From fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Sun, 25 Oct 2015 21:00:20 +0100 Subject: import of old now defunct presentation slides svn repo --- 2015/osmo_iuh/osmo_iuh.tex.bak | 539 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 539 insertions(+) create mode 100644 2015/osmo_iuh/osmo_iuh.tex.bak (limited to '2015/osmo_iuh/osmo_iuh.tex.bak') diff --git a/2015/osmo_iuh/osmo_iuh.tex.bak b/2015/osmo_iuh/osmo_iuh.tex.bak new file mode 100644 index 0000000..74c5820 --- /dev/null +++ b/2015/osmo_iuh/osmo_iuh.tex.bak @@ -0,0 +1,539 @@ + +\newcommand{\degree}{\ensuremath{^\circ}} +%\documentclass[handout]{beamer} +\documentclass{beamer} + +% This file is a solution template for: + +% - Talk at a conference/colloquium. +% - Talk length is about 20min. +% - Style is ornate. + + + +% Copyright 2004 by Till Tantau . +% +% In principle, this file can be redistributed and/or modified under +% the terms of the GNU Public License, version 2. +% +% However, this file is supposed to be a template to be modified +% for your own needs. For this reason, if you use this file as a +% template and not specifically distribute it as part of a another +% package/program, I grant the extra permission to freely copy and +% modify this file as you see fit and even to delete this copyright +% notice. + + +\mode +{ + \usetheme{CambridgeUS} + \usecolortheme{whale} + +%\setbeamercolor{titlelike}{parent=palette primary,fg=black} +\setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg} +% from beamercolorthemeorchid.sty to make it look more like warsaw +\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black} +\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black} +\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black} + +\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg} +\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg} +\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg} + + + + % or ... + + %\setbeamercovered{transparent} + % or whatever (possibly just delete it) +} + +\mode{ + \usepackage{misc/handoutWithNotes} + \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm] + \usecolortheme{seahorse} +} + +% ensure the page number is printed in front of the author name in the footer +%\newcommand*\oldmacro{} +%\let\oldmacro\insertshortauthor% save previous definition +%\renewcommand*\insertshortauthor{% +% \leftskip=.3cm% before the author could be a plus1fill ... +% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro} + +\usepackage[english]{babel} +\usepackage[latin1]{inputenc} +\usepackage{times} +\usepackage[T1]{fontenc} + +\usepackage{subfigure} +\usepackage{hyperref} +\usepackage{textcomp,listings} +%\usepackage{german} +\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8} + + +\title{The Iuh protocol stack and osmo-iuh} + +\subtitle{Implementing HNBAP, RUA and RANAP in Free Software} + +\author{Harald~Welte} + +\institute{Osmocom Project / sysmocom GmbH} + +% - Use the \inst command only if there are several affiliations. +% - Keep it simple, no one is interested in your street address. + +\date[October 2015] % (optional, should be abbreviation of conference name) +%{DeepSec Conference, November 2011, Vienna/Austria} +% - Either use conference name or its abbreviation. +% - Not really informative to the audience, more for people (including +% yourself) who are reading the slides online + +\subject{UMTS} +% This is only inserted into the PDF information catalog. Can be left +% out. + + + +% If you have a file called "university-logo-filename.xxx", where xxx +% is a graphic format that can be processed by latex or pdflatex, +% resp., then you can add a logo as follows: + +% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename} +% \logo{\pgfuseimage{university-logo}} + + + +% Delete