The MAP is a special and important functional unit for intra-net and inter-net interconnection in the Public Land Mobile Network (PLMN). The MAP specification presents the signaling functions necessary for the mobile network to use SS7 so as to provide the services needed by the mobile network, such as voice service and non-voice service.
The MAP specifications of the GSM have specified the MAP signals between the entities such as the mobile service switching center, location register, authorization center, equipment identification register, etc. of the 900MHz TDMA digital cellular mobile communication network, including message flow, definitions of operations, data type, error type and specific codes.
The MAP is a kind of information exchange mode provided between the GSM network entities to implement the automatic roaming function of mobile stations. At present, the transmission of the MAP signaling is based upon the series NO.7 signaling technical specifications released by the CCITT. Actually, the switching of the MAP signaling can also be based upon other networks in conformity with the OSI network layer standards. Thus, a network operation corporation can mix, match and use various protocols to meet its requirements according to the local actual situations. Of course, the formulation and perfection of relevant protocols are needed.
The MAP is responsible for the information transfer between the GSM functional entities in the following processes:
----Location update/cancel location
----Fault restoration of location register
User Management
----Authorization and encryption
----IMEI management
Routing function
----Access processing and paging
----Processing of supplementary services
----Handover
Short message service
----Operation and maintenance
In the GSM system, the MAP signaling is like the blood in human body, which transfers the information related to the above protocol between various functional entities through the blood vessels (No. 7 CCS system) of the GSM. The architecture of the signaling network is shown in the following figure:
Figure3-1 GSM network architecture
As shown in the above figure, the MAP signaling will be transferred among the B, C, D, E, F and G interfaces in the GSM network. The BSSAP is responsible for the A interface. The description of each interface is as follows:
A-interface: It is the communication interface between the network subsystem and the base station subsystem. With respect to the functional entity of the subsystem, the A interface is the interface between the Base Station Controller (BSC) and the Mobile Switching Center (MSC). The information transferred by this interface includes mobile station management, base station management, mobility management and call processing, etc.
B-interface: It is the interface between the VLR and the MSC. The B interface is used for the MSC to query the current location information of a Mobile Station (MS) from the Visit Location Register (VLR), or to request the VLR to update the current location information of the MS, or for the operations of supplementary services.
C-interface: It is the interface between the MSC and the HLR. If an MS serves as the called party, the C interface is used for the gateway MSC to obtain the routing information (roaming number) of the called MS from the HLR. When transferring short messages to the MS, the C interface is used for the SMS gateway MSC to obtain the number of the MSC where the MS is currently located from the HLR.
D-interface: It is the interface between the VLR and the HLR. This interface is used to exchange the location information of the MS and the subscriber management information. To make sure that a mobile subscriber can set up and receive calls in the whole service area, the data exchange is needed between the VLR and the HLR. For example, the VLR needs to inform the HLR of the current location information of the subordinate mobile subscriber and the HLR needs to send all VLR-related service data to the VLR. If the VLR area where the mobile subscriber is previously located has changed, the HLR also needs to delete the location information of the mobile subscriber in the previous roaming VLR. Furthermore, the data exchange through the D interface is needed for the service modification request of the subscriber (such as supplementary service operation) and the subscriber data modification of the operation.
E-interface: It is the interface between the MSC and the MSC. The E interface is the interface used to control the handover between different MSCs in the neighboring cells. During the call connection, when an MS moves from the cell controlled by an MSC to the cell controlled by another MSC, the handover is needed to prevent communication interruption. The E interface is used for the data exchange between the MSCs to start and implement the handover operation.
F-interface: It is the interface between the MSC and the EIR. When an MSC needs to check the validity of the International Mobile Equipment Identity (IMEI), the F interface is needed for exchanging IMEI-related information with the EIR.
G-interface: It is the interface between the VLR and the VLR. When a mobile subscriber roams to a new VLR-controlled cell and the Temporary Mobile Subscriber Identity (TMSI) is used to initiate the location updating, the G interface is used for the current VLR to obtain the IMSI and authorization set from the previous VLR.
Generally, for a practical GSM system architecture, the VLR and MSC are integrated into the same entity. Most manufacturers use this architecture for their M900/M1800 systems. Accordingly, the B interface becomes an internal interface, the C and D interfaces can pass the same physical connection, and the E and G interfaces can pass the same physical connection.
2. MAP Message Format
2.1 Message Structure
The transmission of the MAP messages is based upon the services provided by each protocol layer of the TCAP, SCCP and MTP. A MAP message transmitted over the signaling link also includes the protocol data of the protocol layers of the TCAP, SCCP and MTP. The format of a complete message is shown in the following figure:
Figure3-2 MAP message format
2.2 MAP Message
The MAP message is the component part of the TCAP message and the TCAP message is the data part of the SCCP message. The mobile application SCCP message is transferred in the SIF field in the Message Signal Unit (MSU) of the No.7 signaling. The UDT message type is used, the protocol type is Class 0 or 1 and the basic format is shown in the following figure:
Figure3-3 Specific format of mobile SCCP message
Note:
(1) F: Its code pattern is 01111110, which not only indicates the end of the previous signal unit, but also indicates the start of the next signal unit. Multiple random F tags can be inserted between two signal units. The F tag can reduce the processing workload of the system in overload condition.
(2) CK: check error. The 16-bit cyclic redundancy code is used to detect the errors generated during the transmission of the signal unit.
(3) Sequence number of signal units and retransmission indication bit
BSN: Backward Sequence Number. The BSN tells the opposite party that all messages up to and including this sequence number have been received correctly.
BIB: Backward (retransmission) Indication Bit. The BIB is used for reverse indication that the opposite party starts the retransmission from the BSN+1 message.
FSN: Forward sequence number, i.e., the sequence number of the message.
FIB: Forward (retransmission) Indication Bit. The FIB is used for reverse indication of the start of the message retransmission.
(4) LI: Signal unit length indication bit. Its value is equal to the number of octets between the LI field and the CK field: LI of FISU = 0, LI of LSSU = 1 or 2 and LI of MSU > 2. Since the length of the LI field is 6 bits, with the value range of 0-63, when the length is greater than or equal to 63, the value of LI is set as 63 to maintain the original structure.
(5) SIO: Service Indication Octet. The SIO is only used in the MSU for indicating the message type. The three levels of the MTP allocate messages to the corresponding functional modules according to the SIO, and meanwhile, it indicates whether a message is a national network message or an international network message.
Lower 4 bits: DCBA, service indicator, where the SCCP is 0011.
Higher 4 bits: HGFE, sub-service field. If HG=00, it indicates the international network; if HG=01, it indicates the international backup network; if HG=10, it indicates the national network; and if HG=11, it indicates the national backup network. The FE bits are standby.
A specific MAP service message exists in the TCAP message in the form of component. Generally, the message types of the MAP service correspond to the operation codes one by one. However, during the message transfer, a message corresponds to an invoke ID. The invoke ID is the only identity of a message during the MAP dialogue. With the differentiation of the invoke ID, a component can be “translated” into the corresponding MAP service message.
2.3 MAP Message Code
For the detailed protocol of the MAP message, the description of Abstract Syntax Notation (ASN.1) in the CCITT Recommendation X.208 is used.
The operation code, operation type and operation time limit corresponding to the MAP service message are given in the ETSI GSM 09.02 specifications. Where, the operation time limit includes three types: long, intermediate and short time limits. The specific values depend upon the specific implementation modes.
The following table lists the operation codes used in the MAP. The operation codes here are the results of the specific coding of the operation codes in the Table 3-8 “TCAP messages in the component part”
Table3-8 MAP message codes
Note:
(1) G/IW MSC: Gateway/InterWorking MSC, short message gateway interconnection MSC
(2) MSC-A: Main control MSC initiating the handover
(3) MSC-B: MSC to which the MS is handed over
Each above-mentioned MAP message has special parameters and format. For details, please refer to Appendix B in the ETSI 0902 Specifications.
3. Message Examples
A UDT message is listed as follows:
118>> 30168 UDT 000000d 05FF09 03FF11 3F 3F 83 11 FF 03 09 FF 05 0D 09 81 03 0E 18 0B 12 06 00 12 04 68 31 39 31 00 00 0A 12 07 00 12 04 68 31 09 40 67 2A 62 28 48 04 2B 81 11 00 6C 80 A1 80 02 01 00 02 01 02 30 16 04 08 64 00 30 31 08 00 51 F4 81 06 91 68 31 09 40 67 00 00 00 00
The structure of the above trace message is as follows:
1) The whole message belongs to the MTP layer.
2) The segment from the 09 81 to the last belongs to the SCCP Layer.
3) The segment from 62 28 to the last belongs to the TCAP layer.
4) The segment from the 6C 80 to the last belongs to the component sublayer of the TCAP layer. The MAP messages can be encapsulated into the components.
The messages in each layer are as follows:
1) The MTP layer:
3F----indicating the length of the whole MTP message. When the number of all the message bytes is greater than 63 bytes, the byte is uniformly set as 3F.
83----If the higher four bits are “8”, it indicates the network indicator, indicating the national master network; if the lower four bits are “3”, it indicates the service indicator, indicating the subsequent SCCP message.
11 FF 03----the DPC is 03 FF 11
09 FF 05----the OPC is 05 FF 09
0D----SLS Signaling link selection code
2) The SCCP layer:
The format of the UDT message type includes message type code, protocol type, and route tag (including three pointers: the first pointer points at the address of the called subscriber, the second pointer points at the address of the calling subscriber and the third pointer points at the data, i.e., the TCAP part).
09----indicating the message type is UDT.
81----If the higher four bits are “8”, it indicates that the QoS(Quality of service) requires error return; if the higher four bits are “0”, it indicates that the QoS does not require the error return. If the lower four bits are “1”, it indicates that the protocol type of the SCCP is sequential connectionless class 0.
03----The pointer of the called subscriber address: “03” means that the bytes starting with the third byte after “03” indicate the called address.
0E----The pointer of the calling subscriber address: “0E” means that the bytes starting with the fourteenth byte after “0E” indicate the calling address.
18----The pointer of the data address: “18” means the bytes starting with the twenty-fourth byte after “18” indicate the data address, i.e., the start of the TCAP part.
0B 12 06 00 12 04 68 31 39 31 00 00 ----The address of the called GT code.
0B----indicating the length of the called GT address is 11 bytes.
12----This byte indicates the address indicator and translation type, with the following meaning:
Bit8----Standby
Bit7----Route indicator
“0” indicates the route is selected according to the Global Title (GT) in the address
“1” indicates that the route is selected according to the DPC in the MTP routing tag and the subsystem in the called subscriber address.
Bit6/5/4/3----GT indicator
“0000” indicates GT of Class 0
“0001” indicates GT of Class 1
“0010” indicates GT of Class 2
“0011” indicates GT of Class 3
“0100” indicates GT of Class 4
Bit2----Subsystem indicator
“0” indicates the subsystem ID is not included.
“1” indicates the subsystem ID is included.
Bit1----Signaling indicator
“0” indicates the signaling point code is not included.
“1” indicates the signaling point code is included.
06----Subsystem ID
0000 0000----Undefined subsystem ID/not used
0000 0001----SCCP Management (SCMG)
0000 0010----Standby
0000 0011----ISDN User Part (ISUP)
0000 0100----Operation, Maintenance and Administration Part (OMAP)
0000 0101----Mobile Application Part (MAP)
0000 0110----Home Location Register (HLR)
0000 0111----Visit Location Register (VLR)
0000 1000----Mobile Switching Center (MSC)
0000 1001----Equipment Identity Center (EIR)
0000 1010----Authorization Center (AUC)
0000 1011----Standby
0000 1100----Intelligent Network Application Part (INAP)
0000 1101 to 1111 1110----Standby
1111 1111----Extended standby
00----This byte is standby in GT of Class 4
12----The higher four bits of this byte indicate the numbering plan and the lower four bits indicate the coding design.
Numbering plan (bits 8765):
0000----Undefined
0001----ISDN/Telephone numbering plan
0010----Standby
0011----Data numbering plan
0100----Telex numbering plan
0101----Marine mobile numbering plan
0110----Land mobile numbering plan
0111----ISDN/Mobile numbering plan
1000 to 1111----Standby
Coding design (bits 4321):
0000----Undefined
0001----BCD, odd number of digits
0010----BCD, even number of digits
0011----Standby
0100 to 1111----Standby
04----Code of address property indicator
Bits 7654321:
0000000----FREE
0000001----Subscriber number
0000010----National standby
0000011----National valid number
0000100----International number
0000110----Intelligent network service number
0000101----FREE
:
1111111----FREE
68 31 39 31 00 00----MSISDN, 86139313000
0A 12 07 00 12 04 68 31 09 40 67----Address of the calling GT code. The analysis method is the same as that of the address of the called GT code.
2A----The length of the SCCP data part, i.e., the length of the TCAP message
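The MTP and SCCP walk-through above, as an added Python example (not part of the original chapter): it follows the three UDT pointers and decodes both GT addresses from the traced MSU, the field extraction a signaling monitor needs before it can check which node is asking for what. The function names are hypothetical, and only the address layout shown on this page (GT of Class 4, subsystem ID present, no point code) is handled.

```python
# Constructed input: the MSU from this page's trace, from the LI octet (3F) onward.
MSU = bytes.fromhex(
    "3F 83 11 FF 03 09 FF 05 0D 09 81 03 0E 18"
    "0B 12 06 00 12 04 68 31 39 31 00 00 0A 12 07 00 12 04 68 31 09 40 67"
    "2A 62 28 48 04 2B 81 11 00 6C 80 A1 80 02 01 00 02 01 02 30 16 04 08"
    "64 00 30 31 08 00 51 F4 81 06 91 68 31 09 40 67 00 00 00 00")

# Subsystem IDs as listed on this page.
SSN = {1: "SCMG", 3: "ISUP", 4: "OMAP", 5: "MAP", 6: "HLR", 7: "VLR",
       8: "MSC", 9: "EIR", 10: "AUC", 12: "INAP"}


def bcd(octets, odd):
    """Each octet holds two digits, low nibble first; an odd count drops the filler."""
    digits = "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in octets)
    return digits[:-1] if odd else digits


def parse_address(buf):
    """Decode one address laid out as in the trace: GT of Class 4, SSN, no point code."""
    if len(buf) < 5:
        raise ValueError("address too short")
    ai = buf[0]
    if ai & 0x01 or not ai & 0x02 or (ai >> 2) & 0x0F != 4:
        raise ValueError("address layout not covered by this example")
    return {"route_on_gt": not ai & 0x40,
            "ssn": SSN.get(buf[1], f"0x{buf[1]:02X}"),
            "numbering_plan": buf[3] >> 4,
            "nature_of_address": buf[4] & 0x7F,
            "digits": bcd(buf[5:], odd=(buf[3] & 0x0F) == 1)}


def parse_udt(msu):
    """Return the routing label, both SCCP addresses and the data (TCAP) part."""
    if len(msu) < 14 or msu[1] & 0x0F != 0x03:
        raise ValueError("not an MSU carrying SCCP")
    sccp = msu[9:]
    if sccp[0] != 0x09:
        raise ValueError("SCCP message type is not UDT")

    def param(ptr_at):
        start = ptr_at + sccp[ptr_at]          # a pointer counts from its own octet
        if start >= len(sccp) or start + 1 + sccp[start] > len(sccp):
            raise ValueError("pointer or length runs past the message")
        return sccp[start + 1:start + 1 + sccp[start]]

    return {"network_indicator": msu[1] >> 6,
            "dpc": msu[2:5][::-1].hex().upper(),
            "opc": msu[5:8][::-1].hex().upper(),
            "sls": msu[8] & 0x0F,
            "return_on_error": sccp[1] >> 4 == 0x8,
            "protocol_class": sccp[1] & 0x0F,
            "called": parse_address(param(2)),
            "calling": parse_address(param(3)),
            "data": param(4)}
```

The bounds check in `param` matters on real links: a pointer or length octet that runs past the end of the MSU is rejected instead of being read as address data.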
3) The TCAP layer:
The TCAP is the data part of the SCCP. The message of the TCAP layer is composed of Information Elements (IEs). An IE is composed of tag, length and contents. The division of IEs is the basis for the TC message analysis.
The contents of a TCAP message are described as follows.
62 28 48 04 2B 81 11 00 6C 80 A1 80 02 01 00 02 01 02 30 16 04 08 64 00 30 31 08 00 51 F4 81 06 91 68 31 09 40 67 00 00 00 00
The specific analysis is as follows:
The transaction sublayer:
62---- The field code of the transaction part, i.e., the message type tag of the TCAP, indicating that the message type is a message Begin.
Main message type tags (field names)    Code: H G F E D C B A
Begin                                         0 1 1 0 0 0 1 0
End                                           0 1 1 0 0 1 0 0
Continue                                      0 1 1 0 0 1 0 1
Abort                                         0 1 1 0 0 1 1 1
28----According to the composition of the IE, the message type tag is followed by the IE length. It can also be seen that the “2A” before 62 indicates that the length of this TCAP message is 42 (2AH) bytes.
48----Indicating the transaction ID in the message type so as to differentiate different transactions.
“48” indicates the source transaction ID tag.
“49” indicates the destination transaction ID tag.
04----Again according to the composition of the IE, the tag is followed by the IE length, so “04” indicates that the length of the source transaction ID value is four bytes.
2B 81 11 00----Source transaction ID value
4) The component sublayer:
This layer includes the MAP messages and is critical to the analysis of the MAP signaling. Generally, the component sublayer is composed of the component part and the dialogue part. Most UDTs including the MAP messages include the component part, but may not include the dialogue part. A component layer message only including the component part is listed as follows. For the MAP, this layer is transparent.
6C 80 A1 80 02 01 00 02 01 02 30 16 04 08 64 00 30 31 08 00 51 F4 81 06 91 68 31 09 40 67 00 00 00 00 00 00
The specific analysis is as follows:
6C----Component part tag
“6C” indicates the component part tag.
“6B” indicates the dialogue part tag.
80----According to the composition of the IE, after the tag is the IE length, so “80” indicates the length of the component is indefinite.
A1----Part code tag in the component part
“A1” indicates the part is an invoke part.
“A2” indicates the part is the return-result (last) part.
“A3” indicates the part is a Return-Error part.
“A4” indicates REJECT
80----After the tag is also the IE length, so “80” indicates the length is indefinite.
02----Local invoke tag
01----Invoke ID length.
00----The invoke ID value is 00.
02----Local operation code tag, indicating the operation conducted for the invoke this time.
01----The length of the local operation code is one byte, i.e., the next byte is the operation code.
02----Operation code, indicating the operation conducted for the invoke this time. The common operations are listed as follows:
Operation code    Operation
02                Location Updating
03                Cancel Location
04                Send Roaming Number
07                Insert Subscriber Data
09                Send Parameter
16                Send Routing Information
56                Send Authentication Information
30----indicating the sequence tag, this item is optional in the returned component. Some parts do not have this item.
16----Length
04----Octet string
08----Length
64 00 22 07 08 00 51 F4----Mandatory location update parameter: IMSI
81----Tag
06----Length
91----Attribute
68 31 09 00 64 F7 ----Optional parameter for location updating: MSC number
It can be seen from the above analysis that the analysis of the TCAP is actually the analysis of the SCCP data part. The analysis of the MAP message mainly lies in the analysis of the component part, i.e., find the tag of the component part in the message (6C) and then analyze the MAP part.
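The tag-length-contents walk described in this section, as an added Python example (not code from the original chapter): instead of scanning for the byte 6C, which can also occur inside a transaction ID or a parameter, it steps through the IEs by their lengths until it reaches the component part and the operation code. Function names are hypothetical; parameters after the operation code are not decoded, and the operation labels cover only the codes 02 to 09 from the table above.

```python
# Constructed input: the 42 TCAP octets from this page's trace.
TCAP = bytes.fromhex(
    "62 28 48 04 2B 81 11 00 6C 80 A1 80 02 01 00 02 01 02 30 16 04 08"
    "64 00 30 31 08 00 51 F4 81 06 91 68 31 09 40 67 00 00 00 00")

MSG_TYPES = {0x62: "Begin", 0x64: "End", 0x65: "Continue", 0x67: "Abort"}
COMPONENTS = {0xA1: "Invoke", 0xA2: "Return-Result (last)",
              0xA3: "Return-Error", 0xA4: "Reject"}
# Labels for the one-octet codes 02 to 09 in the page's operation table.
OPERATIONS = {2: "Location Updating", 3: "Cancel Location", 4: "Send Roaming Number",
              7: "Insert Subscriber Data", 9: "Send Parameter"}

def read_tl(buf, pos):
    """Read a tag and length; return (tag, length or None if indefinite, contents offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated information element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, first, pos                 # short form
    if first == 0x80:
        return tag, None, pos                  # indefinite form, closed by 00 00
    n = first & 0x7F                           # long form: n octets hold the length
    if pos + n > len(buf):
        raise ValueError("truncated length field")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def read_prim(buf, pos, want):
    """Read a definite-length element with tag `want`; return (contents, next offset)."""
    tag, length, body = read_tl(buf, pos)
    if tag != want or length is None or body + length > len(buf):
        raise ValueError(f"expected tag {want:02X} at offset {pos}")
    return buf[body:body + length], body + length

def parse_tcap(buf):
    """Walk the transaction part, then the first component down to its operation code."""
    tag, length, pos = read_tl(buf, 0)
    if tag not in MSG_TYPES or length is None or pos + length > len(buf):
        raise ValueError("not a definite-length TCAP message")
    out, end = {"type": MSG_TYPES[tag]}, pos + length
    while pos < end:
        tag, length, body = read_tl(buf, pos)
        if tag == 0x6C:                        # component part, length may be indefinite
            ctag, _, cpos = read_tl(buf, body)
            out["component"] = COMPONENTS.get(ctag, f"0x{ctag:02X}")
            if ctag == 0xA1:                   # invoke: invoke ID, then operation code
                invoke_id, cpos = read_prim(buf, cpos, 0x02)
                opcode, _ = read_prim(buf, cpos, 0x02)
                out["invoke_id"] = int.from_bytes(invoke_id, "big")
                out["opcode"] = int.from_bytes(opcode, "big")
                out["operation"] = OPERATIONS.get(out["opcode"], "not in table")
            return out
        if length is None or body + length > end:
            raise ValueError("unexpected length in transaction part")
        if tag in (0x48, 0x49):                # source / destination transaction ID
            out["otid" if tag == 0x48 else "dtid"] = buf[body:body + length].hex().upper()
        pos = body + length
    return out
```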
4. Summary
This chapter mainly describes the MAP functions, message structure and the analysis method of a complete mobile SCCP. Through the learning of this chapter, we should master the analysis method of the MAP message so as to lay a solid basis for learning the message analysis of the C/D interfaces.
5. Exercise
Please draw out the message structure diagram of the SCCP message.