What is tap in and tap out in telecom?

Transferred Account Procedures (TAP) is a collection of procedures used in GSM to send billing records of roaming subscribers from the visited mobile network (VPMN) to their respective home network operator (HPMN).

Roaming is the ability of a wireless network operator to provide services to mobile customers from another wireless network. For example, when a mobile customer makes a call from outside his home network, roaming allows him to access the same wireless services that he has with his home network provider through a visited wireless network operator.

A roaming agreement between the home network operator and the visited network operator defines the terms that enable each other's customers access to the wireless networks. The visited network operator records the activities performed by the roaming subscriber and then sends the call event details to the home network operator in the format agreed upon in the roaming agreement, usually Transferred Account Procedure (TAP) format. TAP is the process that allows a visited network operator to send call event detail records of roaming subscribers to their respective home network operators to be able to bill for the subscriber's roaming usage.

When the visited network operator sends a TAP file to the home network operator, after the initial TAP file is received, the home network operator expects more TAP files from the visited network operator.

If the visited network operator does not provide the TAP files for seven calendar days, the home network operator sends the Stop Return Returned Account Procedure (RAP) files to alert and notify the visited network operator that the TAP files have not been received for the last seven days.

The Stop Return RAP file is generated every seven days, until a TAP file is received from the visited network operator.

The home network operator validates the data in the TAP files to ensure that it conforms to the TAP standard and to the terms of the roaming agreement. If the received TAP file contains any errors, the home network operator can reject the entire file or only the incorrect call event detail records. The incorrect file or records are returned to the visited network operator in a Returned Account Procedure (RAP) file.

RAP process is used to return rejected TAP files and records to the visited network operator for corrections. A RAP file contains the rejected TAP file or records and additional data about the error, such as the error code or the error cause. The visited network operator corrects the errors and sends the corrected TAP file back to the home network operator.

The visited network operator bills the home network operator for the roaming subscriber's usage using a rate agreed upon in the roaming agreement. The home network operator settles the charges with the visited network operator as part of the settlement process.

The home network operator then aggregates the roaming charges and bills its own subscribers for their usage in the visited network.

TAP Roaming Manager supports TAP3 format. With TAP Roaming Manager, you can do the following:

TAP-In: Rated calls received from another operators for our subscriber roaming in their network. TAP-Out: Rated calls send to another operator

A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network.

The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic (send and receive data streams) through unimpeded in real time, but also copies that same data to its monitor port, enabling a third party to listen.

Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network (having no physical or logical address), can deal with full-duplex and non-shared networks, and will usually pass through or bypass traffic even if the tap stops working or loses power.

The term network tap is analogous to phone tap or vampire tap. Some vendors define TAP as an acronym for test access point or terminal access point; however, those are backronyms.

The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports. There may also be an aggregation port for full-duplex traffic, wherein the A traffic is aggregated with the B traffic, resulting in one stream of data for monitoring the full-duplex communication. The packets must be aligned into a single stream using a time-of-arrival algorithm.

Vendors will tend to use terms in their marketing such as breakout, passive, aggregating, regeneration, bypass, active, inline power, and others; Unfortunately, vendors do not use such terms consistently. Before buying any product it is important to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality. All of the "vendor terms" are common within the industry, have real definitions and are valuable points of consideration when buying a tap device.

A distributed tap is a set of network taps that report to a centralized monitoring system or packet analyzer.

There are various methods for monitoring a network. Many tapping methods can be used, according to the network technology, the monitoring objective, the resources available and the size of the target network. Various methods will be developed below.

This type of tapping focuses on tapping by making use of software, and without making any significant change on an infrastructures hardware. This type of tapping is often the cheapest one to implement, but it needs several implementations to give a truly complete look of the network.

The simplest type of monitoring is logging into an interesting device and running programs or commands that show performance statistics and other data. This is the cheapest way to monitor a network, and is highly appropriate for small networks. However, it does not scale well to large networks. It can also impact the network being monitored; see observer effect.

