\section{OpenBSC}
\subsection{OpenBSC Introduction}
\begin{frame}{OpenBSC software}
OpenBSC is an Open Source implementation of (not only) the BSC features
of a GSM network.
\begin{itemize}
\item Support A-bis interface over E1 and IP
\item Support for BTS vendor/model is modular, currently Siemens BS-11 and ip.access nanoBTS
\item Multiple BTS models/vendors can be mixed!
\item Can work as a {\em pure BSC} or as a full {\em network in a box}
\item Supports mobility management, authentication, intra-BSC hand-over, SMS, voice calls (FR/EFR/AMR)
\item GPRS + EDGE support if combined with OsmoSGSN and OpenGGSN
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC}
\begin{itemize}
\item Supports Siemens BS-11 BTS (E1) and ip.access nanoBTS (IP based)
\item Has classic 2G signalling, voice and SMS support
\item Implements various GSM protocols like
\begin{itemize}
\item A-bis RSL (TS 08.58) and OML (TS 12.21)
\item TS 04.08 Radio Resource, Mobility Management, Call Control
\item TS 04.11 Short Message Service
\end{itemize}
\item Telnet console with Cisco-style interface
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC software architecture}
\begin{itemize}
\item Implemented in pure C, similarities to Linux kernel
\begin{itemize}
\item Linked List handling, Timer API, coding style
\end{itemize}
\item Single-threaded event-loop / state machine design
\item Telnet based command line interface {\em Cisco-style}
\item Input driver abstraction (mISDN, Abis-over-IP)
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC: GSM network protocols}{The A-bis interface}
\begin{description}[Layer 4+]
\item[Layer 1] Typically E1 line, TS 08.54
\item[Layer 2] A variant of ISDN LAPD with fixed TEIs, TS 08.56
\item[Layer 3] OML (Organization and Maintenance Layer, TS 12.21)
\item[Layer 3] RSL (Radio Signalling Link, TS 08.58)
\item[Layer 4+] transparent messages that are sent to the MS via Um
\end{description}
\end{frame}
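The RSL layer listed above carries the transparent Layer 3 messages inside an L3 Information element with a 16-bit length field, which the BSC must check against the bytes actually received. The following is an added example, not code from the slides or from OpenBSC; the constants follow TS 08.58, and the function, struct and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants per TS 08.58; the slide names the protocol but not these values. */
#define RSL_MDISC_RLL     0x02 /* Radio Link Layer management */
#define RSL_MDISC_TBIT    0x01 /* T bit: BTS treats the message as transparent */
#define RSL_MT_DATA_IND   0x02
#define RSL_IE_CHAN_NR    0x01
#define RSL_IE_LINK_IDENT 0x02
#define RSL_IE_L3_INFO    0x0b
#define RSL_DATA_IND_HDR  9    /* mdisc, type, 2 TV IEs, L3 IEI + 16-bit length */

struct rsl_l3 {                /* hypothetical result type for this example */
    uint8_t chan_nr, link_id, transparent;
    const uint8_t *l3;         /* points into the caller's buffer */
    size_t l3_len;
};

/* Parse an RLL DATA INDICATION. Returns 0 on success, negative on error. */
int rsl_parse_data_ind(const uint8_t *msg, size_t len, struct rsl_l3 *out)
{
    if (len < RSL_DATA_IND_HDR) return -1;                 /* truncated header */
    if ((msg[0] & 0xfe) != RSL_MDISC_RLL) return -2;       /* wrong discriminator */
    if (msg[1] != RSL_MT_DATA_IND) return -3;
    if (msg[2] != RSL_IE_CHAN_NR || msg[4] != RSL_IE_LINK_IDENT) return -4;
    if (msg[6] != RSL_IE_L3_INFO) return -5;
    size_t l3_len = ((size_t)msg[7] << 8) | msg[8];
    if (l3_len > len - RSL_DATA_IND_HDR) return -6;        /* length exceeds buffer */
    out->transparent = msg[0] & RSL_MDISC_TBIT;
    out->chan_nr = msg[3];
    out->link_id = msg[5];
    out->l3 = msg + RSL_DATA_IND_HDR;
    out->l3_len = l3_len;
    return 0;
}

/* Constructed samples: the L3 bytes are placeholders, not a full TS 04.08 message. */
static const uint8_t sample_ok[]      = { 0x03, 0x02, 0x01, 0x41, 0x02, 0x00, 0x0b, 0x00, 0x02, 0x05, 0x08 };
static const uint8_t sample_bad_len[] = { 0x03, 0x02, 0x01, 0x41, 0x02, 0x00, 0x0b, 0x00, 0x40, 0x05, 0x08 };

int main(void)
{
    struct rsl_l3 r;
    int rc = rsl_parse_data_ind(sample_ok, sizeof sample_ok, &r);
    printf("ok: rc=%d chan_nr=0x%02x l3_len=%zu\n", rc, r.chan_nr, r.l3_len);
    printf("oversized length: rc=%d\n",
           rsl_parse_data_ind(sample_bad_len, sizeof sample_bad_len, &r));
    return 0;
}
```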
\begin{frame}{OpenBSC: How it all started}
\begin{itemize}
\item In 2006, I bought a Siemens BS-11 microBTS on eBay
\begin{itemize}
\item This is a GSM900 BTS with 2 TRX at 2W output power (each)
\item A 48kg monster with attached antenna
\item 200W power consumption, passive cooling
\item E1 physical interface
\end{itemize}
\item I didn't have much time at the time (day job at Openmoko)
\item Started to read up on GSM specs whenever I could
\item Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support
\item Found somebody in the GSM industry who provided protocol traces
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC: Timeline}
\begin{itemize}
\item November 2008: I started the development of OpenBSC
\item December 2008: we did a first demo at 25C3
\item January 2009: we had full voice call support
\item Q1/2009: Add support for ip.access nanoBTS
\item June 2009: I started with actual security related stuff
\item August 2009: We had the first field test with 2 BTS and $>$ 860 phones
\item Q1/2010: The first 25 OpenBSC instances running in a commercial network
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC: Field Test at HAR2009}
\begin{figure}[h]
\subfigure{\includegraphics[width=5cm]{bts_tree_full.jpg}}
\subfigure{\includegraphics[width=5cm]{openbsc_host.jpg}}
\end{figure}
\end{frame}
\subsection{OpenBSC Network In The Box}
\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode}
The {\tt osmo-nitb} program
\begin{itemize}
\item implements the A-bis interface towards any number of BTS
\item provides most typical features of a GSM network in a single program
\item no need for MSC, AuC, HLR, VLR, EIR, ...
\begin{itemize}
\item HLR/VLR as SQLite3 table
\item Authentication + Ciphering support
\item GSM voice calls, MO/MT SMS
\item Hand-over between all BTS
\item Multiple Location Areas within one BSC
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC NITB features}
\begin{itemize}
\item Run a small GSM network with 1-n BTS and OpenBSC
\item No need for MSC/HLR/AUC/...
\item No need for your own SIM cards (unless crypto/auth rqd)
\item Establish signalling and voice channels
\item Make incoming and outgoing voice calls between phones
\item Send/receive SMS between phones
\item Connect to ISDN PBX or public ISDN via Linux Call Router
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC in NITB mode}{Network In a Box Mode}
The {\tt osmo-nitb} program
\begin{itemize}
\item does not implement any other GSM interfaces apart from A-bis
\item no SS7 / TCAP / MAP based protocols
\item no integration (roaming) with existing traditional GSM networks
\item wired telephony interfacing with ISDN PBX {\tt lcr} (Linux Call Router)
\item Has been tested with up to 800 subscribers on 5 BTS
\item Intended for R\&D use or private PBX systems
\end{itemize}
\end{frame}
\begin{frame}{OpenBSC LCR integration}{Interfacing with wired telephony}
OpenBSC (NITB mode) can be linked into Linux Call Router ({\tt lcr})
\begin{itemize}
\item OpenBSC is compiled as libbsc.a
\item libbsc.a includes the full OpenBSC NITB mode code
\item linking the library into {\tt lcr} makes GSM {\em line interfaces} available inside {\tt lcr}
\item OpenBSC no longer takes care of call control, but simply hands everything off to {\tt lcr}
\item Dialling plan, etc. is now configured in {\tt lcr}, as for any other wired phone
\end{itemize}
\end{frame}
\subsection{OpenBSC BSC-only mode}
\begin{frame}{OpenBSC in BSC-only mode}
The {\tt osmo-bsc} program
\begin{itemize}
\item behaves like a classic GSM BSC
\item uses SCCP-Lite (ip.access multiplex) to any SoftMSC like ADC
\item used in production/commercial deployments ($\sim$75 BSCs)
\item mainly intended to replace proprietary BSC in traditional GSM networks
\end{itemize}
\end{frame}
%\begin{frame}<handout:0>{OpenBSC}
% Demonstration
%\end{frame}
\subsection{OpenBSC GPRS support}
\begin{frame}{GPRS and OpenBSC}
\begin{itemize}
\item The BSC doesn't really do anything related to GPRS
\item GPRS implemented in separate SGSN and GGSN nodes
\item GPRS uses its own Gb interface to RAN, independent of A-bis
\item OpenBSC can configure the nanoBTS for GPRS+EDGE support via OML
\item Actual SGSN and GGSN implemented as OsmoSGSN and OpenGGSN programs
\end{itemize}
\end{frame}
\begin{frame}{OsmoSGSN}
The Osmocom SGSN program implements
\begin{itemize}
\item basic/minimal SGSN functionality
\item the Gb interface (NS/BSSGP/LLC/SNDCP)
\item mobility management, session management
\end{itemize}
It's a work in progress with many missing features:
\begin{itemize}
\item no HLR integration yet
\item no paging coordination with MSC/BSC
\item no encryption support yet
\end{itemize}
\end{frame}
\begin{frame}{OpenGGSN}
\begin{itemize}
\item GPL licensed Linux program implementing GGSN node
\item Implements GTP-U protocol between SGSN and GGSN
\item User-configurable range/pool of IPv4 addresses for MS
\item Uses {\tt tun} device for terminating IP tunnel from MS
\item provides GTP implementation as libgtp
\item Experimental patches for IPv6 support
\end{itemize}
\end{frame}
%\begin{frame}<handout:0>{OpenBSC + OpenGGSN + OsmoSGSN}
% Demonstration
%\end{frame}
\begin{frame}{OpenBSC and OsmoSGSN based network}
\begin{figure}[h]
\includegraphics[width=10cm]{osmosgsn.png}
\end{figure}
\end{frame}
% FIXME: include slide showing full OpenBSC+OsmoSGSN+OpenGGSN network