[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: A Brief introduction to CCS7 ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ] [ 71 ]
Current issue : #51 | Release date : 1997-09-01 | Editor : route
IntroductionPhrack Staff
Phrack LoopbackPhrack Staff
Line Noisevarious
Phrack Prophile on Swamp RattePhrack Staff
File Descriptor Hijackingorabidoo
LOKI2 (the implementation)route
Juggernaut 1.0 - 1.2 patchfileroute
Shared Library Redirectionhalflife
Bypassing Integrity Checking Systemshalflife
Stealth RPC scanninghalflife
The Art of ScanningFyodor
The Eternity ServiceAdam Back
Monoalphabetic cipher cryptanalysismythrandir
Phrack Magazine Article Index Guideguyver
A Brief introduction to CCS7Narbo
Phrack World Newsdisorder
extract.cPhrack Staff
Title : A Brief introduction to CCS7
Author : Narbo
---[  Phrack Magazine   Volume 7, Issue 51 September 01, 1997, article 15 of 17


-------------------------[  A Brief Introduction to CCS7


--------[  Narbo[SLF] <[email protected]>
  

			0o0o0o0o0o0o0o0o0o0o0o0o0
                        o     Introduction      o
			0o0o0o0o0o0o0o0o0o0o0o0o0

	Every day it seems that the telcos introduce some funky new calling 
feature to make your life easier.  I'm sure at one point or another you've 
probably wondered exactly how all of these calling features work.  The 
answer?  Common Channel Interoffice Signaling or CCS7. 

	CCS7 is somewhat analogous to TCP/IP in that it is a protocol that
allows networked computers (in this case telephone switches) to talk to each 
other.  It maps onto the OSI 7 Layer Reference Model model as such: 

	---------------    ------------------------------
         Application 7      OMAP | ASE |
        ---------------    -------------
        Presentation 6         TCAP    |
        ---------------    -------------
           Session   5                 |
        ---------------                |     ISDN-UP
         Transport   4                 |
        ---------------    --------------
                                SCCP     |
           Network   3     ------------------------------
                                    MTP Level 3
        ---------------    ------------------------------
          Data Link  2              MTP Level 2
        ---------------    ------------------------------
          Physical   1              MTP Level 1
        ---------------    ------------------------------

Legend:

	OMAP: Operations, Maintenance and Administration Part
	ASE : Application Service Layer
	TCAP: Transaction Capabilities Application Part
	SCCP: Signaling Connection Control Part
     ISDN-UP: Integrated Systems Digital Network User Part
	MTP : Message Transfer Part

	This article will provide an introduction to how the network is
set up, how messaging is done, and a brief example of a call setup/takedown. 

			0o0o0o0o0o0o0o0o0o0o0o0o0
			o	History		o
			0o0o0o0o0o0o0o0o0o0o0o0o0

	AT&Ts introduction of CCIS (Common Channel Interoffice Signaling)
in 1976 brought a radical change to the way signaling was handled.  Before
the advent of CCIS all signaling was done in band using the same trunks that
would be used for customer conversations.  Instead of sending all information
over the voice circuits (trunks) a new network was created specifically for
signaling.

	AT&T began immediate deployment of CCIS technology and the CCITT
(Consultative Committee for International Telephone and Telegraph) adopted it 
as an international standard called SS6 (Signaling System 6).  The current 
version of the protocol is CCS7 (Common Channel Signaling System 7) and is 
prevalent throughout North America.

			0o0o0o0o0o0o0o0o0o0o0o0o0
			o       Switches  	o
			0o0o0o0o0o0o0o0o0o0o0o0o0

CCS7 networks are based on a mesh of links connecting switches like the
following:


    ###(SP)       {SCP}---A---[STP] -B-- [STP]
    #    |                   /  | \      / |  \ 
    #    F                  /   |   \  /   |   \
    #    |                 /    C    BB    C    \                   ###########
    ###(SSP)              D     |  /    \  |     \                  #         #
    #    |   \           /    [STP] -B-- [STP]    D               (SSP)---F   #
    #    A     A        /    /           /    \    \               A      |   #
    #    |       \     /    /           A      \    \              |      |   #
    #  [STP] --B- [STP]    /           /        \    [STP] --B- [STP]-A-(SSP)##
    #    | \      / |     D         {SCP}        D     | \      / |       |   #
    #    |   \  /   |    /                        \    |   \  /   |       |   #
    #    C    BB    C   /                          \   C    BB    C       |   #
    #    |  /    \  |  /                            \  |  /    \  |       |   #
    #  [STP] --B- [STP]                              [STP] --B- [STP]     |   #
    #               |                                  |                  |   #
    #               |--(SSP)                           |--------E---------|   #
    #                    #                                                    #
    ###########################################################################

# = Trunks
- = CCS7 links

Explanation:

STP (Signal Transfer Point):

	STPs are tandem switches which act as the routers of the CCS7 network.
They transfer messages between incoming and outgoing signaling links but do not
originate messages other then those used for network management.  Since their
sole function is to act as routers, STPs have NO trunks attached to them.  STPs
are grouped into mated pairs.  These pairs are grouped into the quads you see
in the above diagram.  This is all done for the sake of redundancy.

