How Mobile Roaming Works: A Technical Guide

When you step off a plane in another country and your phone connects to a local network within seconds, the apparent simplicity hides an extraordinary amount of signaling, authentication, and inter-operator coordination. Mobile roaming is one of the most complex capabilities in telecommunications, involving real-time interactions between databases in different countries, multi-party billing settlements, and protocol stacks that were designed in the 1990s but still carry most of the world's roaming traffic today.

This guide explains how roaming actually works at the network level, from the moment your phone searches for a foreign network to the point where your home operator receives a TAP file and charges your account for the call you made abroad.

The Fundamental Architecture: Home and Visited Networks

Every mobile subscriber has a home network, known as the HPLMN (Home Public Land Mobile Network). This is the operator that issued your SIM card, holds your subscription profile, and bills you each month. When you travel abroad and connect to a foreign operator, that foreign network is called the VPLMN (Visited Public Land Mobile Network).

The relationship between these two networks is governed by a roaming agreement, a bilateral commercial and technical contract that specifies which services will be available to roaming subscribers, what the inter-operator rates will be, and how billing data will be exchanged. Without a roaming agreement, your phone will simply show "No Service" even if radio coverage is available.

At the core of this architecture are two critical databases:

• HLR (Home Location Register): Maintained by your home operator, the HLR stores your subscription profile, including your IMSI (International Mobile Subscriber Identity), the services you are entitled to, call forwarding settings, and critically, the address of the network where you are currently registered. In modern 4G/5G networks, this function is performed by the HSS (Home Subscriber Server) or UDM (Unified Data Management).
• VLR (Visitor Location Register): Maintained by the visited network, the VLR stores a temporary copy of your subscription profile for as long as you are roaming on that network. The VLR is what allows the visited network to authenticate you and provide services without contacting your home network for every single transaction.

The Registration Process: What Happens When You Turn On Your Phone Abroad

When your phone powers on in a foreign country, the following sequence occurs:

1. Network selection: Your phone scans available PLMNs (networks) on the radio frequencies used in that country. It first looks for networks on a preferred list stored in the SIM, which typically prioritizes operators that have roaming agreements with your home operator. If none are found, it presents a list for manual selection.
2. Location update request: Your phone sends a Location Update Request to the MSC (Mobile Switching Center) of the visited network. This message contains your IMSI.
3. VLR to HLR query: The visited network's VLR does not recognize your IMSI (since you are not a local subscriber), so it contacts your home network's HLR via SS7 signaling. The MAP (Mobile Application Part) protocol carries a MAP_UPDATE_LOCATION message that tells the HLR: "Your subscriber is now on our network."
4. HLR authentication: The HLR checks whether a roaming agreement exists with the visited network. If so, it sends a MAP_INSERT_SUBSCRIBER_DATA message back, containing the subscriber's profile (allowed services, supplementary service settings, etc.) and authentication vectors (triplets for 2G, quintets for 3G/4G) that the visited network will use to authenticate the subscriber.
5. Authentication: The visited network challenges the phone using the authentication vectors from the HLR. The SIM card computes a response using its secret key (Ki), and if the response matches what the HLR predicted, the subscriber is authenticated.
6. Registration complete: The VLR stores the subscriber profile, the HLR records the address of the visited network's MSC/VLR, and the phone displays the visited network's name. The entire process typically completes in 2-5 seconds.

IMSI Routing and the Role of Point Codes

A critical question in roaming is: how does the visited network know where to send the MAP message to reach your home HLR? The answer lies in IMSI routing.

The first digits of your IMSI encode the MCC (Mobile Country Code) and MNC (Mobile Network Code), which together uniquely identify your home operator. For example, IMSI 310260... indicates MCC 310 (United States) and MNC 260 (T-Mobile US). The visited network uses a translation table (SCCP Global Title Translation) to map this MCC+MNC combination to the SS7 point code of the home HLR, and the signaling message is routed through the international SS7 network via intermediary Signal Transfer Points (STPs).

In practice, most roaming signaling today passes through GRX (GPRS Roaming Exchange) or IPX (IP Packet Exchange) networks rather than traditional TDM-based SS7. These are private IP networks operated by hub providers such as Syniverse, BICS, or Comfone that interconnect mobile operators globally. The MAP messages are carried over SIGTRAN (SS7 over IP) rather than traditional MTP links, but the protocol semantics remain identical. For a deeper understanding of the underlying SS7 protocol stack, see our article on SS7 signaling.

Voice Calls While Roaming

Making and receiving calls while roaming involves routing decisions at both the visited and home networks.

