HLR&AC Overview

8/3/2019 HLR&AC Overview

1/126

Home Location Register/Authentication Center

Overview

STUDENT TEXT

LZU 108 3827 REV R1A


2/126

LZU 108 3827 REV R1A

All rights reserved. No part of this document may be reproduced

in any form without written permission of the copyright holder.

This book is a training document and contains simplifications. Itmust, therefore, not be considered as a specification of the

system.

The contents of this book are subject to revision without notice

due to continued progress in design and manufacture.

REVISION HISTORY

1998

REVISION DATE DESCRIPTION

R1A November 1998 First release of course.


3/126i

HLR/AC Overview Course

The purpose of the HLR/AC Overview course is to provide an overview of

the Home Location Register and Authentication Center functionality

according to how it is implemented on the Jambala platform.

The course outlines the role of the HLR/AC in the mobile network and

how it communicates with other entities. It describes the main

functionality of the HLR/AC and explains the services that the HLR/AC

provides. It analyzes the architecture of the HLR/AC and examines the

hardware and software components. The HLR/AC Overview course

summarizes how the Jambala platform supports the evolution of the world

of telecommunications.

The HLR/AC Overview is designed to be an Instructor Led Training (ILT)

course. It is a one-day course that covers the theory and concepts of the

HLR/AC and how it operates on the Jambala platform. There are six

modules in the course, each of which is accompanied by a set of

theoretical exercises. The learning objectives associated with each module

are outlined in the table below.

Course Objectives

After completing this course you will achieve competence in the

following areas:

The role of the HLR/AC in the mobile network

The functionality of the HLR/AC

The services provided by the HLR/AC

The hardware and software components of the HLR/AC.

03802 LZU 108 3827 Rev. A


4/126

HLR/AC Overview

ii 03802 LZU 108 3827 Rev. A

Module Module Objectives

1. The Wireless Network

1/03802 LZU 108 3827

Summarize the architecture and main principles of

the cellular network

Identify the entities in a cellular network Recognize the different areas defined within a

cellular network

Understand the terminology associated with cellular

networks

Outline the function of the HLR

List the important data stored in the HLR

2. HLR Traffic Functions

2/03802 LZU 108 3827

Explain the traffic functions of the HLR

Understand the purpose of registration

Describe subscriber activity handling in the HLR

Outline the HLRs role in call delivery

State how the HLR supports equal access

pre-subscription

Identify the HLRs role in SMS calls

Understand how a subscriber service call operates

3. Security and Authentication

3/03802 LZU 108 3827

Describe the purpose and content of the

Authentication Center

Explain how the main authentication proceduresoperate

Understand the security and authentication functions

in the HLR/AC

4. OA&M in the HLR/AC

4/03802 LZU 108 3827

Understand the OA&M model in the HLR/AC

Describe the main tasks related to Operation,

Administration and Maintenance of the HLR/AC

Differentiate between alarms and notifications

Understand geographical redundancy.


5/126

HLR/AC Overview

iii03802 LZU 108 3827 Rev. A

5. HLR/AC Components

5/03802 LZU 108 3827

Describe the application platform

Outline how the HLR/AC communicates according

to CORBA-compliant interfaces

Explain how TelORB, network signaling support

and the OA&M implementation are combined in theHLR/AC

List the hardware components of the HLR/AC

Identify the application software of the HLR/AC

6. HLR Subscriber Features

6/03802 LZU 108 3827

Identify the most common subscriber features

supported by the HLR

Module Module Objectives


6/126

HLR/AC Overview

iv 03802 LZU 108 3827 Rev. A


7/126v

Table Of Contents

Module 1. The Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1

1.2 Entities in a Cellular Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2

1.2.1 Mobile Switching Center (MSC). . . . . . . . . . . . . . . . . . . . . . . . . . . .2

1.2.2 Base Station (BS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2.3 The Authentication Center (AC) . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2.4 Home Location Register (HLR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2.5 Visitor Location Register (VLR) . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

1.2.6 Mobile Station (MS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2.7 Message Center (MC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2.8 Service Control Point (SCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2.9 Operation and Maintenance Center (OMC). . . . . . . . . . . . . . . . . . . 5

1.3 Areas in a Cellular Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.3.1 Cell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.3.2 Location Area (LA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.3.3 Service Area (SA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

1.3.4 Numbering Plan Area (NPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.3.5 Local Access and Transport Area (LATA) . . . . . . . . . . . . . . . . . . . .6

1.4 Terminology in a Cellular Network . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

1.4.1 Interexchange Carrier (IC). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

1.4.2 Carrier Identification Code (CIC) . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.4.3 Co-operating Exchange. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

1.4.4 Peripheral Equipment Gateway (PEG) . . . . . . . . . . . . . . . . . . . . . . 8

1.4.5 Gateway MSC (MSC-G) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.4.6 Visited MSC (MSC-V) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.5 Numbers in a Cellular Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.5.1 Directory Number (DN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.5.2 Electronic Serial Number (ESN) . . . . . . . . . . . . . . . . . . . . . . . . . .10

1.5.3 Mobile Identification Number (MIN) . . . . . . . . . . . . . . . . . . . . . . . .10

1.5.4 Personal Identification Number (PIN) . . . . . . . . . . . . . . . . . . . . . . 11

1.5.5 Temporary Local Directory Number (TLDN) . . . . . . . . . . . . . . . . . 11

1.5.6 Forward-To Number (C-Number). . . . . . . . . . . . . . . . . . . . . . . . . . 111.6 Home Location Register. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

1.6.1 Database Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

1.6.2 Subscriber Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

1.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15


8/126

HLR/AC Overview

vi 03802 LZU 108 3827 Rev.A

Module 2. HLR Traffic Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

2.2 Traffic Functions of the HLR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

2.3 Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

2.4 Subscriber Activity Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

2.5 Call Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

2.6 Equal Access Pre-Subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242.7 IS-136 Alphanumeric Paging with Short Message Service . . . . . . . .26

2.8 Subscriber Service Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

2.9 Support of Subscriber Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

2.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Module 3. Security and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

3.2 Types of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

3.2.1 Cloning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343.2.2 Tumbling ESN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

3.2.3 Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

3.2.4 Subscription Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

3.2.5 Administrative Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

3.3 Security and Authentication Functions. . . . . . . . . . . . . . . . . . . . . . . .35

3.4 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

3.4.1 Introduction to Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

3.4.2 Authentication Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

3.4.3 Authentication Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

3.4.4 Authentication Failure Reporting . . . . . . . . . . . . . . . . . . . . . . . . . .44

3.4.5 Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

3.5 Voice Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

3.6 Fraudulent Activity Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

3.6.1 FAD Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

3.6.2 Call Barring Upon Fraudulent Activity . . . . . . . . . . . . . . . . . . . . . .47

3.7 Serial Number Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

3.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Module 4. OA&M in the HLR/AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

4.2 The OA&M Model Within the HLR/AC . . . . . . . . . . . . . . . . . . . . . . . .52

4.2.1 Telecommunications Management Network (TMN). . . . . . . . . . . .52

4.3 Typical OA&M Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

4.3.1 Logical Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

4.3.2 Group Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

4.3.3 Subscriber Number Administration . . . . . . . . . . . . . . . . . . . . . . . .55

4.3.4 Subscriber Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

4.3.5 Peripheral Equipment Gateway Data . . . . . . . . . . . . . . . . . . . . . .56

4.3.6 Subscriber Activity Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56


9/126

Table of Contents

vii03802 LZU 108 3827 Rev. A

4.3.7 Administration of Co-operating Exchanges . . . . . . . . . . . . . . . . . .57

4.3.8 Forward-To Number Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

4.3.9 Tables in the HLR/AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

4.3.10 Alarm Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

4.4 Geographical HLR Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

4.4.1 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Module 5. HLR/AC Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

5.2 HLR/AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68

5.2.1 Application Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

5.2.2 Common Object Request Broker Architecture. . . . . . . . . . . . . . . .72

5.2.3 TelORB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

5.2.4 Network Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

5.2.5 OA&M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

5.3 HLR/AC Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .805.3.1 Application Platform Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . .81