SCP (Signal Control Point):

	SCPs act as the application database servers for the CCS7 network.
SSPs make database queries through the STPs to the SCPs for such things as
800 number lookups.  As they are not used for direct line connections SCPs also
do not have trunks attached to them.  SCPs are the least common type of switch;
for instance, in Canada, there are only two SCPs, one of which is in Calgary, 
the other in Toronto.

SSP (Service Switching Point) and SP (Service Point):

	SSPs and SPs are the most common switches (despite my diagram :)) and 
are deployed as EO (End Office) switches and in PBXs (Private Branch Exchanges).
On average each SSP can handle about 100,000 - 125,000 lines.  Of course the 
amount of trunks actually available on the switch is considerably smaller then 
the amount of incoming lines; the telcos have various modeling algorithms that 
predict the maximum amount of trunks that will actually be used which is why 
occasionally when, say, a U2 concert hits town a switch can run out of 
available trunks as people rush the phones for tickets.  SSPs and SPs differ 
only on that the former can enact SCP database queries while the latter cannot. 

			0o0o0o0o0o0o0o0o0o0o0o0o0
			o        Links   	o
			0o0o0o0o0o0o0o0o0o0o0o0o0

	A CCS7 link is nothing more then a dedicated 56/64K trunk.  There are 
various classifications of link types: (Refer to the previous diagram for 
examples)

A Links:

	Connect SSP/SPs and SCPs to STPs.

B (Bridge) Links:

	Connect two STP pairs together to form an STP quad.

C (Cross) Links:

	Connect mated STP pairs together.

D Links:

	Interconnect STP quads.

E Links:

	Connect SSP/SPs or SCPs to a STP pair other than their "home" pair.

F Links:

	Connect SSP/SPs and SCPs to each other.

	Links are joined together to form linksets. A linkset is defined as all
the links connecting one node in the network to another node.  Directly 
analogous to linksets are routesets which map out the paths to all the other 
nodes in the network by associating a cost with each possible linkset the 
message could go out on. 

	If that sounded confusing (and I know it did) here is a small example.
Consider the following subsection from our bigger network:

    ###(SP1) 
    #    |   
    #    |     
    #    |     
    ###(SSP1)   
    #    |   \     
    #    L1    L2    
    #    |       \    
    #  [STP1] ---- [STP2]--    
    #    | \      /  |     |
    #    |   \  /    | 	   |
    #    |    \/     |     |
    #    |  /    \   |     |
    #  [STP3] ---- [STP4]  |
    #                 \    /     
    #                 (SSP2)                  
    #                    #                                               
    ######################


	Say SSP1 wants to send a message to SSP2. The routeset to SSP2 on SSP1
will be datafilled with two possible linksets that could be used; namely the
ones going to STP1 and STP2.  However, it's obvious that using L2 would be more
efficient, taking 2 hops instead of 3, via L1.  On the switch this would be 
noted by L2 having a lower cost than L1.

			0o0o0o0o0o0o0o0o0o0o0o0o0
			o  Call Setup Example  	o
			0o0o0o0o0o0o0o0o0o0o0o0o0

	Call setup and takedown using CCS7 is handled by a subset of the 
protocol called ISDN-UP (Integrated Services Digital Network User Part).  There
are many messages belonging in this subset but only five are needed to make a 
phone call.

	Let's say I want to call Dr. Sardu using the network from the previous 
example.  The good doctor's phone is serviced by SSP2 while mine is serviced 
by SSP1.  When I pick up my phone the switch will detect that it is off the 
hook and send a dial tone.  After dialing, an IAM (Initial Address Message) 
will go out on the network from SSP1 to SSP2.  Assuming all goes well (the 
phone is not busy, etc...) an ACM (Address Complete Message) will come back
from SSP2 to SSP1. It is at this time that I hear the first ring tone in my
receiver. The moment the other party picks up and all the trunks are seized
an ANM (Answer Message) is sent from SSP2 to SSP1 and upon reception of this
message billing starts (A few ms of free phone time. Woo woo!).  When the
conversation is complete and one party hangs up, its switch will send an REL
(Release Message) and upon reception the other party will hear the "click" of
the phone being hung up.  When he then hangs up the final RCL (Release Complete)
message will be sent and the seized trunks will return to idle.


----[  EOF


[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2024, Phrack Magazine.