From 075e2b0c7c62474dddd8f6b537821d7afed31bfb Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Tue, 15 Mar 2016 16:34:38 +0100 Subject: add slides from telcosecday --- 2016/telcosecday/640px-UMTS_structures.png | Bin 0 -> 116704 bytes 2016/telcosecday/Gsm_structures.svg | 15874 +++++++++++++++++++++++++++ 2016/telcosecday/abstract.txt | 28 + 2016/telcosecday/bio.txt | 36 + 2016/telcosecday/foss-gsm.adoc | 528 + 2016/telcosecday/foss-gsm.html | 4996 +++++++++ 2016/telcosecday/foss-gsm__1.png | Bin 0 -> 45887 bytes 2016/telcosecday/foss-gsm__2.png | Bin 0 -> 49125 bytes 2016/telcosecday/foss-gsm__3.png | Bin 0 -> 10068 bytes 2016/telcosecday/foss-gsm__4.png | Bin 0 -> 54383 bytes 2016/telcosecday/foss-gsm__5.png | Bin 0 -> 27691 bytes 2016/telcosecday/foss-gsm__6.png | Bin 0 -> 75613 bytes 2016/telcosecday/foss-gsm__7.png | Bin 0 -> 35787 bytes 2016/telcosecday/gprs_user_stack.svg | 1357 +++ 2016/telcosecday/nodeb_hnb.png | Bin 0 -> 216922 bytes 2016/telcosecday/osmo-bts.svg | 342 + 2016/telcosecday/osmocom-gprs.svg | 1191 ++ 2016/telcosecday/osmocom-gsm.svg | 1980 ++++ 2016/telcosecday/umts_channel_mapping.png | Bin 0 -> 152875 bytes 2016/telcosecday/umts_hnb_control.pdf | Bin 0 -> 61656 bytes 20 files changed, 26332 insertions(+) create mode 100644 2016/telcosecday/640px-UMTS_structures.png create mode 100644 2016/telcosecday/Gsm_structures.svg create mode 100644 2016/telcosecday/abstract.txt create mode 100644 2016/telcosecday/bio.txt create mode 100644 2016/telcosecday/foss-gsm.adoc create mode 100644 2016/telcosecday/foss-gsm.html create mode 100644 2016/telcosecday/foss-gsm__1.png create mode 100644 2016/telcosecday/foss-gsm__2.png create mode 100644 2016/telcosecday/foss-gsm__3.png create mode 100644 2016/telcosecday/foss-gsm__4.png create mode 100644 2016/telcosecday/foss-gsm__5.png create mode 100644 2016/telcosecday/foss-gsm__6.png create mode 100644 2016/telcosecday/foss-gsm__7.png create mode 100644 2016/telcosecday/gprs_user_stack.svg create mode 100644 2016/telcosecday/nodeb_hnb.png create mode 100644 2016/telcosecday/osmo-bts.svg create mode 100644 2016/telcosecday/osmocom-gprs.svg create mode 100644 2016/telcosecday/osmocom-gsm.svg create mode 100644 2016/telcosecday/umts_channel_mapping.png create mode 100644 2016/telcosecday/umts_hnb_control.pdf diff --git a/2016/telcosecday/640px-UMTS_structures.png b/2016/telcosecday/640px-UMTS_structures.png new file mode 100644 index 0000000..61f8ff2 Binary files /dev/null and b/2016/telcosecday/640px-UMTS_structures.png differ diff --git a/2016/telcosecday/Gsm_structures.svg b/2016/telcosecday/Gsm_structures.svg new file mode 100644 index 0000000..cd68155 --- /dev/null +++ b/2016/telcosecday/Gsm_structures.svg @@ -0,0 +1,15874 @@ + + + + + GSM structure + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + GSM structure + 2012-08-14 + + + Kevin Redon + + + structure of a GSM network, based on 3GPP TS 23.002 version 9.2.0 Release 9 + + + + icons from gnome + + + https://secure.wikimedia.org/wikipedia/commons/wiki/File:Gsm_structures.svg, https://commons.wikimedia.org/w/index.php?title=File:UMTS_structures.svg + + + + + + + + Structure of a GSM network + CN: Core Network + + MS: Mobile Station + + UE: UserEquipment + + ME: MobileEquipment + + ICC + + GERAN: GSM EDGE RadioAccess Network BSS: Base Station System + + GPRS PS:Packet Switched + + PS & CS + CS: CircuitSwitched + AN: Access Network + + + MSC: MobileSwitching Centre + HSS + + + + + + + Um + + SIM-ME + + Abis + + Gb + PSTN + A + + + + + Nb + Mc + + Nc + E + + B + C + + H + + D + G + + F + + Gf,Sv + + Gd + + Gn + + + Gc + Gp + Gi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PSTN + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Internet + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + # + 0 + * + + + + + + + + + + + + BTS: BaseTransceiverStation + BSC:Base StationController + CS-MGW + SGSN + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MT/TE + + + + + + + + + + + + SIM + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + GGSN + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + VLR + EIR + MSC server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + # + 0 + * + + + + + + + + + + + + + + + + HLR + AuC + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SMS-GMSC + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + # + 0 + * + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + # + 0 + * + + + + GMSC + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/2016/telcosecday/abstract.txt b/2016/telcosecday/abstract.txt new file mode 100644 index 0000000..2c31014 --- /dev/null +++ b/2016/telcosecday/abstract.txt @@ -0,0 +1,28 @@ +Open Source Network Elements for Security Analysis of Mobile Networks + +For almost 20 years, digital cellular networks have been without Free / +Open Source software implementations of any of their protocols or +netwokr elements. + +In 2008, the two independent and architecturally completely different +projects OpenBTS and OpenBSC have changed that for 2G networks. In +2010, they were followed by OsmocomBB, an Open Source implementation of +the GSM Mobile Station protocol stack. + +It is not a coincidence that the above proejcts were a (if not the) key +enabler behind a lot of the cellular technology security research that +followed in the years after. + +Despite being of such prominent importance for researching (and +ultimately improving) cellular security, the mobile industry has not +learned from 2G and not taken up the cause to funded or support the +development of Open Source reference implementations of later (3G / 4G) +protocols and network elements. + +Despite the lack of support, the Osmocom project has started an +implementatation of the 3G core netwokr elements and is actively working +towards IuCS, IuPS and Iuh support in OsmoNITB and OsmoSGSN. The first +working alpha-versions