manual: adjust and fix auth and ciph docs

Change-Id: Iffe159d4c0e0e9439f8719e0ddd28f06d4c80d9f
changes/21/15021/2
Neels Hofmeyr 4 years ago
parent 3e1e47679d
commit 75bdbbf45d
  1. 68
      doc/manuals/chapters/net.adoc

@ -101,32 +101,56 @@ operating system on which OsmoMSC is running.
=== Authentication
Authorized subscribers must be entered in the HLR database, see the _OsmoHLR
reference manual_ <<userman-osmohlr>>. If authentication tokens (such as KI for
2G, or K and OP/OPC for UMTS) are present in the HLR, OsmoMSC will only attach
a subscriber after successful authentication.
A subscriber's IMSI must be entered in the HLR database to be able to attach. A
subscriber-create-on-demand feature is also available, see the _OsmoHLR
reference manual_ <<userman-osmohlr>>.
If no authentication keys are present in the HLR for a given subscriber,
OsmoMSC will attach the subscriber _without_ authentication. You can reject
subscribers that lack authentication info in the HLR with this setting:
A known IMSI in the HLR may or may not have authentication keys associated,
which profoundly affects the ability to attach and the algorithms used to
negotiate authentication, as the following sections explain for 2G and 3G.
==== Authentication on 2G
If authentication tokens (such as KI for 2G, or K and OP/OPC for UMTS) are
present in the HLR, OsmoMSC will only attach a subscriber after successful
authentication. Note that the 3G authentication keys are also used on 2G when
the MS indicates UMTS AKA capability, in which case the full UMTS style mutual
authentication may indeed take place on 2G (GERAN).
On 2G, if no authentication keys are present in the HLR for a given subscriber,
OsmoMSC will attach the subscriber _without_ authentication. Subscribers that
lack authentication keys can always be rejected with this setting:
----
network
authentication required
----
==== Authentication on 3G
3G (UTRAN) always requires authentication (a.k.a. Integrity Protection) by
specification, and hence authentication keys must be present in the HLR for a
subscriber to be able to attach on 3G.
OsmoMSC always indicates UIA1 and UIA2 as permitted Integrity Protection
algorithms on 3G.
=== Ciphering
To enable ciphering on the radio link, authentication must take place first:
the Kc resulting from authentication is the key used for ciphering. Hence, all
subscribers must have authentication tokens available in the HLR for ciphering.
the Kc resulting from authentication is the key used for ciphering. Hence, to
be able to use ciphering, a subscriber must have authentication tokens
available in the HLR.
==== Ciphering on 2G
The MS, BTS and MSC must agree on a ciphering algorithm to use.
- The MS sends its supported ciphering algorithms via Classmark IEs during
Location Updating.
- Typically the BSC needs to know which A5 ciphers are supported by connected
BTSes.
BTSes, see the `network / encryption a5` configuration item for OsmoBSC
<<vty-ref-osmobsc>>.
- Finally, OsmoMSC may impose that specific A5 ciphers shall not be considered.
It is the responsibility of the BSC to then pick an A5 cipher that satisfies
@ -143,12 +167,28 @@ network
+
----
network
encryption a5 3
encryption a5 1 3
----
- Never use A5/2: it is an "export grade cipher" and has been deprecated for
its low ciphering strength.
NOTE: At the time of writing, OsmoMSC supports setting only a single A5 cipher,
while it should be able to allow a set of ciphers. This is subject to ongoing
development.
- To allow either no encryption or any of A5/1 or A5/3 based on the presence of
authentication keys and abilities of the MS, SIM and BSC configuration, it is
recommended to enable all ciphers in OsmoMSC. The highest available A5 cipher
will be used; the order in which the A5 options are configured does not
affect the choice.
+
----
network
encryption a5 0 1 3
----
==== Ciphering on 3G
While authentication is always required on 3G, ciphering is optional.
So far OsmoMSC lacks explicit configuration for ciphering on 3G. As an interim
solution, ciphering is always enabled on 3G.
OsmoMSC indicates UEA1 and UEA2 as permitted encryption algorithms on 3G.

Loading…
Cancel
Save