this, if you do not want the table of contents to pop up at +% the beginning of each subsection: +%\AtBeginSubsection[] +%{ +% \begin{frame}{Outline} +% \tableofcontents[currentsection,currentsubsection] +% \end{frame} +%} + + +% If you wish to uncover everything in a step-wise fashion, uncomment +% the following command: + +%\beamerdefaultoverlayspecification{<+->} + + +\begin{document} + +\begin{frame} + \titlepage +\end{frame} + + +% Structuring a talk is a difficult task and the following structure +% may not be suitable. Here are some rules that apply for this +% solution: + +% - Exactly two or three sections (other than the summary). +% - At *most* three subsections per section. +% - Talk about 30s to 2min per frame. So there should be between about +% 15 and 30 frames, all told. + +% - A conference audience is likely to know very little of what you +% are going to talk about. So *simplify*! +% - In a 20min talk, getting the main ideas across is hard +% enough. Leave out details, even if it means being less precise than +% you think necessary. +% - If you omit details that are vital to the proof/implementation, +% just say so once. Everybody will be happy with that. + +\begin{frame}{About} +\begin{itemize} + \item Linux Kernel / bootloader / driver / firmware developer since 1999 + \item Former core developer of Linux packet filter netfilter/iptables + \item Comms / Network Security beyond TCP/IP + \begin{itemize} + \item OpenPCD, librfid, libmtrd, OpenBeacon + \item deDECTed.org project + \item Openmoko - FOSS smartphone with focus on security + owner device control + \item OpenBSC as network-side FOSS GSM Stack + \item OsmocomBB - device-side GSM protocol stack + baseband firmware + \end{itemize} + \item practical security research / testing on baseband side and + telecom infrastructure side + \item running a small team at sysmocom GmbH in Berlin, building + custom tailored mobile communications technology +\end{itemize} +\end{frame} + +\section{UMTS Architecture and Iuh} + +\subsection{Classic UMTS} + +\begin{frame}{UMTS Architecture} +\begin{figure}[h] + \centering + \includegraphics[width=105mm]{640px-UMTS_structures.png} +\end{figure} +UMTS Structure by Tsaitgaist - icons from Gnome +\end{frame} + +\begin{frame}{UMTS Protocol stacking} +\begin{itemize} + \item Iu is split in Iu-CS (MSC) and Iu-PS (SGSN) + \item Next slides show protocol stacking of Iu-CS and Iu-PS + \item Notice all the ATM legacy that's way obsolete by now + \item IP based transport does away with a lot of it + \item however, M3UA and SCCP remain even on IP based Iu +\end{itemize} +\end{frame} + +\begin{frame}{UMTS protocol stacking} +\begin{figure}[h] + \centering + \includegraphics[width=115mm]{umts_ps_control.pdf} +\end{figure} +\end{frame} + +\begin{frame}{Iu-CS protocol stacking} +\begin{figure}[h] + \centering + \includegraphics[width=70mm]{iu_cs_stacking.png} +\end{figure} +from 3GPP TS 25.410 +\end{frame} + +\begin{frame}{Iu-PS protocol stacking} +\begin{figure}[h] + \centering + \includegraphics[width=75mm]{iu_ps_stacking.png} +\end{figure} +from 3GPP TS 25.410 +\end{frame} + +\subsection{UMTS for HomeNodeB} + +\begin{frame}{UMTS Architecture for hNodeB} +\begin{figure}[h] + \centering + \includegraphics[width=105mm]{nodeb_hnb.png} +\end{figure} +nodeB and Home nodeB by Tsaitgaist - icons from Gnome +\end{frame} + +\begin{frame}{UMTS protocol stacking with HomeNodeB} +\begin{figure}[h] + \centering + \includegraphics[width=115mm]{umts_hnb_control.pdf} +\end{figure} +\end{frame} + +\begin{frame}{Differences NodeB to hNodeB} +\begin{itemize} + \item hNodeB is basically a NodeB with a RNC built-in + \item all lower-level protocols are implemented in the RNC + \item only RANAP is exposed + \item Iuh interface is similar to