of this are expected to be available at the end +of Q1/2016. Let's hope they can have an equal impact in spawning +cellular security research than the releases of OpenBSC and OsmocomBB in +the past. diff --git a/2016/telcosecday/bio.txt b/2016/telcosecday/bio.txt new file mode 100644 index 0000000..56898a1 --- /dev/null +++ b/2016/telcosecday/bio.txt @@ -0,0 +1,36 @@ +Harald Welte is a data communications freelancer, enthusiast and hacker +who is working with Free Software (and particularly GNU/Linux) +since 1995 His major code contribution to the Linux kernel was as a +core developer of the netfilter/iptables packet filter. + +He has co-started a number of other Free Software and Free Hardware +projects, mainly related to RFID such as librfid, OpenMRTD, OpenBeacon, +OpenPCD, OpenPICC. During 2006 and 2007 Harald became the co-founder of +OpenMoko, where he served as Lead System Architect for the worlds first +100% Open Free Software based mobile phone. + +Aside from his technical contributions, Harald has been pioneering the legal +enforcement of the GNU GPL license as part of his gpl-violations.org project. +More than 150 inappropriate use of GPL licensed code by commercial companies +have been resolved as part of this effort, both in court and out of court. He +has received the 2007 "FSF Award for the Advancement of Free Software" and the +"2008 Google/O'Reilly Open Source award: Defender of Rights". + +In 2008, Harald started to work on Free Software on the GSM protocol side, both +for passive sniffing and protocol analysis, as well as an actual network-side +GSM stack implementation called OpenBSC. In 2010, he expanded those +efforts by creating OsmocomBB, a GSM telephony-side baseband processor +firmware and protocol stack. Other projects include +OsmocomTETRA, a receive-only implementation of the ETSI TETRA radio +interface. + +Together with fellow developer Dieter Spaar, Harald has been giving many +incarnations of deeply technical trainings about mobile communications +protocols from the air inteface to the core network, with a special +emphasis on security. + +Harald is co-founder of sysmocom GmbH, Berlin/Germany based company +working on innovative Free Software based products and solutions for +conventional and unconventional operators of mobile networks. Said +projects are also used by various entities in research of mobile +security. diff --git a/2016/telcosecday/foss-gsm.adoc b/2016/telcosecday/foss-gsm.adoc new file mode 100644 index 0000000..4aaf2c4 --- /dev/null +++ b/2016/telcosecday/foss-gsm.adoc @@ -0,0 +1,528 @@ +Open Source Network Elements for Security Analysis of Mobile Networks +===================================================================== +:author: Harald Welte +:copyright: sysmocom - s.f.m.c. GmbH (License: CC-BY-SA) +:backend: slidy +:max-width: 45em +//:data-uri: +//:icons: + + +== What this talk is about + +[role="incremental"] +* Importance of 3GPP network elements as FOSS for security research +* Applied Protocol Archeology since 2008 +* Current Status and working areas +* Doing all of that on top of Linux (in userspace) + + +== Running your own Internet-style network + +[role="incremental"] +* use off-the-shelf hardware (x86, Ethernet card) +* use any random Linux distribution +* configure Linux kernel TCP/IP network stack +** enjoy fancy features like netfilter/iproute2/tc +* use apache/lighttpd/nginx on the server +* use Firefox/chromium/konqueor/lynx on the client +* do whatever analysis/research/testing on any part of the stack + +== Doing security research on it + +[role="incremental"] +* FOSS implementations are key to any type of research +* ability to study not only the interfaces but actual code +* ability to test against other (proprietary) implementations +* ability to modify the code in any way needed to behave 'different + from spec', or in ways not originally intended in the spec + + +== Running your own GSM network + +Until 2009 the situation looked like this: + +* go to Ericsson/Huawei/ZTE/Nokia/Alcatel/... +* spend lots of time convincing them that you're an eligible customer +* spend a six-digit figure for even the most basic full network +* end up with black boxes you can neither study nor improve + +[role="incremental"] +- WTF? +- I've grown up with FOSS and the Internet. I know a better world. + + +== Why no cellular FOSS? + +- both cellular (2G/3G/4G) and TCP/IP/HTTP protocol specs are publicly + available for decades. Can you believe it? +- Internet protocol stacks have lots of FOSS implementations +- cellular protocol stacks have no FOSS implementations for the + first almost 20 years of their existence? +[role="incremental"] +- it's the classic conflict + * classic circuit-switched telco vs. the BBS community + * ITU-T/OSI/ISO vs. Arpanet and TCP/IP + + +== Enter Osmocom + +In 2008, some people started to write FOSS for GSM + +- to boldly go where no FOSS hacker has gone before +[role="incremental"] +** where protocol stacks are deep +** and acronyms are plentiful +** we went from `bs11-abis` to `bsc_hack` to 'OpenBSC' +** many other related projects were created +** finally leading to the 'Osmocom' umbrella project + + +== Classic GSM network architecture + +image::Gsm_structures.svg[width=850] + + +== Osmocom GSM components + +image::osmocom-gsm.svg[width=850] + + +== Classic GSM network as digraph + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="MS"] + MS1 [label="MS"] + MS2 [label="MS"] + MS3 [label="MS"] + BTS0 [label="BTS"] + BTS1 [label="BTS"] + MSC [label="MSC/VLR"] + HLR [label="HLR/AUC"] + MS0->BTS0 [label="Um"] + MS1->BTS0 [label="Um"] + MS2->BTS1 [label="Um"] + MS3->BTS1 [label="Um"] + BTS0->BSC [label="Abis"] + BTS1->BSC [label="Abis"] + BSC->MSC [label="A"] + MSC->HLR [label="C"] + MSC->EIR [label="F"] + MSC->SMSC +} +---- + +== Simplified OsmoNITB GSM network + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="MS"] + MS1 [label="MS"] + MS2 [label="MS"] + MS3 [label="MS"] + BTS0 [label="BTS"] + BTS1 [label="BTS"] + MS0->BTS0 [label="Um"] + MS1->BTS0 [label="Um"] + MS2->BTS1 [label="Um"] + MS3->BTS1 [label="Um"] + BTS0->BSC [label="Abis"] + BTS1->BSC [label="Abis"] + subgraph cluster_nitb { + label = "OsmoNITB"; + BSC + MSC [label="MSC/VLR"] + HLR [label="HLR/AUC"] + BSC->MSC [label="A"] + MSC->HLR [label="C"] + MSC->EIR [label="F"] + MSC->SMSC; + } +} +---- + +which further reduces to the following minimal setup: + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="MS"] + BTS0 [label="BTS"] + MS0->BTS0 [label="Um"] + BTS0->BSC [label="Abis"] + BSC [label="OsmoNITB"]; +} +---- + +So our minimal setup is a 'Phone', a 'BTS' and 'OsmoNITB'. + + +== Which BTS to use? + +* Proprietary BTS of classic vendor +** Siemens BS-11 is what we started with +** Nokia, Ericsson, and others available 2nd hand +* 'OsmoBTS' software implementation, running with +** Proprietary HW + PHY (DSP): 'sysmoBTS', or +** General purpose SDR (like USRP) + 'OsmoTRX' + +We assume a sysmoBTS in the following slides + + +== OsmoBTS Overview + +image::osmo-bts.svg[] + +* Implementation of GSM BTS +* supports variety of hardware/PHY options +** `osmo-bts-sysmo`: BTS family by sysmocom +** `osmo-bts-trx`: Used with 'OsmoTRX' + general-purpose SDR +** `osmo-bts-octphy`: Octasic OCTBTS hardware / OCTSDR-2G PHY +** `osmo-bts-litecell15`: Nutaq Litecell 1.5 hardware/PHY + + +== Extending the network with GPRS + +Now that GSM is working, up to the next challenge! + +* Classic GSM is circuit-switched only +* Packet switched support introduced first with GPRS +* GPRS adds new network elements (PCU, SGSN, GGSN) +* tunnel for external packet networks like IP/Internet +* tunnel terminates in MS and on GGSN + + +== Extending the network with GPRS support + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="MS"] + MS1 [label="MS"] + MS2 [label="MS"] + MS3 [label="MS"] + BTS0 [label="BTS"] + BTS1 [label="BTS"] + MSC [label="MSC/VLR"] + HLR [label="HLR/AUC"] + MS0->BTS0 [label="Um"] + MS1->BTS0 [label="Um"] + MS2->BTS1 [label="Um"] + MS3->BTS1 [label="Um"] + BTS0->BSC [label="Abis"] + BTS1->BSC [label="Abis"] + BSC->MSC [label="A"] + MSC->HLR [label="C"] + MSC->EIR [label="F"] + MSC->SMSC + + BTS0->PCU + subgraph cluster_gprs { + label = "GPRS Add-On" + PCU->SGSN [label="Gb"] + SGSN->GGSN [label="GTP"] + } +} +---- + +* 'PCU': Packet Control Unit. Runs RLC+MAC +* 'SGSN': Serving GPRS Support Node (like VLR/MSC) +* 'GGSN': Gateway GPRS Support Node (terminates tunnels) + + +== GPRS Protocol Stack + +image::gprs_user_stack.svg[width=850] + +== Simplified OsmoNITB network with GPRS + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="MS"] + BTS0 [label="OsmoBTS"] + BSC [label="OsmoNITB"] + PCU [label="OsmoPCU"] + SGSN [label="OsmoSGSN"] + GGSN [label="OpenGGSN"] + MS0->BTS0 [label="Um"] + BTS0->BSC [label="Abis"] + BTS0->PCU + subgraph cluster_gprs { + label = "GPRS Add-On" + PCU->SGSN [label="Gb"] + SGSN->GGSN [label="GTP"] + } +} +---- + +* 'OsmoPCU' is co-located with 'OsmoBTS' +** connects over unix-domain PCU socket to BTS +* 'OsmoSGSN' can run on any Linux machine +* 'OpenGGSN' can run on any Linux machine +** `tun` device is used for tunnel endpoints +* circuit-switched and packet-switched networks are completely separate + +We need to configure those additional components to provide GPRS +services. + +== Simplified OsmoNITB network with GPRS + +image::osmocom-gprs.svg[width=750] + +//* show IP addresses at nodes +//* show GSM functional elements, Osmocom programs and hardware + + +== Protocol tracing of cellular interfaces + +* many cellular protocols/interfaces are not specified over IP or Ethernet +** e.g. the radio interface (Um) is clearly +* Osmocom 'GSMTAP' to the rescue +** encapsulate non-IP protocols inside GSMTAP (inside UDP/IP) +** forward them over net-device ('lo' as fall-back) +** 'wireshark' can then capture them using regular packet socket +** 'wireshark' was extended with related dissectors +** any and every GSM network interface can be analyzed now +** was extended for TETRA, GMR, UMTS, LTE, ... + + +== Osmocom beyond GSM/GPRS RAN + NITB + +* Telephone-side GSM protocol stack 'OsmocomBB' +** circuit-switched GSM only. No GPRS/EDGE/3G/4G! +* Smalltalk implementation of SIGTRAN + TCAP/MAP +* Erlang implementation of SIGTRAN + TCAP/MAP +* Lots of special-purpose protocol mangling +** `bsc-nat` to introduce NAT-like functionality on A (BSSAP/BSSMAP) +** `mgw-nat` to transparently re-write MAP/ISUP/SCCP +* GSMTAP pseudo-header for feeding non-IP protocols into wireshark +* SIM card protocol tracer hardware + software ('SIMtrace') +* Lots of non-GSM projects from hardware to protocol stacks (TETRA, GMR, DECT, OP25) +* check http://git.osmocom.org/ for full project list + + +== So... I heard about OpenBTS? + +* OpenBTS is completely unrelated to the Osmocom stack +* was independently developed by David Burgess & Harvind Simra +** Kestrel Signal Processing -> Range Networks +* doesn't follow GSM system architecture at all +** no Abis, BSC, PCU, SGSN, GGSN +* is a bridge of the GSM air interface (Um) to SIP +* Osmocom follows classic GSM interfaces / system architecture +** if you research GSM beyond the radio interface, Osmocom offers an +implementation closer to real operator networks +* 'OsmoTRX' forked 'OpenBTS' SDR code to use 'OsmoBTS' with SDR hardware + + +== What about FOSS 2.75G (EDGE) + +* EDGE extends GPRS with higher data rates +** 8PSK instead of GMSK modulation +** lots of new MAC/RLC features (larger windows, incremental redundancy) +** No changes required in 'OmsoSGSN' and 'OsmoGGSN' +* 'OsmoPCU' is extended with initial EDGE support +* First working beta release was made in late January 2016 +** continues to make rapid progress