SS7 Explained

by Friedo  (friedo@interport.net)

We love it.  We use it, abuse it, make fun of it, and try to figure it out.  It's becoming our primary method of communication, and is what connects most of us to the Internet.  It's the telephone network, of course, and as hackers, it is our moral responsibility to understand it like no one else.

All the telephones in your house are attached via a really long wire to your local CO, which handles routing your calls to wherever they need to go.  In order to do that, various COs in your RBOC need to talk to each other, and they also need to talk to the tandem offices owned by the various long distance carriers in order to route calls to places outside of your local region.  That's where signaling comes in.  In olden times, the telcos used a system called in-band signaling.

This is how calls generally work.  You push some buttons in order to place your call.  Your CO switch analyzes the number you dialed and determines it will need to connect to the Long Distance (LD) carrier that you chose (because it's your constitutional right or something) so it can complete your call.  The LD carrier gets the number from your CO, figures out where to route it, and gives it to the CO on the other side of the country, which in turn rings the other party's line.  But how does this information get all the way from say, my CO in New York to my friend's CO in California?

With in-band signaling it's rather simple.  Your local CO finds an idle line between itself and the LD carrier (of your choice, remember).  Your CO then transmits signaling tones to the LD carrier on this line, which, if you haven't figured it out yet, is the same circuit that will be carrying your conversation momentarily.

In the U.S. we call these MF tones, or Multi-Frequency tones.  This is because, ironically, they're made of multiple frequencies.  In the past, if you listened closely, you could often hear these tones faintly while your call was being routed.

Enter the Blue Box.  Generate your own MF tones, and a world of magic opens up to you.  But alas, that was back in the day, even before my time.  Now we have to deal with the new era in Ma Bell technology: out-of-band signaling.

Out-of-band signaling is what is used in SS7.

SS7 stands for Switching System Seven or Signaling System Seven, depending on who you ask.  When you saw the words "out-of-band signaling," you probably thought, "Hey, I bet that means the signaling happens outside of the band!"  Well uhhh... that's pretty much it.  Nowadays, signaling between switches occurs on dedicated digital connections which carry all the needed routing information.

There are two methods for setting up an SS7 network: a good way and a not so good way.  The not so good way is the simpler of the two, and is called Associated Signaling.  It is the type of network used to deploy SS7 throughout most of Europe.

Associated Signaling works like this: Take one trunk between the two offices and use it as a dedicated digital switching datalink.  In this system, you don't need to set up any additional cabling or routers - you just use the copper already in place.  There are problems with this, though.  If a tree falls on the T1 (or E1, as the case would be in Europe) which has your dedicated SS7 trunk on it, you can no longer communicate with the other office.  Even if you had a second line to the other office, without a signaling trunk, you're out of luck.

When Ma was setting up SS7 in North America, she wanted a highly versatile, redundant system.  Since Ma gets what she wants, Quasi-Associated Signaling (QAS) was born.  QAS is deployed in North America.  The quasi-associated signaling network is far more complex, and will be introduced in this article.

SS7 Network Devices

There are three devices used in the construction of the SS7 network.

(From here on, assume that I'm only talking about the North American signaling network.)  They are:

Signal Switching Points (SSP):  SSPs are telephone switches with SS7 software installed.  SSPs can be COs or tandem offices, and are responsible for originating, terminating, and routing calls.

Signal Transfer Points (STP):  STPs transfer signaling packets from one location to another.  They are also responsible for performing some specialized routing functions.

Signal Control Points (SCP):  SCPs are responsible for providing data necessary for certain types of advanced calling situations.  Such situations include 800/888/877 routing, "follow-me" number rerouting, calling card services, and CO services such as Caller ID.

Signal Control Points and Signal Transfer Points are always deployed in pairs to provide for redundancy.  In addition, they are also linked via all possible combinations, lest a link should fail.

For those of you who love diagrams, here's my attempt:

The [TX] devices represent subscriber telephones and they are connected to the [SSPX] via their respective local loops.

The SSPs are all linked to two STPs, which are both linked to two redundant SCPs.  Thus, if any one device should fail, there is a backup.  Further, since there is no prioritizing of network devices, messages sent to either one will be treated equally.  This is so that unusually heavy traffic may be distributed evenly among nodes.

SS7 Links

All links in the SS7 network are bi-directional digital lines that send and receive packets at either 56 kbps or 64 kbps.  There are seven types of links.

A Links:  A Links connect STPs to SSPs and SCPs.  Their sole purpose is to carry messages between SS7 packet switches and COs or tandem offices, and between packet switches and the SCP databases.  Examples of A Links in the diagram are [STP1] to [SCP2] and [STP2] to [CO1].  "A" stands for Access.

B Links:  "B" stands for Bridge.  B Links connect two STPs from separate pairs.  Examples of B Links are [STP1] to [STP3] and [STP2] to [STP4].

C Links:  C Links connect STPs inside a pair.  These provide for redundancy and packet rerouting if necessary.  "C" stands for Cross.  Examples of C Links are [STP1] to [STP2] and [STP3] to [STP4].

D Links:  D Links are the same as B Links except they connect STPs diagonally, such as [STP1] to [STP4] and [STP2] to [STP3].  D Links are for redundancy purposes, and are second in priority to B Links.  "D", by the way, stands for Diagonal.

E Links:  E Links provide for even more reliability and redundancy by connecting an SSP to a secondary STP pair.  The secondary STP pair may be in the same area or in another area, in which case it would probably be another SSP's primary pair.  "E" is for Extended.

F Links:  F Links connect two SSPs directly.  Such links are of course not very secure, and are not used to connect two networks.  However, at the local network provider's discretion, they may be used to connect two close end offices to further provide for redundancy.  Such links should never be used as the sole connection between two offices, however.  "F" stands for Fully Associated.  F Links are the type of links used in the Associated Networking scheme in Europe discussed above.

A link that connects an STP to another STP outside its immediate pair or quad can be called either a B Link, D Link, or B/D Link.  These are used to connect local SS7 networks to a broader network.  Of course, any STP can belong to any number of quads, not just one as in the diagram.

SS7 Packets

STPs function as the packet switches of the SS7 network, and there are three basic types of packets that they deal with.  SS7 packets are called Signal Units, or SUs.  SUs are discussed below as they exist being sent across a direct link.  Addressing and complicated routing issues are discussed later.

Fill-in Signal Units, or FISUs, are sent whenever there is no important information to be transmitted over the signal link.  While they contain no data, they are useful because they provide for a constant signal over the link, which aids in network troubleshooting and monitoring.  FISUs are four octets long.  The fields are as follows:

Octets 0-1:  BSN/BIB and FSN/FIB.  The BSN is the Backwards Sequence Number (7 bits), the BIB is the Backwards Indicator Bit, the FSN is the 7-bit Forwards Sequence Number, and the FIB is the Forwards Indicator Bit.  These values are used to confirm receipt of SUs and for error correction purposes.

Octet 2:  Length indicator.  In an FISU, this is always zero.

Octet 3:  Checksum.  Used to check for packet integrity.

Link Status Signal Units, or LSSUs, are used to provide information on the status of the link.  LSSUs look like this:

Octets 0-1:  BSN/BIB and FSN/FIB.

Octet 2:  Length indicator.  This is either one or two for an LSSU.

Next comes the status field, which is either one or two octets.  The content of the status field is outside the scope of this article.

The last octet, as before, is the checksum.

MSUs, or Message Signal Units, comprise the meat of the SS7 system.  These are used to send messages between SSPs and STPs, and STPs and SCPs.  These contain significant data such as routing information, trunk data, and so forth.  MSUs are used to perform all communication relevant to an actual telephone call.

MSUs have the same BSN/BIB and FSN/FIB as the other two SUs, and the length indicator octet can be anywhere between 3 and 63.  (According to protocol standards, only six of the eight bits in the length indicator field are used to determine the length, so MSUs can be no longer than 63 octets.)  The data in the packet is followed by a checksum.
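The signal unit layout just described, as a builder and parser added here (not code from the article): the two sequence-number octets, the six-bit length indicator that decides whether a unit is an FISU, LSSU or MSU, the payload, and a trailing checksum octet.  The checksum routine is an assumption, since the article only says "checksum"; a plain XOR stands in for whatever the real link uses.

```python
from dataclasses import dataclass

@dataclass
class SignalUnit:
    kind: str        # "FISU", "LSSU" or "MSU", decided by the length indicator
    bsn: int         # backward sequence number, 7 bits
    bib: int         # backward indicator bit
    fsn: int         # forward sequence number, 7 bits
    fib: int         # forward indicator bit
    li: int          # length indicator, 6 bits, 0..63
    payload: bytes   # empty (FISU), status field (LSSU) or message data (MSU)

def checksum(data: bytes) -> int:
    """Constructed stand-in: the article only says 'checksum', so XOR all octets."""
    value = 0
    for octet in data:
        value ^= octet
    return value

def build_su(bsn: int, bib: int, fsn: int, fib: int, payload: bytes = b"") -> bytes:
    """Assemble BSN/BIB, FSN/FIB, LI, payload and a trailing checksum octet."""
    if not (0 <= bsn < 128 and 0 <= fsn < 128 and bib in (0, 1) and fib in (0, 1)):
        raise ValueError("sequence numbers are 7 bits, indicator bits are 1 bit")
    if len(payload) > 63:
        raise ValueError("only six bits of the length indicator are used (max 63)")
    body = bytes([(bib << 7) | bsn, (fib << 7) | fsn, len(payload)]) + payload
    return body + bytes([checksum(body)])

def parse_su(raw: bytes) -> SignalUnit:
    """Decode a signal unit, rejecting bad lengths and checksum mismatches."""
    if len(raw) < 4:
        raise ValueError("a signal unit is at least four octets (an FISU)")
    li = raw[2] & 0x3F                         # upper two bits do not carry length
    if len(raw) != 3 + li + 1:
        raise ValueError(f"length indicator {li} does not match {len(raw)} octets")
    if checksum(raw[:-1]) != raw[-1]:
        raise ValueError("checksum mismatch: drop the unit and wait for retransmission")
    kind = "FISU" if li == 0 else "LSSU" if li <= 2 else "MSU"
    return SignalUnit(kind, raw[0] & 0x7F, raw[0] >> 7, raw[1] & 0x7F, raw[1] >> 7,
                      li, raw[3:3 + li])
```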

There are several types of MSUs, and some are listed below:

ACM:  Address Complete Message.  ACM indicates that an IAM has been received.  It includes the originating switch address, the terminating switch address, and the selected trunk.

ANM:  Answer Message.  ANM is sent when the called subscriber picks up the phone.  It indicates that the trunk should be opened in both directions and contains the originating switch address, the terminating switch address, and the selected trunk.

IAM:  Initial Address Message.  The IAM is used to begin a call.  It originates at the caller's switch and is addressed to the recipient's switch.  It contains information such as the initiating and destination switch addresses, the calling number, the called number, and the trunk selected for the call.

REL:  Release Message.  REL indicates that one of the parties has hung up, and it is time to release the trunk.  It contains the originating and terminating switch addresses, and the specified trunk.

RCL:  Release Complete Message.  RCL is sent to confirm that the trunk has been released.  It contains originating and terminating switch addresses, and the trunk.

SS7 Layers

Like TCP/IP, SS7 has layers.

The layers serve an important role in distinguishing different aspects of the network and creating a modular approach to network design.

The physical layer deals with the hardware and electrical issues.  Signaling links are almost always DS0 copper lines (the same as a regular phone line).

Message Transfer Part - Level 2 (MTP Level 2) deals with making sure the two endpoints of a communication can receive and interpret packets.  It controls such things as error correction and flow control.

Message Transfer Part - Level 3 (MTP Level 3) provides such capabilities as node addressing, packet rerouting, and inter-connectivity between nodes not directly linked.

The Signaling Connection Control Part (SCCP) extends the capabilities of the MTP layers.  The MTP layers can deliver packets to a specific node on the network, and the SCCP layer can address those to particular node-based applications.  In other words, the SCCP is aware of the purpose of the packet, and controls such things as database queries and switch control.

The ISDN User Part (ISUP) controls the protocols and messaging used to establish voice and data calls over the switched network.  The ISUP is used for both digital ISDN calls and analog calls.

The next layer is the TCAP, which stands for Transaction Capabilities Application Part.  It is responsible for transmitting messages in between applications on a specific node.  Since it requires explicit addressing of node applications, it uses SCCP for transport.

The final layer is the Operations, Maintenance, and Administration Part, or OMAP.  OMAP is designed to assist the maintainers and administrators of the network (as the name implies) and includes such features as checking routing table validity and procedures for link and node troubleshooting.

Node Addressing

In order to properly route packets to their destination nodes, there needs to be some sort of addressing scheme.

You are familiar with addressing schemes even if you are not a computer nerd.  If your house is a node on a network, your postal address defines where that node is.  In order for someone to send you a letter, they need to know your address, so the mailman knows where to take the letter.  Your telephone number defines where your node is on the Public Switched Telephone Network (PSTN).  IP addresses define you as a node on the Internet or another IP-based network.

The SS7 addressing scheme is a three level hierarchy.  Every node on the SS7 network belongs to a cluster, and every cluster to a local network.  To address a node, you label it by its network number, followed by its cluster number, followed by its node number (also called a member number).

Each number is one octet long and can have values from 0 to 255.  Network numbers are assigned to RBOCs (Bell Atlantic, Ameritech, etc.), independent local carriers such as RCN, interexchange carriers, and LD carriers like Sprint or MCI.  It is up to the assignee to designate cluster and node numbers within his network however he wants.

The Telephone Call

Now that we know all about how SS7 works, let's examine a typical local telephone call situation.

Customer A, in a town in New York, wants to call his friend in a neighboring town.

He picks up his phone and his CO gives him dial tone.  He dials away, and the CO analyzes the number.

The CO determines that the call is local and needs to go to a neighboring end office.  The process is started by the STP sending an IAM to the other office.

The IAM tells the other office who's calling whom, and which voice trunk it plans to use for the call.

Upon receipt of the IAM, the called party's end office sends back an ACM message to alert the originating switch that it has received the IAM.

Upon receipt of the ACM, the originating switch opens the trunk in one direction so the calling party can hear that the called party's switch is ringing the called party's line.

If and when the called party picks up, the terminating switch sends an ANM to indicate that the phone has been answered.  This is the originating switch's signal to open the trunk in both directions and begin billing.

When the calling party hangs up, his switch sends an REL message, telling the other switch to release the line.  Upon receipt of the REL message, the other switch idles the trunk and sends an RCL to alert the originating switch that the trunk is idle and to stop billing.
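The exchange just walked through, as an added simulation that is not part of the article: two hypothetical switches, labelled with made-up network-cluster-member addresses, drive one trunk through the IAM/ACM/ANM/REL/RCL sequence, opening it one way on ACM, both ways with billing on ANM, and idling it on REL/RCL.  A message that arrives in the wrong trunk state is rejected rather than acted on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# (message type, trunk state it is valid in) -> (new state, billing on?, reply)
# "*" means the message is accepted in any state.
TRANSITIONS = {
    ("IAM", "idle"):     ("seized",   False, "ACM"),  # far end announced a call
    ("ACM", "seized"):   ("backward", False, None),   # one-way: caller hears ringing
    ("ANM", "backward"): ("both",     True,  None),   # answered: two-way, billing on
    ("REL", "*"):        ("idle",     False, "RCL"),  # far end hung up: idle the trunk
    ("RCL", "*"):        ("idle",     False, None),   # trunk confirmed idle, stop billing
}

@dataclass
class Trunk:
    state: str = "idle"      # idle -> seized -> backward -> both -> idle
    billing: bool = False

@dataclass
class Switch:
    point_code: str          # hypothetical "network-cluster-member" label
    trunks: Dict[int, Trunk] = field(default_factory=dict)
    sent: List[str] = field(default_factory=list)

    def trunk(self, cic: int) -> Trunk:
        return self.trunks.setdefault(cic, Trunk())

    def receive(self, msg: dict) -> Optional[str]:
        """Apply one message to its trunk; return the reply type, if any."""
        t, kind = self.trunk(msg["cic"]), msg["type"]
        step = TRANSITIONS.get((kind, t.state)) or TRANSITIONS.get((kind, "*"))
        if step is None:
            raise ValueError(f"{kind} not valid on trunk {msg['cic']} in state {t.state}")
        t.state, t.billing, reply = step
        return reply

def signal(sender: Switch, receiver: Switch, kind: str, cic: int, **params) -> List[str]:
    """Send one message and deliver any reply it triggers; return the types in order."""
    if kind == "IAM":                        # originating switch picks the trunk
        sender.trunk(cic).state = "seized"
    msg = {"type": kind, "opc": sender.point_code, "dpc": receiver.point_code,
           "cic": cic, **params}             # IAM also carries calling/called numbers
    sender.sent.append(kind)
    reply = receiver.receive(msg)
    return [kind] + (signal(receiver, sender, reply, cic) if reply else [])
```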

SS7 provides for a much more secure and stable signaling network.  It also allows for such technologies as toll free numbers, calling cards, and services such as Caller ID.

The hackability of SS7 does not at first appear possible, unless someone could figure out how to interface directly with the SS7 network.