Another way to monitor devices is to use a remote management protocol such as SNMP to ask devices about their performance. This scales well, but is not necessarily appropriate for all types of monitoring. The inherent problems with SNMP are the polling effect. Many vendors have alleviated this by using intelligent polling schedulers, but this may still affect the performance of the device being monitored. It also opens up a host of potential security problems.

Another method to monitor networks is to use port mirroring (called "SPAN", for Switched Port Analyzer, by vendors such as Cisco, and given other names, such MLXe telemetry by Brocade Communications and other vendors)(also known as MIRROR port) or a monitoring protocol such as TZSP on routers and switches. This is a low-cost alternative to network taps and solves many of the same problems. However, not all routers and switches support port mirroring, and, on those that do, using port mirroring can affect the performance of the router or switch. These technologies may also be subject to the problem with full-duplex described elsewhere in this article, and there are often limits for the router or switch on how many pass-through sessions can be monitored, or how many monitor ports (generally two) can monitor a given session. Often, when the SPAN port is overloaded, packets will be dropped before reaching the monitoring device. There is also the possibility of losing some of the error packets that may be causing problems. If this data is not sent to the monitoring device because it is dropped, it is impossible to troubleshoot, no matter how advanced a device that may be used.

This tapping method consists in enabling promiscuous mode on the device that is used for the monitoring and attaching it to a network hub. This works well with older LAN technologies such as 10BASE2, FDDI, and Token Ring. On such networks, any host can automatically see what all other hosts were doing by enabling promiscuous mode. However, modern switched network technologies create point-to-point links between pairs of devices, making it impossible to tap network traffic with this method.

This type of tapping focuses on tapping with remarkable use of hardware

This method consists in the installation of a device in between a network cable and the device the Admin/Attacker wishes to "tap". When a monitoring device is installed in-line, the network will stop every time the device fails, or shutsdown. The "victim" device might stop receiving traffic when the tapping-device is updating/rebooting if said mechanisms weren't integrated in a smart way (aka. that would prevent this scenario from happening).

Some taps, particularly fiber taps, use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the tap should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the tap divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive tap. Other taps use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.

V-Line Tapping is the most important Tapping system methods. V-Line Tapping (also known as Bypass Tapping) allows placing the served system virtually in-line. Putting this device in-line will compromise the integrity of a critical network. By placing a Tapping system instead of the monitoring device and connecting the monitoring device to the Tapping system, it can guarantee that the traffic will continue to flow and the device will not create a failure point in the network. This method always passes every packet, even error packets that a SPAN port may drop, to the monitoring device. This method involves using spying-software on the target machine. For a system-admin, this type of solution is the easiest to implement and the most cost-effective one; However, for an attacker, this type of tapping is very risky, as this is easily detectable by system scans. The tapping system will be removed after a reboot if the spying software was installed in a non-persistent way on a system that is executing a Live-OS.

Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network taps for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies, such as passive fiber network TAPs do not deal well with the full-duplex traffic.

Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored. This scenario is for active, inline security tools, such as next-generation fire walls, intrusion prevention systems and web application firewalls.

Once a tap is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.

Some taps have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the tap point. These are often called regeneration taps.

Some taps operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network taps that act as simple optical splitters, sometimes called passive taps (although that term is not used consistently) can have this property.

Some network taps offer both duplication of network traffic for monitoring devices and SNMP services. Most major network tap manufacturers offer taps with remote management through Telnet, HTTP, or SNMP interfaces. Such network tap hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternatively, SNMP alarms generated by managed taps can alert network managers to link conditions that merit examination by analyzers to intrusion detection systems.

Some taps get some of their power (i.e., for the pass-through) or all of their power (i.e., for both pass-through and monitor) from the network itself. These can be referred to as having inline power.

Some taps can also reproduce low-level network errors, such as short frames, bad CRC or corrupted data.

Here are some advantages of a network tap over port mirroring or SPAN:

Because network taps require additional hardware, they are not as cheap as technologies that use capabilities that are built into the network. However, network taps are easier to manage and normally provide more data than some network devices.

Network taps can require channel bonding on monitoring devices to get around the problem with full-duplex discussed above. Vendors usually refer to this as aggregation as well.