ever since + + +== What about FOSS 3G (UMTS/WCDMA) + +* UMTS very similar to GSM/GPRS in principle +** still, almost every interface and protocol stack has changed +** all elements have been renamed -> more acronyms to learn +* UMTS is ridiculously complex, particular PHY + Layer 2 +** however, control plane L3 (MM/CC/CM/SM/GMM) mostly the same +* Implementing all of that from scratch is a long journey +* We've already reached 'Peak 3G' +* Osmocom 3G support strategy +** Implement Iu interface in NITB and SGSN +** Implement HNB-GW to offer Iuh interface +** Use existing femtocell / small cell hardware with proprietary PHY, RLC and MAC +** Status: Started in October 2015, WIP. Overall completion > 50%. + +== Classic UMTS Architecture + +image::640px-UMTS_structures.png[width=800] + +(UMTS Structure by Tsaitgaist - icons from Gnome) + +== Classic UMTS Architecture + +image::nodeb_hnb.png[width=800] + +(nodeB and Home nodeB by Tsaitgaist - icons from Gnome) + +== Differences NodeB to hNodeB + +* hNodeB is basically a NodeB with a RNC built-in +* all lower-level protocols are implemented in the RNC +* only RANAP is exposed +* Iuh interface is similar to Iu-CS/Iu-PS +* Iu interface is at much lower level. +* Compared with GSM: Iu = Abis, Iuh = A + +== Wy work with hNodeB instead of NodeB? + +* UMTS is not a single telephony system but a set of re-configurable + building blocks to create any type of telephony system. +* complexity at every level, particularly the lower levels +* using hNodeB interface / stack (Iuh), we can avoid having to worry + about RLC/MAC, RRC, HNBAP, etc. +* many femtocells implement Iuh +* quite some small cells also implement Iuh + +== Iuh: Avoiding complexity of the RNC + +speaking of UMTS access stratum complexity... + +image::umts_channel_mapping.png[width=900] + +wouldn't you want to avoid that, too? + + +== How to support UMTS from OsmoNITB, OsmoSGSN + +* Separation of MSC-part from NITB, generating Osmo-MSS +** OsmoBSC already implements BSC-side A interface, we need to add + MSC-side A interface +* UMTS AKA support as library, link into OsmoMSS and OsmoSGSN +* RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN +* NITB: support 'subscriber_connection' over A (BSSMAP/BSSAP) and over RANAP +* SGSN: support 'mm_context' over Gb (LLC/BSSGP/NS) or over RANAP + +== Osmocom 3G Network Architecture + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="UE"] + MS1 [label="UE"] + MS2 [label="UE"] + MS3 [label="UE"] + HNBGW [label="HNB-GW"] + MS0->BTS0 [label="Uu"] + MS1->BTS0 [label="Uu"] + MS2->BTS1 [label="Uu"] + MS3->BTS1 [label="Uu"] + subgraph cluster_hnb0 { + label = "hNodeB" + BTS0 [label="NodeB"] + RNC0 [label="RNC"] + BTS0->RNC0 + } + subgraph cluster_hnb1 { + label = "hNodeB" + BTS1 [label="NodeB"] + RNC1 [label="RNC"] + BTS1->RNC1 + } + subgraph cluster_cscn { + label = "OsmoCSCN (ex-NITB)" + MSC [label="MSC/VLR"] + HLR [label="HLR/AUC"] + MSC->HLR [label="C"] + MSC->EIR [label="F"] + MSC->SMSC + } + RNC0->HNBGW [label="Iuh"] + RNC1->HNBGW [label="Iuh"] + HNBGW->MSC [label="IuCS"] + HNBGW->SGSN [label="IuPS"] + SGSN->GGSN [label="GTP"] +} +---- + +further simplified: + +[graphviz] +---- +digraph G { + rankdir=LR; + MS0 [label="UE"] + MS1 [label="UE"] + HNBGW [label="HNB-GW"] + MS0->BTS0 [label="Uu"] + MS1->BTS1 [label="Uu"] + BTS0 [label="hNodeB"] + BTS1 [label="hNodeB"] + BTS0->HNBGW [label="Iuh"] + BTS1->HNBGW [label="Iuh"] + HNBGW->OsmoCSCN [label="IuCS"] + HNBGW->OsmoSGSN [label="IuPS"] + OsmoSGSN->OpenGGSN [label="GTP"] +} +---- + +== Osmocom 3G Network Status + +Existing as of March 2016: + +* 'HNBAP', 'RUA', 'RANAP' protocol implementations +* 'osmo-hnbgw' converting Iuh to Iu-CS and Iu-PS +* 'OsmoSGSN' with IuPS interface +* 'OsmoCSCN' with IuCS interface + +TODO: + +* HLR/AUC extension for UMTS AKA +* testing, testing, testing +* actual voice handling (so far, signalling + packet data only) + + +== Outlook on FOSS 4G (LTE) + +* LTE has nothing in common with 2G/3G +* various FOSS activities +** 'OpenAirInterface' has some code for a software eNodeB +*** but they switched from GPLv3 to 'non-free' license :( +** 'srsLTE' (main focus on UE side, but large parts usable for eNodeB side) +** 'OpenLTE' is another active FOSS project +* No Osmocom involvement so far +** team is small, project scope of cellular infrastructure is gigantic +** most customer funding currently still on GSM/GPRS/EDGE +** if we'd start today, we'd start implementing MME + S-GW and use +existing LTE cells, similar to the 3G strategy + + +== Summary + +[role="incremental"] +* FOSS implementations of protocol stacks and functional elements are + 'vital for security research' +* Traditional Telcos + Equipment vendors do not contribute to this :( +* Existing implementations done by enthusiasts only, on extremely + tight budgets and resources +* Existing implementations are decades behind +* Result: Security research is often decades behind +* 'If we want to advance Cellular security research, we need to + advance FOSS implementations!' + + +== The End + +* so long, and thanks for all the fish +* I hope you have questions! + +* have fun exploring mobile technologies using Osmocom +* interested in working with more acronyms? Come join the project! + +* Check out http://openbsc.osmocom.org/ and openbsc@lists.osmocom.org + + +== Thanks to + +* the entire Osmocom team for what they have achieved +** notably Dieter Spaar, Holger Freyther, Andreas Eversberg, Sylvain Munaut +* last but not least: CEPT for making the GSM specs English +** (the official language of CEPT is french!) diff --git a/2016/telcosecday/foss-gsm.html b/2016/telcosecday/foss-gsm.html new file mode 100644 index 0000000..f400a8a --- /dev/null +++ b/2016/telcosecday/foss-gsm.html @@ -0,0 +1,4996 @@ + + + + +Open Source Network Elements for Security Analysis of Mobile Networks + + + + + + + + +
+

