import of old now defunct presentation slides svn repo

1 files changed, 485 insertions, 0 deletions

diff --git a/2009/gsm_workout-fossin2009/gsm_workout.tex b/2009/gsm_workout-fossin2009/gsm_workout.tex
new file mode 100644
index 0000000..5878f5f
--- /dev/null
+++ b/2009/gsm_workout-fossin2009/gsm_workout.tex
@@ -0,0 +1,485 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice. 
+
+
+\mode<presentation>
+{
+  \usetheme{Warsaw}
+  % or ...
+
+  \setbeamercovered{transparent}
+  % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+\usepackage{listings}
+
+
+\title{GSM Workout}
+
+\subtitle
+{Improving GSM protocol analysis}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\airprobe.org\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[foss.in/2009] % (optional, should be abbreviation of conference name)
+{FOSS.in conference, December 2009, Bangalore/India}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+%   yourself) who are reading the slides online
+
+\subject{Free Software}
+% This is only inserted into the PDF information catalog. Can be left
+% out. 
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+%  \begin{frame}<beamer>{Outline}
+%    \tableofcontents[currentsection,currentsubsection]
+%  \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command: 
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+  \tableofcontents
+  % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution: 
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+%   are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+%   enough. Leave out details, even if it means being less precise than
+%   you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+%   just say so once. Everybody will be happy with that.
+
+\begin{frame}{The FOSS.in/2009 GSM workout}
+What do we want to achieve?
+\begin{itemize}
+	\item improve airprobe.org GSM protocol analyzer
+	\item improve wireshark protocol dissectors for GSM
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The FOSS.in/2009 GSM workout}
+What skills do you need?
+\begin{itemize}
+	\item general underestanding about communications protocols
+	\item wireshark usage and preferrably wireshark dissector architecture
+	\item GSM protocol knowledge not really required
+\end{itemize}
+\end{frame}
+
+\section{airprobe.org}
+
+\begin{frame}{airprobe architecture}
+\begin{itemize}
+	\item Software to receive GSM off the air
+	\begin{itemize}
+		\item implements GSM layer 0 and 1, sometimes 2
+		\item many implementations available in airprobe.org
+		\item gsm-receiver and gsm-tvoid most popular
+	\end{itemize}
+	\item Intermediate data formate to pass information to protocol analyzer
+	\item Actual protocol analyzers like
+	\begin{itemize}
+		\item gsmdecode, part of airprobe
+		\item wireshark.org project
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Intermediate data formats}
+\begin{itemize}
+	\item Intermediate data formate to pass information between GSM receiver and actual protocol analyzer
+	\begin{itemize}
+		\item hex bytes for every layer 2 or layer 3 message, or
+		\item PCAP file with GSM encapsulation type, or
+		\item some non-standard frames through tun/tap device, or
+		\item GSMTAP header (like wiretap) inside UDP packets over loopback device
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{GSM Um interface}
+
+\begin{frame}{Understanding Um}{Overview}
+% Following GSM 04.03 Section 4
+%\small{
+\begin{itemize}
+	\item Modeled after the U interface of ISDN
+	\item Broadcast channels: SCH, BCCH, FCCH
+	\item Common channels: CCCH (PCH \& AGCH), RACH
+	\item Dedicated Channels: 
+	\begin{description}[Dm]
+		\item[Dm] SDCCH, FACCH, SACCH
+		\item[Bm] TCH/H, TCH/F
+	\end{description}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Understanding Um}{Channels \& Layers}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=100mm]{GSMLayers.pdf}
+\end{figure}
+\end{frame}
+
+\subsection{Time Division Multiplex}
+
+\begin{frame}{Understanding Um}{TDM Structure}
+\begin{itemize}
+	\item ARFCN (Absolute Radio Freq.~Chan.~Num.)-- A 270,833 Hz radio channel. ARFCNs within a BTS numbered C0, C1, etc.
+	\item 8 timeslots per frame on each ARFCN, numbered T0..T7.
+	\item ``physical channel'' -- one slot on one ARFCN, designated C0T0, C0T1, C1T5, etc.
+	\item Physical channel TDM follows a 26- or 52-frame multiframe, carrying multiple logical channels.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Understanding Um --TDM Example}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=90mm]{26Multiframe.pdf}
+	\caption{Example of traffic channel TDM}
+\end{figure}
+\end{frame}
+
+\subsection{Logical Channels}
+
+\begin{frame}{Understanding Um}{The Beacon}
+The beacon is always on C0T0 and always constant full power
+\begin{description}[CCCH]
+	\item[SCH] (Sync.) -- TDM timing and reduced BTS identity
+	\item[FCCH] (Freq.~Corr.) -- Fine frequency synchronization
+	\item[BCCH] (Broadcast Control) -- Cell configuration and neighbor list
+	\item[CCCH] (Common Control) -- a set of unicast channels
+	\begin{description}[AGCH]
+		\item[PCH] paging channel for network-originated transactions
+		\item[AGCH] access grant channel
+		\item[RACH] uplink access request
+	\end{description}
+\end{description}
+\end{frame}
+
+\begin{frame}{Understanding Um}{SCH -- Synchronization CHannel}
+\begin{itemize}
+	\item First channel acquired by a handset
+	\item T1, T2, T3' -- TDM clocks for GSM frame number
+	\item BCC -- 3 bits, identifies BTS in the local group
+	\item NCC -- 3 bits, identifies network within a region
+	\item BSIC is NCC:BCC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Understanding Um}{BCCH -- Broadcast Control CHannel}
+\begin{itemize}
+	\item Second channel acquired by the handset.