5.3.2 HLR/AC Application Software . . . . . . . . . . . . . . . . . . . . . . . . . . . .83

5.3.3 Example of an Incoming Message . . . . . . . . . . . . . . . . . . . . . . . .88

5.4 Dimensioning the HLR/AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90

5.4.1 Dimension the HLR/AC Traffic Intensity . . . . . . . . . . . . . . . . . . . .90

5.4.2 Dimension the HLR/AC Subscriber Database Size. . . . . . . . . . . .91

5.5 HLR and Middleware Right-To-Use . . . . . . . . . . . . . . . . . . . . . . . . . .93

5.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Module 6. HLR Subscriber Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

6.2 Calling Number Identification (CNI) . . . . . . . . . . . . . . . . . . . . . . . . . .96

6.3 Enquiry Call (ENQ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

6.4 Group 3 Fax (G3FAX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

6.5 Malicious Call Tracing (MCT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

6.6 Mobile Priority Subscriber (MPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

6.7 Asynchronous Data (ADS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

6.8 Call Waiting (CAW). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

6.9 Mobile Charging Area (MCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .986.10 Short Message Service (SMS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

6.11 Call Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

6.11.1 Call Forwarding Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

6.11.2 Busy Call Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

6.11.3 Call Forwarding Variations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

6.11.4 Forward-to Number Provision . . . . . . . . . . . . . . . . . . . . . . . . . . .102

6.12 Immediate Charging (ISE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

6.13 Message Waiting Indication (MWI). . . . . . . . . . . . . . . . . . . . . . . . . .104

6.14 Do Not Disturb (DDB). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104


10/126

HLR/AC Overview

viii 03802 LZU 108 3827 Rev.A

6.15 Absent Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

6.16 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

List of Abbreviations and Acronyms . . . . . . . . . . . . . . . . . . . . . . . 107

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115


11/1261

Module 1. The Wireless Network

1.1 Introduction

This module introduces the range of components that exist in a wireless

network. It describes the role of each component and their relationships to

the other entities in the network. It outlines the various geographical

regions defined within the cellular network and explains the meaning of

some terminology specific to cellular networks. The module describes the

main role of the HLR as a database and summarizes the data stored in theHLR.

Module Objectives

After completing this module you will be able to:

Summarize the architecture and main components of the cellular

network

Identify the entities in a cellular network

Recognize the different areas defined within a cellular network Understand the terminology associated with cellular networks

Outline the function of the HLR

List the important data stored in the HLR.

1/03802 LZU 108 3827 Rev. A


12/126

HLR/AC Overview

2 1/03802 LZU 108 3827 Rev. A

1.2 Entities in a Cellular Network

The Advanced Mobile Phone System (AMPS) is an analogue standard

which was developed in North America and introduced in 1984. The

Digital Advanced Mobile Phone System (D-AMPS) is an evolution of the

analog AMPS standard and implements Time Division Multiple Access

(TDMA). D-AMPS conforms to the IS-136 standard defined by the

Cellular Telecommunications Industry Association (CTIA).

The majority of cellular networks in North America, South America, New

Zealand and Australia adhere to the Digital Advanced Mobile Phone

System (D-AMPS) standard. There are various entities in a D-AMPS

network, some of which are displayed in the figure below.

Figure 1.1 Entities in a Cellular Network

1.2.1 Mobile Switching Center (MSC)

The Mobile Switching Center (MSC) is the heart of the cellular network. It

is responsible for switching calls from the initial origin to the final point of

destination. The MSC handles all connections and disconnections of

mobile calls. It supports the call processing and switching functions in the

wireless network. It handles traffic within a cellular network, interfacing

with other MSCs in the same or other cellular networks.

It also interfaces with the Public Switched Telephone Network (PSTN) at

the local, transit, or international gateway levels.


13/126

Module 1 - The Wireless Network

31/03802 LZU 108 3827 Rev. A

1.2.2 Base Station (BS)

The Base Station (BS) handles traffic to and from the mobile subscriber. It

is connected to the MSC and includes the transceiver and control

equipment located at one site. This control equipment handles and

supervises the quality of the radio connection between the BS and mobile

subscriber, and the communication link between the BS and MSC.

An MSC controls one or more BSs.

1.2.3 The Authentication Center (AC)

The Authentication Center (AC) establishes that the individual attempting

to make a call is a genuine subscriber and has a valid subscription to the

mobile network. The AC holds authentication data specific to each

subscriber which prevents fraud in the network. Using this data, the AC

can detect when someone is trying to access the network with a counterfeit

subscription. The AC is often colocated with the Home Location Register

(HLR).

1.2.4 Home Location Register (HLR)

The Home Location Register (HLR) acts as a centralized network element

for storing subscriber information. It administers the subscriber

information and sends that information to other network elements. Each

mobile subscriber has a record in a HLR. An HLR stores subscriber

information (such as location information, subscriber activity status or

subscriber features) in the subscribers record.

An HLR may be located within an MSC or it may be a stand-alone

network node. An HLR can serve more than one MSC. An operator may

have more than one HLR installed in the network depending, on subscriber

capacity. Each HLR can be duplicated for redundancy purposes.

1.2.5 Visitor Location Register (VLR)

The Visitor Location Register (VLR) is a database for storing information

related to visiting subscribers. A visiting subscriber is a subscriber who is

currently receiving service from an MSC. An MSC considers all mobile

subscribers to be visiting subscribers. The visiting mobile subscriberidentities and associated subscriber data are stored in VLR records similar

to the HLR records.

The VLR is normally co-located with an MSC, (leading to the term

MSC/VLR), but is separate from the HLR. When a subscriber registers

with the network, subscriber information must be transferred from the

HLR to the MSC where the subscriber is registered. The VLR acts as the

interface between the HLR and the MSC for the transfer of subscriber-

related information. The MSC retrieves information from the VLR for

handling calls to or from visiting subscribers.


14/126

HLR/AC Overview

4 1/03802 LZU 108 3827 Rev. A

The signaling standard IS-41 can be used to transport messages between

the MSC/VLR and the HLR.

1.2.6 Mobile Station (MS)

The Mobile Station (MS) is the physical handset that the subscriber uses to

make a mobile call. It enables the user to access network services. The MS

communicates with the mobile network; it is the interface equipment usedto terminate the radio path at the user side. Different manufacturers

produce many different variations of mobile stations, offering a variety of

designs and features tailored to meet the individual needs of subscribers.

There are a range of standards for mobile stations that affect the

capabilities of the mobile station. A mobile station, manufactured

according to a particular standard, ensures that the mobile station can

obtain service in a cellular system that adheres to the same standard.

The following are examples of Interim Standards (ISs) which affect

mobile stations:

IS-54B

IS-136

IS-95

IS-95A

IS-88

IS-94

IS-91.

Mobile Stations which adhere to a particular standard ensure that certain

functionality is possible. For example a mobile station that supports

IS-54B, IS-91 or IS-136 is capable of authentication.

The MS communicates with the mobile network via the BS along a radio

link. The communication path between the MS and BS is referred to as the

air interface.

1.2.7 Message Center (MC)

A Message Center (MC) is a network node responsible for the receptionand delivery of short messages (alphanumeric messages sent to the display

screen of a mobile station).

The MC communicates with the MSC and the HLR using IS-41 signaling.

1.2.8 Service Control Point (SCP)

The Service Control Point (SCP) acts as a host for a variety of Wireless

Intelligent Network (WIN) features in addition to those features offered by

the MSC/VLR functionality. WIN features enhance the range, quality and


15/126


51/03802 LZU 108 3827 Rev. A

flexibility of services that can be offered to mobile subscribers as well as

the speed with which new services can be developed and introduced. Toll

Free Calling and Private Numbering Plan are examples of WIN services.

The SCP contains the logic to control the handling of WIN calls and

services. The SCP allows operators to quickly deploy customized features

enabling them to offer service differentiation, which ultimately leads to an

increase in subscriber loyalty and revenue.