What this talk is about

+
+
    +
  • + +Importance of 3GPP network elements as FOSS for security research + +
  • +
  • + +Applied Protocol Archeology since 2008 + +
  • +
  • + +Current Status and working areas + +
  • +
  • + +Doing all of that on top of Linux (in userspace) + +
  • +
+
+
+
+

Running your own Internet-style network

+
+
    +
  • + +use off-the-shelf hardware (x86, Ethernet card) + +
  • +
  • + +use any random Linux distribution + +
  • +
  • + +configure Linux kernel TCP/IP network stack + +
      +
    • + +enjoy fancy features like netfilter/iproute2/tc + +
    • +
    +
  • +
  • + +use apache/lighttpd/nginx on the server + +
  • +
  • + +use Firefox/chromium/konqueor/lynx on the client + +
  • +
  • + +do whatever analysis/research/testing on any part of the stack + +
  • +
+
+
+
+

Doing security research on it

+
+
    +
  • + +FOSS implementations are key to any type of research + +
  • +
  • + +ability to study not only the interfaces but actual code + +
  • +
  • + +ability to test against other (proprietary) implementations + +
  • +
  • + +ability to modify the code in any way needed to behave different + from spec, or in ways not originally intended in the spec + +
  • +
+
+
+
+

Running your own GSM network

+
+

Until 2009 the situation looked like this:

+
    +
  • + +go to Ericsson/Huawei/ZTE/Nokia/Alcatel/… + +
  • +
  • + +spend lots of time convincing them that you’re an eligible customer + +
  • +
  • + +spend a six-digit figure for even the most basic full network + +
  • +
  • + +end up with black boxes you can neither study nor improve + +
      +
    • + +WTF? + +
    • +
    • + +I’ve grown up with FOSS and the Internet. I know a better world. + +
    • +
    +
  • +
+
+
+
+

Why no cellular FOSS?

+
+
    +
  • + +both cellular (2G/3G/4G) and TCP/IP/HTTP protocol specs are publicly + available for decades. Can you believe it? + +
  • +
  • + +Internet protocol stacks have lots of FOSS implementations + +
  • +
  • + +cellular protocol stacks have no FOSS implementations for the + first almost 20 years of their existence? + +
  • +
  • + +it’s the classic conflict + +
      +
    • + +classic circuit-switched telco vs. the BBS community + +
    • +
    • + +ITU-T/OSI/ISO vs. Arpanet and TCP/IP + +
    • +
    +
  • +
+
+
+
+

Enter Osmocom

+
+

In 2008, some people started to write FOSS for GSM

+
    +
  • + +to boldly go where no FOSS hacker has gone before + +
      +
    • + +where protocol stacks are deep + +
    • +
    • + +and acronyms are plentiful + +
    • +
    • + +we went from bs11-abis to bsc_hack to OpenBSC + +
    • +
    • + +many other related projects were created + +
    • +
    • + +finally leading to the Osmocom umbrella project + +
    • +
    +
  • +
+
+
+
+

Classic GSM network architecture

+
+
+
+Gsm_structures.svg +
+
+
+
+
+

Osmocom GSM components

+
+
+
+osmocom-gsm.svg +
+
+
+
+
+

Classic GSM network as digraph

+
+
+
+foss-gsm__1.png +
+
+
+
+
+

Simplified OsmoNITB GSM network

+
+
+
+foss-gsm__2.png +
+
+

which further reduces to the following minimal setup:

+
+
+foss-gsm__3.png +
+
+

So our minimal setup is a Phone, a BTS and OsmoNITB.

+
+
+
+

Which BTS to use?

+
+
    +
  • + +Proprietary BTS of classic vendor + +
      +
    • + +Siemens BS-11 is what we started with + +
    • +
    • + +Nokia, Ericsson, and others available 2nd hand + +
    • +
    +
  • +
  • + +OsmoBTS software implementation, running with + +
      +
    • + +Proprietary HW + PHY (DSP): sysmoBTS, or + +
    • +
    • + +General purpose SDR (like USRP) + OsmoTRX + +
    • +
    +
  • +
+

We assume a sysmoBTS in the following slides

+
+
+
+

OsmoBTS Overview

+
+
+
+osmo-bts.svg +
+
+
    +
  • + +Implementation of GSM BTS + +
  • +
  • + +supports variety of hardware/PHY options + +
      +
    • + +osmo-bts-sysmo: BTS family by sysmocom + +
    • +
    • + +osmo-bts-trx: Used with OsmoTRX + general-purpose SDR + +
    • +
    • + +osmo-bts-octphy: Octasic OCTBTS hardware / OCTSDR-2G PHY + +
    • +
    • + +osmo-bts-litecell15: Nutaq Litecell 1.5 hardware/PHY + +
    • +
    +
  • +
+
+
+
+

Extending the network with GPRS

+
+

Now that GSM is working, up to the next challenge!

