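% Preamble for the beamer talk "The Iuh protocol stack and osmo-iuh".
%
% NOTE(review): this preamble had been collapsed onto two physical lines, so
% the first `%' turned everything after it (including \documentclass and all
% \usepackage lines) into a comment.  Line breaks are restored below; a
% command that directly follows comment text is assumed to start a new line.
\newcommand{\degree}{\ensuremath{^\circ}}
%\documentclass[handout]{beamer}
\documentclass{beamer}

% This file is a solution template for:

% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.

% Copyright 2004 by Till Tantau .
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.

% NOTE(review): the mode specifications <presentation> and <handout> were
% missing (presumably stripped as markup during extraction).  They are
% restored from the block contents: the second block loads the handout
% layout, the first one sets the on-screen theme -- confirm.
\mode<presentation>
{
  \usetheme{CambridgeUS}
  \usecolortheme{whale}
  %\setbeamercolor{titlelike}{parent=palette primary,fg=black}
  \setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}

  % from beamercolorthemeorchid.sty to make it look more like warsaw
  \setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
  \setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
  \setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}

  \setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
  \setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
  \setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
  % or ...

  %\setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}

\mode<handout>{
  \usepackage{misc/handoutWithNotes}
  \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
  \usecolortheme{seahorse}
}

% ensure the page number is printed in front of the author name in the footer
%\newcommand*\oldmacro{}
%\let\oldmacro\insertshortauthor% save previous definition
%\renewcommand*\insertshortauthor{%
%  \leftskip=.3cm% before the author could be a plus1fill ...
%  \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}

\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
\usepackage{subfigure}
\usepackage{hyperref}
\usepackage{textcomp,listings}
%\usepackage{german}
\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}

\title{The Iuh protocol stack and osmo-iuh}

\subtitle{Implementing HNBAP, RUA and RANAP in Free Software}

\author{Harald~Welte}

\institute{Osmocom / sysmocom GmbH}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.

% The long form of the date is commented out below, which left \date without
% its mandatory argument; it would then swallow whatever token comes next.
% An explicit empty argument keeps the short form for the footline and makes
% the empty long form deliberate.  Fill in the event name if it should show
% on the title page.
\date[October 2015]{} % (optional, should be abbreviation of conference name)
%{DeepSec Conference, November 2011, Vienna/Austria}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
%   yourself) who are reading the slides online

\subject{UMTS}
% This is only inserted into the PDF information catalog. Can be left
% out.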
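% Template hints, start of the document body and the title frame.
%
% NOTE(review): this stretch had been collapsed onto one physical line that
% begins with `%', which commented out \begin{document} and the title frame.
% Line breaks are restored so that only the template hints remain comments.

% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:

% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}

% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
%  \begin{frame}{Outline}
%    \tableofcontents[currentsection,currentsubsection]
%  \end{frame}
%}

% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command:

%\beamerdefaultoverlayspecification{<+->}

\begin{document}

\begin{frame}
  \titlepage
\end{frame}

% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:

% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
%   15 and 30 frames, all told.

% - A conference audience is likely to know very little of what you
%   are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
%   enough. Leave out details, even if it means being less precise than
%   you think necessary.
% - If you omit details that are vital to the proof/implementation,
%   just say so once. Everybody will be happy with that.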
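% Slide body: speaker introduction, UMTS/Iuh architecture, the Iuh protocols
% (RUA, HNBAP, RANAP), the ASN.1 tooling situation and the osmo-iuh status.
% One frame per slide; the obsolete {\tt ...} and {\em ...} switches are
% replaced by \texttt and \emph, and a few spelling slips are fixed.

\begin{frame}{About}
  \begin{itemize}
    \item Linux Kernel / bootloader / driver / firmware developer since 1999
    \item Former core developer of Linux packet filter netfilter/iptables
    \item Comms / Network Security beyond TCP/IP
    \begin{itemize}
      \item OpenPCD, librfid, libmtrd, OpenBeacon
      \item deDECTed.org project
      \item Openmoko - FOSS smartphone with focus on security + owner device control
      \item OpenBSC as network-side FOSS GSM Stack
      \item OsmocomBB - device-side GSM protocol stack + baseband firmware
    \end{itemize}
    \item practical security research / testing on baseband side and telecom infrastructure side
    \item running a small team at sysmocom GmbH in Berlin, building custom tailored mobile communications technology
  \end{itemize}
\end{frame}

\section{UMTS Architecture and Iuh}

\subsection{Classic UMTS}

\begin{frame}{UMTS Architecture}
  \begin{figure}[h]
    \centering
    \includegraphics[width=105mm]{640px-UMTS_structures.png}
  \end{figure}
  UMTS Structure by Tsaitgaist - icons from Gnome
\end{frame}

\begin{frame}{UMTS Protocol stacking}
  \begin{itemize}
    \item Iu is split in Iu-CS (MSC) and Iu-PS (SGSN)
    \item Next slides show protocol stacking of Iu-CS and Iu-PS
    \item Notice all the ATM legacy that's way obsolete by now
    \item IP based transport does away with a lot of it
    \item however, M3UA and SCCP remain even on IP based Iu
  \end{itemize}
\end{frame}

\begin{frame}{UMTS protocol stacking}
  \begin{figure}[h]
    \centering
    \includegraphics[width=115mm]{umts_ps_control.pdf}
  \end{figure}
\end{frame}

\begin{frame}{Iu-CS protocol stacking}
  \begin{figure}[h]
    \centering
    \includegraphics[width=70mm]{iu_cs_stacking.png}
  \end{figure}
  from 3GPP TS 25.410
\end{frame}

\begin{frame}{Iu-PS protocol stacking}
  \begin{figure}[h]
    \centering
    \includegraphics[width=75mm]{iu_ps_stacking.png}
  \end{figure}
  from 3GPP TS 25.410
\end{frame}

\subsection{UMTS for HomeNodeB}

\begin{frame}{UMTS Architecture for hNodeB}
  \begin{figure}[h]
    \centering
    \includegraphics[width=105mm]{nodeb_hnb.png}
  \end{figure}
  nodeB and Home nodeB by Tsaitgaist - icons from Gnome
\end{frame}

\begin{frame}{UMTS protocol stacking with HomeNodeB}
  \begin{figure}[h]
    \centering
    \includegraphics[width=115mm]{umts_hnb_control.pdf}
  \end{figure}
\end{frame}

\begin{frame}{Differences NodeB to hNodeB}
  \begin{itemize}
    \item hNodeB is basically a NodeB with a RNC built-in
    \item all lower-level protocols are implemented in the RNC
    \item only RANAP is exposed
    \item Iuh interface is similar to Iu-CS/Iu-PS
    % NOTE(review): the next two items read as if Iub (NodeB to RNC) is meant
    % rather than Iu, because the item above calls Iuh similar to
    % Iu-CS/Iu-PS -- confirm with the author before changing the slide text.
    \item Iu interface is at much lower level.
    \item Compared with GSM: Iu = Abis, Iuh = A
  \end{itemize}
\end{frame}

\begin{frame}{Why work with hNodeB instead of NodeB}
  \begin{itemize}
    \item UMTS is not a single telephony system but a set of re-configurable building blocks to create any type of telephony system.
    \item complexity at every level, particularly the lower levels
    % NOTE(review): HNBAP is presented later in this deck as part of Iuh
    % itself, so NBAP may have been intended in the list below -- confirm.
    \item using hNodeB interface / stack (Iuh), we can avoid having to worry about RLC/MAC, RRC, HNBAP, etc.
    \item many femtocells implement Iuh
    \item quite some small cells also implement Iuh
  \end{itemize}
\end{frame}

\begin{frame}{UMTS channel mapping}
  speaking of UMTS access stratum complexity...
  \begin{figure}[h]
    \centering
    \includegraphics[width=105mm]{umts_channel_mapping.png}
  \end{figure}
  from 3GPP TS 25.301
\end{frame}

\section{Iuh interface protocols}

\begin{frame}{A closer look at Iuh}
  \begin{itemize}
    \item Iuh is \emph{basically} just RANAP encapsulated in something less complex over SCTP/IP
    \item In addition to RANAP, there is
    \begin{itemize}
      \item RUA (RANAP User Adaption) to replace SCCP
      \item HNBAP to register hNodeB and UE
    \end{itemize}
    \item RANAP for both CS and PS is sent together, but on RUA level there is a \emph{Domain Indicator} that helps separating both.
  \end{itemize}
\end{frame}

\begin{frame}{UMTS protocol stacking for Iuh}
  \begin{figure}[h]
    \centering
    \includegraphics[width=65mm]{iuh_stacking.png}
  \end{figure}
  from 3GPP TS 25.467
\end{frame}

\subsection{RANAP User Adaption}

\begin{frame}{RUA Protocol (3GPP TS 25.468)}
  \begin{itemize}
    \item Very simple connection-oriented layer
    \begin{itemize}
      \item \texttt{CONNECT}
      \item \texttt{DIRECT TRANSFER}
      \item \texttt{DISCONNECT}
      \item \texttt{CONNECTIONLESS TRANSFER}
      \item \texttt{ERROR INDICATION}
    \end{itemize}
    \item 24-bit Context ID differentiates multiple parallel RUA connections
  \end{itemize}
\end{frame}

\subsection{HomeNodeB Application Part}

\begin{frame}{HNBAP Protocol (3GPP TS 25.469)}
  \begin{itemize}
    \item HNBAP protocol has only very few messages/transactions
    \begin{itemize}
      \item \texttt{HNB REGISTER (REQUEST, ACCEPT, REJECT)}
      \item \texttt{HNB DE-REGISTER}
      \item \texttt{UE REGISTER (REQUEST, ACCEPT, REJECT)}
      \item \texttt{UE DE-REGISTER}
      \item \texttt{TNL UPDATE (REQUEST, RESPONSE, FAILURE)}
      \item \texttt{HNB CONFIG TRANSFER (REQUEST, RESPONSE)}
      \item \texttt{ERROR INDICATION}
      \item \texttt{CSG MEMBERSHIP UPDATE}
      \item \texttt{RELOCATION COMPLETE}
    \end{itemize}
    \item most important is HNB and UE registration
  \end{itemize}
\end{frame}

\subsection{RANAP}

\begin{frame}{RANAP Protocol (3GPP TS 25.413)}
  \begin{itemize}
    \item Lots of transactions, some key transactions here:
    \begin{itemize}
      \item \texttt{RESET / RESET ACKNOWLEDGE}
      \item \texttt{INITIAL UE MESSAGE}
      \item \texttt{DIRECT TRANSFER}
      \item \texttt{IU RELEASE (COMMAND, COMPLETE)}
      \item \texttt{SECURITY MODE (COMMAND, COMPLETE, REJECT)}
      \item \texttt{PAGING}
      \item \texttt{RAB ASSIGNMENT (REQUEST, RESPONSE)}
    \end{itemize}
  \end{itemize}
\end{frame}

\section{Osmocom and Iu(h)}

\begin{frame}{SCCP in Free Software}
  \begin{itemize}
    \item comes in connection-less and connection-oriented flavor
    \item is used a lot in SS7 core network protocols
    \item connection-oriented SCCP is only used on classic GSM A interface (over E1) and in UMTS Iu interface
    \item no finished free software implementation of connection-oriented SCCP exists
    \begin{itemize}
      \item libosmo-sccp, Yate, Mobicents only implement connection-less
      \item osmo\_sccp Erlang code has partial but never completed/tested code for connection-oriented mode
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{How to support UMTS from OsmoNITB, OsmoSGSN}
  \begin{itemize}
    \item Separation of MSC-part from NITB, generating OsmoMSS
    \begin{itemize}
      \item OsmoBSC already implements BSC-side A interface, we need to add MSC-side A interface
    \end{itemize}
    \item UMTS AKA support as library, link into OsmoMSS and OsmoSGSN
    \item RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN
    \item NITB: support \texttt{subscriber\_connection} over A (BSSMAP/BSSAP) and over RANAP
    \item SGSN: support \texttt{mm\_context} over Gb (LLC/BSSGP/NS) or over RANAP
  \end{itemize}
\end{frame}

\begin{frame}{How to encapsulate RANAP towards the RAN}
  \begin{itemize}
    \item we could either
    \begin{itemize}
      \item Try to convert from Iuh to A interface, make (h)NodeB look like GSM BTS+BSC.
      \item Implement classic Iu-CS and Iu-PS over SCCP/M3UA and have a classic HNB-GW to convert to Iuh
      \item Implement Iuh directly, avoiding SCCP and M3UA
    \end{itemize}
    \item Iu-CS/PS requires connection-oriented SCCP
    \item when implementing Iuh directly, we still need to somehow split CS and PS plane
    \item Idea: Simple proxy that speaks Iuh to hNodeB, MSS and SGSN
    \item Iu-CS/PS over SCCP/M3UA could be added later, if required
  \end{itemize}
\end{frame}

\subsection{Protocol Encoding}

\begin{frame}{RANAP, RUA and HNBAP Encoding}
  \begin{itemize}
    \item Use ASN.1 syntax for defining protocol messages
    \item Use APER (Aligned Packed Encoding Rules)
    \begin{itemize}
      \item unlike BER: No Tag/Length values
      \item unlike UPER: all fields start at octet boundary
    \end{itemize}
    \item ASN.1 syntax uses Information Object Classes heavily
    \item ASN.1 is not abstract enough for them, so they use ASN.1 to define containers, i.e. they build something like a TLV structure inside ASN.1
    \begin{itemize}
      \item Every IE is its own ASN.1 SEQUENCE, and it gets wrapped into an IE container indicating an IEI and the encoded sequence
      \item The Main message then simply has an array (SEQUENCE OF) of IE containers
    \end{itemize}
    % NOTE(review): the manual per-IE iteration described in the next item
    % decodes data received from the network outside the generated decoder,
    % so that glue code carries its own length and bounds handling; it is a
    % natural target for fuzz testing and careful review.
    \item Regular ASN.1 code generator will not generate very useful code for this, i.e. it will not be able to parse the entire message in one go, but it requires manual iteration code that calls the generated decoder separately for every IE Container
  \end{itemize}
\end{frame}

\subsection{RANAP, RUA, HNBAP and asn1c}

\begin{frame}{RANAP, RUA, HNBAP and asn1c}
  \begin{itemize}
    \item Lev Walkin's asn1c is a Free Software ASN.1 compiler / code generator
    \item it is good for basic usage, but lacks many if not most of the features required in telecom
    \begin{itemize}
      \item No support for information object classes
      \item No support for aligned PER
      \item No support for type prefixing, i.e. every type uses the same global C namespace and you have problems if RANAP, RUA and/or HNBAP all have types of the same name
    \end{itemize}
    \item No other free software alternatives exist
    \item Somebody with firm knowledge on compiler theory needs to help out, I'm at a loss here.
  \end{itemize}
\end{frame}

\begin{frame}{Alternatives to asn1c}
  \begin{itemize}
    \item Write all related code in Erlang
    \begin{itemize}
      \item I tried that in the past, but nobody ever contributed to any of the Osmocom Erlang projects :(
      \item At Osmocom we're mostly low-level C guys with an inherent dislike of abstract/complex languages, VMs and the like
    \end{itemize}
    \item Use proprietary asn1 compiler
    \begin{itemize}
      \item In theory not a problem, as the compiler has no copyright on the generated C code, we can use it from FOSS
      \item Problem: Mandatory runtime code is proprietary
      \item We certainly don't want proprietary blobs in Free Software, ever
      \item FOSS code would have to be MIT/BSD/LGPL, incompatible with osmo-* GPL/AGPL.
    \end{itemize}
    \item So it seems we have to stick with asn1c, after all
  \end{itemize}
\end{frame}

\begin{frame}{How to make asn1c work for Iuh}
  \begin{itemize}
    \item Eurecom has a patch for adding APER support to asn1c
    \begin{itemize}
      \item it's against an ages old version of asn1c
      \item I forward-ported that to current asn1c master
      \item Probably needs some clean-up before it can be merged
    \end{itemize}
    \item Information Object Classes are hard
    \begin{itemize}
      \item compile only the IE and PDU definitions of the ASN.1
      \item skip all parts related to Information Object Classes
    \end{itemize}
    \item Type prefixing
    \begin{itemize}
      \item Could be done in the ASN.1 source files, but that's ugly
      \item I hacked asn1c for a day until I finally had found all the locations where prefixing must be used (or not)
      % NOTE(review): git:// is an unauthenticated, unencrypted transport.
      % Anyone building from this repository should fetch over an
      % authenticated transport if the host offers one, or verify the
      % commit they build against a trusted reference.
      \item Code is at \texttt{git://git.osmocom.org/asn1c.git}
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{But what about the IE Containers?}
  \begin{itemize}
    \item Eurecom has an \texttt{asn1tostruct.py} script
    \begin{itemize}
      \item Another layer on top of asn1c to handle the IE containers and un-do the damage caused by the additional layer of abstraction of RANAP and related protocols
      \item Developed to cope with S1-AP (RANAP equivalent for LTE)
      \item Can be used for Iuh with some modifications
      \item Also had to be taught type prefixing
    \end{itemize}
  \end{itemize}
\end{frame}

\subsection{osmo-iuh, after all}

\begin{frame}{Putting it all together}
  Brief history of what I did so far:
  \begin{itemize}
    \item copy+paste ASN.1 syntax from 3GPP .doc files
    \item use hacked asn1c to generate C code
    \item don't use copied runtime code but shared osmocom libasn1c
    \item use modified asn1tostruct.py for the obfuscation layer
    \item write some code to dispatch messages
    \item implement minimally required transactions like \texttt{HNB REGISTER}, \texttt{UE REGISTER}
    \item see the \texttt{INITIAL UE MESSAGE} with the \texttt{LOCATION UPDATE}
  \end{itemize}
  % NOTE(review): same caveat as for the asn1c repository: git:// gives no
  % transport integrity, so verify what was cloned before building it.
  \texttt{git clone git://git.osmocom.org/osmo-iuh.git}
\end{frame}

\begin{frame}{Where do we go from here?}
  \begin{itemize}
    \item Implement UMTS AKA in libosmogsm, test over GSM and GPRS
    \item Create small HNB-GW with RANAP-over-RUA on both sides, splitting CS and PS
    \item Split OsmoMSS from OsmoNITB, add RANAP interface
    \item Add RANAP-over-RUA to OsmoSGSN
    \item More Volunteers needed!
  \end{itemize}
\end{frame}

\begin{frame}{What kind of hardware can we use?}
  \begin{itemize}
    \item The (undisclosed) small cell hardware I currently use is very expensive (several thousand EUR) and thus not suitable to most hackers
    \item Many consumer-grade femtocells in the market, most modern ones should use Iuh
    \begin{itemize}
      \item they are typically quite locked down and provide no local console / JTAG
      % NOTE(review): the IPsec tunnel to the SEGW is the only protection
      % for Iuh traffic that these slides mention.  A lab HNB-GW that
      % terminates Iuh without such a tunnel presumably has to rely on
      % network isolation instead -- confirm for the deployment at hand.
      \item they establish an IPsec tunnel to the SEGW (Security Gateway) and then only talk Iuh inside the tunnel
      \item Several groups of people have looked at them in the past (including Kevin, Nico and myself)
      \item maybe we can find a model that's easily convinced to talk to a different HNB-GW?
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{Summary}
  \begin{itemize}
    \item Iuh is actually not difficult conceptually
    \item Lack of good FOSS asn1 tools is biggest factor
    \item Obfuscation by IE Containers must be overcome
    \item In the end you spend 90\% of the time on tooling, before you can spend the remaining 10\% on actual code
    \item Core Iuh protocol code exists now as \texttt{osmo-iuh}
    \item Work on OsmoMSS and OsmoSGSN has not even started yet
    \item Volunteers needed. Now!
  \end{itemize}
\end{frame}

\begin{frame}{Thanks}
  Thanks for your attention. I hope we have time for Q\&A.
\end{frame}

\end{document}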