The SCP can communicate with the HLR/AC and the MSC using

IS-41 signaling.

1.2.9 Operation and Maintenance Center (OMC)

An Operation and Maintenance Center (OMC) is a computerized

monitoring center which is connected to network components such as

MSCs. In the OMC, staff are presented with information about the status

of the network and can monitor and control nodes within the cellular

network. The staff can remotely contol these nodes and perform operationson them without having to be on-site. There may be one or several OMCs

within a network depending on the network size.

1.3 Areas in a Cellular Network

A mobile network is divided up into a number of areas that enable

operators to break up their cellular systems into manageable areas

providing mobile coverage to subscribers. A mobile network can be

referred to as a Public Land Mobile Network (PLMN).

Figure 1.2 Areas in a Cellular Network


16/126

HLR/AC Overview

6 1/03802 LZU 108 3827 Rev. A

1.3.1 Cell

A cell is the basic unit of a mobile network. A mobile network is

comprised of many cells. Each cell provides coverage to a specific area in

the mobile network. The size of a cell can vary; it can provide coverage to

a large or small geographic area. A Base Station (BS) controls one or

several cells.

1.3.2 Location Area (LA)

Operators can group a number of cells together to form a Location Area

(LA). When a mobile station enters a new LA it must register its new

location with the cellular system. The VLR keeps track of the LA that a

mobile subscriber is currently receiving coverage in. When a call is being

routed to a subscriber, this Location Area is used to page the subscriber.

1.3.3 Service Area (SA)

A number of Location Areas (LAs) can be grouped together to form a

Service Area (SA). A Service Area is controlled by one MSC.

The HLR stores the MSC identity of the Service Area in which the mobile

subscriber was last registered.

1.3.4 Numbering Plan Area (NPA)

A Numbering Plan Area (NPA) identifies the area code for a PLMN or

PSTN. For example, the NPA for Montreal is 514.

1.3.5 Local Access and Transport Area (LATA)

A Local Access and Transport Area (LATA) is a geographical region that

defines the boundaries betweeen between local and long-distance service.

A call that originates and terminates within the same LATA is a local call

while a call that crosses the boundary of a LATA is a long-distance call.

Mobile operators (local exchange carriers) provide service within a LATA

while long distance carriers transport calls transiting between LATAs.

The service area of a Mobile Switching Center (MSC) may include one or

more Local Access and Transport Areas (LATAs). Subscribers can travelfrom one LATA to another and make calls from within their LATA to

subscribers in other LATAs.


17/126


71/03802 LZU 108 3827 Rev. A

1.4 Terminology in a Cellular Network

Figure 1.3 NPA, LATA and IC

1.4.1 Interexchange Carrier (IC)

An Interexchange Carrier (IC) is an operating company that transports

mobile calls across LATA boundaries; it specialises in long distance calls.

There are a number of different Interexchange Carriers (ICs), for exampleMCI, Sprint or AT&T. ICs offer diverse competitive packages to

subscribers. The subscriber can choose (pre-subscribe) which IC to use for

their calls outside their area code (inter-LATA calls) by dialing a specific

code. The HLR stores this information in the subscriber data as the

subscribers Preferred Interexchange Carrier (PIC). If the subscriber does

not choose an IC, the default PIC is used.

1.4.2 Carrier Identification Code (CIC)

A Carrier Identification Code (CIC) is used to route and bill calls in thepublic switched telephone network. CICs are four-digit codes in the format

XXXX.

To obtain a CIC, an applicant must purchase access from an access

provider, who will in turn apply to the North American Numbering Plan

Administration (NANPA) for the assignment on behalf of the access

purchaser.


18/126

HLR/AC Overview

8 1/03802 LZU 108 3827 Rev. A

1.4.3 Co-operating Exchange

A co-operating exchange is any Mobile Switching Center (MSC) or

Message Center (MC) in a cellular network that communicates with the

HLR. All mobile telephony exchanges in the network that subscribers can

roam to are defined as co-operating exchanges in the HLR. When an

operator defines an MSC as a co-operating exchange, information such as

the identity of the MSC, routing information and signaling information areentered into the database. This information is used for routing purposes so

that other entities in the cellular network can communicate with the

co-operating exchange.

1.4.4 Peripheral Equipment Gateway (PEG)

The Peripheral Equipment Gateway (PEG) is a node in the network which

connects MSCs and HLRs to external equipment, specifically the Voice

Mail System (VMS).

When the HLR detects that a subscriber has diverted calls to the VMS,calls to the subscriber are routed via the PEG to the appropriate voice mail

box.

1.4.5 Gateway MSC (MSC-G)

The Gateway MSC (MSC-G) is the exchange where calls to a given

subscriber arrive initially in the PLMN. The MSC-G is the first exchange

to receive calls from the mobile operators network and also calls from

other networks, for example the PSTN.

The MSC-G can also be referred to as the Interrogation Exchange because

it interrogates the HLR asking for the subscribers location.


19/126


91/03802 LZU 108 3827 Rev. A

Figure 1.4 MSC-G and MSC-V

1.4.6 Visited MSC (MSC-V)

A Visited Mobile Switching Center (MSC-V) is any MSC where a mobile

subscriber places or receives a call. It is the exchange that is currently

providing service to the subscriber. The MSC-V is responsible for call set-

up, supervision, and disconnection; locating, handoff, and related

functions; and charging.

The MSC-V is usually the MSC where the subscriber has registered and is

pointed to by the subscriber location information in the HLR at call

delivery.

The MSC-V can also be referred to as the serving Exchange.


20/126

HLR/AC Overview

10 1/03802 LZU 108 3827 Rev. A

1.5 Numbers in a Cellular Network

Figure 1.5 Numbers in a Cellular Network

1.5.1 Directory Number (DN)

A Directory Number (DN) is a number which uniquely identifies a mobile

telephone subscription in the PSTN numbering system. The DN is used

when dialing calls to mobile subscribers. The mobile telephone numberingplan can be separate or integrated into the PSTN numbering plan. The DN

consists of a 10 digit number of the format NPA nxx xxxx where n can

have the value 2-9 and x can have the value 0-9.

1.5.2 Electronic Serial Number (ESN)

The Electronic Serial Number (ESN) is a number which uniquely

identifies a subscribers mobile station. There are eight digits in the ESN.

It consists of three parts: a manufacturer's code, a reserved area, and a

manufacturer-assigned serial number.

The ESN is used for protection from unauthorized use. Each mobile

station is assigned a unique, fixed ESN which is stored in protected

memory of the mobile station during manufacture. If a mobile station is

stolen, the operator can define the ESN to be fraudulent and prevent

misuse.

1.5.3 Mobile Identification Number (MIN)

The Mobile Identification Number (MIN) is a number which uniquely

identifies a mobile subscription on the radio path. It is used for signaling


21/126


111/03802 LZU 108 3827 Rev. A

within the cellular network. The MIN is stored in the mobile station. In

North America, the MIN value is often the same as the DN.

1.5.4 Personal Identification Number (PIN)

A Personal Identification Number (PIN) is a number which is unique to

each mobile subscriber. The network administration supplies the mobile

subscriber with a PIN code.

The subscriber can use their PIN to activate and deactivate certain

subscriber features, for example call barring. In this manner, the PIN code

protects against unauthorized access to subscriber contolled features.

1.5.5 Temporary Local Directory Number (TLDN)

The Temporary Local Directory Number (TLDN) is used for delivering

calls to roaming subscribers. Each MSC has its own pool of TLDNs.

During a call to a subscriber, the HLR asks the exchange where the

subscriber is located (MSC-V) for a TLDN which is used to route the call

to the MSC-V. The TLDN is a network address which is temporarily

assigned for call set-up; once the call is routed to the subscriber, the TLDN

is released back into the pool and can be used for other call set-ups.

