I was having an e-mail exchange with John Todd about call routing between cellular and VoIP networks. He asked, "If am roaming with my AT&T phone in Germany and am on the T-Mobile network, and someone in Germany calls my +1-... E.164 number from their Deutsche Telecom land line, the call isn't routed via the US - it gets terminated locally because Deutsche Telecom passes the call to T-mobile directly. But is DT sending the call to my "base" E.164 address, or to the MSRN?"
Good question. I gave my best answer based on my reading of GSM 03.04 and GSM 04.08. John suggested that the answer might also be useful information for other VoIP people trying to get a handle on what goes on inside a cellular network. So here it is:
- The originating Deutsche Telekom (DT) local exchange (LE) in Germany, acting on your MSISDN (mobile subscriber ISDN, your normal cellular telephone number), contacts an international switching center (ISC) in Germany, which in turn contacts an ISC in the US.
- The US ISC, acting on your MSISDN, contacts AT&T's gateway mobile switching center (GMSC) which in turn contacts AT&T's HLR (home location register) to get your MSRN (mobile subscriber roaming number, the number where your call actually needs to terminate).
- The HLR returns an MSRN in Germany that had previously been assigned to you by the German T-Mobile network.
- The AT&T GMSC tells the US ISC to forward the call to the MSRN in Germany.
- The US ISC tells the German ISC to forward the call to the MSRN in Germany.
- The German ISC tells the DT LE to forward the call to the MSRN in Germany.
- The DT LE, now using the MSRN, contacts a T-Mobile GMSC in Germany.
- The T-Mobile GMSC looks up your MSRN in its visitor location register (VLR), where it finds your IMSI and sees that you are an AT&T subscriber, since that is encoded into the IMSI. The GMSC also gets the identity of the basestation controller (BSC) where you most recently registered.
- The T-Mobile VLR contacts the AT&T HLR to verify your account. (Not absolutely sure on this step, but probably. We'll contact AT&T's HLR again in a few seconds, though, so they might defer this step.)
- The T-Mobile GMSC contacts your serving BSC to initiate paging on the radio interface. The paging message, sent on the common control channel (CCCH) of every BTS controlled by that BSC, contains your IMSI or TMSI.
- Your handset sees the paging message and responds on the random access channel (RACH).
- The BTS/BSC sees the RACH message and responds with a channel assignment on your serving BTS through the CCCH.
- You pick up the newly assigned dedicated control channel (DCCH) and establish LAPDm async balanced mode. At this point, you have effectively have an ISDN D-channel connection to the BSC.
- On the new D-channel, you send a "paging response" message that identifies you, by IMSI or TMSI, to the BSC. (If you send a TMSI, the BSC resolves it to an IMSI at this point.)
- The BSC (optionally) authenticates you with AT&T's HLR, (optionally) initiates encryption, and then sends you a message informing you that "connection mode" is established. You may also (optionally) get reassigned to a new radio channel at this point, or simply be told that the mode of your existing radio channel has changed. Either way, you now have an ISDN-like connection to T-Mobile's GMSC, with a D-channel for signaling and B-channel for media.
- From this point forward, the signaling part is just like Q.931.
I would encourage any ISDN jockeys out there, especially from OpenBSC or Linux Call Router to correct anything I overlooked or got wrong in that.
I received this comment privately via e-mail:
ReplyDeleteRe: your blog post - this is how I believe it works:
Incoming:
* DT sends ISUP IAM to internatioanl ISC in Germany, as your MSISDN is not german, which connects to internatioanl ISC in the US (as its +1).
* US ISC relays the ISUP IAM to AT&T's GMSC (as it serves that MSISDN range), which contacts AT&T's HLR asking for your MSRN.
* The AT&T HLR then contacts the T-Mobile Germany VLR you are attached to and asks it to provide a MSRN for the associated MSC
* The AT&T GMSC now relays the ISUP IAM to the T-Mobile Germany MSC using the MSRN (the MSRN prefix routes the ISUP correctly, using a bi-laterally agreed roaming link)
* The T-Mobile Germany MSC now pages the relevent BSC, it already knows your IMSI as the AT&T HLR inserted your subscriber info when you moved to that VLR.
etc.
So the call is "tromboned" via the US: DT->AT&T->T-Mobile. I don't believe the call could easily be directly routed from DT->T-Mobile for one main reason: Cost. If I'm a US subscriber roaming in Africa, and somebody calls me from the US, they don't pay a penny more to call so their telco isn't going to want to foot the bill for the leg from the US to Africa. However my telco will, as I'm paying the roaming bill.
Outgoing:
I believe there are two options: home routing where the call is routed via your home network's GMSC, or directly via the visited networks GMSC. Each has their pro's and con's.
I'm interested in working on this for a self study class at Cal Poly (provided that they don't deny my appeal for being dismissed form the university). Obviously, I have *A LOT* of reading to do.
ReplyDeleteI think that it would be cool to make a COW for a senior project (in 2 years), and have it be based off of OpenBTS.
I should definitely ask this question in the GNURadio mailing list, but are their any good books that give a comprehensive description of the GSM system?
I'm looking into "GSM - Architecture, Protocols and Services," and possibly "GSM Networks: Protocols, Terminology and Implementation (Artech House Mobile Communications Library.)" as well as "The GSM System for Mobile Communications."
I'm not aware of any single book that covers the whole system. There's just too much, especially when you get into the 2.5G systems. Artech house does have several good books, though, for different aspects of the system. The Gunnar Heine "GSM Networks: Protocols, Terminology, and Implementation" looks pretty good for L1-L3 from the handset through the BSC. If I had just one GSM book, that would probably be the one.
ReplyDeleteHi David
ReplyDeleteI happen to know the MSRN number that temporarily assigned to a traveler, if i make a phone call to that MSRN from my fix line phone will GMSC to be able to route the call to the traveler?
In other words, will GMSC route calls to traveler coming from a PSTN network without looking at the source number?
thanks
Ray
Good question.
ReplyDeleteI don't know if the MSRN is accessible from the PSTN.
The MSRN is like any MSISDN, but is assigned for call setup only. During this phase, it is assigned to the terminating roaming number, and once the call is connected, this MSRN is released back into the pool. You do not get this assigned on a more permanent basis while roaming, so there is no point in dialling it.
ReplyDelete