+
    +
  • + +Classic GSM is circuit-switched only + +
  • +
  • + +Packet switched support introduced first with GPRS + +
  • +
  • + +GPRS adds new network elements (PCU, SGSN, GGSN) + +
  • +
  • + +tunnel for external packet networks like IP/Internet + +
  • +
  • + +tunnel terminates in MS and on GGSN + +
  • +
+
+
+
+

Extending the network with GPRS support

+
+
+
+foss-gsm__4.png +
+
+
    +
  • + +PCU: Packet Control Unit. Runs RLC+MAC + +
  • +
  • + +SGSN: Serving GPRS Support Node (like VLR/MSC) + +
  • +
  • + +GGSN: Gateway GPRS Support Node (terminates tunnels) + +
  • +
+
+
+
+

GPRS Protocol Stack

+
+
+
+gprs_user_stack.svg +
+
+
+
+
+

Simplified OsmoNITB network with GPRS

+
+
+
+foss-gsm__5.png +
+
+
    +
  • + +OsmoPCU is co-located with OsmoBTS + +
      +
    • + +connects over unix-domain PCU socket to BTS + +
    • +
    +
  • +
  • + +OsmoSGSN can run on any Linux machine + +
  • +
  • + +OpenGGSN can run on any Linux machine + +
      +
    • + +tun device is used for tunnel endpoints + +
    • +
    +
  • +
  • + +circuit-switched and packet-switched networks are completely separate + +
  • +
+

We need to configure those additional components to provide GPRS +services.

+
+
+
+

Simplified OsmoNITB network with GPRS

+
+
+
+osmocom-gprs.svg +
+
+
+
+
+

Protocol tracing of cellular interfaces

+
+
    +
  • + +many cellular protocols/interfaces are not specified over IP or Ethernet + +
      +
    • + +e.g. the radio interface (Um) is clearly + +
    • +
    +
  • +
  • + +Osmocom GSMTAP to the rescue + +
      +
    • + +encapsulate non-IP protocols inside GSMTAP (inside UDP/IP) + +
    • +
    • + +forward them over net-device (lo as fall-back) + +
    • +
    • + +wireshark can then capture them using regular packet socket + +
    • +
    • + +wireshark was extended with related dissectors + +
    • +
    • + +any and every GSM network interface can be analyzed now + +
    • +
    • + +was extended for TETRA, GMR, UMTS, LTE, … + +
    • +
    +
  • +
+
+
+
+

Osmocom beyond GSM/GPRS RAN + NITB

+
+
    +
  • + +Telephone-side GSM protocol stack OsmocomBB + +
      +
    • + +circuit-switched GSM only. No GPRS/EDGE/3G/4G! + +
    • +
    +
  • +
  • + +Smalltalk implementation of SIGTRAN + TCAP/MAP + +
  • +
  • + +Erlang implementation of SIGTRAN + TCAP/MAP + +
  • +
  • + +Lots of special-purpose protocol mangling + +
      +
    • + +bsc-nat to introduce NAT-like functionality on A (BSSAP/BSSMAP) + +
    • +
    • + +mgw-nat to transparently re-write MAP/ISUP/SCCP + +
    • +
    +
  • +
  • + +GSMTAP pseudo-header for feeding non-IP protocols into wireshark + +
  • +
  • + +SIM card protocol tracer hardware + software (SIMtrace) + +
  • +
  • + +Lots of non-GSM projects from hardware to protocol stacks (TETRA, GMR, DECT, OP25) + +
  • +
  • + +check http://git.osmocom.org/ for full project list + +
  • +
+
+
+
+

So… I heard about OpenBTS?

+
+
    +
  • + +OpenBTS is completely unrelated to the Osmocom stack + +
  • +
  • + +was independently developed by David Burgess & Harvind Simra + +
      +
    • + +Kestrel Signal Processing → Range Networks + +
    • +
    +
  • +
  • + +doesn’t follow GSM system architecture at all + +
      +
    • + +no Abis, BSC, PCU, SGSN, GGSN + +
    • +
    +
  • +
  • + +is a bridge of the GSM air interface (Um) to SIP + +
  • +
  • + +Osmocom follows classic GSM interfaces / system architecture + +
      +
    • + +if you research GSM beyond the radio interface, Osmocom offers an +implementation closer to real operator networks + +
    • +
    +
  • +
  • + +OsmoTRX forked OpenBTS SDR code to use OsmoBTS with SDR hardware + +
  • +
+
+
+
+

What about FOSS 2.75G (EDGE)

+
+
    +
  • + +EDGE extends GPRS with higher data rates + +
      +
    • + +8PSK instead of GMSK modulation + +
    • +
    • + +lots of new MAC/RLC features (larger windows, incremental redundancy) + +
    • +
    • + +No changes required in OmsoSGSN and OsmoGGSN + +
    • +
    +
  • +
  • + +OsmoPCU is extended with initial EDGE support + +
  • +
  • + +First working beta release was made in late January 2016 + +
      +
    • + +continues to make rapid progress ever since + +
    • +
    +
  • +
+
+
+
+

What about FOSS 3G (UMTS/WCDMA)

+
+
    +
  • + +UMTS very similar to GSM/GPRS in principle + +
      +
    • + +still, almost every interface and protocol stack has changed + +
    • +
    • + +all elements have been renamed → more acronyms to learn + +
    • +
    +
  • +
  • + +UMTS is ridiculously complex, particular PHY + Layer 2 + +
      +
    • + +however, control plane L3 (MM/CC/CM/SM/GMM) mostly the same + +
    • +
    +
  • +
  • + +Implementing all of that from scratch is a long journey + +
  • +
  • + +We’ve already reached Peak 3G + +
  • +
  • + +Osmocom 3G support strategy + +
      +
    • + +Implement Iu interface in NITB and SGSN + +
    • +
    • + +Implement HNB-GW to offer Iuh interface + +
    • +
    • + +Use existing femtocell / small cell hardware with proprietary PHY, RLC and MAC + +
    • +
    • + +Status: Started in October 2015, WIP. Overall completion > 50%. + +
    • +
    +
  • +
+
+
+
+

Classic UMTS Architecture

+
+
+
+640px-UMTS_structures.png +
+
+

(UMTS Structure by Tsaitgaist - icons from Gnome)

+
+
+
+

Classic UMTS Architecture

+
+
+
+nodeb_hnb.png +
+
+

(nodeB and Home nodeB by Tsaitgaist - icons from Gnome)

+
+
+
+

Differences NodeB to hNodeB

+
+
    +
  • + +hNodeB is basically a NodeB with a RNC built-in + +
  • +
  • + +all lower-level protocols are implemented in the RNC + +
  • +
  • + +only RANAP is exposed + +
  • +
  • + +Iuh interface is similar to Iu-CS/Iu-PS + +
  • +
  • + +Iu interface is at much lower level. + +
  • +
  • + +Compared with GSM: Iu = Abis, Iuh = A + +
  • +
+
+
+
+

Wy work with hNodeB instead of NodeB?