+	\item A repeating cycle of system information messages.
+	\begin{description}[Type 4]
+		\item[Type 1] ARFCN set
+		\item[Type 2] Neighbor list
+		\item[Type 3] Cell/Network identity, CCCH configuration
+		\item[Type 4] Network identity, cell selection parameters
+		\item[GPRS] adds a few more (7, 9, 13, 16, 17)
+	\end{description}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Understanding Um}{CCCH -- Common Control CHannel}
+\begin{description}[AGCH]
+	\item[PCH] Paging
+	\begin{itemize}
+		\item Unicast. Handsets addressed by IMSI or TMSI, never IMEI.
+		\item Handset sees paging request and then requests service on RACH.
+	\end{itemize}
+	\item[RACH] Random Access
+	\begin{itemize}
+		\item Handset requests channel with RACH burst, 8-bit tag.
+	\end{itemize}
+	\item[AGCH] Access Grant
+	\begin{itemize}
+		\item BTS answers on AGCH, echoing tag and timestamp.
+	\end{itemize}
+\end{description}
+\end{frame}
+
+\begin{frame}{Understanding Um}{Dm Channels}
+\begin{description}[SDCCH]
+	\item[SDCCH] Most heavily used control channel: registration, SMS transfers, call setup in many networks.  Payload rate of 0.8 kb/s.
+	\item[FACCH] Blank and burst channel steals bandwidth from traffic.  Used for in-call signaling, call setup in some networks.  Payload rate up to 9.2 kb/s on TCH/F.
+	\item[SACCH] Low rate channel muxed onto every other logical channel type.  Used for timing/power control, measurement reports and in-call SMS transfers.
+\end{description}
+\end{frame}
+
+\begin{frame}{Frequency Hopping}
+\begin{itemize}
+	\item Intended to improve radio performance through diversity in fading and interference
+	\item Two ways to implement hopping
+	\begin{itemize}
+		\item Baseband hopping: $N$ fixed-frequency transceivers are connected to $N$ baseband processors through a switch or commutator.  Allows CA of $N$ ARFCNs.  C0 can be in the CA.
+		\item Synthesizer hopping: Each of $N$ baseband processors connects to a dedicated transceiver.  This requires transceivers that can be retuned and settled in less than 30~$\mu$s.  Allows CA to have $\gg N$ ARFNCs.  C0 is not in the CA.
+	\end{itemize}
+	\item Some networks implement synchronous hopping to prevent collisions of hopping bursts from neighboring cells.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Frequency Hopping Parameters}
+A {\em hopping sequence} is an ordered list of ARFCNs used by a given physical channel (PCH), synced to the GSM frame clock.
+Each PCH can have an independent hopping sequence.
+\begin{description}[MAIO]
+	\item[CA] Cell Allocation, set of ARFCNs used for hopping in BTS
+	\item[HSN] Hopping Sequence Number, parameter used in pseudorandom algorithm generating hopping sequence
+	\item[MA] Mobile Allocation, subset of CA used by a particular PCH
+	\item[MAIO] MA Index Offset, offset added to hopping sequence when indexing  MA.
+\end{description}
+\begin{itemize}
+	\item CA is the same for every PCH in the BTS
+	\item HSN, MA and MAIO can be different for every PCH, usually only MAIO is unique
+\end{itemize}
+\end{frame}
+
+\subsection{The Layers of the Um Interface}
+
+\begin{frame}{Understanding Um}{The Layers}
+The Layers are not exactly the ISO model, but a similar theme.
+\begin{description}
+	\item[L1] The radiomodem, TDM and FEC functions
+	\item[L2] Frame segmentation and retransmission
+	\item[L3] Connection \& mobility management
+	\item[L4] Relay functions between BSC and other entities
+\end{description}
+\end{frame}
+
+
+\begin{frame}{Understanding Um}{The Layers}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=85mm]{L2Figure.pdf}
+	\caption{Layers of a Dm channel}
+\end{figure}
+\end{frame}
+
+\subsection{Um Layer 1}
+
+\begin{frame}{Understanding Um}{L1}
+\begin{itemize}
+	\item Analog radio path (transceiver, amplifiers, duplexer, antenna)
+	\item{GMSK or GMSK/EDGE radiomodem (``L0'')}
+	\item{TDM to define logical channels}
+	\item{FEC (Forward Error Correction)}
+	\begin{itemize}
+		\item{Rate-1/2 convolutional code is typical.}
+		\item{40-bit Fire code parity word on most control channels.}
+		\item{4-burst or 8-burst interleaving is typical.}
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{L1 Overview (see handout)}
+\begin{figure}[h]
+	\centering
+	\includegraphics[width=50mm]{UmL1Overview.pdf}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Um L1 Interleaving}
+\begin{itemize}
+	\item Every GSM data frame is spread over 4 or 8 radio bursts.
