Learn Telecom
Protocols
SS7: Signaling System 7

SS7: Signaling System 7

Signaling System 7 is the signaling protocol suite that has controlled the public switched telephone network since the 1980s. Every PSTN call — from digit dialing to ringing to answer to hangup — is orchestrated by SS7 messages traveling through a dedicated signaling network separate from the voice path. Even as SIP takes over for VoIP, SS7 remains operational in legacy networks and at the boundaries where IP meets the PSTN.

What SS7 Does

SS7 is an out-of-band signaling system. Unlike earlier signaling methods where tones traveled on the same circuit as the voice (in-band signaling — which was vulnerable to fraud via devices like the infamous blue box), SS7 uses a completely separate packet data network to carry signaling messages.

SS7 handles:

  • Call setup and teardown: Sending messages between switches to establish and release voice circuits
  • Number portability lookups: Querying the NPAC database to find the LRN for ported numbers
  • Caller ID delivery: Carrying calling party number and name information
  • Toll-free routing: Querying the SMS/800 database to determine where to route 800-number calls
  • Custom calling features: Call waiting, call forwarding, three-way calling
  • Wireless roaming: Location updates, handoff signaling, SMS delivery

SS7 Protocol Stack

SS7 is a layered protocol suite. The key layers relevant to voice operations:

MTP (Message Transfer Part)

The foundation layers that handle reliable message delivery:

  • MTP Level 1: Physical layer (typically 56 kbps or 64 kbps data links)
  • MTP Level 2: Data link layer (framing, error detection, flow control)
  • MTP Level 3: Network layer (message routing between signaling points)

MTP provides reliable, ordered delivery of signaling messages between SS7 nodes. It includes redundancy mechanisms — if a signaling link fails, traffic is automatically rerouted to alternate paths.

SCCP (Signaling Connection Control Part)

Sits above MTP and provides additional addressing and routing capabilities. SCCP enables Global Title Translation (GTT), which maps telephone numbers to specific signaling point codes — essential for database queries like number portability lookups.

ISUP (ISDN User Part)

The protocol used for call setup and teardown. ISUP messages travel between switches to establish voice circuits. The key ISUP messages:

Message Abbreviation Purpose
Initial Address Message IAM Initiates a call. Contains called number, calling number, circuit identification, and call parameters.
Address Complete Message ACM Indicates the called party is being alerted (ringing).
Answer Message ANM The called party answered. Billing starts.
Release Message REL One party hangs up. Indicates reason for release.
Release Complete RLC Confirms circuit release. Resources freed.

A basic call flow in ISUP:

Originating Switch                    Terminating Switch
       |                                      |
       |--- IAM (called#, calling#) --------->|
       |                                      | (ring subscriber)
       |<-- ACM (ringing) -------------------|
       |                                      | (subscriber answers)
       |<-- ANM (answer) --------------------|
       |                                      |
       |<========= Voice Circuit ============>|
       |                                      |
       |--- REL (caller hangs up) ----------->|
       |<-- RLC (circuit released) -----------|
       |                                      |

TCAP (Transaction Capabilities Application Part)

Used for database queries — interactions that do not involve setting up a voice circuit. TCAP is the protocol behind:

  • LNP lookups: Querying the NPAC/LSMS for the LRN of a ported number
  • Toll-free lookups: Querying the SMS/800 database for 800-number routing
  • CNAM lookups: Querying the caller name database for caller ID name delivery
  • LIDB queries: Line Information Database queries for billing validation

TCAP messages are carried over SCCP and MTP. They use a request/response model: the switch sends a query, a database (SCP — Service Control Point) processes it, and returns the result.

SS7 Network Architecture

The SS7 network consists of three types of nodes:

SSP (Service Switching Point)

The telephone switches themselves — Class 5 local switches and Class 4 tandem switches. SSPs originate and receive ISUP messages to set up calls. They also originate TCAP queries for database lookups.

STP (Signal Transfer Point)

Dedicated packet switches that route SS7 messages between nodes. STPs do not originate or terminate calls — they are pure signaling routers. STPs are always deployed in mated pairs for redundancy. If one STP fails, its mate handles the traffic.

SCP (Service Control Point)

Databases that respond to TCAP queries. The NPAC/LSMS for number portability, the SMS/800 for toll-free routing, and the CNAM database for caller name are all SCPs in the SS7 architecture.

         [SCP]              [SCP]
    (NPAC/LSMS)         (SMS/800)
          |                   |
     [STP-A] <===========> [STP-B]     (mated pair)
      /    \                /    \
   [SSP]  [SSP]        [SSP]  [SSP]
  (switches serving subscribers)

SS7 and Call Routing

When you make a phone call over the PSTN, SS7 handles the signaling at every step:

  1. The originating SSP analyzes the dialed digits and determines the destination NPA/NXX
  2. The SSP sends a TCAP query through the STP to the NPAC SCP to check for number portability (the LRN dip)
  3. With the routing destination determined, the SSP sends an ISUP IAM toward the terminating switch
  4. The IAM may traverse one or more tandem switches, each forwarding the ISUP signaling
  5. The terminating SSP receives the IAM, alerts the subscriber, and returns ACM
  6. When the subscriber answers, the terminating SSP sends ANM
  7. The voice circuit is cut through and the conversation begins
  8. On hangup, REL/RLC messages release the circuit

All of this signaling travels on the SS7 network — a separate infrastructure from the voice trunks carrying the actual conversation.

SS7 in the Modern Network

SS7 was designed for a circuit-switched world, and as networks migrate to IP, its role is diminishing. But it has not disappeared:

Where SS7 Still Lives

  • Legacy PSTN switches: Millions of wireline subscribers are still served by TDM switches that use SS7 natively
  • Wireless core networks: 2G and 3G mobile networks use SS7 variants (MAP — Mobile Application Part) for roaming, handoff, and SMS delivery
  • Intercarrier boundaries: Some carrier-to-carrier interconnections still use TDM trunks with ISUP signaling
  • Database services: TCAP-based services (LNP, CNAM, toll-free) continue to operate even as the transport shifts to IP

The Transition to SIP

Most new carrier infrastructure uses SIP for call signaling. At the boundary between SIP and SS7 networks, signaling gateways translate between the two protocols. The IETF defined SIP-I and SIP-T as methods for encapsulating or translating ISUP information within SIP messages, preserving the rich call metadata from the SS7 world.

Security Concerns

SS7 was designed in an era of trusted carrier networks and has no built-in authentication or encryption. In recent years, security researchers have demonstrated that SS7 vulnerabilities can be exploited for:

  • Location tracking: Querying the network for a subscriber’s current location
  • Call and SMS interception: Redirecting communications through attacker-controlled nodes
  • Fraud: Manipulating billing and routing information

These vulnerabilities are a significant motivation for the industry’s migration to IP-based protocols with modern security (TLS, STIR/SHAKEN).

Further Reading

SIP: Session Initiation ProtocolSIP vs. SS7: Signaling in Modern Telecom