Iu-CS/Iu-PS + \item Iu interface is at much lower level. + \item Compared with GSM: Iu = Abis, Iuh = A +\end{itemize} +\end{frame} + +\begin{frame}{Why work with hNodeB instead of NodeB} +\begin{itemize} + \item UMTS is not a single telephony system but a set of + re-configurable building blocks to create any type of + telephony system. + \item complexity at every level, particularly the lower levels + \item using hNodeB interface / stack (Iuh), we can avoid having + to worry about RLC/MAC, RRC, HNBAP, etc. + \item many femtocells implement Iuh + \item quite some small cells also implemet Iuh +\end{itemize} +\end{frame} + +\begin{frame}{UMTS channel mapping} +speaking of UMTS access stratum complexity... +\begin{figure}[h] + \centering + \includegraphics[width=105mm]{umts_channel_mapping.png} +\end{figure} +from 3GPP TS 25.301 +\end{frame} + +\section{Iuh interface protocols} + +\begin{frame}{A closer look at Iuh} +\begin{itemize} + \item Iuh is {\em basically} just RANAP encapsulated in + something les complex over SCTP/IP + \item In addition to RANAP, there is + \begin{itemize} + \item RUA (RANAP User Adaption) to replace SCCP + \item HNBAP to register hNodeB and UE + \end{itemize} + \item RANAP for both CS and PS is sent together, but on RUA + level there is a {\em Domain Indicator} that helps + separating both. +\end{itemize} +\end{frame} + +\begin{frame}{UMTS protocol stacking for Iuh} +\begin{figure}[h] + \centering + \includegraphics[width=65mm]{iuh_stacking.png} +\end{figure} +from 3GPP TS 25.467 +\end{frame} + +\subsection{RANAP User Adaption} + +\begin{frame}{RUA Protocol (3GPP TS 25.468)} +\begin{itemize} + \item Very simple connection-oriented layer + \begin{itemize} + \item {\tt CONNECT} + \item {\tt DIRECT TRANSFER} + \item {\tt DISCONNECT} + \item {\tt CONNECTIONLESS TRANSFER} + \item {\tt ERROR INDICATION} + \end{itemize} + \item 24-bit Context ID differentiates multiple parallel RUA + connections +\end{itemize} +\end{frame} + +\subsection{HomeNodeB Application Part} + +\begin{frame}{HNBAP Protocol (3GPP TS 25.469)} +\begin{itemize} + \item HNBAP protocol has only very few messages/transactions + \begin{itemize} + \item {\tt HNB REGISTER (REQUEST, ACCEPT, REJECT)} + \item {\tt HNB DE-REGISTER} + \item {\tt UE REGISTER (REQUEST, ACCEPT, REJECT)} + \item {\tt UE DE-REGISTER} + \item {\tt TNL UPDATE (REQUEST, RESPONSE, FAILURE)} + \item {\tt HNB CONFIG TRANSFER (REQUEST, RESPONSE)} + \item {\tt ERROR INDICATION} + \item {\tt CSG MEMBERSHIP UPDATE} + \item {\tt RELOCATION COMPLETE} + \end{itemize} + \item most important is HNB and UE registration +\end{itemize} +\end{frame} + +\subsection{RANAP} + +\begin{frame}{RANAP Protocol (3GPP TS 25.413)} +\begin{itemize} + \item Lots of transactions, some key transactions here: + \begin{itemize} + \item {\tt RESET / RESET ACKNOWLEDGE} + \item {\tt INITIAL UE MESSAGE} + \item {\tt DIRECT TRANSFER} + \item {\tt IU RELEASE (COMMAND, COMPLETE)} + \item {\tt SECURITY MODE (COMMAND, COMPLETE, REJECT)} + \item {\tt PAGING} + \item {\tt RAB ASSIGNMENT (REQUEST, RESPONSE)} + \end{itemize} +\end{itemize} +\end{frame} + +\section{Osmocom and Iu(h)} + +\begin{frame}{SCCP in Free Software} +\begin{itemize} + \item comes in connection-less and connection-oriented flavor + \item is used a lot in SS7 core network protocols + \item connection-oriented SCCP is only used on classic GSM A + interface (over E1) and in UMTS Iu interface + \item no finished free software implementation of + connection-oriented SCCP exists + \begin{itemize} + \item libosmo-sccp, Yate, Mobicents only implement conneciton-less + \item osmo\_sccp Erlang code has partial but never + completed/tested code for connection-oriented mode + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{How to support UMTS from