+	\begin{itemize}
+		\item 4-burst block interleave on most channels
+		\item 8-burst diagonal interleave on TCHs
+	\end{itemize}
+	\item Loss of one burst means 1/4 or 1/8 missing channel bits, scattered throughout a frame.
+	\item Allows a slow-hopping system to achieve many performance gains associated with fast-hopping.
+\end{itemize}
+\end{frame}
+
+\subsection{Um Layer 2}
+
+\begin{frame}{Understanding Um}{L2}
+\begin{itemize}
+	\item L1 drops frames, but L3 assumes a reliable link.
+	\item L1 uses fixed-length frames, but L3 uses variable-length messages.
+	\item L2 (Data Link Layer) bridges the gap with segmentation, sequencing and retransmission.
+	\item ISDN uses LAPD for L2, derived from HDLC, derived from SDLC, dating back to IBM's SNA mainframe networks.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Understanding Um}{L2}
+\begin{itemize}
+	\item{LAPDm on Dm channels, a HDLC derivative, similar to ISDN's LAPD but simplified.}
+	\item{LLC on GPRS channels, another HDLC derivative.}
+	\item{GSM defines no L2 in Bm channels.}
+	\begin{itemize}
+		\item{Speech/fax are just media and have no L2.}
+		\item{CSD typically used with PPP for L2.}
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{TODO}
+
+\subsection{GSMTAP}
+
+\begin{frame}{GSMTAP Interface}
+It's important to find the right level of the GSMTAP interface
+\begin{itemize}
+	\item If we simply pass every GSM burst, then wireshark would need to do the burst-rerassembly, forward error correction, etc - something it traditionally doesn't do
+	\item If we pass every Layer 2 Frame (23 bytes)
+	\begin{itemize}
+		\item burst decoding, reassembly, etc. is done in receiver
+		\item however, every burst might have different RF parameters like ARFCN, RX level, error rate, ...
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}[containsverbatim]{Current GSMTAP Header}
+\tiny{
+\begin{lstlisting}
+struct gsmtap_hdr {
+	u_int8_t version;		/* version, set to 0x01 currently */
+	u_int8_t hdr_len;		/* length in number of 32bit words */
+	u_int8_t type;			/* see GSMTAP_TYPE_* */
+	u_int8_t timeslot;		/* timeslot (0..7 on Um) */
+
+	u_int16_t arfcn;		/* ARFCN (frequency) */
+	u_int8_t noise_db;		/* noise figure in dB */
+	u_int8_t signal_db;		/* signal level in dB */
+
+	u_int32_t frame_number;		/* GSM Frame Number (FN) */
+
+	u_int8_t burst_type;		/* Type of burst, see above */
+	u_int8_t antenna_nr;		/* Antenna Number */
+	u_int16_t res;			/* reserved for future use (RFU) */
+
+} __attribute__((packed));
+\end{lstlisting}
+}
+\end{frame}
+
+\subsection{ip.access wireshark dissectors}
+
+\begin{frame}{ip.access wireshark dissectors}
+\begin{itemize}
+	\item ip.access wrote some wireshark dissectors against an old wireshark version
+	\item they never submtited them upstream, but we have the source under GPL
+	\item meanwhile, upstream wireshark has parts of that functionality
+	\item we now need to port those old dissectors to current wireshark
+\end{itemize}
+\end{frame}
+
+\begin{frame}{ip.access wireshark dissectors}
+\begin{itemize}
+	\item IPA protocol as encapsulation layer
+	\begin{itemize}
+		\item different implementation in upstream (packet-gsm\_ipa.c)
+		\item maybe some few bits missing from upstream
+		\item port the missing bits from ip.access to upstream
+	\end{itemize}
+	\item GSM 12.21 (A-bis OML)
+	\begin{itemize}
+		\item different implementation in openbsc (abis-oml.patch)
+		\item quite a number of bits missing from upstream
+		\item BTS vendor specific decoding preference needed
+	\end{itemize}
+	\item GSM 08.58 (A-bis RSL)
+	\begin{itemize}
+		\item different implementation in upstream (packet-rsl.c)
+		\item many ip.access specific bits missing
+		\item port the missing bits from ip.access to upstream
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{ip.access wireshark dissectors}
+\begin{itemize}
+	\item IPA IML (internal management link)
+	\begin{itemize}
+		\item no implementation in upstream
+		\item simply merge it into current upstream
+	\end{itemize}
+	\item RTP Multiplex (packet-rtp\_mux.c)
+	\begin{itemize}
+		\item no implementation in upstream
+		\item simply merge it into current upstream
+	\end{itemize}
+	\item GSM CSD (packet-gsm\_csd.c)
+	\begin{itemize}
+		\item no implementation in upstream
+		\item simply merge it into current upstream
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\end{document}