1.5.6 Forward-To Number (C-Number)

A Forward To Number (C-Number) is the number of another phone to

which a call is diverted during call forwarding. The operator can define

this number (e.g. for forwarding Voice Mail) or the subscriber can define

the number by means of procedure calls. A subscriber can have certainsubscriber classes indicating that calls should be diverted.


22/126

HLR/AC Overview

12 1/03802 LZU 108 3827 Rev. A

1.6 Home Location Register

1.6.1 Database Function

The Home Location Register (HLR) acts as a central network element for

storing mobile subscriber information. It administers the subscriber

information and distributes that information to other network elements.The HLR subscriber is always considered a roamer by the network and

whenever the subscriber registers in a new service area the HLR copies

most of the subscriber information from its database to the VLR. The

serving MSC/VLR location of the subscriber is then stored in the HLR,

which the HLR uses to deliver calls to the roaming subscriber.

The HLR stores subscription, location and activity data and provides

administration procedures to allow this data to be added and maintained.

1.6.2 Subscriber DataThe HLR holds both static and dynamic data. Static data is mainly related

to the mobile subscription and is generally added and updated manually.

Figure 1.6 The HLR as a Database


23/126


131/03802 LZU 108 3827 Rev. A

The main data items are listed below:

Mobile Identification Number (MIN)

Directory Number (DN)

Electronic Serial Number (ESN)

Personal Identification Number (PIN)

Terminal TypeThe standard that corresponds to the subscribers mobile station, for

example IS-54 B, IS-136 etc.

Subscriber Features

Note that for certain features additional information will be stored,

for example, for call forwarding a forward-to number and service

activity state will also be stored. In some cases subscribers can reset

these values by using service calls. Some features are assigned to all

subscribers (for example traffic class, control channel capability)

and some will be optional (for example call forwarding busy,

preferred long distance carrier etc.).Dynamic data is updated automatically as the mobile roams and becomes

active or inactive. This includes:

Serving MSC Identification (MSCID)

The serving MSCID is updated when the mobile registers in an

exchange service area.

Temporary Location (TLOC)

When subscriber makes a call in an exchange where the subscriber is

not previously registered the MSC may send a registration messagewith a Temporary Location (TLOC). The TLOC may be used to

route calls to the subscriber instead of the stored location. The

TLOC is only set for a call on an analog voice channel and is cleared

when the call finishes. This feature is used in Ericsson MSCs.

Location Area Identification (LOCID)

The LOCID is received when the mobile registers and can be sent to

the MSC during call delivery in case the serving MSC does not have

a valid location area for the subscriber.

Activity statusThe activity status indicates whether the mobile station is currently

registered. The activity status is updated to active when a mobile

station powers on and becomes inactive when the mobile powers off

or misses a periodic registration.

Control Channel Mode (CCM)

This is stored and maintained for subscribers in order to check for

fraudulent accesses. That is if the mode is not compatible with the

Control Channel Capabilities (CCCs) of the phone. CCM is also


24/126

HLR/AC Overview

14 1/03802 LZU 108 3827 Rev. A

used to check before delivering short messages that the mobile is on

a digital CC. To support this a registration message must be sent

from the serving MSC whenever the MS changes CC type.


25/126


151/03802 LZU 108 3827 Rev. A

1.7 Summary

A number of entities exist in the cellular network. They co-operate and

communicate together in order to provide mobile communication to the

subscriber. They each have a specific role to fulfill and perform different

tasks.

Some of the entities in a cellular network are:

Mobile Switching Center (MSC)

Base Station (BS)

Authentication Center (AC)

Home Location Register (HLR)

Visitor Location Register (VLR)

Mobile Station (MS)

Message Center (MC)

Service Control Point (SCP)

Operation and Maintenance Center (OMC).

A cellular network is divided into a number of geographical areas:

A cell is the smallest and most basic area in the mobile network

A number of cells can be grouped together to form a Location Area

(LA)

A number of Location Areas can be grouped together to form a

Service Area (SA).

A Numbering Plan Area (NPA) corresponds to an area code in a PLMN.

A Local Access Transport Area (LATA) is a geographical region that

distinguishes between local and long-distance service.

An Interexchange Carrier (IC) provides a service for transporting calls that

traverse LATAs, that is long distance calls. A Carrier Identification Code

(CIC) identifies an IC.

Some of the numbers associated with the cellular network are:

The Directory Number (DN) which is the number which you dial inorder to reach a mobile subscriber

The Electronic Serial Number (ESN) which is inscribed on every

mobile station during manufacture

The Mobile Identification Number (MIN) is the mobile networks

translation of the Directory Number

The Temporary Local Directory Number (TLDN) is requested from

the exchange where the subscriber is located and is used as a

dynamic address to route the call to the subscriber

The Forward To Number (C-Number) specifies a destination number


26/126

HLR/AC Overview

16 1/03802 LZU 108 3827 Rev. A

that the call should be diverted to.

The HLR stores subscriber data, for example ESN, DN and PIN. It also

stores dynamic data which is updated automatically, for example MSCID

and activity status.


27/12617

Module 2. HLR Traffic Functions

2.1 Introduction

Although it is not a switch, the Home Location Register is involved in

handling many types of traffic cases. In particular, the HLR is involved in

subscriber activity management and in the set-up phase of calls to mobile

stations. This module outlines the role of the Home Location Register for

various traffic cases.

Module Objectives

After completing this module you will be able to understand:

Explain the traffic functions of the HLR

Understand the purpose of registration

Describe subscriber activity handling in the HLR

Outline the HLRs role in call delivery State how the HLR supports equal access pre-subscription

Identify the HLRs role in SMS calls

Understand how a subscriber service call operates.

2/03802 LZU 108 3827 Rev. A


28/126

HLR/AC Overview

18 2/03802 LZU 108 3827 Rev. A

2.2 Traffic Functions of the HLR

The HLR is involved in the following traffic functions:

Registration

Subscriber activity handling

Call delivery

Equal access pre-subscription

IS-136 alphanumeric paging with Short Message Service (SMS)

Subscriber service calls

Supporting subscriber feature calls.

The HLR is also involved in authentication and checking for fraudulent

events during traffic processes, the details of which are not shown here but

are covered later in the Security and Authentication module.


29/126

Module 2 - HLR Traffic Functions

192/03802 LZU 108 3827 Rev. A

2.3 Registration

The purpose of registration is to update a subscribers mobile station

location, which is used when a call needs to be delivered to that mobile

station.

The HLR may be involved with several types of registrations, for example,

new system area, power on, power down (activity/inactivity messages)and control channel changes.

The example here shows how the HLR deals with a mobile subscriber who

registers in an MSC where they were not previously registered.

Figure 2.1 Registration in a new Serving Exchange

1. The MS sends a Registration Access message to the serving MSC.

2. The serving MSC does not find the subscriber record in the VLR and

sends a Registration Notification message to the subscribers HLR.

3. The HLR checks the subscriber record, and finds the last location

area where the subscriber was registered (if any).

4. The HLR sends a Registration Cancellation message to the MSC

where the MS was last registered, because a mobile subscriber

should only be registered in one VLR at a time. The last serving

MSC then removes the subscriber data from the VLR and sends back

confirmation that the subscriber has been removed.

5. In the HLR, the subscriber state is set to active and the location data

is set to the new serving MSCID.

6. The subscriber data is sent to the serving MSC in the Registration

Notification Return Result message and stored in the VLR.


30/126

HLR/AC Overview

20 2/03802 LZU 108 3827 Rev. A

The HLR can receive multiple registrations from the same subscriber. This

can occur if the MS registers in an area bordering another MSC and if its

registration access message is picked up by a Base Station in another

MSC. If this happens, and the function Multiple Access Handling is

present (normally available), the stored location is not immediately

updated. The Multiple Access Time Supervision (MATS) feature delays a

Registration, for a short time interval, until the probability of receiving

other Registration Notification messages from the same subscriber isdiminished. During this time interval, the Registration Notification

message reporting the best signal strength is considered to be the true

access.