Putting a network tap into place will disrupt the network being monitored for a short time. Even so, a short disruption is preferable to taking a network down multiple times to deploy a monitoring tool. Establishing good guidelines for the placement of network taps is recommended.

Monitoring large networks using network taps can require a lot of monitoring devices. High-end networking devices often allow ports to be enabled as mirror ports, which is a software network tap. While any free port can be configured as a mirror port, software taps require configuration and place load on the network devices.

Even fully passive network taps introduce new points of failure into the network. There are several ways that taps can cause problems, and this should be considered when creating a tap architecture. Consider non-powered taps for optical-only environments or throwing star network tap for copper 100BASE-TX. This allows you to modify the intelligent aggregation taps that may be in use and avoids any complications when upgrading from 100 megabit to gigabit to 10 gigabit. Redundant power supplies are highly recommended.

Fully passive is only possible on optical connections of any bandwidth and on copper connections from type G703 (2Mbit) and Ethernet Base-T 10/100 Mbit. On Gigabit and 10 Gbit Base-T connections, passive tapping is currently not possible.

Countermeasures for network taps include encryption and alarm systems. Encryption can make the stolen data unintelligible to the thief. However, encryption can be an expensive solution, and there are also concerns about network bandwidth when it is used.

Another counter-measure is to deploy a fiber-optic sensor into the existing raceway, conduit or armored cable. In this scenario, anyone attempting to physically access the data (copper or fiber infrastructure) is detected by the alarm system. A small number of alarm systems manufacturers provide a simple way to monitor the optical fiber for physical intrusion disturbances. There is also a proven solution that utilizes existing dark (unused) fiber in a multi-strand cable for the purpose of creating an alarm system.

In the alarmed cable scenario, the sensing mechanism uses optical interferometry in which modally dispersive coherent light traveling through the multi-mode fiber mixes at the fiber's terminus, resulting in a characteristic pattern of light and dark splotches called speckle. The laser speckle is stable as long as the fiber remains immobile, but flickers when the fiber is vibrated. A fiber-optic sensor works by measuring the time dependence of this speckle pattern and applying digital signal processing to the Fast Fourier Transform (FFT) of the temporal data.

The U.S. government has been concerned about the tapping threat for many years, and it also has a concern about other forms of intentional or accidental physical intrusion. In the context of classified information Department of Defense (DOD) networks, Protected Distribution Systems (PDS) is a set of military instructions and guidelines for network physical protection. PDS is defined for a system of carriers (raceways, conduits, ducts, etc.) that are used to distribute Military and National Security Information (NSI) between two or more controlled areas or from a controlled area through an area of lesser classification (i.e., outside the SCIF or other similar area). National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 7003, Protective Distribution Systems (PDS), provides guidance for the protection of SIPRNET wire line and optical fiber PDS to transmit unencrypted classified National Security Information (NSI).

The 1000BASE-T signal uses PAM 5 modulation, meaning that each cable pair transports 5 bits simultaneously in both directions. The PHY chips at each end of the cable have a very complex task at hand, because they must separate the two signals from each other. This is only possible because they know their own signal, so they can deduct their own send signals from the mixed signals on the line and then interpret the information sent by their link partners.

To tap a copper link as shown in the picture above it is not possible to just tap the middle of the wire because all you will see is a complex modulation of two signals. The only way to terminate the signal (as shown in the picture) is to use a PHY chip to separate the signal and then send the signal on to the link partner. This solution works but causes some other problems.

Transferred Account Procedure is the mechanism by which wireless operators exchange roaming billing information. The GSM Association in 1995 released the very first TAP specification, i.e., TAP version 1. From then onward, the specifications have continuously evolved to support new services and associated operational aspects. For example, in the earlier versions, the usage was recorded in terms of call detailed records (CDRs). This was changed to call event detail (CED) to reflect the nature of services in current and future generations of networks. TAP2 and TAP2+ were introduced later; they allowed the operators to bill for new services and provide the additional information required by satellite and U.S. operators. TAP3 is the latest version released by the GSM Association. It includes all the features supported by earlier versions of TAP. In addition, it supports billing for new-generation services, including mobile multimedia and prepaid roaming. It also supports interoper-ator tariff (IOT) charging principles and key information for marketing and customer service functions.