Making a Call (Mobile Originated)

When you make a call while roaming, the call is handled by the visited network's MSC. The visited MSC looks up your subscriber profile in the VLR to confirm you are authorized to make calls, then routes the call based on the dialed number. For international calls, the routing is typically straightforward: the visited MSC routes the call to the destination via its own international gateway.

Receiving a Call (Mobile Terminated)

Receiving a call while roaming is more complex, because the calling party dials your home number. The call flow is:

1. The call arrives at your home network's GMSC (Gateway MSC)
2. The GMSC queries the HLR: "Where is this subscriber?"
3. The HLR returns the address of the visited MSC/VLR where you are registered
4. The GMSC requests a roaming number (MSRN) from the visited MSC
5. The visited MSC assigns a temporary MSRN and returns it
6. The GMSC routes the call to the visited MSC using the MSRN
7. The visited MSC pages the subscriber and delivers the call

This "tromboning" means that a call to a roaming subscriber always transits through the home network, even if the caller is in the same country as the roaming subscriber. This adds latency and cost, which is why some operators implement CAMEL-based optimizations.

The CAMEL Protocol: Real-Time Charging Control

CAMEL (Customized Applications for Mobile Enhanced Logic) is a protocol that allows the home network to maintain real-time control over calls made by roaming subscribers. Without CAMEL, the home operator only learns about roaming usage when TAP files arrive, which can be hours or days later. This creates a risk for prepaid subscribers who might exhaust their balance while the home operator has no visibility.

With CAMEL, the visited network's MSC sends a signaling message to the home network's gsmSCF (GSM Service Control Function) before connecting each call. The gsmSCF can:

• Authorize or deny the call based on the subscriber's current balance
• Set a maximum call duration timer
• Trigger mid-call events (e.g., warning tone before balance runs out)
• Redirect calls to alternative destinations
• Apply real-time tariffing based on the home operator's rate plan

CAMEL effectively extends the home operator's intelligent network (IN) platform to cover roaming scenarios. It requires both the home and visited networks to support CAMEL, which is specified in the roaming agreement.

TAP Files: The Billing Settlement Mechanism

The financial settlement between home and visited operators is handled through TAP (Transferred Account Procedure) files, a standard defined by the GSMA. The process works as follows:

1. The visited network generates CDRs (Call Detail Records) for all roaming subscriber activity: voice calls, SMS, and data sessions.
2. These CDRs are assembled into a TAP file, typically using the TAP3 format (currently TAP3.12), which is an ASN.1-encoded binary format.
3. TAP files are transmitted to the home operator, usually via a clearing house such as Syniverse or BICS, which acts as an intermediary to simplify the bilateral exchange (instead of each operator exchanging files with every roaming partner individually).
4. The home operator processes the TAP file, applies retail pricing to the subscriber's bill, and settles the wholesale charges with the visited operator according to the IOT (Inter-Operator Tariff) agreed in the roaming agreement.

TAP file exchange frequency varies but is typically every few hours for high-volume roaming corridors. The GSMA mandates maximum latency targets (RAP returns must be sent within a defined window), and financial settlement is usually monthly through the clearing house.

TAP File Structure

TAP3 File
  +-- BatchControlInfo (file metadata, sender/recipient IDs)
  +-- AccountingInfo (currency, TAP decimal places)
  +-- NetworkInfo (UTC offset table, recEntity table)
  +-- CallEventDetailList
       +-- MobileOriginatedCall (calling, called, duration, charges)
       +-- MobileTerminatedCall
       +-- SupplServiceEvent (SMS MO, SMS MT)
       +-- GprsCall (data volume up/down, APN, duration)

Data Roaming: PGW, SGW, and the GTP Protocol

Data roaming in 4G LTE networks introduces additional network elements. When a subscriber roams with data enabled, the data session can follow one of two models:

• Home-routed traffic: The visited network's SGW (Serving Gateway) tunnels all data traffic back to the home network's PGW (PDN Gateway) via GTP (GPRS Tunneling Protocol) across the GRX/IPX network. The PGW assigns the IP address and applies policy/charging. This means all internet traffic from a roaming subscriber is backhauled to the home country, adding latency but giving the home operator full control.
• Local breakout (LBO): The visited network provides a local PGW, and data traffic exits to the internet locally. This reduces latency significantly (critical for real-time applications) but gives the visited operator more control over policy and the home operator less visibility. LBO is increasingly common with VoLTE roaming and 5G.

In 5G standalone networks, the architecture evolves further with the SMF (Session Management Function) and UPF (User Plane Function) replacing the SGW/PGW, and the SEPP (Security Edge Protection Proxy) providing secure signaling interconnection between operators.