When the time interval for Multiple Access Handling has expired, a

Registration Cancellation message is forwarded to the exchange indicated

by the stored location. If the exchange accepts to cancel its subscribers

record, the interim location is stored as the new stored location.

Figure 2.2 Registration

When a mobile station initiates a call in an area that it is not registered in,

the mobile stations temporary location gets updated in the HLR. Thistemporary location lasts for the duration of the call, but is cleared when the

call is terminated. This only applies to analog calls in an Ericsson MSC.


31/126


212/03802 LZU 108 3827 Rev. A

2.4 Subscriber Activity Handling

This function handles the activity and inactivity messages received by the

HLR from the Visiting Mobile Switching Center (MSC-V) where the

subscriber is roaming. A mobile station becomes Inactive when it misses a

periodic registration or when the mobile station powers off. This activity

information is used to avoid call routing and delivery to an inactive

subscriber.

Figure 2.3 Subscriber Activity Handling

1. The subscriber powers down their mobile station and an indication is

sent to the MSC-V.

2. The MSC-V sends an MSInactive message to the HLR.

3. The HLR marks the subscribers activity status as Inactive.

4. The HLR sends the MSInactive Return Result message to the

MSC-V to indicate acknowledgement.

When an inactive subscriber becomes active in an MSC-V, a Registration

Notification message is sent to the HLR. The HLR marks the subscribersactivity status as active.

If the stored subscriber location is different from the location where the

activity information is received, the HLR sends a Location Cancellation

Request message to the stored location. The stored location is reset to

reflect the current location.


32/126

HLR/AC Overview

22 2/03802 LZU 108 3827 Rev. A

2.5 Call Delivery

This section describes how a call is delivered to a mobile subscriber. It is

assumed that the subscriber is active, that the call is successfully delivered

to the MS and that the subscriber will answer the call.

For a call to reach a mobile station it must enter the mobile system via an

MSC with gateway functionality (that is, MSC-G). A call to a mobilestation can be delivered to a MSC-G via a Public Switched Telephony

Network (PSTN) or another MSC, or initiated within the

MSC-G by another mobile station.

Figure 2.4 Call Delivery

1. The MSC-G receives a call setup message containing the DN.

2. The MSC-G sends a Location Request message, with the DN and

some other data, to the subscribers HLR with the DN and some other

data. The HLR returns a number, so that the call can be delivered to

the subscriber. This number is called a Temporary Local Directory

Number (TLDN).

3. The HLR uses the DN to read the subscriber record. It then checks

the subscriber state and relevant features, and converts the DN to the

MIN.

4. If the subscriber state and features are acceptable, the HLR sends a

Routing Request message, containing the MIN, to the serving MSC,

(the MSC from which the subscriber last sent a registration

message).


33/126


232/03802 LZU 108 3827 Rev. A

5. The MSC-V selects a TLDN and ties this to the subscribers MIN

and other data. This TLDN uniquely represents this subscriber for

the duration of call setup. Note that the MSC-V may try to page the

MS and give it a voice channel before returning the TLDN.

6. The TLDN is returned to the HLR in the Routing Request Return

Result message.

7. The HLR returns the TLDN to the MSC-G in the Location RequestReturn Result message.

8. The MSC-G uses the TLDN to route the call to the MSC-V. It is also

possible that the MSC-G and MSC-V are one and the same, in which

case, the TLDN is used to deliver the call internally in the MSC-G.

9. When the call enters the MSC-V, the TLDN is used to identify the

mobile station. When identified, the mobile station is paged,

designated to a voice channel (if not done at the time TLDN was

requested) and alerted of an incoming call. When the mobile

subscriber answers, the call delivery to the mobile station is

complete.In some circumstances, a call may not be delivered, depending on the

information returned in the Routing Request Return Result message from

the MSC-V to the HLR.

When the MSC-V receives the Routing Request message, it checks the

status of the mobile station. If the MS status is inactive, then only the MS

status is sent to the HLR in the Routing Request Return Result message.

If the mobile station is busy or inactive, the HLR checks if the subscriber

has call forwarding. If so, a call forward-to number is sent in the Location

Request Return Result message to the MSC-G, otherwise a busy indicatoris sent.

Calls may not be delivered due to congestion, or a subscriber feature

setting, for example, call barring.


34/126

HLR/AC Overview

24 2/03802 LZU 108 3827 Rev. A

2.6 Equal Access Pre-Subscription

Equal access pre-subscription allows the subscriber a choice of carriers to

service calls between Local Access and Transport Area (LATA)

boundaries. These calls are referred to as "inter-LATA calls." The

subscriber has the option to choose an Interexchange Carrier (IC) for each

call on a per-call basis, by specifying the Interexchange Carrier code from

the MS before calls, or to use a mobile pre-subscribed PreferredInterexchange Carrier (PIC) by setting up a default IC for all calls.

Figure 2.5 Equal Access Pre-subscription

The equal access pre-subscription feature operates as follows:

1. The subscriber dials an interexchange B-subscriber number from the

Public Switched Telephone Network (PSTN).

2. The number is received in the MSC-G. A Location Request message

is sent to the HLR to determine the B-subscribers location.

3. The HLR detects from the number dialed, that it is an interexchange

call. The HLR checks the roaming B-subscribers profile for theirdefault PIC (Note that the B-subscriber typically pays for the

roaming part of the call, so their PIC should be used).

4. The B-subscribers Preferred Interexchange Carrier is translated into

the Carrier Identification Code (CIC) in a PIC-CIC translation table.

This table facilitates ease of change, for example, when an

Interexchange Carrier changes, the operator does not need to update

all subscriber records, but only update one PIC-CIC translation in

the PIC-CIC translation table.


35/126


252/03802 LZU 108 3827 Rev. A

5. The Routing Request message is sent to the serving MSC to get the

status of the called MS or their TLDN.

6. The serving MSC returns the Routing Request Return Result

message to the HLR containing the TLDN or the state of the MS.

7. If the MS can receive the call, the HLR sends the Location Request

Return Result message to the MSC-G with the TLDN and the

subscribers CIC.8. This CIC routes the call through its associated interexchange carrier,

to the other LATA and its MSC-V.

9. The MSC-V uses the TLDN to identify the mobile station, page it

and designate a voice channel to it.

Equal Access is also used when a mobile A-subscriber makes a long

distance call. Their preferred carrier (which was copied down to the VLR

at registration) is used.


36/126

HLR/AC Overview

26 2/03802 LZU 108 3827 Rev. A

2.7 IS-136 Alphanumeric Paging with ShortMessage Service

This feature allows users with IS-136 compatible mobile stations to send

and receive short text messages. The messages can be up to 239 characters

long (operator defined) and are sent or received only on a Digital Control

Channel (DCCH). Messages are sent to the Message Center (MC) whichstores and forwards the messages to the serving MSC (MSC-V) for

delivery to active idle mobile stations.

For example, the MC requests the serving MSC address from the HLR.

This address is used to route the message to the serving MSC. The MSC

pages the mobile station and the message is delivered. If the mobile station

cannot be contacted, then the message is stored in the MC and the

subscriber is flag marked in the HLR. When the subscriber becomes

available, the HLR informs the MC so that the message can be delivered.

The HLR is only involved in terminating SMS calls.

The following example shows a message being sent to the MS.

Figure 2.6 Terminated SMS Delivery

1. The message is stored in the MC for subscriber 514 5550100. This

could be manually entered by an operator or could originate from

another MS.

2. The MC sends a SMS request message (SMSREQ) containing the

MIN of the subscriber to the HLR.

3. The HLR checks the MIN, the ESN, if the subscriber has the SMS

feature and if the MS is active.


37/126


272/03802 LZU 108 3827 Rev. A

4. If all checks have a positive result, the HLR sends the SMS address

(S7/C7 destination address of the visiting exchange, for example, the

point code 226-2-38) in the SMSREQ Return Result message.

5. The MC sends the SMS Delivery Point to Point message (SMDPP),

containing the text message, to the MSC-V.