The latest version, TAP3, is designed to cater to the needs of the next-generation services. It uses an industry-standard coding scheme, i.e., ASN.1. This enables use of commercially available tools rather than proprietary toolkits. Many of the earlier version constraints, e.g., file size limitation, have been also removed.

TAP3 can handle all the features and services supported by earlier versions of TAP. In addition, the new supported services are:

■ High-speed circuit-switched (HSCSD) and packet-switched (GPRS) data services

■ Prepaid roaming using CAMEL

■ USSD charging

■ Mobile directory number to support mobile number portability for interstandard roaming

■ Support of private numbering plans (SPNP)

■ Enhanced full rate (EFR) for enhanced voice quality

■ Fraud information gathering system (FIGS), including fraud monitoring indicator and third-party number

■ Support for UMTS QoS

The additional interoperator tariff features that TAP3 is able to handle are:

■ HPLMN repricing—enables HPLMN to reprice each call according to its own tariff plan

■ Call-level discounts

TAP3 also allows for the specific requirements of satellite networks and of large countries where no single operator covers the entire geographic area. This includes support for the following additional parameters.

■ Additional charging parameters, e.g., separation of airtime and toll charges

■ Additional time zones

Unlike earlier versions, TAP3 also contains valuable information about roamer and also services used by a roamer. Wireless service providers can use this information for marketing (e.g., targeted campaigns) and customer care. This information could also be used to build roamer profiles and ad hoc studies as and when required. This enables various stakeholders within a roaming organization to make informed business decisions.

In the GSM world, the usage records are generated in mobile switching centers (MSCs), short message service centers (SMSCs), and voice mail service centers (VMSCs). Several different types of records are generated, depending on the usage. For example, call detailed records (CDRs) for mobile-originated (MO) and mobile-terminating (MT) calls, transaction detailed records for MO-SMS, MT-SMS, and other nonvoice usage. In GPRS and 3G, usage records are generated at the SGSNs, GGSNs, MMSCs, and a host of other gateway elements. The usage records are generated for packet-switched data calls, MMS, and access of contents.

The TAP-out process enables an HPMN (the PLMN where TAP-out processing is performed) to send rated records for the calls made by inbound roamers (visitors from foreign networks) to their respective home networks (VPMNs).

As shown in Figure 11-2, the serving MSC in the visited network creates detailed records every time a roamer successfully accesses a service. These records are then transferred to the billing system for rating and pricing. The billing system segregates and group calls/records created for the roamers and converts those in the ASN.1 TAP file format. The MCC and MNC codes in IMSIs are used to validate and group the calls. The TAP files contain rated call information. The rating is done in accordance with the bilateral agreement between operators. These TAP files are then sent to roaming partners on a regular basis. This transfer takes place either directly or via a clearinghouse. The frequency of transfer is subject to the bilateral roaming agreement and generally decided up-front. In general, the TAP file exchange should take place as frequently as possible to enable monitoring of high usage and possible fraud.

Electronic data interchange (EDI) is the standard mechanism of TAP file transfer to ensure that charging records are made available to the HPLMN without delay. In case of EDI failure, magnetic tapes or some other suitable mechanism can be used as a fallback and are subject to a bilateral agreement. Magnetic tape technology is fast becoming obsolete.

The TAP-in process at the receiving network accepts the files generated by its partner networks. The TAP-in process involves parsing, validation, conversion of usage data into internal format, and prerating in accordance with the roaming tariff plan. The reject and return process is used in the cases where the validation of TAP files results in errors.

A new procedure called reject and return was introduced recently as part of the TAP3 specification in order to handle errors in TAP files efficiently. Before the implementation of this process, an error concerning one single call in a TAP file resulted in rejection of the entire file. This was the cause of unnecessary delays in the billing and settlement process.

Figure 11-2 Transferred account procedure.

The reject and return process allows processing of validated CEDs to proceed and return of errored CEDs back to the concerned VPMN. An automated mechanism can be built to handle the fatal errors and missing files or data. Having fewer call event details at the end of the month in the reclaims process allows an early interoperator settlement.