+
+
    +
  • + +UMTS is not a single telephony system but a set of re-configurable + building blocks to create any type of telephony system. + +
  • +
  • + +complexity at every level, particularly the lower levels + +
  • +
  • + +using hNodeB interface / stack (Iuh), we can avoid having to worry + about RLC/MAC, RRC, HNBAP, etc. + +
  • +
  • + +many femtocells implement Iuh + +
  • +
  • + +quite some small cells also implement Iuh + +
  • +
+
+
+
+

Iuh: Avoiding complexity of the RNC

+
+

speaking of UMTS access stratum complexity…

+
+
+umts_channel_mapping.png +
+
+

wouldn’t you want to avoid that, too?

+
+
+
+

How to support UMTS from OsmoNITB, OsmoSGSN

+
+
    +
  • + +Separation of MSC-part from NITB, generating Osmo-MSS + +
      +
    • + +OsmoBSC already implements BSC-side A interface, we need to add + MSC-side A interface + +
    • +
    +
  • +
  • + +UMTS AKA support as library, link into OsmoMSS and OsmoSGSN + +
  • +
  • + +RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN + +
  • +
  • + +NITB: support subscriber_connection over A (BSSMAP/BSSAP) and over RANAP + +
  • +
  • + +SGSN: support mm_context over Gb (LLC/BSSGP/NS) or over RANAP + +
  • +
+
+
+
+

Osmocom 3G Network Architecture

+
+
+
+foss-gsm__6.png +
+
+

further simplified:

+
+
+foss-gsm__7.png +
+
+
+
+
+

Osmocom 3G Network Status

+
+

Existing as of March 2016:

+
    +
  • + +HNBAP, RUA, RANAP protocol implementations + +
  • +
  • + +osmo-hnbgw converting Iuh to Iu-CS and Iu-PS + +
  • +
  • + +OsmoSGSN with IuPS interface + +
  • +
  • + +OsmoCSCN with IuCS interface + +
  • +
+

TODO:

+
    +
  • + +HLR/AUC extension for UMTS AKA + +
  • +
  • + +testing, testing, testing + +
  • +
  • + +actual voice handling (so far, signalling + packet data only) + +
  • +
+
+
+
+

Outlook on FOSS 4G (LTE)

+
+
    +
  • + +LTE has nothing in common with 2G/3G + +
  • +
  • + +various FOSS activities + +
      +
    • + +OpenAirInterface has some code for a software eNodeB + +
        +
      • + +but they switched from GPLv3 to non-free license :( + +
      • +
      +
    • +
    • + +srsLTE (main focus on UE side, but large parts usable for eNodeB side) + +
    • +
    • + +OpenLTE is another active FOSS project + +
    • +
    +
  • +
  • + +No Osmocom involvement so far + +
      +
    • + +team is small, project scope of cellular infrastructure is gigantic + +
    • +
    • + +most customer funding currently still on GSM/GPRS/EDGE + +
    • +
    • + +if we’d start today, we’d start implementing MME + S-GW and use +existing LTE cells, similar to the 3G strategy + +
    • +
    +
  • +
+
+
+
+

Summary

+
+
    +
  • + +FOSS implementations of protocol stacks and functional elements are + vital for security research + +
  • +
  • + +Traditional Telcos + Equipment vendors do not contribute to this :( + +
  • +
  • + +Existing implementations done by enthusiasts only, on extremely + tight budgets and resources + +
  • +
  • + +Existing implementations are decades behind + +
  • +
  • + +Result: Security research is often decades behind + +
  • +
  • + +If we want to advance Cellular security research, we need to + advance FOSS implementations! + +
  • +
+
+
+
+

The End

+
+
    +
  • + +so long, and thanks for all the fish + +
  • +
  • + +I hope you have questions! + +
  • +
  • + +have fun exploring mobile technologies using Osmocom + +
  • +
  • + +interested in working with more acronyms? Come join the project! + +
  • +
  • + +Check out http://openbsc.osmocom.org/ and openbsc@lists.osmocom.org + +
  • +
+
+
+
+