6. The MS is paged and the text message is delivered over the DCCH.

7. The SMDPP Return Result message is sent back to the MC toindicate successful delivery or not.

If the MS is not active, then the HLR flag marks the subscriber so that the

MC is informed by the SMS Notification message (SMSNOT) when the

MS becomes active (registered in the HLR).

If the subscriber is not connected, or does not have the SMS feature, then a

Return Error message is sent back to the MSC, and the short message

delivery fails.


38/126

HLR/AC Overview

28 2/03802 LZU 108 3827 Rev. A

2.8 Subscriber Service Call

The HLR subscriber service call provides the Home Location Register

subscribers with the capability to administer subscriber-controlled features

via a dialed code called a feature code. Operators can define and modify

these feature codes for subscriber service calls to the HLR. The operator

can also group the features and assign feature codes for setting the grouped

features.

After completing the service call, the subscriber receives a unique

recorded message for each code-controlled service. This message indicates

whether that particular feature was successfully activated or deactivated.

The following example shows a subscriber defining and activating a call

forward-to number for the call forward no reply feature.

Figure 2.7 Subscriber Service Call

1. The subscriber dials the digits for the procedure call, for example,*74 5550000. The number 74 is the procedure code to set the call

forward-to number for the call forward no reply feature. The call

forward-to number is 5550000.

2. The Feature Request message is received by the HLR from the

MSC.

3. The HLR verifies the procedure digits, that is, 74, in the Procedure

Code Analysis Table. This table contains a list of all valid procedure

codes. Note that the call forward-to number is checked in the Call

Forward-to Number Analysis Table to ensure that the number is not

a restricted number, for example, the emergency number 911. TheHLR compares the personal passcode, if specified by the subscriber,

to the one that is stored in the subscribers data.

4. When the verification is complete, the appropriate action code is

selected (that is, activation, deactivation, interrogation). In this

example, the HLR activates the feature with the call forward-to

number and updates the subscriber data. When the action code is

executed, the result of the action code is sent back in the Feature

Request Return Result message to the HLR.


39/126


292/03802 LZU 108 3827 Rev. A

5. The Feature Request Return Result message is sent to the serving

MSC. This message contains an indication that the service call was

successful and optionally, an announcement list which can generate

a unique recorded message to confirm the feature activation to the

subscriber. The particular announcement for the procedure call is

found by looking up the announcement code table.

In step 5 above, the serving MSC must be transaction compatible, that is, itmust support the announcement list so that it can receive the

announcement code of the service. If the MSC is not capable of handling

the HLR announcement list, a tone is sent to the subscriber. These

announcement codes are retrieved from the announcement code table in

the HLR, which stores all the announcements.

Each service has a unique announcement code associated with the

following status:

Activation

Announcement code for the activation of a service

Deactivation

Announcement code for the deactivation of a service

Failure

Announcement code for a service that fails to be

updated/interrogated.

The MSC generates the announcement towards the mobile station.


40/126

HLR/AC Overview

30 2/03802 LZU 108 3827 Rev. A

2.9 Support of Subscriber Features

Although the HLR is not a switching node, some subscriber feature

information in the HLR may determine how a call is to be handled. The

following features are those which result in the HLR having an active role

in call handling:

Call Forwarding Immediate Call Itemization

Voicemail

Message Waiting Indicator

Do Not Disturb

Absent Subscriber

Terminating Call Barring.

Note: the involvement of the HLR in feature-related calls is described later

in this book.


41/126


312/03802 LZU 108 3827 Rev. A

2.10 Summary

The main traffic functions of the HLR are:

Registration

This function updates a subscribers mobile station location which is

used when a call needs to be delivered to that mobile station.

Subscriber Activity Handling

This function handles the activity and inactivity messages received

by the HLR from the MSC-V, where the subscriber is roaming.

Call Delivery

This function handles the delivery of a call to a mobile station.

Equal Access Pre-subscription

This feature allows the subscriber a choice of carriers to service calls

across LATA boundaries.

IS-136 Alphanumeric Paging with Short Message Service

This feature allows users with IS-136 compatible mobile stations to

send and receive short messages.

Subscriber Service Calls

This feature provides HLR subscribers with the capability to

administer subscriber controlled services via a dialed code called a

feature code.

Support of Subscriber FeaturesThe HLR may be involved in handling calls related to subscriber

features (for example, call forwarding, immediate call itemization).


42/126

HLR/AC Overview

32 2/03802 LZU 108 3827 Rev. A


43/12633

Module 3. Security and Authentication

3.1 Introduction

This module distinguishes between the different fraudulent activities that

can occur in mobile networks today. The module outlines the purpose and

contents of the AC. It describes the sequence of events involved in the

main authentication procedures such as SSD update, base station

challenge, unique challenge and global challenge. It also explains the

security and authentication functionality which is implemented in the AC.

Module Objectives


Describe the purpose and contents of the Authentication Center

Explain how the main authentication procedures operate

Understand the security and authentication functions in the

Authentication Center.

3/03802 LZU 108 3827 Rev. A


44/126

HLR/AC Overview

34 3/03802 LZU 108 3827 Rev. A

3.2 Types of Fraud

Fraud is a major problem for mobile network operators all over the world.

The losses due to fraud amount to billions of dollars every year.

Figure 3.1 Different Types of Fraud

Several basic types of cellular fraud are attempted in cellular networks,

each of which is described below.

3.2.1 Cloning

The MIN and ESN of a legitimate subscriber's mobile unit are

programmed into another mobile unit. This can be done in different ways:

The MIN and ESN are scanned when being transmitted over the air

interface

A fraudster steals a mobile station and retrieves the MIN and ESN

from its memory

A cellular operator employee "steals" the MIN and ESN from thesystem.

Cloning is the most common type of fraud. The majority of fraud in a

cellular system is usually of this type.


45/126

Module 3 - Security and Authentication

353/03802 LZU 108 3827 Rev. A

3.2.2 Tumbling ESN

Tumbling ESN involves running an algorithm with a computer device

connected to a mobile unit which generates random ESN and MIN codes.

These are sent to the cellular network and when they match the ESN and

MIN stored in the HLR/AC, the system accepts the mobile unit and a

connection with the switch is established.

3.2.3 Hijacking

Hijacking involves increasing the output power of a mobile unit in order to

take over a legitimate subscriber's voice channel. Once contact with the

system is established, the second number feature can be used. This enables

a user to dial a second number while connected to one already. Once the

second number connection is established the first number is disconnected.

The result is that the legitimate subscriber is charged for a call they did not

make.

3.2.4 Subscription Fraud

The general idea of subscription fraud is to fool the administrative system

of the operator. Typical examples of subscription fraud are subscriptions

opened with erroneous personal data or customers that make a lot of calls

the first month and then disappear without paying the bill.

3.2.5 Administrative Fraud

Administrative fraud occurs when exchange and subscriber data is

accessed and changed without authorization. This can be done either bythe operators own personnel (internal fraud) or by someone connecting to

the lines going into the HLR/AC and MSC.

3.3 Security and Authentication Functions

The following measures are used within the mobile network to counteract

fraud:

Authentication

Voice Privacy

Fraudulent Activity Detection

Serial Number Screening.

Each of these is described in more detail below.


46/126

HLR/AC Overview

36 3/03802 LZU 108 3827 Rev. A

3.4 Authentication

3.4.1 Introduction to Authentication

Authentication is used in cellular networks to verify that individuals

accessing the network are genuine subscribers using authorised

equipment. Authentication is a set of procedures that allows the network tovalidate the identity of each authentication capable Mobile Station (MS).

Authentication is seen as one of the major steps to prevent fraud in cellular

systems. The Telecommunication Industry Association (TIA) established a

committee to address fraud detection and prevention. This committee

specified enhancements to the IS-41 standard to support new

authentication procedures. IS-41 standards specify protocols and

operations to support the various authentication procedures.