OsmoNITB, OsmoSGSN} +\begin{itemize} + \item Separation of MSC-part from NITB, generating Osmo-MSS + \begin{itemize} + \item OsmoBSC already implements BSC-side A interface, + we need to add MSC-side A interface + \end{itemize} + \item UMTS AKA support as library, link into OsmoMSS and OsmoSGSN + \item RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN + \item NITB: support {\tt subscriber\_connection} over A (BSSMAP/BSSAP) and over RANAP + \item SGSN: support {\tt mm\_context} over Gb (LLC/BSSGP/NS) or over RANAP +\end{itemize} +\end{frame} + +\begin{frame}{How to encapulate RANAP towards the RAN} +\begin{itemize} + \item we could either + \begin{itemize} + \item Try to convert from Iuh to A interface, make + (h)NodeB look like GSM BTS+BSC. + \item Implement classic Iu-CS and Iu-PS over SCCP/M3Ua + and have a classic HNB-GW to convert to Iuh + \item Implement Iuh directly, avoiding SCCP and M3UA + \end{itemize} + \item Iu-CS/PS requires connection-oriented SCCP + \item when implementing Iuh directly, we still need to somehow + split CS and PS plane + \item Idea: Simple proxy that speaks Iuh to hNodeB, MSS and SGSN + \item Iu-CS/PS over SCCP/M3UA could be added later, if required +\end{itemize} +\end{frame} + +\subsection{Protocol Encoding} + +\begin{frame}{RANAP, RUA and HNBAP Encoding} +\begin{itemize} + \item Use ASN.1 syntax for defining protocol messages + \item Use APER (Aligned Packed Encoding Rules) + \begin{itemize} + \item unlike BER: No Tag/Length values + \item unlike UPER: all fields start at octet boundary + \end{itemize} + \item ASN.1 syntax uses Information Object Classes havily + \item ASN.1 is not abstract enough for them, so they use ASN.1 to + define containers, i.e. they build something like a TLV structure inside ASN.1 + \begin{itemize} + \item Every IE is its own ASN.1 SEQUENCE, and it gets wrapped into an IE container indicating an IEI and the encoded sequence + \item The Main message then simply has an array (SEQUENCE OF) of IE containers + \end{itemize} + \item Regular ASN.1 code generator will not generate very useful code + for this, i.e. it wil not be able to parse the entire message + in one go, but it requires manual iteration code that calls the + generated decoder separetely for every IE Container +\end{itemize} +\end{frame} + +\subsection{RANAP, RUA, HNBAP and asn1c} + +\begin{frame}{RANAP, RUA, HNBAP and asn1c} +\begin{itemize} + \item Lev Walkins asn1c is a Free Software ASN.1 compiler / code generator + \item it is good for basic usage, but lacks many if not most of the features required in telecom + \begin{itemize} + \item No support for information object classes + \item No support for aligned PER support + \item No support for type prefixing, i.e. evey type uses the same global C namespace and you have problems if RANAP, RUA and/or HNBAP all have types of the same name + \end{itemize} + \item No other free software alternatives exist + \item Somebody with firm knowledge on compiler theory needs to help out, I'm at a loss here. +\end{itemize} +\end{frame} + +\begin{frame}{Alternatives to asn1c} +\begin{itemize} + \item Write all related code in Erlang + \begin{itemize} + \item I tried that in the past, but nobody ever contributed to any of the osmcoom Erlang projects :( + \item At Osmocom we're mostly low-level C guys with an inherent dislike of abstract/complex languages, VMs and the like + \end{itemize} + \item Use proprietary asn1 compiler + \begin{itemize} + \item In theory not a problem, as the compiler has no copyright on the generated C code, we can use it from FOSS + \item Problem: Mandatory runtime code is proprietary + \item We certainly don't want proprietary blobs in Free Software, ever + \item FOSS code would have to be MIT/BSD/LGPL, incompatible with