Having the capability to reject individual call event details also benefits the retail billing process and early realization of dues from subscribers. Figure 11-3 describes a simplified view of TAP file transfer using the rejects and returns process.

At the HPLMN, this process enables the return of call event detail records containing severe errors to a concerned VPLMN, while correct CEDs can be processed as usual. The typical subprocesses at the HPLMN are:

■ TAP file validation

■ Missing file detection

■ Fatal error detection

■ Severe error detection

■ Creation of a RAP file

■ Transmission of RAP files to the concerned VPLMN

The VPLMN, if possible, corrects the files and/or call event details and resubmits them to the HPLMN. This process allows for the VPLMN to recoup roaming revenues from the HPLMN for resubmitted call event details/files. The typical subprocesses at the HPLMN are:

■ RAP file decoding

■ Submit missing file/files

■ Correct fatal errors

■ Correct severe errors

■ Create TAP files and resubmit to the HPLMN

Figure 11-3 Reject and return process simplified.

GSM TAP Standard TD.57 − GSM Transferred Account Procedure (TAP) defines the format and validation rules for transferring roaming usage information

Roaming is the ability for a customer of mobile communications to automatically make and receive telephone calls, send and receive data, or access other services while travelling outside the geographical coverage area of the home network, by means of using a network of another operator.

Roaming can be either national roaming or international roaming. National roaming means that mobile subscribers make use of another network in geographical areas, where their own operator does not have coverage. This is, for example, used by operators, who do not have complete coverage in a country. International roaming is used when mobile subscribers travel abroad and make use of the network of an operator in the foreign country.

How does it actually take place? If a service provider does not have a network coverage in a particular city or country, then this service provider makes a roaming agreement with another service provider having network in that city or country. As per this agreement, another service provider provides all the available services to the roaming customer of first service provider.

CDRs generated in one roaming partner's area are collected and rated by that roaming partner and finally they are sent to the actual service provider of the roaming customer. Actual service provider charges the end customer for all the roaming services provided based on their predefined service charges.

Two roaming partners settle their financials on monthly basis by exchanging actual roaming CDRs and reports based on those CDRs.

The Home Public Mobile Network is the network from the operator by which a mobile subscriber has a subscription. The term is used as opposed to Visited Public Mobile Network (VPMN).

The Visited Public Mobile Network is the network used by a mobile subscriber while roaming. The term is used as opposed to Home Public Mobile Network (HPMN).

There are well known bodies like MACH who interface between different roaming partners to help them to exchange their CDRs, setting up roaming agreements and resolving any dispute.

Clearing houses receive billing records from one roaming partner for the inbound roamers and submit billing records to another roaming partner for which this roamer would be called outbound roamer.

Transferred Account Procedure version 3 (TAP3) is the process that allows a visited network operator (VPMN) to send billing records of roaming subscribers to their respective home network operator (HPMN). TAP3 is the latest version of the standard and will enable billing for a host of new services that networks intend to offer their customers.

Clearing house uses TAP3 protocol to exchange all the CDRs between different roaming partners. TAP3 defines how and what information on roamed usage must be passed between Network Operators. These files are exchanged using simple FTP connection.

There are different versions of TAP. TAP evolved from TAP1 through TAP2 and TAP2+ to TAP3. The latest release, TAP3, includes support for inter-standard roaming in a satellite network, WLAN and UMTS and other 3G technologies.

Generation, monitoring and analysis of voice and data traffic generated by your roaming partners when roaming on your network (inbound roaming). Revenue leakages and billing errors identification: by comparing (a) the sample traffic generated by the robots to (b) the call data records in your TAP files (TAP OUT).

TAP is the process that allows a visited network operator to send call event detail records of roaming subscribers to their respective home network operators to be

The TAP-out process enables an HPMN (the PLMN where TAP-out processing is performed) to send rated records for the calls made by inbound roamers (visitors

The TAP file is collected by the CapSettle – Roaming TAP Converter, which has been integrated as a black box to the system, then converts the