An Authentication Center (AC) must exist to implement authentication

procedures and to manage authentication information related to

subscribers. The Ericsson AC is co-located with the HLR, thus sharing

subscriber information with the HLR.

The AC establishes that the individual attempting to make a call is a

genuine subscriber and has a valid subscription to the mobile network. The

AC holds authentication data specific to each subscriber. Using this data,

the AC can detect when someone is trying to access the network with a

counterfeit subscription and report a suspected fraudulent event to the

MSC. The MSC in turn reports this to the operator and appropriate action

can be taken.

Figure 3.2 The Authentication Center in the Network


47/126


373/03802 LZU 108 3827 Rev. A

The authentication function is based on secret keys that are never sent or

shown openly. The secret keys, together with other parameters, are used as

input to an authentication algorithm, called the Cellular Authentication

and Voice Encryption (CAVE) algorithm, in order to calculate an

authentication value. Both the network and the MS run the algorithm and

calculate the result and thereafter the network checks that the result is the

same. In the event of a mismatch the operator is alerted by a printout and

the appropriate action can be taken.

The operator sets the authentication feature on or off in the AC for each

subscriber. The subscriber must have an authentication capable phone (that

is, one that conforms to the IS-54B standard, or higher, for example, IS-91

or IS-136).

Connection of an authentication subscriber in the AC requires first setting

the authentication feature service level in the HLR, then definition of

subscriber data in the AC and finally, activating the feature in the HLR.

Conversely, disconnection of the subscriber requires passivating the

authentication feature in the HLR, deletion of the subscriber in the AC and

resetting of the service level in the HLR.

Note that the ESN cannot be removed or changed for an authentication

subscriber and an authentication subscriber cannot be disconnected from

the HLR if the feature is active.

3.4.2 Authentication Data

The AC contains the following data per subscriber:

Authentication Key (A-Key)

Shared Secret Data (SSD).

In addition, the The AC uses the subscribers MIN and ESN from the HLR

for authentication purposes. The MS also stores the A-Key and the SSD.

Authentication Key (A-Key)

When a subscriber takes out a subscription with an authentication capable

phone she/he is assigned an A-key. The A-Key is a 6 to 26 digit number

generated in the AC (the operator defines the length). This number is never

transmitted over the air or between network nodes. It is never displayedopenly and is stored in encrypted format in the AC and MS only.

The A-key can be transferred to the MS by the service representative. The

A-key can be:

Operator defined

AC generated

Defaulted (a common A-key pre-programmed into the MS and AC).


48/126

HLR/AC Overview

38 3/03802 LZU 108 3827 Rev. A

Figure 3.3 A-Key, CAVE and SSD

Cellular Authentication and Voice Encryption (CAVE)

The Cellular Authentication and Voice Encryption (CAVE) algorithm is

implemented in the AC, the MS and may also be implemented in the MSC.

CAVE generates the SSD using the A-Key, ESN and a generated random

number. CAVE also generates authentication results from the SSD, MIN,

ESN and a random number.

Shared Secret Data (SSD)

The A-key is never transmitted between nodes (MSC and AC). Instead a

value called Shared Secret Data (SSD) is calculated by the AC and MS

and is used in the authentication process. This number is calculated by

inputing the A-key, ESN and a random number into the CAVE algorithm.

SSD can be considered as an A-Key which can be passed between nodes,

rather than an authentication result to be used to confirm an access.

The SSD can be sharedwith the MSC/VLR so that certain authentication

functions can be done in the MSC/VLR. This can reduce the amount of

signaling required in the network for authentication. To share the SSD, theMSC/VLR must have the CAVE algorithm. If the SSD is not shared the

MSC-V sends an authentication request message to the AC every time the

MS requires authentication.


49/126


393/03802 LZU 108 3827 Rev. A

3.4.3 Authentication Procedures

In order to authenticate a mobile subscriber, four different procedures are

used, each in a different situation.

Figure 3.4 Authentication Procedures

Several actions may be taken if an MS fails one of the authentication

procedures. The MSC or HLR determines the action to take. It could deny

access to the mobile (unless the call was an emergency call) or initiate

another authentication procedure. The MSC will be informed of failed

authentication procedures which it will report to the operator.

Authentication

ProcedureUsage

SSD Update Performed when a new SSD is required (operator

defined)

Base Station

Challenge

Performed when a new SSD is required (operator

defined)

Global Challenge Registration and other control channel accesses

Unique Challenge Originating call, originating SMS call,

terminating call, flash request


50/126

HLR/AC Overview

40 3/03802 LZU 108 3827 Rev. A

SSD Update

The AC decides when a new SSD is to be calculated. For example, a new

subscriber will require a new SSD, or a new SSD could be periodically or

manually calculated if fraud is suspected.

Figure 3.5 SSD Update (SSD not shared)

1. The AC generates a new SSD using CAVE and a random number.

2. The AC forwards the random number (RANDSSD) to the MS.

3. The MS uses CAVE to generate its SSD.


51/126


413/03802 LZU 108 3827 Rev. A

Base Station Challenge

This enables an MS to validate a base station. This protects MSs from

attacks by false base stations which could force MSs to send their ESN,

MIN and other secret information. A Base Station Challenge is initiated by

an MS with each SSD Update and is a continuation of the steps above:

4. MS generates a random number (RANDBS) and sends it to the AC.

5. The MS and AC calculate a result word (AUTHBS).

6. The AC forwards the result of its calculation to the mobile station.

7. The MS compares the AC result its own result.

8. The MS informs the AC of the validity or invalidity of the new SSD.

Figure 3.6 Base Station Challenge (SSD not shared)


52/126

HLR/AC Overview

42 3/03802 LZU 108 3827 Rev. A

Global Challenge

The Global Challenge procedure authenticates a MS at system access on

the analog or digital Control Channel (CC), including at:

Registration

Call origination on the control channel

Call termination on the control channel

Mobile originated Short Message Service (SMS) accesses.

The procedure is global because the information used for the challenge is

broadcast on the control channel and so can be read by all subscribers.

Figure 3.7 Global Challenge (SSD not shared)

1. The serving MSC (MSC-V) generates a random number which iscontinually broadcast on the CC.

2. The MS calculates an authentication result and sends this to the

MSC-V along with the rest of the system access data.

3. The authentication result and random number are sent to the AC.

4. The AC calculates its own authentication result using the MIN, ESN,

SSD and the random number received from the MSC-V. CAVE

calculates the result and compares it to the result received from the

MS. If the result matches, then the MS is considered to be authentic.

5. The comparison result is sent to the MSC-V for handling.

If the SSD is shared, then the serving MSC calculates the authentication

response and will report any mismatches to the AC.


53/126


433/03802 LZU 108 3827 Rev. A

Unique Challenge

The Unique Challenge procedure authenticates a MS at:

Voice channel seizure

When ordered by the AC as an extra fraud check (that is, after SSD

update, after global challenge)

During a call.

The challenge is unique because the random number used for the

challenge is generated at each access for a particular MS.

Figure 3.8 Unique Challenge (SSD not shared)

1. The AC generates a random number which it uses to calculate an

authentication result. This result is sent to the MSC-V.

2. The random number is sent to the MS, which it uses to calculate its

authentication result.

3. The MS sends the result to the MSC-V which it compares to the AC

calculated result.

4. The AC is informed of the comparison result and the appropriate

action is taken (if any).


54/126

HLR/AC Overview

44 3/03802 LZU 108 3827 Rev. A

3.4.4 Authentication Failure Reporting

Each of the global challenge, unique challenge and SSD update processes

have associated outcomes indicating success or failure. While these

outcomes are normally recorded, not all are reported; that is not every

authentication process outcome is conveyed from the serving MSC to the

AC. The factors that can trigger a report are:

The nature of the authentication function, that is global challenge,

unique challenge or SSD Update

The authentication process result, either success or failure

The authentication initiator, either the AC or serving MSC

The status of the SSD sharing, either shared or not shared.

