Electronics Guide

Mobile-Core Signaling

Mobile-core signaling is the control-plane machinery that lets cellular networks register subscribers, set up and tear down calls and data sessions, authenticate users, manage mobility, enforce policy, and bill for service. It is distinct from the user plane, which carries the actual voice and data payload. Where the user plane moves bits, the signaling plane moves the commands and state that decide where those bits go, whether they are allowed, and how the subscriber is charged.

The signaling architecture of mobile networks has evolved across generations, accumulating protocols rather than wholly replacing them. Second- and third-generation networks rely on Signaling System No. 7 (SS7) and its mobile extensions. Fourth-generation Long Term Evolution (LTE) introduced Diameter and a flattened all-Internet Protocol core. Fifth-generation (5G) networks adopt a service-based architecture built on web technologies. Voice over these packet networks is orchestrated by the Session Initiation Protocol (SIP) within the IP Multimedia Subsystem (IMS). Understanding mobile-core signaling means understanding how these layers interact, how subscribers roam between operators, and how the whole edifice is secured against abuse.

SS7 and SIGTRAN

Signaling System No. 7 is the foundational signaling suite of the public switched telephone network and of legacy mobile networks. Standardized by the ITU-T in the Q.700 series, SS7 separates signaling from the voice circuits it controls, an arrangement called common-channel signaling. This separation made features such as caller identification, toll-free routing, and text messaging possible, and it underpins call setup in second- and third-generation cellular systems.

The SS7 Protocol Stack

SS7 is layered. The Message Transfer Part (MTP), in three levels, provides the physical, link, and network functions that deliver signaling messages reliably between nodes identified by point codes. Above it, the Signaling Connection Control Part (SCCP) adds global-title addressing and connection-oriented transport, allowing messages to be routed by logical address rather than by fixed point code. The Transaction Capabilities Application Part (TCAP) supports remote operations, providing the request-and-response transactions used by database queries.

The mobile-specific application is the Mobile Application Part (MAP), defined by the 3rd Generation Partnership Project (3GPP) for second- and third-generation networks. MAP runs over TCAP and carries the procedures that manage subscriber location, authentication, and supplementary services, and it transports the Short Message Service (SMS). Two other application parts matter for voice: the ISDN User Part (ISUP) controls trunk circuits for call setup and release, and the CAMEL Application Part (CAP) supports intelligent-network services such as prepaid charging.

SIGTRAN: SS7 over IP

As core networks migrated from time-division-multiplexed links to packet transport, the SIGTRAN protocol family was defined by the Internet Engineering Task Force to carry SS7 messages over Internet Protocol networks. At its heart is the Stream Control Transmission Protocol (SCTP), a transport protocol designed for signaling that adds multihoming for resilience and avoids the head-of-line blocking of the Transmission Control Protocol. Adaptation layers such as M3UA (MTP Level 3 User Adaptation) and M2PA allow existing SS7 upper layers, including SCCP and MAP, to run unchanged over SCTP. SIGTRAN preserved the enormous installed base of SS7 applications while freeing operators from dedicated signaling links.

Diameter Signaling

Diameter is the authentication, authorization, and accounting protocol that 3GPP selected for the LTE core. It is the successor to the older RADIUS protocol, and its name is a play on that predecessor. Specified by the IETF in RFC 6733 and extended by numerous 3GPP applications, Diameter runs over reliable transport, almost always SCTP, and uses a flexible message format of attribute-value pairs that carry the parameters of each request and answer.
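The attribute-value-pair layout described above, as an added Python example (not code from this guide or from any Diameter implementation): a parser for the RFC 6733 header and AVP framing that rejects inconsistent length fields before reading any data. The host and realm names and the hop-by-hop and end-to-end identifiers in the sample are constructed; the sample is an S6a Authentication-Information-Request fragment, not a capture.

```python
import struct

class DiameterError(ValueError):
    """Raised when a message violates the RFC 6733 framing rules checked here."""

def parse_diameter(buf: bytes):
    """Parse one Diameter message into (header, avps), rejecting bad lengths."""
    if len(buf) < 20:
        raise DiameterError("shorter than the 20-byte header")
    length = int.from_bytes(buf[1:4], "big")
    if buf[0] != 1 or length != len(buf) or length % 4:
        raise DiameterError("bad version or message length")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", buf[8:20])
    header = {"request": bool(buf[4] & 0x80),          # R flag
              "code": int.from_bytes(buf[5:8], "big"),
              "app_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end}
    avps, off = [], 20
    while off < length:
        if length - off < 8:
            raise DiameterError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        avp_len = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8               # V flag adds a Vendor-Id
        if avp_len < hdr or off + avp_len > length:
            raise DiameterError("AVP length outside the message")
        vendor = int.from_bytes(buf[off + 8:off + 12], "big") if hdr == 12 else None
        avps.append({"code": code, "vendor": vendor, "mandatory": bool(flags & 0x40),
                     "data": buf[off + hdr:off + avp_len]})
        # AVP data is padded to a 32-bit boundary; the message length is already
        # known to be a multiple of 4, so this step cannot overshoot it.
        off += (avp_len + 3) & ~3
    return header, avps

def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """Encode a non-vendor AVP (used only to construct the sample below)."""
    raw = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big") + data
    return raw + b"\x00" * (-len(raw) % 4)

def build_sample() -> bytes:
    """Constructed S6a request: command 318, application 16777251."""
    body = (build_avp(264, b"mme.visited.example")     # Origin-Host
            + build_avp(296, b"visited.example"))      # Origin-Realm
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
            + (318).to_bytes(3, "big") + struct.pack("!III", 16777251, 1, 2) + body)

if __name__ == "__main__":
    hdr, avps = parse_diameter(build_sample())
    print(hdr, [(a["code"], a["data"]) for a in avps])
```

The length checks run before any slice is taken, so a peer that sends an AVP length larger than the message or smaller than its own header is rejected rather than causing the parser to read the wrong bytes.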

Reference Points and Applications

In the LTE Evolved Packet Core, Diameter carries the signaling across many of the named interfaces, called reference points. The S6a interface connects the Mobility Management Entity to the Home Subscriber Server for subscriber authentication and the download of subscription data. The Gx interface connects the Policy and Charging Rules Function to the Packet Data Network Gateway to install policy and charging rules, while the Rx interface lets application functions, including the IMS, request quality-of-service treatment for a session. Charging is conveyed over the Ro and Gy interfaces for online (real-time) charging and the Rf interface for offline charging.

Because a single subscriber procedure may touch several of these interfaces, Diameter routing through agents is essential. Diameter relay and proxy agents forward messages between realms, and Diameter Edge Agents sit at network boundaries to mediate signaling with other operators. The same elements that make Diameter routing flexible also make it a target for the security mediation discussed later.

GPRS Tunneling Protocol

The GPRS Tunneling Protocol (GTP) is the protocol that carries subscriber data sessions and their associated control messages through the packet core of third-, fourth-, and fifth-generation networks. It originated with the General Packet Radio Service (GPRS) in second-generation data networks and has been carried forward and extended ever since. GTP is unusual in spanning both planes, with separate variants for control and for user traffic.

GTP-C and GTP-U

The control-plane variant, GTP-C, establishes, modifies, and deletes the sessions that allow a device to send and receive data. In LTE it manages the bearers between the Serving Gateway and the Packet Data Network Gateway and signals the device's assigned address and quality-of-service parameters. The user-plane variant, GTP-U, encapsulates the subscriber's actual data packets inside an outer header so that they can be tunneled across the core regardless of the device's own address, with each tunnel identified by a Tunnel Endpoint Identifier. This tunneling is what preserves a stable session as a subscriber moves between cells and gateways. In the 5G core, GTP-U continues to carry user-plane traffic between the gNodeB and the User Plane Function, but GTP-C is retired: its session-control role passes to the Packet Forwarding Control Protocol on the N4 interface, while the rest of the control plane moves to the service-based interfaces described below.

SIP and the IP Multimedia Subsystem

The Session Initiation Protocol is the application-layer signaling protocol that establishes, modifies, and terminates multimedia sessions, including voice and video calls, over Internet Protocol networks. Defined by the IETF in RFC 3261, SIP is a text-based request-and-response protocol resembling the Hypertext Transfer Protocol, with methods such as INVITE, REGISTER, and BYE. SIP itself only negotiates a session; the media parameters are described by the Session Description Protocol carried in SIP message bodies, and the media flows over the Real-time Transport Protocol.

IMS Architecture

The IP Multimedia Subsystem is the 3GPP framework that turns SIP into a carrier-grade service platform, providing the registration, routing, and service control needed for operator voice. Its central elements are the Call Session Control Functions (CSCFs). The Proxy CSCF is the subscriber's first point of contact and secures the signaling. The Interrogating CSCF locates the correct serving node at the network edge. The Serving CSCF performs registration, invokes application servers, and routes sessions according to subscriber profiles retrieved from the Home Subscriber Server.

IMS delivers Voice over LTE (VoLTE) and Voice over New Radio (VoNR), carrying telephony as packet sessions rather than over a legacy circuit-switched core. It also provides Rich Communication Services messaging and interworks with the public switched telephone network through media and signaling gateways. When a network cannot yet carry voice over its packet core, mechanisms such as circuit-switched fallback hand the device to an older radio for the call, illustrating how signaling layers bridge the generations.

Evolved Packet Core and 5G Core Signaling

The core network is where signaling converges. Two architectures dominate current deployments: the LTE Evolved Packet Core and the 5G core, which differ sharply in structure even as they reuse some of the same protocols.

The Evolved Packet Core

The Evolved Packet Core (EPC) is the flat, all-Internet-Protocol core introduced with LTE. Its control plane centers on the Mobility Management Entity, which handles device attachment, authentication, and mobility, signaling to the radio network and exchanging Diameter with the Home Subscriber Server. The user plane runs through the Serving Gateway and the Packet Data Network Gateway, interconnected by GTP. The Policy and Charging Rules Function applies operator policy over Diameter. This separation of a single mobility manager from the data-forwarding gateways was a deliberate flattening of the more hierarchical third-generation core.

The 5G Service-Based Architecture

The 5G core (5GC) replaces rigid point-to-point interfaces with a service-based architecture in which network functions expose and consume services over a common bus. Functions such as the Access and Mobility Management Function (AMF), the Session Management Function (SMF), the User Plane Function (UPF), the Policy Control Function (PCF), the Authentication Server Function (AUSF), and the Unified Data Management (UDM) communicate through service-based interfaces. Each service exposes a Representational State Transfer (REST) style application programming interface defined in OpenAPI, and the signaling rides HTTP/2 carrying JavaScript Object Notation (JSON) payloads. A Network Repository Function lets each function discover and authorize the others at run time, replacing the statically configured interconnections of earlier cores.

The separation of control and user planes is formal and complete in the 5G core, an arrangement first introduced into the LTE core under the name Control and User Plane Separation (CUPS). The User Plane Function can therefore be placed close to the radio edge for low latency while control functions remain centralized in the cloud. The control of the distributed user plane does not use the service-based bus: the Session Management Function programs each User Plane Function over the N4 reference point using the Packet Forwarding Control Protocol (PFCP), installing the packet-detection, forwarding, quality-of-service, and usage-reporting rules that govern a session. PFCP is the direct 5G descendant of GTP-C's control role, and the same protocol carries CUPS signaling in late-generation LTE cores.

This shift from telecom-specific protocols to mainstream web technologies eases integration with cloud-native and virtualized infrastructure, and it enables network slicing, in which logically independent virtual networks with tailored characteristics share the same physical core. The Network Slice Selection Function steers each device to the appropriate slice during registration, a purely signaling-plane decision with large consequences for the service the subscriber receives.

Registration, Authentication, and Identity

Before a device can place a call or open a data session, it must announce itself to the network and prove who it is. This registration procedure, called attach in LTE and registration in 5G, is among the most consequential signaling exchanges in the entire system, because everything that follows depends on its outcome.

Cellular authentication is mutual and challenge-based. The network and the subscriber identity module share a secret key that never leaves either side. In LTE, the Mobility Management Entity fetches authentication vectors from the Home Subscriber Server over the S6a Diameter interface; in 5G, the Authentication Server Function obtains the corresponding material from the Unified Data Management. The device computes a response to a random challenge using the shared key, the network verifies it, and the two derive session keys that protect later signaling and, in 5G, the user plane. The procedure is a 3GPP profile of Authentication and Key Agreement (AKA); the 5G variant is specified in the security standard 3GPP TS 33.501.

Identity privacy has been a long-running weakness. Earlier generations transmitted the permanent subscriber identity, the International Mobile Subscriber Identity (IMSI), in the clear during initial attach, which enabled the passive trackers commonly called IMSI catchers. The 5G system addresses this directly: the permanent identifier, now called the Subscription Permanent Identifier (SUPI), is never sent in the clear. Instead the device transmits a Subscription Concealed Identifier (SUCI), an encryption of the SUPI under the home network's public key, and only the home network can recover the permanent identity. Temporary identifiers assigned after the first contact then stand in for the permanent one, limiting how long any single identifier can be correlated with a subscriber.

Roaming and Interconnect

Roaming lets a subscriber obtain service on a visited operator's network while remaining a customer of the home operator, and interconnect lets operators exchange calls, messages, and signaling. Both depend on signaling crossing administrative boundaries, and that crossing is mediated by specialized networks and agreements.

Historically, inter-operator signaling traversed dedicated SS7 networks. Today most of it rides the IP Packet Exchange (IPX), a private, managed Internet Protocol backbone operated by carrier interconnect providers that offers quality-of-service guarantees absent from the public internet. When a subscriber roams, the visited network signals back to the home network: in LTE this means S6a Diameter signaling to the Home Subscriber Server in the home network for authentication, with the user plane routed according to the roaming model, while in 5G the Security Edge Protection Proxy at each network's border governs the exchange. The Border Gateway between operators is where commercial agreements, technical mediation, and security controls all meet.

Lawful Intercept and Signaling Security

Signaling networks were originally designed for a small, trusted club of national operators, and that assumption has proven dangerous as the number of interconnected parties has grown. Mobile-core signaling therefore now carries explicit security and legal-compliance functions.

Signaling Vulnerabilities and Protection

SS7 and the early MAP procedures lack authentication of the originating network, so an attacker with signaling access can request a subscriber's location, intercept SMS messages (including one-time passcodes), or trigger denial of service. Diameter, despite being newer, inherited analogous weaknesses at the interconnect boundary. The industry responded with signaling firewalls that inspect cross-border SS7 and Diameter traffic, with the category-based screening rules published in GSMA guidance documents, and with the architectural mediation of the Diameter Edge Agent. The 5G core advances this further: the Security Edge Protection Proxy (SEPP) provides authenticated, integrity-protected, and confidential signaling between operators, closing the trust gap that plagued earlier interconnect.
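One way a signaling firewall can apply category-based screening to already-decoded MAP messages arriving on an interconnect link, as an added Python example (not from this guide and not taken from any GSMA document). The placement of each operation in a category, the test PLMN codes, the 1800-second plausibility window and the 2-digit MNC are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: which operation sits in which category is an assumption
# for this example; a production firewall loads it from operator policy.
HOME_PLMN = "00101"                       # test network (MCC 001, MNC 01)
CAT1_INTERNAL_ONLY = {"anyTimeInterrogation"}
CAT2_FROM_SUBSCRIBER_HOME = {"provideSubscriberInfo"}
CAT3_FROM_VISITED_NETWORK = {"updateLocation"}
MIN_NETWORK_CHANGE_S = 1800               # assumed plausibility window

@dataclass
class InboundMsg:
    op: str            # decoded MAP operation name
    origin_plmn: str   # network that owns the calling global title
    imsi: str          # subscriber the operation targets
    ts: int            # arrival time, seconds

def screen(msg: InboundMsg, last_seen: dict) -> tuple:
    """Return (verdict, reason) for a message received on an interconnect link.

    last_seen maps IMSI -> (visited_plmn, ts) of the last accepted registration.
    """
    imsi_home = msg.imsi[:5]              # assumes a 2-digit MNC
    if msg.origin_plmn == HOME_PLMN:
        return "block", "own-network address seen on external link"
    if msg.op in CAT1_INTERNAL_ONLY:
        return "block", "cat1: operation is never valid across the border"
    if msg.op in CAT2_FROM_SUBSCRIBER_HOME:
        if msg.origin_plmn != imsi_home:
            return "block", "cat2: origin is not the subscriber's home network"
        return "allow", "cat2: sent by the subscriber's home network"
    if msg.op in CAT3_FROM_VISITED_NETWORK:
        if imsi_home != HOME_PLMN:
            return "block", "cat3: subscriber does not belong to this network"
        prev = last_seen.get(msg.imsi)
        if prev and prev[0] != msg.origin_plmn and msg.ts - prev[1] < MIN_NETWORK_CHANGE_S:
            return "alert", "cat3: implausibly fast change of visited network"
        last_seen[msg.imsi] = (msg.origin_plmn, msg.ts)
        return "allow", "cat3: plausible registration"
    return "alert", "operation not covered by policy"

def run_samples() -> list:
    """Screen constructed sample traffic and return the verdicts in order."""
    state = {"001010000000001": ("99901", 1000)}
    samples = [
        InboundMsg("anyTimeInterrogation", "99901", "001010000000001", 1100),
        InboundMsg("provideSubscriberInfo", "99902", "999020000000007", 1100),
        InboundMsg("provideSubscriberInfo", "99902", "001010000000001", 1100),
        InboundMsg("updateLocation", "99902", "001010000000001", 1200),
        InboundMsg("updateLocation", "99901", "001010000000001", 5000),
    ]
    return [screen(m, state)[0] for m in samples]
```

The third category is the only one that needs state: it compares each new registration with the subscriber's last accepted one, which is why it raises an alert for review instead of blocking outright.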

Lawful Intercept

Lawful intercept is the legally authorized, standardized capability for an operator to provide a target's communications and associated metadata to an authorized agency under due legal process. 3GPP and the European Telecommunications Standards Institute define reference architectures that separate the administrative function that provisions a warrant from the delivery functions that hand over intercept-related information (the signaling metadata) and, where authorized, the communication content. The design isolates these functions so that interception is auditable, scoped to lawful authorization, and invisible to the target, while remaining subject to the legal framework of each jurisdiction.

Summary

Mobile-core signaling is the layered control plane that makes cellular service work. SS7, with its MTP, SCCP, TCAP, and the mobile-specific MAP, originated the common-channel signaling of legacy networks, and SIGTRAN carried that stack onto Internet Protocol transport over SCTP. LTE introduced Diameter for authentication, policy, and charging across named reference points, while GTP tunneled subscriber sessions through the packet core in both control and user variants.

Voice migrated to SIP within the IP Multimedia Subsystem, whose CSCFs deliver VoLTE and VoNR and interwork with the older telephone network. The Evolved Packet Core flattened the third-generation core around a single mobility manager, and the 5G core reimagined signaling entirely as a service-based architecture using HTTP/2 and JSON, separating the user plane through PFCP on the N4 interface and enabling network slicing and cloud-native deployment. Underpinning every session, the registration and authentication exchange proves the subscriber's identity through challenge-based AKA, with 5G concealing the permanent identifier to defeat passive tracking. Roaming and interconnect stitch operators together over the managed IPX backbone, and security functions, from signaling firewalls and the Security Edge Protection Proxy to standardized lawful intercept, close the trust gaps inherent in a globally interconnected system. Together these protocols form the connective tissue of every mobile call, message, and data session.