Thanks to

+
+
    +
  • + +the entire Osmocom team for what they have achieved + +
      +
    • + +notably Dieter Spaar, Holger Freyther, Andreas Eversberg, Sylvain Munaut + +
    • +
    +
  • +
  • + +last but not least: CEPT for making the GSM specs English + +
      +
    • + +(the official language of CEPT is french!) + +
    • +
    +
  • +
+
+
+ + diff --git a/2016/telcosecday/foss-gsm__1.png b/2016/telcosecday/foss-gsm__1.png new file mode 100644 index 0000000..880083f Binary files /dev/null and b/2016/telcosecday/foss-gsm__1.png differ diff --git a/2016/telcosecday/foss-gsm__2.png b/2016/telcosecday/foss-gsm__2.png new file mode 100644 index 0000000..72646b2 Binary files /dev/null and b/2016/telcosecday/foss-gsm__2.png differ diff --git a/2016/telcosecday/foss-gsm__3.png b/2016/telcosecday/foss-gsm__3.png new file mode 100644 index 0000000..9c3f807 Binary files /dev/null and b/2016/telcosecday/foss-gsm__3.png differ diff --git a/2016/telcosecday/foss-gsm__4.png b/2016/telcosecday/foss-gsm__4.png new file mode 100644 index 0000000..110cf4d Binary files /dev/null and b/2016/telcosecday/foss-gsm__4.png differ diff --git a/2016/telcosecday/foss-gsm__5.png b/2016/telcosecday/foss-gsm__5.png new file mode 100644 index 0000000..248ecd4 Binary files /dev/null and b/2016/telcosecday/foss-gsm__5.png differ diff --git a/2016/telcosecday/foss-gsm__6.png b/2016/telcosecday/foss-gsm__6.png new file mode 100644 index 0000000..642fc57 Binary files /dev/null and b/2016/telcosecday/foss-gsm__6.png differ diff --git a/2016/telcosecday/foss-gsm__7.png b/2016/telcosecday/foss-gsm__7.png new file mode 100644 index 0000000..6b57e72 Binary files /dev/null and b/2016/telcosecday/foss-gsm__7.png differ diff --git a/2016/telcosecday/gprs_user_stack.svg b/2016/telcosecday/gprs_user_stack.svg new file mode 100644 index 0000000..6b702a2 --- /dev/null +++ b/2016/telcosecday/gprs_user_stack.svg @@ -0,0 +1,1357 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + MAC + RLC + LLC + + LLC + + E1 + + + IP + Ethernet + + GTP-U + + + IP + Ethernet + + GTP-U + + + + + + PhysicalLayer + + + + + + + Um + A-bis + Gb + Gn + MS + BTS+CCU + BSC+PCU + SGSN + GGSN + GPRS User Plane + + + FrameRelay + NS + + BSSGP + + + E1 + + PhysicalLayer + TRAUFraming + + + MAC + RLC + + + E1 + + + + E1 + FrameRelay + NS + + BSSGP + TRAUFraming + + + UDP + + UDP + SNDCP + + SNDCP + + + + IP + + + + IP + + + + + TCP + + + + TCP + + + + HTTP + + + + HTTP + + + + + + + diff --git a/2016/telcosecday/nodeb_hnb.png b/2016/telcosecday/nodeb_hnb.png new file mode 100644 index 0000000..b285b74 Binary files /dev/null and b/2016/telcosecday/nodeb_hnb.png differ diff --git a/2016/telcosecday/osmo-bts.svg b/2016/telcosecday/osmo-bts.svg new file mode 100644 index 0000000..5f24c35 --- /dev/null +++ b/2016/telcosecday/osmo-bts.svg @@ -0,0 +1,342 @@ + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + Abis/IP + + + + SDR Hardware + + + + OsmoTRX + + + + Transceiver + + + + + + + + VTY + OsmoBTS + + + osmo-bts-trx + + + + osmo-bts-sysmo + + + + CTRL + + + + + sysmoBTS PHYsysmoBTS Hardware + + + + + diff --git a/2016/telcosecday/osmocom-gprs.svg b/2016/telcosecday/osmocom-gprs.svg new file mode 100644 index 0000000..0506053 --- /dev/null +++ b/2016/telcosecday/osmocom-gprs.svg @@ -0,0 +1,1191 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + Gb/IP + + + sysmoBTS direct PHY access + PCU Sock + + + SDR Hardware + + + + OsmoTRX + + + + Transceiver + + + + + + + + VTY + OsmoBTS + + + osmo-bts-trx + + + + osmo-bts-sysmo + + + + CTRL + + + + + sysmoBTS PHYsysmoBTS Hardware + + + + + Abis/IP + + + + + VTY + + + + CTRL + + + OsmoSGSN + + OsmoNITB + + + VTY + + + + CTRL + + Includes functionality of* BSC* MSC/VLR* HLR/AUC* SMSC + + OsmoPCU + + + CTRL + + + + VTY + + + + + + GTP/IP + + + + OpenGGSN + + + + + + SMPP + + + + MNCC + + + diff --git a/2016/telcosecday/osmocom-gsm.svg b/2016/telcosecday/osmocom-gsm.svg new file mode 100644 index 0000000..8f2ac6d --- /dev/null +++ b/2016/telcosecday/osmocom-gsm.svg @@ -0,0 +1,1980 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + Gb/IP + + + + Abis/IP + + + sysmoBTS direct PHY access + PCU Sock + + + SDR Hardware + + + + OsmoTRX + + + + Transceiver + + + + + + + + VTY + OsmoBTS + + + osmo-bts-trx + + + + osmo-bts-sysmo + + + + CTRL + + + + + sysmoBTS PHYsysmoBTS Hardware + + + + + Abis/IP + + + OsmoBSC + + + VTY + + + + CTRL + + + + + + + VTY + + + + CTRL + + + OsmoSGSN + + + + A/IP + + OsmoNITB + + + VTY + + + + CTRL + + Includes functionality of* BSC* MSC/VLR* HLR/AUC* SMSC + + OsmoPCU + + + CTRL + + + + VTY + + + + + + Gb/IP + + + + 3rd Party SGSN + + + + GTP/IP + + + + GTP/IP + + + + OpenGGSN + + + + 3rd PartyGGSN + + + + GTP/IP + + + + GTP/IP + + + + OpenGGSN + + + + 3rd PartyGGSN + + + + 3rd Party MSC + and/or existing othercore network elements + + + + + Linux Call Router + SoftSwitch / PBX + + SIP + + + + + E1/PRI + + + + BRI + + + External SMSApplications + + + SS7 + + + + SS7 + + + + SS7 + + + + 3rd Party BTS + Some support for* Siemens* Nokia* Ericsson* ip.access + + + + + Abis/IP + + + + Abis/E1 + + + + SMPP + + + + MNCC + + + diff --git a/2016/telcosecday/umts_channel_mapping.png b/2016/telcosecday/umts_channel_mapping.png new file mode 100644 index 0000000..9fc25fa Binary files /dev/null and b/2016/telcosecday/umts_channel_mapping.png differ diff --git a/2016/telcosecday/umts_hnb_control.pdf b/2016/telcosecday/umts_hnb_control.pdf new file mode 100644 index 0000000..2837008 Binary files /dev/null and b/2016/telcosecday/umts_hnb_control.pdf differ -- cgit v1.2.3