciphering, CC or MM transaction, IMSI detach, New TMSI stored in SIM]

IMSI is not sent over air interface if not absolutely necessary!
New TMSI allocated by network.

Mobile network identifiers (1)


MSISDN (globally unique number, E.164 numbering format): CC + NDC + SN

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
SN = Subscriber Number

Mobile station ISDN (MSISDN) numbers are based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.
When the calling (PSTN or PLMN) user dials an MSISDN number, the call is routed to the gateway MSC (GMSC) located in the home network of the called (mobile) user.

Mobile network identifiers (2)


MSRN (temporarily allocated number, E.164 numbering format): CC + NDC + TN

CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)
TN = Temporary Number

Mobile station roaming numbers (MSRN) are also based on the ITU-T E.164 numbering plan and can therefore be used for routing a circuit-switched call.
The MSRN is selected by the MSC/VLR serving the called (mobile) user, sent to the GMSC, and used for routing the call from the GMSC to the serving MSC.

Mobile network identifiers (3)


IMSI (globally unique number, E.212 numbering format): MCC + MNC + MSIN

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
MSIN = Mobile Subscriber Identity Number (10 digits)

The international mobile subscriber identity (IMSI) is based on the ITU-T E.212 numbering plan and cannot be used for routing a circuit-switched call (exchanges or switching centers do not understand such numbers).
The IMSI is stored in the HLR and SIM of the mobile user.

Mobile network identifiers (4)


LAI (globally unique number, E.212 numbering format): MCC + MNC + LAC

MCC = Mobile Country Code (3 digits)
MNC = Mobile Network Code (2 digits)
LAC = Location Area Code (10 digits)

The location area identity (LAI) points to a location area belonging to a certain MSC/VLR. This identity must be stored in the HLR so that mobile terminated calls can be routed to the correct serving MSC/VLR.

IMEI: Serial number of handset (not SIM)

Case study: Mobile terminated call (1)


(see van Bosse for details)
1. Using the MSISDN number (dialled by the calling user located in the PSTN or the PLMN of another operator) and standard SS7/ISUP signalling, the call is routed to the GMSC in the home network of the called mobile user.

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6]

Mobile terminated call (2)

2. The GMSC contacts the HLR of the called mobile user. The SS7/MAP signalling message contains the MSISDN number which points to the mobile user record (containing IMSI, LAI where user is roaming, etc.) in the HLR database.

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6]

Mobile terminated call (3)

3. Using global title translation (GTT), the HLR translates the IMSI and LAI information into the signalling point code of the serving MSC/VLR.
The HLR sends SS7/MAP request "Provide roaming number" (i.e. MSRN) to the VLR.

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6]

Mobile terminated call (4)

4. The VLR selects a temporary MSRN. Note that there must be binding between MSRN and IMSI in the VLR.
The VLR sends the MSRN to the GMSC (using SS7/MAP signalling).

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6; the VLR holds the MSRN-IMSI binding]

Mobile terminated call (5)

5. Using the MSRN number and standard SS7/ISUP signalling, the call is routed to the serving MSC. Although not shown in the figure, there may be intermediate switching centers (serving MSC/VLR may be located at the other end of the world).

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6]

Mobile terminated call (6)

6. MSC/VLR starts paging within the location area (LA) in which the called mobile user is located, using TMSI for identification. Only the mobile user with the corresponding TMSI responds to the paging via the random access channel (RACH).

[Figure: HLR, GMSC, VLR and serving MSC, with steps 1-6; the VLR holds the MSRN-IMSI and IMSI-TMSI bindings]
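Steps 2-6 of the mobile terminated call traced through the identifier bindings: MSISDN to the HLR record, a temporary MSRN bound to the IMSI in the VLR, and paging by TMSI. This is an added example, not part of the original slides; `ServingVLR`, `mobile_terminated_call` and all numbers are constructed, and releasing the MSRN once the call arrives is an assumption of this sketch.

```python
class ServingVLR:
    def __init__(self, msrn_pool, subscribers):
        self.free_msrn = list(msrn_pool)   # temporary numbers this VLR may hand out
        self.tmsi_of = dict(subscribers)   # IMSI -> TMSI of registered users
        self.msrn_to_imsi = {}             # binding required in step 4

    def provide_roaming_number(self, imsi):
        """Steps 3-4: answer the HLR's request with a temporary MSRN."""
        if imsi not in self.tmsi_of:
            raise LookupError("subscriber not registered in this VLR")
        if not self.free_msrn:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free_msrn.pop(0)
        self.msrn_to_imsi[msrn] = imsi
        return msrn

    def incoming_call(self, msrn):
        """Steps 5-6: the call arrives on the MSRN; page the user by TMSI."""
        imsi = self.msrn_to_imsi.pop(msrn)  # KeyError if there is no binding
        self.free_msrn.append(msrn)         # the number is temporary: release it
        return self.tmsi_of[imsi]


def mobile_terminated_call(msisdn, hlr, vlrs):
    """Run steps 2-6 for a call that has already reached the GMSC (step 1)."""
    record = hlr[msisdn]                    # step 2: MSISDN points to the record
    vlr = vlrs[record["lai"]]               # step 3: HLR finds the serving VLR
    msrn = vlr.provide_roaming_number(record["imsi"])
    tmsi = vlr.incoming_call(msrn)          # step 5 routes on the MSRN
    return {"routed_on": msrn, "page_tmsi": tmsi}


if __name__ == "__main__":
    # Constructed sample data: one subscriber roaming under LAI 2.
    imsi = "244050000000001"
    hlr = {"+358401234567": {"imsi": imsi, "lai": "LAI 2"}}
    vlr = ServingVLR(["+358500000901"], {imsi: "a1b2c3d4"})
    print(mobile_terminated_call("+358401234567", hlr, {"LAI 2": vlr}))
```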
