SIGTRAN

SS7 signalling over IP: IETF adaptation layers for telecom packet networks

Type: protocol
Generations: 2G, 3G, cross-gen
Threat level: medium

Overview

SIGTRAN is the IETF suite of adaptation layer protocols that carries SS7 signalling over IP packet networks. When operators began building IP-based core network infrastructure in the early 2000s, they faced a problem: the SS7 applications running in their networks (MAP for subscriber management, ISUP for call control, TCAP for the transaction layer) were designed to run over TDM (Time Division Multiplexing) physical links, not IP. Replacing these applications would have required rewriting decades of certified, standards-tested signalling software. SIGTRAN solved this by adapting the SS7 stack to run over IP without changing the applications above it.

The core SIGTRAN insight is that the lower layers of the SS7 stack (the physical link, the error correction, the routing) are separate from the application logic. SIGTRAN replaces MTP Layers 1–3 and SCCP with IP-layer equivalents while keeping TCAP, MAP, and ISUP intact above them. The adaptation layer protocols in the SIGTRAN suite define precisely how SS7 PDUs are encapsulated in IP/SCTP packets and how SS7 routing concepts (point codes, Global Titles) map to IP addressing.

The principal SIGTRAN protocols are M3UA (MTP3 User Adaptation Layer, RFC 4666), which carries the MTP3 user data (primarily MAP, ISUP, and TCAP) over SCTP; SUA (SCCP User Adaptation Layer, RFC 3868), which carries SCCP user data directly without the MTP3 layer; and M2PA (MTP2 Peer-to-Peer User Adaptation, RFC 4165), which provides a peer-to-peer MTP2 link substitute. M3UA is by far the most widely deployed.

The security consequence of SIGTRAN is significant: it moves the SS7 attack surface from TDM links to IP networks. Historically, SS7 access required physical access to a TDM SS7 link, an expensive and limited capability. SIGTRAN means that any IP-reachable node can be an SS7 peer, and the same catastrophic attack capabilities documented in GSMA FS.11 become accessible to any attacker who can reach a SIGTRAN endpoint.


How it works

The SIGTRAN architecture defines two functional entities:

  • Signalling Gateway (SG / SGP): Sits at the boundary between the TDM SS7 network and the IP network. It terminates SS7 TDM links on one side and SIGTRAN SCTP associations on the other, adapting between the two.
  • Application Server (AS / ASP): The IP-native node that receives SIGTRAN traffic. In an IMS or soft-switch context, the AS is the call processing node or MSC server that processes MAP or ISUP messages.

The Signalling Gateway Process (SGP) on the SG side and the Application Server Process (ASP) on the AS side establish an SCTP association and then bring up an M3UA (or SUA) application connection over it.

M3UA architecture and procedures

M3UA adapts the MTP3 interface. From the application server's perspective, M3UA provides the same primitives that MTP3 provides to its users (MAP, ISUP, TCAP): Transfer, Pause, Resume, and Status. MAP and ISUP are oblivious to whether they are running over TDM MTP3 or IP-based M3UA.

M3UA message classes:

  • Transfer messages (XFER): Carry user data (payload data unit from MAP, ISUP, etc.) identified by originating and destination point codes.
  • SS7 signalling network management messages (SSNM): Carry network status information: DUNA (Destination Unavailable), DAVA (Destination Available), DAUD (Destination State Audit).
  • Application Server Process traffic maintenance messages (ASPTM): Manage the state of the ASP: ASP Up/Down, ASP Active/Inactive, Heartbeat.

Establishing a SIGTRAN connection

  1. The ASP (Application Server) initiates an SCTP association to the SGP (Signalling Gateway Process).
  2. Once the SCTP association is established, the ASP sends an ASP Up M3UA message. The SGP acknowledges with ASP Up Ack.
  3. The ASP activates traffic flow by sending an ASP Active message, indicating which Application Server (logical routing entity associated with a set of point codes) it is requesting traffic for. The SGP responds with ASP Active Ack.
  4. The ASP can now receive and send M3UA Transfer messages carrying SS7 payload data.
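
The four steps above, seen from the SGP side, as an added example that is not part of the original page: a simplified tracker that follows one ASP through ASP-DOWN, ASP-INACTIVE and ASP-ACTIVE and drops Transfer messages that arrive before the handshake has completed. The (class, type) values are from RFC 4666; the names `AspTracker`, `hdr` and `replay` and the message sequences are constructed for illustration.

```python
import struct

# (message class, message type) pairs from RFC 4666, section 3.1.2
DATA = (1, 1)
ASP_UP, ASP_DOWN, BEAT = (3, 1), (3, 2), (3, 3)
ASP_ACTIVE, ASP_INACTIVE = (4, 1), (4, 2)
# request kind -> (new ASP state, reply the SGP sends)
ACKS = {ASP_UP: ("ASP-INACTIVE", "ASP Up Ack"),
        ASP_DOWN: ("ASP-DOWN", "ASP Down Ack"),
        ASP_ACTIVE: ("ASP-ACTIVE", "ASP Active Ack"),
        ASP_INACTIVE: ("ASP-INACTIVE", "ASP Inactive Ack")}

def hdr(kind, body=b""):
    """Build a constructed M3UA message: 8-byte common header plus body."""
    return struct.pack(">BBBBI", 1, 0, kind[0], kind[1], 8 + len(body)) + body

class AspTracker:
    """SGP-side view of one ASP on one SCTP association (simplified model)."""
    def __init__(self):
        self.state, self.alerts = "ASP-DOWN", []

    def _drop(self, why):
        """Record why a message was dropped; returns None to the caller."""
        self.alerts.append(why)

    def on_message(self, msg):
        """Return the action for one received message, or None if dropped."""
        if len(msg) < 8:
            return self._drop("short header")
        version, _, mclass, mtype, length = struct.unpack_from(">BBBBI", msg)
        if version != 1 or length != len(msg):
            return self._drop("bad version or length")
        kind = (mclass, mtype)
        if self.state == "ASP-DOWN" and kind not in (ASP_UP, ASP_DOWN):
            return self._drop(f"{kind} before ASP Up")
        if kind in ACKS:                          # steps 2 and 3
            if kind == ASP_UP and self.state == "ASP-ACTIVE":
                self.alerts.append("ASP Up while active")
            self.state, reply = ACKS[kind]
            return reply
        if kind == BEAT:
            return "Heartbeat Ack"
        if kind == DATA and self.state == "ASP-ACTIVE":   # step 4
            return "deliver"
        return self._drop(f"{kind} not allowed in {self.state}")

def replay(kinds):
    """Run a constructed message sequence through a fresh tracker."""
    t = AspTracker()
    return [t.on_message(hdr(k)) for k in kinds], t.alerts
```

Entries in `alerts` mark Transfer traffic sent outside the ASP-ACTIVE state, which a correctly behaving peer does not produce.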

Point code routing in M3UA

SS7 routing uses Signalling Point Codes (SPCs), 14-bit (ITU-T) or 24-bit (ANSI) values that identify nodes in the SS7 network. In M3UA, the Originating Point Code (OPC) and Destination Point Code (DPC) carried in the Routing Context of each Transfer message preserve SS7 routing semantics over IP. An M3UA Transfer message heading for DPC 1-234-5 is equivalent to an SS7 message routed to that point code on a TDM link.


Architecture role

SIGTRAN sits at the convergence boundary between legacy TDM telecom infrastructure and IP-based networks. In a typical operator deployment:

  • The Signalling Transfer Point (STP) is the central SS7 routing node. Modern STPs are typically IP-based and run SIGTRAN internally, even if they maintain TDM interfaces for legacy node interconnect. The STP presents an M3UA interface to IP-native nodes and a TDM SS7 interface to legacy nodes.
  • HLR, MSC, and SGSN nodes that have been IP-upgraded use M3UA to reach the STP rather than physical SS7 links.
  • Roaming interconnect: The GRX/IPX network carries SS7 roaming signalling. Modern interconnects use SIGTRAN (M3UA or SUA) rather than TDM links between operator networks. This is a critical security boundary.

In a 3G/4G hybrid network: The MSC server (Media Gateway Controller) and SGSN communicate with the HLR and STP via M3UA over SCTP. The STP may connect to international roaming partners via SIGTRAN over the GRX. Any node reachable via SCTP on the STP's listening address has effective SS7 access.

In 4G EPC, SIGTRAN's role is reduced but not eliminated. The MME uses Diameter (not SS7) for subscriber management. However, operators maintaining 2G/3G coverage alongside 4G retain SIGTRAN infrastructure throughout. The SGs interface (a 3GPP interface) between the MME and the MSC is used for SMS delivery via the CS domain, and the underlying transport on the MSC side may be SIGTRAN.


Key interfaces

| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| M3UA link | ASP ↔ SGP | M3UA/SCTP | Transfer of MTP3 user data (MAP, ISUP) over IP |
| SUA link | ASP ↔ SGP | SUA/SCTP | Transfer of SCCP user data directly over IP |
| M2PA link | SG ↔ SG | M2PA/SCTP | Peer-to-peer MTP2 link emulation over IP |
| Gp (SIGTRAN) | SGSN ↔ GGSN | GTPv1 (over IP) | GPRS roaming; the Gp transport is often SIGTRAN-routed |

Security posture

SIGTRAN's security posture is a direct consequence of its design intent: it makes SS7 accessible over IP networks. Every security vulnerability in SS7 (MAP-based location tracking, SMS interception, Cancel Location denial of service, ATI-based IMSI harvesting) becomes executable by any attacker who can reach a SIGTRAN endpoint with an SCTP packet.

The historical security boundary for SS7 was physical: obtaining an SS7 point code and TDM link connection required regulatory approval or cooperation from a licensed operator. SIGTRAN, deployed without adequate access controls, changes this to an IP access control problem. An operator who exposes a SIGTRAN endpoint to the internet, or who deploys SIGTRAN in a shared network environment without strict segmentation, has effectively published their SS7 network to any attacker.

GSMA FS.11 addresses SIGTRAN security in Section 4 and Annex B, recognising that the SS7 threat categories (Category 1 through 5) apply equally to traffic arriving via SIGTRAN. The signalling firewall, which inspects MAP and ISUP messages regardless of transport, is the primary defence.


Attack surface

MAP message injection via IP-accessible SIGTRAN endpoint

An attacker who can establish an SCTP association to a SIGTRAN endpoint that lacks authentication and IP access control can send arbitrary M3UA Transfer messages containing MAP PDUs. The SS7 application layer (HLR, MSC, SGSN) receives these messages as if they arrived from a legitimate SS7 peer, because at the SS7 level, they did. The attacker has the same MAP capabilities as any signalling network node.

Impact: Equivalent to full SS7 access: location tracking, SMS interception, call interception, subscriber denial of service, IMSI harvesting, that is, the complete FS.11 attack taxonomy.
Difficulty: Low given IP access to the SIGTRAN endpoint. Requires only the SCTP association establishment and knowledge of the target subscriber's MSISDN.

SIGTRAN gateway compromise enabling wholesale network access

The Signalling Gateway is the single point that bridges between the TDM SS7 network and the IP domain. If the SGP is compromised, the attacker has access to the entire SS7 network it serves: not just one node, but all point codes reachable through the gateway. This is analogous to compromising the STP: it provides a vantage point from which any SS7 message in any direction can be observed and injected.

Impact: Complete visibility of and injection capability into all SS7 signalling for all subscribers on the connected networks.
Difficulty: High. Requires exploitation of the SIGTRAN gateway device itself, not merely IP access.

SCTP association hijacking via Verification Tag prediction

SCTP uses a 32-bit Verification Tag to bind chunks to a specific association. If an attacker can predict or derive the Verification Tag for an active association (possible if tag generation is not sufficiently random), they can inject SCTP chunks that the receiving node will accept as belonging to the legitimate association. This enables M3UA message injection without establishing a new association.

Impact: Injection into an established M3UA/SS7 session without triggering new-association logging.
Difficulty: Medium. Depends on the randomness of the Verification Tag implementation.

IP-based topology enumeration

Unlike TDM SS7, where topology enumeration required physical access and analysis of received MSUs, SIGTRAN endpoints can be discovered via standard IP scanning. An attacker can probe operator IP ranges for SCTP-listening endpoints, identify SIGTRAN nodes by their response to INIT chunks, and map the signalling topology before any application-layer interaction.

Impact: Exposes the SS7 node topology; enables targeted attacks against specific HLR, STP, or MSC addresses.
Difficulty: Low. Standard network scanning techniques apply.


Mitigations

  • IP whitelisting for SCTP: SIGTRAN endpoints must accept SCTP associations only from the specific IP addresses of known, authorised peers. This is the equivalent of the physical SS7 link being the access control in TDM: IP address control replaces physical cable control. Any SCTP connection from an unlisted address must be rejected at the network boundary, before it reaches the SIGTRAN stack.

  • Signalling firewall inspection: An SS7 signalling firewall deployed at the SIGTRAN boundary applies GSMA FS.11 category filtering to MAP messages regardless of whether they arrive via TDM or SIGTRAN. IP transport does not bypass application-layer controls. The firewall position should be between the Signalling Gateway and the internal HLR/MSC/SGSN infrastructure.

  • Network segmentation: SIGTRAN traffic should be carried on dedicated network segments (separate VLANs, VRFs, or physical networks) rather than on infrastructure shared with enterprise or internet-facing services. The risk is not only external access; an attacker who compromises any system on the same network as a SIGTRAN endpoint has a potential path to the SS7 network.

  • Point code validation: M3UA messages carry originating and destination point codes. The Signalling Gateway and application nodes should validate that originating point codes correspond to known, authorised network nodes. A message arriving with an OPC that does not match the source SCTP association is either misconfigured or spoofed.

  • Encryption on external SIGTRAN links: For SIGTRAN connections that cross administrative boundaries (to roaming partners or to wholesale signalling carriers), apply DTLS (RFC 6083) or IPsec. Encrypting the SCTP transport does not address the application-layer authentication problem, but it prevents passive interception of signalling traffic and makes active injection harder.
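
One way to implement the point code validation mitigation above, using the OPC/DPC fields discussed under point code routing (added example, not the page's or any vendor's code): parse an M3UA DATA message and accept it only if its OPC is provisioned for the SCTP peer that sent it. In RFC 4666 the OPC and DPC are fields of the Protocol Data parameter (tag 0x0210); the peer address, the point codes, and the names `check_opc`, `build_data` and `ALLOWED` are constructed for illustration.

```python
import struct

ROUTING_CONTEXT, PROTOCOL_DATA = 0x0006, 0x0210   # RFC 4666 parameter tags

def itu_pc(pc):
    """Format a 14-bit ITU-T point code as zone-area-id (3-8-3 bits)."""
    return f"{pc >> 11 & 0x7}-{pc >> 3 & 0xFF}-{pc & 0x7}"

def parse_data(msg):
    """Parse an M3UA DATA message into {'rc', 'opc', 'dpc', 'si'}."""
    if len(msg) < 8:
        raise ValueError("short header")
    version, _, mclass, mtype, length = struct.unpack_from(">BBBBI", msg)
    if version != 1 or (mclass, mtype) != (1, 1) or length != len(msg):
        raise ValueError("not a well-formed DATA message")
    out, off = {"rc": None}, 8
    while off + 4 <= length:
        tag, plen = struct.unpack_from(">HH", msg, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad parameter length")
        value = msg[off + 4:off + plen]
        if tag == ROUTING_CONTEXT and len(value) >= 4:
            out["rc"] = struct.unpack_from(">I", value)[0]
        elif tag == PROTOCOL_DATA:
            if len(value) < 12:
                raise ValueError("truncated Protocol Data")
            out["opc"], out["dpc"], out["si"] = struct.unpack_from(">IIB", value)
        off += (plen + 3) & ~3            # parameters are padded to 4 bytes
    if "opc" not in out:
        raise ValueError("no Protocol Data parameter")
    return out

def check_opc(peer_ip, msg, allowed):
    """Return (ok, reason); the OPC must be provisioned for this SCTP peer."""
    try:
        d = parse_data(msg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if d["opc"] not in allowed.get(peer_ip, ()):
        return False, f"OPC {itu_pc(d['opc'])} not provisioned for {peer_ip}"
    return True, f"OPC {itu_pc(d['opc'])} -> DPC {itu_pc(d['dpc'])}"

def build_data(opc, dpc, payload=b"\x00" * 4, rc=1):
    """Constructed sample: DATA with Routing Context and Protocol Data (SI=3)."""
    pd = struct.pack(">IIBBBB", opc, dpc, 3, 0, 0, 0) + payload
    body = struct.pack(">HHI", ROUTING_CONTEXT, 8, rc)
    body += struct.pack(">HH", PROTOCOL_DATA, 4 + len(pd)) + pd + b"\x00" * (-len(pd) % 4)
    return struct.pack(">BBBBI", 1, 0, 1, 1, 8 + len(body)) + body

ALLOWED = {"192.0.2.10": {4897}}   # constructed: SCTP peer -> permitted OPCs (2-100-1)
```

The check fails closed: an unknown peer address, an unlisted OPC, and a message that does not parse are all rejected with a reason that can be logged.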


Spec references

  • RFC 4666: The M3UA specification. Section 3 defines the architecture and functional entities (SGP, ASP). Section 4 defines the message format and all M3UA message types. The primary reference for M3UA implementation and security analysis.

  • RFC 3868: The SUA specification. Analogous to M3UA but at the SCCP user level, enabling SCCP-based applications (including TCAP) to run directly over SCTP without MTP3. Section 3 defines the architecture; Section 4 defines the message set.

  • RFC 4960: The SCTP specification. Understanding the SCTP association setup and Verification Tag mechanism is essential for understanding SIGTRAN security: SCTP is the access control layer.

  • GSMA FS.11: SS7 and SIGTRAN network security. Section 4 extends the SS7 threat framework to the SIGTRAN context. Annex B provides SIGTRAN-specific security recommendations. The operational reference for operators deploying signalling firewalls.


SIGTRAN is built on top of SCTP and cannot operate without it. SCTP provides the multi-homed, reliable transport that enables SIGTRAN to replicate the path-diverse properties of TDM SS7 links in IP networks.

The application protocols that SIGTRAN carries are MAP (via M3UA's MTP3 user payload), ISUP (also via M3UA), and SS7 (the broader protocol stack). The network nodes that implement SIGTRAN include the MSC, HLR, SGSN, and especially the STP, which is the central SS7 routing point and the natural place to terminate SIGTRAN links.

For the full attack taxonomy that SIGTRAN exposure enables, see SS7 attacks. The roaming architecture provides context for why SIGTRAN is exposed at operator interconnect boundaries, which is the primary external attack surface.