I was having an e-mail exchange with John Todd about call routing between cellular and VoIP networks. He asked, "If am roaming with my AT&T phone in Germany and am on the T-Mobile network, and someone in Germany calls my +1-... E.164 number from their Deutsche Telecom land line, the call isn't routed via the US - it gets terminated locally because Deutsche Telecom passes the call to T-mobile directly. But is DT sending the call to my "base" E.164 address, or to the MSRN?"
Good question. I gave my best answer based on my reading of GSM 03.04 and GSM 04.08. John suggested that the answer might also be useful information for other VoIP people trying to get a handle on what goes on inside a cellular network. So here it is:
- The originating Deutsche Telekom (DT) local exchange (LE) in Germany, acting on your MSISDN (mobile subscriber ISDN, your normal cellular telephone number), contacts an international switching center (ISC) in Germany, which in turn contacts an ISC in the US.
- The US ISC, acting on your MSISDN, contacts AT&T's gateway mobile switching center (GMSC) which in turn contacts AT&T's HLR (home location register) to get your MSRN (mobile subscriber roaming number, the number where your call actually needs to terminate).
- The HLR returns an MSRN in Germany that had previously been assigned to you by the German T-Mobile network.
- The AT&T GMSC tells the US ISC to forward the call to the MSRN in Germany.
- The US ISC tells the German ISC to forward the call to the MSRN in Germany.
- The German ISC tells the DT LE to forward the call to the MSRN in Germany.
- The DT LE, now using the MSRN, contacts a T-Mobile GMSC in Germany.
- The T-Mobile GMSC looks up your MSRN in its visitor location register (VLR), where it finds your IMSI and sees that you are an AT&T subscriber, since that is encoded into the IMSI. The GMSC also gets the identity of the basestation controller (BSC) where you most recently registered.
- The T-Mobile VLR contacts the AT&T HLR to verify your account. (Not absolutely sure on this step, but probably. We'll contact AT&T's HLR again in a few seconds, though, so they might defer this step.)
- The T-Mobile GMSC contacts your serving BSC to initiate paging on the radio interface. The paging message, sent on the common control channel (CCCH) of every BTS controlled by that BSC, contains your IMSI or TMSI.
- Your handset sees the paging message and responds on the random access channel (RACH).
- The BTS/BSC sees the RACH message and responds with a channel assignment on your serving BTS through the CCCH.
- You pick up the newly assigned dedicated control channel (DCCH) and establish LAPDm async balanced mode. At this point, you have effectively have an ISDN D-channel connection to the BSC.
- On the new D-channel, you send a "paging response" message that identifies you, by IMSI or TMSI, to the BSC. (If you send a TMSI, the BSC resolves it to an IMSI at this point.)
- The BSC (optionally) authenticates you with AT&T's HLR, (optionally) initiates encryption, and then sends you a message informing you that "connection mode" is established. You may also (optionally) get reassigned to a new radio channel at this point, or simply be told that the mode of your existing radio channel has changed. Either way, you now have an ISDN-like connection to T-Mobile's GMSC, with a D-channel for signaling and B-channel for media.
- From this point forward, the signaling part is just like Q.931.
I would encourage any ISDN jockeys out there, especially from OpenBSC or Linux Call Router to correct anything I overlooked or got wrong in that.