Figure 3.9 Authentication Failure Reporting

3.4.5 Authentication Statistics

Authentication statistics provide the network administration with

information on the operation of authentication procedures. Statistics aremaintained for the number of successful and unsuccessful responses to

authentication procedures on a per subscriber basis.

It is possible to print the authentication failure statistics per subscriber. All

the statistics associated with the subscriber are reset when the mobile

responds correctly to the SSD Update order.

It is also possible to print only those subscribers who have failed

authentication procedures a pre-defined number of times.


55/126


453/03802 LZU 108 3827 Rev. A

3.5 Voice Privacy

Voice Privacy provides subscribers with security when using their mobile

phones for business and personal conversations by preventing

eavesdropping on a Digital Traffic Channel (DTC). It does this by

encrypting the user information (that is, voice or data) that is transmitted

over the DTC. This occurs in the MS-BS segment of the connection when

requested by the MSC-V.

Voice Privacy is authorized for use on a per-subscriber basis, and can be

activated on a per-call basis by the subscriber on digital systems

supporting authentication. The AC supports voice privacy by supplying

encryption data.

The mobile station may request activation/deactivation of Voice Privacy

using a procedure code during call set-up or in conversation state. If an MS

is assigned to an analog voice channel and it requests Voice Privacy, it is

subsequently handed-off to a DTC in order to support it. If Voice Privacy

cannot be supported for the call, the subscriber can be informed by a tone.

Figure 3.10 Voice Privacy

The information used to encrypt the voice/data is referred to as a mask

(VPMASK). This is generated within the Global Challenge procedure and

is derived using a random number, SSD and other inputs.

If the mobile station is successfully authenticated by the Global Challenge

on the control channel, and the subscriber is authorized to use Voice

Privacy and has requested it for that call, the VPMASK is applied to the

user's voice transmission.


56/126

HLR/AC Overview

46 3/03802 LZU 108 3827 Rev. A

3.6 Fraudulent Activity Detection

The Fraudulent Activity Detection (FAD) function is an on-line

surveillance characteristic that reports suspected fraudulent events related

to both calls and subscription activities. This function enables operators to

minimise the fraudulent use of the cellular system.

Fraudulent Activity Detection is applicable to all mobile stations and isindependent of the authentication capability of the handset. It monitors the

activity of subscribers in both the VLR and the HLR for events that may

indicate fraud.

The FAD function performs the detection of a fraudulent event in the HLR

while the MS is in the middle of a call. The network suspects the

fraudulent use of an MS when a call access is made while another mobile

user with the same MIN is currently in use. This is called a simultaneous

call access. Other suspicious events include an MS being on a control

channel which does not match the phones capability or where a phone

registers before its due time.

A simultaneous call access could be caused by:

Cloning

Tumbling ESN/MIN

Hijacking.

A simultaneous call access is investigated in the subscribers HLR and if

fraud is identified, the operator is informed.


57/126


473/03802 LZU 108 3827 Rev. A

3.6.1 FAD Procedure

Figure 3.11 Fraudulent Activity Detection

1. Registration

A mobile subscriber in MSC-B service area registers with the HLR.

2. Fraud suspected

The HLR detects that the MSs MIN is currently in use.

3. Fraud verified

MSC-A is checked to see if the MS is still on a voice channel.

4. Fraud concluded

The MS is marked as busy in the MSC-A, concluding that it is a

fraudulent activity as the MS cannot be on a call in two different

exchanges at the same time.

5. Fraud reported and logged

When a fraudulent event is detected, the elements which could

possibly be interpreted as fraud are recorded. The events (ESN,

exchange ID, time and activity type) can be sent to an I/O device

where a reporting function generates a printout containing the MS

identity and a reason code for each event.

3.6.2 Call Barring Upon Fraudulent Activity

An alternative to sending a report to an I/O device is that the HLR can

activate the Call Barring Upon Fraudulent Activity Detection feature. This

is a fraud prevention tool that allows the automatic barring of originating

calls when fraud is detected. Once a phone is barred due to a detected

fraud, it can only originate certain types of calls pre-defined in its

subscriber type. The operator can determine the FAD events which will be


58/126

HLR/AC Overview

48 3/03802 LZU 108 3827 Rev. A

used as triggers for Call Barring Upon FAD and also select the type of

subscriber for which Call Barring upon FAD will be activated.

3.7 Serial Number Screening

Because each mobile station's ESN is unique, a screening process can be

used to determine if the mobile station can be allowed to access the

services provided by the cellular system.

This Serial Number Screening feature reduces the number of fraudulent

calls, as well as the number of unnecessary location registrations and

validation requests processed by a subscriber's home system (that is HLR).

The ESN and the MIN are verified before the call is set-up. Both numbers

are screened based on their range of possible values.

Figure 3.12 Serial Number Screening

The feature operates as follows in the network nodes:

Serving MSC (ESN Validation)

At first system access in a visited exchange, the MSC-V checks theformat and range of a received ESN and MIN. During subsequent

accesses, the ESN and MIN are checked against those stored in the

mobile subscriber's record in the HLR. The MSC-V denies access to

a subscriber who attempts an access with a ESN that differs to that

stored in the subscriber record.

Home Location Register (Missing ESN)

The HLR will bar a subscriber when there is no ESN previously

stored in an HLR by the system operator. This particular function

requires the operator to manually enter all valid ESNs into the HLR

data. This eliminates fraudulent calls made to or from mobiles.


59/126


493/03802 LZU 108 3827 Rev. A

3.8 Summary

Authentication counteracts fraudulent methods, such as:

Cloning

Duplicating a legitimate MS, including the MIN and ESN.

Hijacking

Stealing a voice channel from a legitimate subscriber.

Tumbling ESN

Stepping ESN and MIN ranges until access is gained to the system.

The main security and authentication functions are:

Authentication

When performing any access to the system, the MS will send its

authentication data. This data, which is independently calculated by

the mobile station and the system, will be compared to confirm the

MS identity.

Voice Privacy

The Voice Privacy feature provides a degree of cryptographic

protection against eavesdropping on the digital air interface.

Call Barring Upon Fraudulent Activity Detection

Serial Number Screening.

As part of authentication:

The AC holds secret subscriber data (A-Key and SSD) and is

involved in the authentication procedures.

The CAVE algorithm uses the A-Key, the ESN and a randomnumber to generate the SSD.

When passing authentication information between the AC and

MSCs, the SSD is transmitted instead of the A-Key.

Authentication procedures are performed for different system

accesses. Authentication procedures include:

SSD update

Base station challenge

Unique challenge

Global challenge.


60/126

HLR/AC Overview

50 3/03802 LZU 108 3827 Rev. A


61/12651

Module 4. OA&M in the HLR/AC

4.1 Introduction

This module outlines the Operation, Administration and Maintenance

(OA&M) architecture in the HLR/AC. It explains the standard OA&M

modelling concepts and applies them to the HLR/AC implementation.

It summarizes some of the typical OA&M activities performed by the

operator. It differentiates between alarms and notifications and illustrates

some typical alarms in the HLR/AC.

A high level description of geographical redundancy is also given and themain actions performed during node recovery.

Module Objectives


Understand the OA&M model in the HLR/AC

Describe the main tasks related to Operation, Administration and

Maintenance of the HLR/AC

Differentiate between alarms and notifications Understand geographical HLR redundancy.

4/03802 LZU 108 3827 Rev. A


62/126

HLR/AC Overview

52 4/03802 LZU 108 3827 Rev. A

4.2 The OA&M Model Within the HLR/AC

The management of increasingly complex telecommunications networks

is heading in the direction of open standards. The HLR/AC offers an

OA&M solution using a Telecommunications Management Network

(TMN) model and a manager-agent system.

4.2.1 Telecommunications Management Network (TMN)

As networks increase in complexity, so the demands on network

management become greater. For many years networks were managed

through proprietary protocols. This introduced problems when

interconnecting networks. It also meant that different information was

required to interrogate equipment on the network; the network operator

HLR&AC Overview

Documents

Transcript of HLR&AC Overview