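% Degree sign usable in text and math mode.  Starred form: a short (non-\par)
% macro, which gives better error localisation if it is ever misused.
\newcommand*{\degree}{\ensuremath{^\circ}}
%\documentclass[handout]{beamer}
\documentclass{beamer}
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of a another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
  \usetheme{CambridgeUS}
  \usecolortheme{whale}
  %\setbeamercolor{titlelike}{parent=palette primary,fg=black}
  % NOTE(review): 'use=block title' copies the colour as it is defined at this
  % point, i.e. before 'block title' is redefined a few lines below; unlike
  % 'parent=' it does not track the later definition -- confirm this is intended.
  \setbeamercolor{frametitle}{use=block title,fg=black,bg=block title.bg!10!bg}
  % from beamercolorthemeorchid.sty to make it look more like warsaw
  \setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
  \setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
  \setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
  \setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
  \setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
  \setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}
  % or ...
  %\setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}
\mode<handout>{
  % Project-local style (misc/handoutWithNotes) -- only needed for handout mode.
  \usepackage{misc/handoutWithNotes}
  \pgfpagesuselayout{2 on 1 with notes landscape}[a4paper,border shrink=5mm]
  \usecolortheme{seahorse}
}
% ensure the page number is printed in front of the author name in the footer
%\newcommand*\oldmacro{}
%\let\oldmacro\insertshortauthor% save previous definition
%\renewcommand*\insertshortauthor{%
% \leftskip=.3cm% before the author could be a plus1fill ...
% \insertframenumber\,/\,\inserttotalframenumber\hfill\oldmacro}
\usepackage[english]{babel}
% This source is plain ASCII, so latin1 and utf8 decode it identically;
% utf8 is the LaTeX default since 2018 and is what any editor will save.
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
% NOTE(review): 'times' is obsolete (l2tabu; newtx is the replacement) and
% 'subfigure' is deprecated (subcaption) and not used anywhere in this deck.
% Both are kept as-is so the rendered fonts and layout do not change.
\usepackage{times}
\usepackage{subfigure}
% hyperref must be loaded after the other packages (beamer itself loads it
% early, but listing it last keeps the conventional order explicit).
\usepackage{textcomp,listings}
\usepackage{hyperref}
%\usepackage{german}
\lstset{basicstyle=\scriptsize\ttfamily, upquote, tabsize=8}
\title{The Iuh protocol stack and osmo-iuh}
\subtitle{Implementing HNBAP, RUA and RANAP in Free Software}
\author{Harald~Welte}
\institute{Osmocom / sysmocom GmbH}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.
% \date takes a mandatory long form after the optional short form.  The
% original line had only '[October 2015]' with the long form commented out,
% so the next token (\subject) would have been consumed as the argument.
% The short form is reused here; replace it with the venue if known.
\date[October 2015]{October 2015} % (optional, should be abbreviation of conference name)
%{DeepSec Conference, November 2011, Vienna/Austria}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
% yourself) who are reading the slides online
\subject{UMTS}
% This is only inserted into the PDF information catalog. Can be left
% out.
% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% If you wish to uncover everything in a step-wise fashion, uncomment
% the following command:
%\beamerdefaultoverlayspecification{<+->}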
\begin{document}

% Title slide: \titlepage renders the \title/\subtitle/\author/\institute/\date
% declared in the preamble.
\frame{\titlepage}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\begin{frame}{About}
  % Speaker background; the nested list is the project history.
  \begin{itemize}
    \item Linux Kernel / bootloader / driver / firmware developer since 1999
    \item Former core developer of Linux packet filter netfilter/iptables
    \item Comms / Network Security beyond TCP/IP
      \begin{itemize}
        \item OpenPCD, librfid, libmtrd, OpenBeacon
        \item deDECTed.org project
        \item Openmoko - FOSS smartphone with focus on security + owner device control
        \item OpenBSC as network-side FOSS GSM Stack
        \item OsmocomBB - device-side GSM protocol stack + baseband firmware
      \end{itemize}
    \item practical security research / testing on baseband side and telecom infrastructure side
    \item running a small team at sysmocom GmbH in Berlin, building custom tailored mobile communications technology
  \end{itemize}
\end{frame}
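\section{UMTS Architecture and Iuh}
\subsection{Classic UMTS}

\begin{frame}{UMTS Architecture}
  % beamer frames never float, so no placement specifier is given.
  \begin{figure}
    \centering
    \includegraphics[width=105mm]{640px-UMTS_structures.png}
  \end{figure}
  % Attribution line below the figure; em-dash instead of a bare hyphen.
  UMTS Structure by Tsaitgaist---icons from Gnome
\end{frame}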
\begin{frame}{UMTS Protocol stacking}
  % Overview of the Iu split; the stacks themselves are on the next slides.
  \begin{itemize}
    \item Iu is split in Iu-CS (MSC) and Iu-PS (SGSN)
    \item Next slides show protocol stacking of Iu-CS and Iu-PS
    \item Notice all the ATM legacy that's way obsolete by now
    \item IP based transport does away with a lot of it
    \item however, M3UA and SCCP remain even on IP based Iu
  \end{itemize}
\end{frame}
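\begin{frame}{UMTS protocol stacking}
  \begin{figure}
    \centering
    % width=115mm exceeds beamer's default text width (128mm paper minus
    % 1cm margins each side) and overflowed the frame; \linewidth keeps
    % the diagram inside it.
    \includegraphics[width=\linewidth]{umts_ps_control.pdf}
  \end{figure}
\end{frame}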
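\begin{frame}{Iu-CS protocol stacking}
  % No placement specifier: beamer figures do not float.
  \begin{figure}
    \centering
    \includegraphics[width=70mm]{iu_cs_stacking.png}
  \end{figure}
  % Non-breaking spaces keep the spec number on one line.
  from 3GPP~TS~25.410
\end{frame}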
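\begin{frame}{Iu-PS protocol stacking}
  % No placement specifier: beamer figures do not float.
  \begin{figure}
    \centering
    \includegraphics[width=75mm]{iu_ps_stacking.png}
  \end{figure}
  % Non-breaking spaces keep the spec number on one line.
  from 3GPP~TS~25.410
\end{frame}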
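\subsection{UMTS for HomeNodeB}

\begin{frame}{UMTS Architecture for hNodeB}
  % No placement specifier: beamer figures do not float.
  \begin{figure}
    \centering
    \includegraphics[width=105mm]{nodeb_hnb.png}
  \end{figure}
  % Attribution line; em-dash instead of a bare hyphen.
  nodeB and Home nodeB by Tsaitgaist---icons from Gnome
\end{frame}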
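\begin{frame}{UMTS protocol stacking with HomeNodeB}
  \begin{figure}
    \centering
    % width=115mm exceeds beamer's default text width (128mm paper minus
    % 1cm margins each side); \linewidth keeps the diagram inside the frame.
    \includegraphics[width=\linewidth]{umts_hnb_control.pdf}
  \end{figure}
\end{frame}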
\begin{frame}{Differences NodeB to hNodeB}
  % NOTE(review): the last two bullets say "Iu" where the NodeB--RNC
  % interface (Iub) seems to be meant -- an earlier slide uses Iu for the
  % RNC--core network interface (Iu-CS/Iu-PS).  Confirm with the author.
  \begin{itemize}
    \item hNodeB is basically a NodeB with a RNC built-in
    \item all lower-level protocols are implemented in the RNC
    \item only RANAP is exposed
    \item Iuh interface is similar to Iu-CS/Iu-PS
    \item Iu interface is at much lower level.
    \item Compared with GSM: Iu = Abis, Iuh = A
  \end{itemize}
\end{frame}
\begin{frame}{Why work with hNodeB instead of NodeB}
  % NOTE(review): "HNBAP" in the third bullet is itself part of Iuh (see the
  % HNBAP slide later on); the lower-layer protocol meant here may be NBAP.
  \begin{itemize}
    \item UMTS is not a single telephony system but a set of re-configurable building blocks to create any type of telephony system.
    \item complexity at every level, particularly the lower levels
    \item using hNodeB interface / stack (Iuh), we can avoid having to worry about RLC/MAC, RRC, HNBAP, etc.
    \item many femtocells implement Iuh
    \item quite some small cells also implement Iuh
  \end{itemize}
\end{frame}
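\begin{frame}{UMTS channel mapping}
  % \dots instead of three periods (correct ellipsis spacing).
  speaking of UMTS access stratum complexity\dots
  % No placement specifier: beamer figures do not float.
  \begin{figure}
    \centering
    \includegraphics[width=105mm]{umts_channel_mapping.png}
  \end{figure}
  from 3GPP~TS~25.301
\end{frame}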
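\section{Iuh interface protocols}

\begin{frame}{A closer look at Iuh}
  % \emph{} replaces the obsolete {\em ...} font switch.
  \begin{itemize}
    \item Iuh is \emph{basically} just RANAP encapsulated in something less complex over SCTP/IP
    \item In addition to RANAP, there is
      \begin{itemize}
        \item RUA (RANAP User Adaption) to replace SCCP
        \item HNBAP to register hNodeB and UE
      \end{itemize}
    \item RANAP for both CS and PS is sent together, but on RUA level there is a \emph{Domain Indicator} that helps separating both.
  \end{itemize}
\end{frame}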
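\begin{frame}{UMTS protocol stacking for Iuh}
  % No placement specifier: beamer figures do not float.
  \begin{figure}
    \centering
    \includegraphics[width=65mm]{iuh_stacking.png}
  \end{figure}
  from 3GPP~TS~25.467
\end{frame}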
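\subsection{RANAP User Adaption}

\begin{frame}{RUA Protocol (3GPP TS 25.468)}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item Very simple connection-oriented layer
      \begin{itemize}
        \item \texttt{CONNECT}
        \item \texttt{DIRECT TRANSFER}
        \item \texttt{DISCONNECT}
        \item \texttt{CONNECTIONLESS TRANSFER}
        \item \texttt{ERROR INDICATION}
      \end{itemize}
    \item 24-bit Context ID differentiates multiple parallel RUA connections
  \end{itemize}
\end{frame}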
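\subsection{HomeNodeB Application Part}

\begin{frame}{HNBAP Protocol (3GPP TS 25.469)}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item HNBAP protocol has only very few messages/transactions
      \begin{itemize}
        \item \texttt{HNB REGISTER (REQUEST, ACCEPT, REJECT)}
        \item \texttt{HNB DE-REGISTER}
        \item \texttt{UE REGISTER (REQUEST, ACCEPT, REJECT)}
        \item \texttt{UE DE-REGISTER}
        \item \texttt{TNL UPDATE (REQUEST, RESPONSE, FAILURE)}
        \item \texttt{HNB CONFIG TRANSFER (REQUEST, RESPONSE)}
        \item \texttt{ERROR INDICATION}
        \item \texttt{CSG MEMBERSHIP UPDATE}
        \item \texttt{RELOCATION COMPLETE}
      \end{itemize}
    \item most important is HNB and UE registration
  \end{itemize}
\end{frame}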
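\subsection{RANAP}

\begin{frame}{RANAP Protocol (3GPP TS 25.413)}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item Lots of transactions, some key transactions here:
      \begin{itemize}
        \item \texttt{RESET / RESET ACKNOWLEDGE}
        \item \texttt{INITIAL UE MESSAGE}
        \item \texttt{DIRECT TRANSFER}
        \item \texttt{IU RELEASE (COMMAND, COMPLETE)}
        \item \texttt{SECURITY MODE (COMMAND, COMPLETE, REJECT)}
        \item \texttt{PAGING}
        \item \texttt{RAB ASSIGNMENT (REQUEST, RESPONSE)}
      \end{itemize}
  \end{itemize}
\end{frame}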
\section{Osmocom and Iu(h)}

\begin{frame}{SCCP in Free Software}
  % State of connection-oriented SCCP in FOSS, the prerequisite for classic Iu.
  \begin{itemize}
    \item comes in connection-less and connection-oriented flavor
    \item is used a lot in SS7 core network protocols
    \item connection-oriented SCCP is only used on classic GSM A interface (over E1) and in UMTS Iu interface
    \item no finished free software implementation of connection-oriented SCCP exists
      \begin{itemize}
        \item libosmo-sccp, Yate, Mobicents only implement connection-less
        \item osmo\_sccp Erlang code has partial but never completed/tested code for connection-oriented mode
      \end{itemize}
  \end{itemize}
\end{frame}
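\begin{frame}{How to support UMTS from OsmoNITB, OsmoSGSN}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item Separation of MSC-part from NITB, generating Osmo-MSS
      \begin{itemize}
        \item OsmoBSC already implements BSC-side A interface, we need to add MSC-side A interface
      \end{itemize}
    \item UMTS AKA support as library, link into OsmoMSS and OsmoSGSN
    \item RANAP protocol support in a library, also linked into OsmoMSS and OsmoSGSN
    \item NITB: support \texttt{subscriber\_connection} over A (BSSMAP/BSSAP) and over RANAP
    \item SGSN: support \texttt{mm\_context} over Gb (LLC/BSSGP/NS) or over RANAP
  \end{itemize}
\end{frame}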
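\begin{frame}{How to encapsulate RANAP towards the RAN}
  % Typo fixed: "M3Ua" -> "M3UA" (matches the spelling used elsewhere in the deck).
  \begin{itemize}
    \item we could either
      \begin{itemize}
        \item Try to convert from Iuh to A interface, make (h)NodeB look like GSM BTS+BSC.
        \item Implement classic Iu-CS and Iu-PS over SCCP/M3UA and have a classic HNB-GW to convert to Iuh
        \item Implement Iuh directly, avoiding SCCP and M3UA
      \end{itemize}
    \item Iu-CS/PS requires connection-oriented SCCP
    \item when implementing Iuh directly, we still need to somehow split CS and PS plane
    \item Idea: Simple proxy that speaks Iuh to hNodeB, MSS and SGSN
    \item Iu-CS/PS over SCCP/M3UA could be added later, if required
  \end{itemize}
\end{frame}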
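\subsection{Protocol Encoding}

\begin{frame}{RANAP, RUA and HNBAP Encoding}
  % "i.e.\ " -- the backslash-space stops TeX from treating the abbreviation's
  % period as a sentence end (which would insert a wider space).
  \begin{itemize}
    \item Use ASN.1 syntax for defining protocol messages
    \item Use APER (Aligned Packed Encoding Rules)
      \begin{itemize}
        \item unlike BER: No Tag/Length values
        \item unlike UPER: all fields start at octet boundary
      \end{itemize}
    \item ASN.1 syntax uses Information Object Classes heavily
    \item ASN.1 is not abstract enough for them, so they use ASN.1 to define containers, i.e.\ they build something like a TLV structure inside ASN.1
      \begin{itemize}
        \item Every IE is its own ASN.1 SEQUENCE, and it gets wrapped into an IE container indicating an IEI and the encoded sequence
        \item The Main message then simply has an array (SEQUENCE OF) of IE containers
      \end{itemize}
    \item Regular ASN.1 code generator will not generate very useful code for this, i.e.\ it will not be able to parse the entire message in one go, but it requires manual iteration code that calls the generated decoder separately for every IE Container
  \end{itemize}
\end{frame}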
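\subsection{RANAP, RUA, HNBAP and asn1c}

\begin{frame}{RANAP, RUA, HNBAP and asn1c}
  % Wording fixes only: possessive "Walkin's", and the doubled "support" in
  % the APER bullet.
  \begin{itemize}
    \item Lev Walkin's asn1c is a Free Software ASN.1 compiler / code generator
    \item it is good for basic usage, but lacks many if not most of the features required in telecom
      \begin{itemize}
        \item No support for information object classes
        \item No support for aligned PER (APER)
        \item No support for type prefixing, i.e.\ every type uses the same global C namespace and you have problems if RANAP, RUA and/or HNBAP all have types of the same name
      \end{itemize}
    \item No other free software alternatives exist
    \item Somebody with firm knowledge on compiler theory needs to help out, I'm at a loss here.
  \end{itemize}
\end{frame}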
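\begin{frame}{Alternatives to asn1c}
  % "ASN.1" spelled as on the other slides.
  \begin{itemize}
    \item Write all related code in Erlang
      \begin{itemize}
        \item I tried that in the past, but nobody ever contributed to any of the Osmocom Erlang projects :(
        \item At Osmocom we're mostly low-level C guys with an inherent dislike of abstract/complex languages, VMs and the like
      \end{itemize}
    \item Use proprietary ASN.1 compiler
      \begin{itemize}
        \item In theory not a problem, as the compiler has no copyright on the generated C code, we can use it from FOSS
        \item Problem: Mandatory runtime code is proprietary
        \item We certainly don't want proprietary blobs in Free Software, ever
        \item FOSS code would have to be MIT/BSD/LGPL, incompatible with osmo-* GPL/AGPL.
      \end{itemize}
    \item So it seems we have to stick with asn1c, after all
  \end{itemize}
\end{frame}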
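\begin{frame}{How to make asn1c work for Iuh}
  % \url{} (hyperref is loaded) instead of {\tt ...} for the repository URL:
  % it typesets in monospace and allows line breaks at sensible points.
  \begin{itemize}
    \item Eurecom has a patch for adding APER support to asn1c
      \begin{itemize}
        \item it's against an ages-old version of asn1c
        \item I forward-ported that to current asn1c master
        \item Probably needs some clean-up before it can be merged
      \end{itemize}
    \item Information Object Classes are hard
      \begin{itemize}
        \item compile only the IE and PDU definitions of the ASN.1
        \item skip all parts related to Information Object Classes
      \end{itemize}
    \item Type prefixing
      \begin{itemize}
        \item Could be done in the ASN.1 source files, but that's ugly
        \item I hacked asn1c for a day until I finally had found all the locations where prefixing must be used (or not)
        \item Code is at \url{git://git.osmocom.org/asn1c.git}
      \end{itemize}
  \end{itemize}
\end{frame}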
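\begin{frame}{But what about the IE Containers?}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item Eurecom has an \texttt{asn1tostruct.py} script
      \begin{itemize}
        \item Another layer on top of asn1c to handle the IE containers and un-do the damage caused by the additional layer of abstraction of RANAP and related protocols
        \item Developed to cope with S1-AP (RANAP equivalent for LTE)
        \item Can be used for Iuh with some modifications
        \item Also had to be taught type prefixing
      \end{itemize}
  \end{itemize}
\end{frame}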
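\subsection{osmo-iuh, after all}

\begin{frame}{Putting it all together}
  % \texttt{} replaces {\tt ...}; the clone command uses \url so hyperref can
  % break/link it.  "Asn.1" corrected to the spelling used elsewhere.
  Brief history of what I did so far:
  \begin{itemize}
    \item copy+paste ASN.1 syntax from 3GPP .doc files
    \item use hacked asn1c to generate C code
    \item don't use copied runtime code but shared osmocom libasn1c
    \item use modified asn1tostruct.py for the obfuscation layer
    \item write some code to dispatch messages
    \item implement minimally required transactions like \texttt{HNB REGISTER}, \texttt{UE REGISTER}
    \item see the \texttt{INITIAL UE MESSAGE} with the \texttt{LOCATION UPDATE}
  \end{itemize}
  \texttt{git clone} \url{git://git.osmocom.org/osmo-iuh.git}
\end{frame}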
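\begin{frame}{Where do we go from here?}
  % Typo fixed: "Crete" -> "Create".
  \begin{itemize}
    \item Implement UMTS AKA in libosmogsm, test over GSM and GPRS
    \item Create small HNB-GW with RANAP-over-RUA on both sides, splitting CS and PS
    \item Split OsmoMSS from OsmoNITB, add RANAP interface
    \item Add RANAP-over-RUA to OsmoSGSN
    \item More Volunteers needed!
  \end{itemize}
\end{frame}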
\begin{frame}{What kind of hardware can we use?}
  % Hardware options for running the Iuh stack; the nested list covers
  % consumer femtocells.
  \begin{itemize}
    \item The (undisclosed) small cell hardware I currently use is very expensive (several thousand EUR) and thus not suitable to most hackers
    \item Many consumer-grade femtocells in the market, most modern ones should use Iuh
      \begin{itemize}
        \item they are typically quite locked down and provide no local console / JTAG
        \item they establish an IPsec tunnel to the SEGW (Security Gateway) and then only talk Iuh inside the tunnel
        \item Several groups of people have looked at them in the past (including Kevin, Nico and myself)
        \item maybe we can find a model that's easily convinced to talk to a different HNB-GW?
      \end{itemize}
  \end{itemize}
\end{frame}
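\begin{frame}{Summary}
  % \texttt{} replaces the obsolete {\tt ...} font switch.
  \begin{itemize}
    \item Iuh is actually not difficult conceptually
    \item Lack of good FOSS ASN.1 tools is biggest factor
    \item Obfuscation by IE Containers must be overcome
    \item In the end you spend 90\% of the time on tooling, before you can spend the remaining 10\% on actual code
    \item Core Iuh protocol code exists now as \texttt{osmo-iuh}
    \item Work on OsmoMSS and OsmoSGSN has not even started yet
    \item Volunteers needed. Now!
  \end{itemize}
\end{frame}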
\begin{frame}{Thanks}
  % Closing slide.
  Thanks for your attention. I hope we have time for Q\&A.
\end{frame}

\end{document}