| Field | Value | Date |
|---|---|---|
| author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
| committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
| commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
| tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2015/osmo_iuh/osmo_iuh.tex.bak | |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2015/osmo_iuh/osmo_iuh.tex.bak')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | 2015/osmo_iuh/osmo_iuh.tex.bak | 539 |
1 files changed, 539 insertions, 0 deletions
| diff --git a/2015/osmo_iuh/osmo_iuh.tex.bak b/2015/osmo_iuh/osmo_iuh.tex.bak new file mode 100644 index 0000000..74c5820 --- /dev/null +++ b/2015/osmo_iuh/osmo_iuh.tex.bak 
@@ -0,0 +1,539 @@ + +\newcommand{\degree}{\ensuremath{^\circ}} +%\documentclass[handout]{beamer} +\documentclass{beamer} + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>. +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice.  + + +\mode<presentation> +{ +  \usetheme{CambridgeUS} +  \usecolortheme{whale} + +%\setbeamercolor{titlelike}{parent=palette primary,fg=black} +\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg} +% from beamercolorthemeorchid.sty to make it look more like warsaw +\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black} +\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black} +\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black} + +\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg} +\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg} +\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg} + + + +  % or ... 
+ +  %\setbeamercovered{transparent} +  % or whatever (possibly just delete it) +} + +\mode<handout>{ +	\usepackage{misc/handoutWithNotes} +	\pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm] +	\usecolortheme{seahorse} +} + +% ensure the page number is printed in front of the author name in the footer  +%\newcommand*\oldmacro{} +%\let\oldmacro\insertshortauthor% save previous definition +%\renewcommand*\insertshortauthor{% +%  \leftskip=.3cm% before the author could be a plus1fill ... +%  \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro} + +\usepackage[english]{babel} +\usepackage[latin1]{inputenc} +\usepackage{times} +\usepackage[T1]{fontenc} + +\usepackage{subfigure} +\usepackage{hyperref} +\usepackage{textcomp,listings} +%\usepackage{german} +\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8} + + +\title{The Iuh protocol stack and osmo-iuh} + +\subtitle{Implementing HNBAP, RUA and RANAP in Free Software} + +\author{Harald~Welte} + +\institute{Osmocom Project / sysmocom GmbH} + +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[October 2015] % (optional, should be abbreviation of conference name) +%{DeepSec Conference, November 2011, Vienna/Austria} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +%   yourself) who are reading the slides online + +\subject{UMTS} +% This is only inserted into the PDF information catalog. Can be left +% out.  
+ + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +%  \begin{frame}<beamer>{Outline} +%    \tableofcontents[currentsection,currentsubsection] +%  \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command:  + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} +  \titlepage +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution:  + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +%   15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +%   are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +%   enough. Leave out details, even if it means being less precise than +%   you think necessary. +% - If you omit details that are vital to the proof/implementation, +%   just say so once. Everybody will be happy with that. 
+ +\begin{frame}{About} +\begin{itemize} +	\item Linux Kernel / bootloader / driver / firmware developer since 1999 +	\item Former core developer of Linux packet filter netfilter/iptables +	\item Comms / Network Security beyond TCP/IP +	\begin{itemize} +		\item OpenPCD, librfid, libmtrd, OpenBeacon +		\item deDECTed.org project +		\item Openmoko - FOSS smartphone with focus on security + owner device control +		\item OpenBSC as network-side FOSS GSM Stack +		\item OsmocomBB - device-side GSM protocol stack + baseband firmware +	\end{itemize} +	\item practical security research / testing on baseband side and +		telecom infrastructure side +	\item running a small team at sysmocom GmbH in Berlin, building +		custom tailored mobile communications technology +\end{itemize} +\end{frame} + +\section{UMTS Architecture and Iuh} + +\subsection{Classic UMTS} + +\begin{frame}{UMTS Architecture} +\begin{figure}[h] +	\centering +	\includegraphics[width=105mm]{640px-UMTS_structures.png} +\end{figure} +UMTS Structure by Tsaitgaist - icons from Gnome +\end{frame} + +\begin{frame}{UMTS Protocol stacking} +\begin{itemize} +	\item Iu is split in Iu-CS (MSC) and Iu-PS (SGSN) +	\item Next slides show protocol stacking of Iu-CS and Iu-PS +	\item Notice all the ATM legacy that's way obsolete by now +	\item IP based transport does away with a lot of it +	\item however, M3UA and SCCP remain even on IP based Iu +\end{itemize} +\end{frame} + +\begin{frame}{UMTS protocol stacking} +\begin{figure}[h] +	\centering +	\includegraphics[width=115mm]{umts_ps_control.pdf} +\end{figure} +\end{frame} + +\begin{frame}{Iu-CS protocol stacking} +\begin{figure}[h] +	\centering +	\includegraphics[width=70mm]{iu_cs_stacking.png} +\end{figure} +from 3GPP TS 25.410 +\end{frame} + +\begin{frame}{Iu-PS protocol stacking} +\begin{figure}[h] +	\centering +	\includegraphics[width=75mm]{iu_ps_stacking.png} +\end{figure} +from 3GPP TS 25.410 +\end{frame} + +\subsection{UMTS for HomeNodeB} + +\begin{frame}{UMTS 
Architecture for hNodeB} +\begin{figure}[h] +	\centering +	\includegraphics[width=105mm]{nodeb_hnb.png} +\end{figure} +nodeB and Home nodeB by Tsaitgaist - icons from Gnome +\end{frame} + +\begin{frame}{UMTS protocol stacking with HomeNodeB} +\begin{figure}[h] +	\centering +	\includegraphics[width=115mm]{umts_hnb_control.pdf} +\end{figure} +\end{frame} + +\begin{frame}{Differences NodeB to hNodeB} +\begin{itemize} +	\item hNodeB is basically a NodeB with a RNC built-in +	\item all lower-level protocols are implemented in the RNC +	\item only RANAP is exposed +	\item Iuh interface is similar to Iu-CS/Iu-PS +	\item Iu interface is at much lower level. +	\item Compared with GSM: Iu = Abis, Iuh = A +\end{itemize} +\end{frame} + +\begin{frame}{Why work with hNodeB instead of NodeB} +\begin{itemize} +	\item UMTS is not a single telephony system but a set of +		re-configurable building blocks to create any type of +		telephony system. +	\item complexity at every level, particularly the lower levels +	\item using hNodeB interface / stack (Iuh), we can avoid having +		to worry about RLC/MAC, RRC, HNBAP, etc. +	\item many femtocells implement Iuh +	\item quite some small cells also implemet Iuh +\end{itemize} +\end{frame} + +\begin{frame}{UMTS channel mapping} +speaking of UMTS access stratum complexity... +\begin{figure}[h] +	\centering +	\includegraphics[width=105mm]{umts_channel_mapping.png} +\end{figure} +from 3GPP TS 25.301 +\end{frame} + +\section{Iuh interface protocols} + +\begin{frame}{A closer look at Iuh} +\begin{itemize} +	\item Iuh is {\em basically} just RANAP encapsulated in +		something les complex over SCTP/IP +	\item In addition to RANAP, there is +	\begin{itemize} +		\item RUA (RANAP User Adaption) to replace SCCP +		\item HNBAP to register hNodeB and UE +	\end{itemize} +	\item RANAP for both CS and PS is sent together, but on RUA +		level there is a {\em Domain Indicator} that helps +		separating both. 
+\end{itemize} +\end{frame} + +\begin{frame}{UMTS protocol stacking for Iuh} +\begin{figure}[h] +	\centering +	\includegraphics[width=65mm]{iuh_stacking.png} +\end{figure} +from 3GPP TS 25.467 +\end{frame} + +\subsection{RANAP User Adaption} + +\begin{frame}{RUA Protocol (3GPP TS 25.468)} +\begin{itemize} +	\item Very simple connection-oriented layer +	\begin{itemize} +		\item {\tt CONNECT} +		\item {\tt DIRECT TRANSFER} +		\item {\tt DISCONNECT} +		\item {\tt CONNECTIONLESS TRANSFER} +		\item {\tt ERROR INDICATION} +	\end{itemize} +	\item 24-bit Context ID differentiates multiple parallel RUA +		connections +\end{itemize} +\end{frame} + +\subsection{HomeNodeB Application Part} + +\begin{frame}{HNBAP Protocol (3GPP TS 25.469)} +\begin{itemize} +	\item HNBAP protocol has only very few messages/transactions +	\begin{itemize} +		\item {\tt HNB REGISTER (REQUEST, ACCEPT, REJECT)} +		\item {\tt HNB DE-REGISTER} +		\item {\tt UE REGISTER (REQUEST, ACCEPT, REJECT)} +		\item {\tt UE DE-REGISTER} +		\item {\tt TNL UPDATE (REQUEST, RESPONSE, FAILURE)} +		\item {\tt HNB CONFIG TRANSFER (REQUEST, RESPONSE)} +		\item {\tt ERROR INDICATION} +		\item {\tt CSG MEMBERSHIP UPDATE} +		\item {\tt RELOCATION COMPLETE} +	\end{itemize} +	\item most important is HNB and UE registration +\end{itemize} +\end{frame} + +\subsection{RANAP} + +\begin{frame}{RANAP Protocol (3GPP TS 25.413)} +\begin{itemize} +	\item Lots of transactions, some key transactions here: +	\begin{itemize} +		\item {\tt RESET / RESET ACKNOWLEDGE} +		\item {\tt INITIAL UE MESSAGE} +		\item {\tt DIRECT TRANSFER} +		\item {\tt IU RELEASE (COMMAND, COMPLETE)} +		\item {\tt SECURITY MODE (COMMAND, COMPLETE, REJECT)} +		\item {\tt PAGING} +		\item {\tt RAB ASSIGNMENT (REQUEST, RESPONSE)} +	\end{itemize} +\end{itemize} +\end{frame} + +\section{Osmocom and Iu(h)} + +\begin{frame}{SCCP in Free Software} +\begin{itemize} +	\item comes in connection-less and connection-oriented flavor +	\item is used a lot in SS7 core network 
protocols +	\item connection-oriented SCCP is only used on classic GSM A +		interface (over E1) and in UMTS Iu interface +	\item no finished free software implementation of +		connection-oriented SCCP exists +	\begin{itemize} +		\item libosmo-sccp, Yate, Mobicents only implement conneciton-less +		\item osmo\_sccp Erlang code has partial but never +			completed/tested code for connection-oriented mode +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{How to support UMTS from OsmoNITB, OsmoSGSN} +\begin{itemize} +	\item Separation of MSC-part from NITB, generating Osmo-MSS +	\begin{itemize} +		\item OsmoBSC already implements BSC-side A interface, +			we need to add MSC-side A interface +	\end{itemize} +	\item UMTS AKA support as library, link into OsmoMSS and OsmoSGSN +	\item RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN +	\item NITB: support {\tt subscriber\_connection} over A (BSSMAP/BSSAP) and over RANAP +	\item SGSN: support {\tt mm\_context} over Gb (LLC/BSSGP/NS) or over RANAP +\end{itemize} +\end{frame} + +\begin{frame}{How to encapulate RANAP towards the RAN} +\begin{itemize} +	\item we could either +	\begin{itemize} +		\item Try to convert from Iuh to A interface, make +			(h)NodeB look like GSM BTS+BSC. 
+		\item Implement classic Iu-CS and Iu-PS over SCCP/M3Ua +			and have a classic HNB-GW to convert to Iuh +		\item Implement Iuh directly, avoiding SCCP and M3UA +	\end{itemize} +	\item Iu-CS/PS requires connection-oriented SCCP +	\item when implementing Iuh directly, we still need to somehow +		split CS and PS plane +	\item Idea: Simple proxy that speaks Iuh to hNodeB, MSS and SGSN +	\item Iu-CS/PS over SCCP/M3UA could be added later, if required +\end{itemize} +\end{frame} + +\subsection{Protocol Encoding} + +\begin{frame}{RANAP, RUA and HNBAP Encoding} +\begin{itemize} +	\item Use ASN.1 syntax for defining protocol messages +	\item Use APER (Aligned Packed Encoding Rules) +	\begin{itemize} +		\item unlike BER: No Tag/Length values +		\item unlike UPER: all fields start at octet boundary +	\end{itemize} +	\item ASN.1 syntax uses Information Object Classes havily +	\item ASN.1 is not abstract enough for them, so they use ASN.1 to +		define containers, i.e. they build something like a TLV structure inside ASN.1 +	\begin{itemize} +		\item Every IE is its own ASN.1 SEQUENCE, and it gets wrapped into an IE container indicating an IEI and the encoded sequence +		\item The Main message then simply has an array (SEQUENCE OF) of IE containers +	\end{itemize} +	\item Regular ASN.1 code generator will not generate very useful code +		for this, i.e. it wil not be able to parse the entire message +		in one go, but it requires manual iteration code that calls the +		generated decoder separetely for every IE Container +\end{itemize} +\end{frame} + +\subsection{RANAP, RUA, HNBAP and asn1c} + +\begin{frame}{RANAP, RUA, HNBAP and asn1c} +\begin{itemize} +	\item Lev Walkins asn1c is a Free Software ASN.1 compiler / code generator +	\item it is good for basic usage, but lacks many if not most of the features required in telecom +	\begin{itemize} +		\item No support for information object classes +		\item No support for aligned PER support +		\item No support for type prefixing, i.e. 
evey type uses the same global C namespace and you have problems if RANAP, RUA and/or HNBAP all have types of the same name +	\end{itemize} +	\item No other free software alternatives exist +	\item Somebody with firm knowledge on compiler theory needs to help out, I'm at a loss here. +\end{itemize} +\end{frame} + +\begin{frame}{Alternatives to asn1c} +\begin{itemize} +	\item Write all related code in Erlang +	\begin{itemize} +		\item I tried that in the past, but nobody ever contributed to any of the osmcoom Erlang projects :( +		\item At Osmocom we're mostly low-level C guys with an inherent dislike of abstract/complex languages, VMs and the like +	\end{itemize} +	\item Use proprietary asn1 compiler +	\begin{itemize} +		\item In theory not a problem, as the compiler has no copyright on the generated C code, we can use it from FOSS +		\item Problem: Mandatory runtime code is proprietary +		\item We certainly don't want proprietary blobs in Free Software, ever +		\item FOSS code would have to be MIT/BSD/LGPL, incompatible with osmo-* GPL/AGPL. 
+	\end{itemize} +	\item So it seems we have to stick with asn1c, after all +\end{itemize} +\end{frame} + +\begin{frame}{How to make asn1c work for Iuh} +\begin{itemize} +	\item Eurecom has a patch for adding APER support to asn1c +	\begin{itemize} +		\item it's against an agest old version of asn1c +		\item I forward-ported that to current asn1c master +		\item Probably needs some clean-up before it can be merged +	\end{itemize} +	\item Information Object Classes are hard +	\begin{itemize} +		\item compile only the IE and PDU definitions of the ASN.1 +		\item skip all parts related to Information Object Classes +	\end{itemize} +	\item Type prefixing +	\begin{itemize} +		\item Could be done in the ASN.1 source files, but that's ugly +		\item I hacked asn1c for a day until I finally had found all the locations where prefixing must be used (or not) +		\item Code is at {\tt git://git.osmocom.org/asn1c.git} +	\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{But what about the IE Containers?} +\begin{itemize} +	\item Eurecom has an {\tt asn1tostruct.py} script +	\begin{itemize} +		\item Another layer on top of asn1c to handle the IE containers and un-do the damage caused by the additional layer of abstraction of RANAP and related protocols +		\item Developed to cope with S1-AP (RANAP equipvalent for LTE) +		\item Can be used for Iuh wit some modifications +		\item Also had to be taught type prefixing +	\end{itemize} +\end{itemize} +\end{frame} + +\subsection{osmo-iuh, after all} + +\begin{frame}{Putting it all together} +Brief history of what I did so far: +\begin{itemize} +	\item copy+paste Asn.1 syntax from 3GPP .doc files +	\item use hacked asn1c to generate C code +	\item don't use copied runtime code but shared osmocom libasn1c +	\item use modified asn1tostruct.py for the obfuscation layer +	\item write some code to dispatch messages +	\item implement minimally required transactions like {\tt HNB REGISTER}, {\tt UE REGISTER} +	\item see the {\tt INITIAL UE 
MESSAGE} with the {\tt LOCATION UPDATE} +\end{itemize} +\end{frame} + +\begin{frame}{Where do we go from here?} +\begin{itemize} +	\item Implement UMTS AKA in libosmogsm, test over GSM and GPRS +	\item Crete small HNB-GW with RANAP-over-RUA on both sides, splitting CS and PS +	\item Split OsmoMSS from OsmoNITB, add RANAP interface +	\item Add RANAP-over-RUA to OsmoSGSN +	\item More Volunteers needed! +\end{itemize} +\end{frame} + +\begin{frame}{What kind of hardware can we use?} +\begin{itemize} +	\item The (undisclosed) small cell hardware I currently use is very expensive (several thousand EUR) and thus not suitable to most hackers +	\item Many consumer-grade femtocells in the market, most modern ones should use Iuh +	\begin{itemize} +		\item they are typically quite locked down and provide no local console / JTAG +		\item they establish an IPsec tunnel to the SEGW (Security Gateway) and then only talk Iuh inside the tunnel +		\item Several groups of people have looked at them in the past (including Kevin, Nico and myself) +		\item maybe we can find a model that's easily convinced to talk to a different HNB-GW? +	\end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{Summary} +\begin{itemize} +	\item Iuh is actually not difficult conceptually +	\item Lack of good FOSS asn1 tools is biggest factor +	\item Obfuscation by IE Containers must be overcome +	\item In the end you spend 90\% of the time on tooling, before you can spend the remaining 10\% on actual code +	\item Core Iuh protocol code exists now as {\tt osmo-iuh} +	\item Work on OsmoMSS and OsmoSGSN has not even started yet +	\item Volunteers needed. Now! +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks for your attention.  I hope we have time for Q\&A. +\end{frame} + + +\end{document} | 
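Review bot: the file added by this hunk is `2015/osmo_iuh/osmo_iuh.tex.bak`, an editor backup copy of the slide source, so 539 lines of near-duplicate content land in the history; if the real `osmo_iuh.tex` is part of the same import the backup should be dropped, and a `*.bak` rule in `.gitignore` would keep further copies out. The source also references files that are not in this diff (`misc/handoutWithNotes`, `640px-UMTS_structures.png`, `umts_ps_control.pdf`, `iu_cs_stacking.png`, `iu_ps_stacking.png`, `nodeb_hnb.png`, `umts_hnb_control.pdf`, `umts_channel_mapping.png`, `iuh_stacking.png`), so it will not build from the repository alone; if the figures are meant to be preserved they belong in the same import. Minor: the slide text carries a number of spelling slips worth fixing in the non-backup copy ("implemet", "les complex", "havily", "wil", "separetely", "conneciton-less", "encapulate", "M3Ua", "agest old", "equipvalent", "wit some", "Crete", "osmcoom", "evey").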