osmo-* GPL/AGPL. + \end{itemize} + \item So it seems we have to stick with asn1c, after all +\end{itemize} +\end{frame} + +\begin{frame}{How to make asn1c work for Iuh} +\begin{itemize} + \item Eurecom has a patch for adding APER support to asn1c + \begin{itemize} + \item it's against an agest old version of asn1c + \item I forward-ported that to current asn1c master + \item Probably needs some clean-up before it can be merged + \end{itemize} + \item Information Object Classes are hard + \begin{itemize} + \item compile only the IE and PDU definitions of the ASN.1 + \item skip all parts related to Information Object Classes + \end{itemize} + \item Type prefixing + \begin{itemize} + \item Could be done in the ASN.1 source files, but that's ugly + \item I hacked asn1c for a day until I finally had found all the locations where prefixing must be used (or not) + \item Code is at {\tt git://git.osmocom.org/asn1c.git} + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{But what about the IE Containers?} +\begin{itemize} + \item Eurecom has an {\tt asn1tostruct.py} script + \begin{itemize} + \item Another layer on top of asn1c to handle the IE containers and un-do the damage caused by the additional layer of abstraction of RANAP and related protocols + \item Developed to cope with S1-AP (RANAP equipvalent for LTE) + \item Can be used for Iuh wit some modifications + \item Also had to be taught type prefixing + \end{itemize} +\end{itemize} +\end{frame} + +\subsection{osmo-iuh, after all} + +\begin{frame}{Putting it all together} +Brief history of what I did so far: +\begin{itemize} + \item copy+paste Asn.1 syntax from 3GPP .doc files + \item use hacked asn1c to generate C code + \item don't use copied runtime code but shared osmocom libasn1c + \item use modified asn1tostruct.py for the obfuscation layer + \item write some code to dispatch messages + \item implement minimally required transactions like {\tt HNB REGISTER}, {\tt UE REGISTER} + \item see the {\tt INITIAL UE MESSAGE} with the {\tt LOCATION UPDATE} +\end{itemize} +\end{frame} + +\begin{frame}{Where do we go from here?} +\begin{itemize} + \item Implement UMTS AKA in libosmogsm, test over GSM and GPRS + \item Crete small HNB-GW with RANAP-over-RUA on both sides, splitting CS and PS + \item Split OsmoMSS from OsmoNITB, add RANAP interface + \item Add RANAP-over-RUA to OsmoSGSN + \item More Volunteers needed! +\end{itemize} +\end{frame} + +\begin{frame}{What kind of hardware can we use?} +\begin{itemize} + \item The (undisclosed) small cell hardware I currently use is very expensive (several thousand EUR) and thus not suitable to most hackers + \item Many consumer-grade femtocells in the market, most modern ones should use Iuh + \begin{itemize} + \item they are typically quite locked down and provide no local console / JTAG + \item they establish an IPsec tunnel to the SEGW (Security Gateway) and then only talk Iuh inside the tunnel + \item Several groups of people have looked at them in the past (including Kevin, Nico and myself) + \item maybe we can find a model that's easily convinced to talk to a different HNB-GW? + \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{Summary} +\begin{itemize} + \item Iuh is actually not difficult conceptually + \item Lack of good FOSS asn1 tools is biggest factor + \item Obfuscation by IE Containers must be overcome + \item In the end you spend 90\% of the time on tooling, before you can spend the remaining 10\% on actual code + \item Core Iuh protocol code exists now as {\tt osmo-iuh} + \item Work on OsmoMSS and OsmoSGSN has not even started yet + \item Volunteers needed. Now! +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks for your attention. I hope we have time for Q\&A. +\end{frame} + + +\end{document} -- cgit v1.2.3