Roaming Steering: Directing Subscribers to Preferred Networks

Operators do not passively wait for their subscribers to connect to any available network. Roaming steering is the practice of actively directing subscribers to preferred visited networks, typically those with the most favorable commercial terms or best quality of service.

Steering techniques include:

• SIM-based steering: The preferred roaming list on the SIM is programmed with the operator's preferred partners, ordered by priority. This can be updated over-the-air (OTA).
• Network-based steering: The home operator's steering platform sends MAP commands to redirect the subscriber's registration from a non-preferred to a preferred network. This involves rejecting the Location Update on the non-preferred network and letting the phone re-select.
• Signaling-based steering: More advanced techniques involve intercepting Location Update messages at the SS7/SIGTRAN level and selectively accepting or rejecting them based on the visited PLMN identity.

Steering is a multi-million dollar optimization for large operators, as the IOT difference between preferred and non-preferred partners can be substantial.

IoT Roaming: Permanent Roaming and eSIM

The Internet of Things has created new roaming challenges. Unlike human subscribers who roam temporarily while traveling, IoT devices (connected cars, smart meters, asset trackers) may be deployed permanently in a foreign country. This "permanent roaming" was not envisioned in the original GSM roaming framework and creates issues:

• Regulatory concerns: Some regulators require that devices permanently operating in their country use a local operator, not a foreign roaming SIM.
• Commercial terms: Roaming agreements were designed for temporary use. Permanent roaming can create disputes over traffic volumes and settlement terms.
• Technical limitations: Some visited networks deprioritize roaming subscribers during congestion, which may be unacceptable for critical IoT applications.

The industry is addressing these challenges through several mechanisms. eUICC (embedded SIM) and eSIM allow remote SIM provisioning, enabling a device to switch its profile to a local operator without physical SIM replacement. The GSMA's IoT roaming framework defines specific agreements for M2M/IoT permanent roaming, and some operators offer dedicated IoT roaming hubs that aggregate connectivity across multiple visited networks.

Roaming in the 5G Era

5G introduces significant changes to the roaming architecture. The Service-Based Architecture (SBA) replaces point-to-point interfaces with HTTP/2-based APIs. The SEPP (Security Edge Protection Proxy) becomes the mandatory interconnection point between operators, providing message filtering, topology hiding, and end-to-end encryption of roaming signaling.

Key 5G roaming developments include:

• Network slicing across roaming boundaries: A subscriber's network slice (e.g., ultra-reliable low-latency for autonomous driving) must be maintained when roaming, requiring new negotiation protocols between operators.
• Edge computing implications: If applications are running at the network edge (MEC), roaming creates questions about whether to use the visited network's edge or route back to the home network's edge.
• AUSF-based authentication: 5G-AKA authentication in roaming scenarios uses the home network's AUSF (Authentication Server Function), providing stronger security guarantees than the 4G EAP-AKA' mechanism.

Common Roaming Problems and Their Causes

Understanding the architecture helps explain common roaming issues:

• "No Service" abroad: Usually means no roaming agreement exists, or the SIM's preferred roaming list does not include any available network. Can also indicate IMSI routing failures at the SS7 level.
• Calls fail but SMS works: Often a CAMEL negotiation failure. The visited MSC may not support the CAMEL phase required by the home operator, causing voice calls to be rejected while SMS (which uses a different MAP operation) works normally.
• Data roaming extremely slow: In home-routed mode, all traffic is backhauled to the home country. A subscriber in Tokyo using a US operator may have their data traffic routed through a PGW in New York, adding 200ms+ of round-trip latency.
• Bill shock: Without CAMEL or a real-time charging interface, the home operator may not process TAP files for hours. During that window, the subscriber can accumulate significant charges, particularly for data. The EU's "Roam Like at Home" regulation addressed this for intra-EU roaming by capping wholesale rates.

Conclusion

Mobile roaming is a remarkable achievement of inter-operator cooperation, built on decades of standardization through the GSMA and 3GPP. The underlying signaling relies heavily on the SS7/MAP protocol stack, even as the transport layer migrates to IP-based SIGTRAN and Diameter. As 5G deployments accelerate and IoT devices create new permanent roaming scenarios, the roaming architecture continues to evolve, but the fundamental principles of HLR/VLR interaction, subscriber authentication, and TAP-based settlement remain at its foundation.

For operators looking to implement or extend roaming capabilities, MOBITELSMS provides SS7 gateway services for MAP/CAMEL signaling and mobile core network solutions that support both 4G and 5G roaming architectures.