Introduction
This post summarises FS.52 “GT Leasing Code of Conduct” (CoC), focussing on the requirements placed on the companies that declare compliance with the CoC. For full details, see FS.52, which takes precedence.
First, some terminology and relationships:
- A GT lessor is a company that leases GTs to another company, called a GT lessee.
- A transit carrier carries traffic between different networks. GT leasing requires transit carriers to help with routing of signalling traffic.
- In the context of GT leasing, a target operator is the recipient of signalling traffic from a GT lessee using GTs leased from the GT lessor.
GT leasing enables GT lessees to gain access to the global SS7 network and to exchange signalling messages using GTs associated with the GT lessor. This reduces routing transparency, disguising the activities of GT lessees, and making it difficult for target operators to know who sent the signalling traffic that is entering their networks. The lack of transparency and absence of controls and oversight associated with GT leasing is of concern to mobile network operators because of the associated risks it introduces, which can include customer traffic interception, location tracking and fraud.
The CoC requirements oblige GT lessors and transit carriers who declare compliance to provide transparency in relation to the traffic that uses leased GTs, reducing opportunities for bad actors to commit abuse.
What’s in FS.52?
The document introduces GT leasing, describing the parties involved, GT leasing use cases, and how signalling traffic using leased GTs is routed. It outlines the benefits of GT leasing from the perspective of those involved in the practice, but also describes the significant issues and concerns associated with GT leasing.
The core of the document are the sections specifying the requirements on GT lessors and transit carriers as summarised below. Note that there are no CoC requirements aimed at GT lessees. CoC compliance by GT lessors and transit carriers is expected to be sufficient to significantly reduce the risks associated with GT leasing.
Requirements for GT Lessors
A GT lessor | Rationale |
Must acknowledge that it is legally liable to the target operator for signalling traffic that uses its GTs, even if the traffic was generated and sent by a GT lessee. | A GT lessor cannot divest itself of the responsibilities associated with use of its GTs by a GT lessee and must be accountable to the target operator. |
Shall perform due diligence on a GT lessee, review its proposed use of the leased GTs and repeat this periodically. It shall implement real-time technical controls to ensure that traffic using leased GTs is appropriate and terminate arrangements with GT lessees where this is not the case. | These actions ensure that the use of leased GTs is appropriate, doesn’t violate agreements, and is no risk to target operators or their customers. |
Shall require the GT lessee use a transit carrier that has signed up to the CoC. | This will maximise signalling transparency by all parties carrying traffic using leased GTs. |
Shall provide clear information on its leased GTs to other GSMA members (via the RAEX application), including the business name of GT lessees and the type of node using the leased GTs. | So that target operators can handle incoming signalling traffic appropriately, depending on its source and purpose. |
Shall stop using routing via lessee only from 31/12/23. Until then, the GT lessor shall receive a passive feed of traffic routed to/from a GT lessee or a near real-time method to query the traffic. | With the routing via lessee only approach, signalling traffic is not routed via the GT lessor, so it cannot see and check that the GT lessee is using the GTs in the agreed way. Implementing a passive feed enables the GT lessor to see and check that the GT lessee is using the GTs in the agreed way. This approach provides transparency while routing via lessee only is phased out. |
Shall retain relevant data for a reasonable period, share full details about a GT lessee with a target operator where illegitimate signalling traffic was received by the target operator using its leased GTs, and allow involved transit carriers to also share signalling traces. | Allows the target operator to investigate and act in response to receipt of illegitimate traffic using leased GTs. |
Should share information on signalling security incidents with other GSMA members, including details of any GT leasing arrangements terminated due to misuse, and shall not object to being named in information shared by others. | Sharing of information amongst GSMA members on signalling security matters helps all potential target operators with risk management. |
Shall not normally allow sub-leasing of GTs. Where it occurs, bind the GT lessee to providing sub-lessee details. | Sub-leasing of GTs reduces transparency further, increasing risks for target operators and their customers. |
Requirements for Transit Carriers
A Transit Carrier | Rationale |
Shall stop using routing via lessee only from 31/12/23, or for any new arrangements after declaring CoC compliance. Until then, the transit carrier shall provide the GT lessor with a passive feed of traffic routed to/from a GT lessee or a near real-time method to query the traffic. | With the routing via lessee only approach, signalling traffic is not routed via the GT lessor, so it cannot see and check that the GT lessee is using the GTs in the agreed way. Implementing a passive feed enables the GT lessor to see and check that the GT lessee is using the GTs in the agreed way. This approach provides transparency while routing via lessee only is phased out. |
Must implement best practice security on the IPX network as specified in the binding requirements of GSMA document IR.77 | All participants on the IPX network are required to contribute to its security. |
Shall retain relevant data for a reasonable period, and if requested and legally permitted, provide a target operator with source and other details of signalling traffic using GT leasing and routing method used. | Allows the target operator to investigate and act in response to receipt of illegitimate traffic using leased GTs. |
Should, if requested, block delivery of signalling traffic to a target operator from GT lessees where the target operator cannot do this. It may also proactively block traffic deemed fraudulent from reaching a target operator but shall inform the target operator and GT lessor of such action. | Supports target operators in protecting their network and customers against risks introduced by GT leasing. |
Should share information on signalling security incidents with other GSMA members and shall not object to being named in information shared by others. | Sharing of information amongst GSMA members on signalling security matters helps all potential target operators with risk management. |
What Should Operators Not Involved in GT leasing do?
FS.52 does not contain CoC requirements for mobile operators not involved in GT leasing. However, it does make some recommendations for such operators, as follows:
- If not currently leasing GTs, don’t start – consider alternative approaches instead.
- Implement GSMA recommendations in GSMA document FS.11 (such as implementing a signalling firewall) to protect the network.
- Investigate illegitimate signalling and seek to identify its true source, and share information on signalling security incidents with other GSMA members.
- Update agreements with GT lessors and transit carriers to require their compliance with the CoC.
- Don’t accept signalling traffic from external parties unless it is governed by an agreement.