This tests P-TMSI assignment when P-TMSI patching is disabled. A test
with colliding P-TMSI in Attach Accept messages is included.
Note that P-TMSI collisions are not handled properly yet.
Sponsored-by: On-Waves ehf
Since this message puts the MS into DEREGISTERED state (like a detach
procedure), this message is parsed and the invalidate_tlli field is
set accordingly.
Sponsored-by: On-Waves ehf
Currently it is possible to create several tlli_info entries with the
same IMSI.
This patch disables this by adding a check before the imsi field
is updated.
Sponsored-by: On-Waves ehf
Currently a tlli_info entry is deleted when the TLLI gets invalidated
by a Detach message.
This patch introduces the possibility to keep tlli_info entries in
the list. Those entries then have cleared TLLI fields, are marked as
de-registered, and can only be retrieved by a message containing an
IMSI or a P-TMSI.
The following VTY configuration commands are added to the gbproxy
node:
- tlli-list keep-mode never : Don't keep the entries (default)
- tlli-list keep-mode re-attach : Only keep them, when a Detach
message with re-attach required has been received
- tlli-list keep-mode identified : Only keep entries which are
associated with an IMSI
- tlli-list keep-mode always : Keep all entries
Note that at least one of max-length or max-age should be set when
this feature is used to limit the number of entries.
Sponsored-by: On-Waves ehf
Currently when patching is basically enabled P-TMSI and TLLI gets
patched even when P-TMSI patching is not enabled. Albeit the result
is correct in this case (the same value is re-written), the counter
shows unexpected results.
This patch adds configuration checks for P-TMSI and TLLI patching. It
also reorders the code of gbproxy_patch_raid to return early if there
is nothing to patch.
Sponsored-by: On-Waves ehf
This test case consists of a sequence of several attach and detach
procedures. The kind of detach varies (mobile originated, mobile
terminated re-attach required, mobile terminated re-attach not
required, routing area update reject). To main focus is to check that
the tlli_info is de-registered correctly (not accessible via the
TLLI) and that can be re-used afterwards (which is not implemented
yet).
Sponsored-by: On-Waves ehf
If IMSI acquisition is enabled and the gbproxy receives a Detach
request from the MS, it cannot pass it to the SGSN since the
acquisition has not yet been completed.
This patch implements the generation of a Detach Accept message and
for this case and updates the TLLI state accordingly.
Sponsored-by: On-Waves ehf
Currently the RAI in the LLC part of the message is not updated if
the message has been taken from the list of stored messages. The
reason is, that old_raid_matches is update in
gbprox_process_bssgp_ul() but not in gbproxy_flush_stored_messages().
This patch moves the check to gprs_gb_parse_bssgp() which is called
at both places and where other fields like parse_ctx->tlli are set,
too.
In addition, old_raid_matches is replaced by old_raid_is_foreign
since this is clearer in the case when there is no old RAI at all.
Several RAI patch counter assertions are also added to
test_gbproxy_ra_patching().
Sponsored-by: On-Waves ehf
Add a Attach Request message to test_gbproxy_ra_patching, where the
BSSGP RAI differs from the old RAI signalled in the LLC part. This
case had not been tested explicitely yet.
Change the RAI in the first Attach Request in
test_gbproxy_imsi_acquisition from rai_unknown to rai_bss.
Add Detach Requests to test_gbproxy_imsi_acquisition, one for a
incomplete attach procedure and one for an unknown (fresh) TLLI.
In these cases, the acquisition of a IMSI is not necessary and also
doesn't work properly with an E71.
Sponsored-by: On-Waves ehf
This patch add explicit tests for
- gbproxy_peer_by_bvci
- gbproxy_peer_by_nsei
- gbproxy_cleanup_peers
- gbproxy_peer_by_rai
- gbproxy_peer_by_lai
- gbproxy_peer_by_lac
and for messages with an unknown TLLI sent by the SGSN.
Sponsored-by: On-Waves ehf
Currently the stored messages are only removed, when IMSI acquisition
has succeeded. In addition, receiving two ATTACH_REQ messages in
sequence (e.g. due to loss of a Identity Req/Resp message) will not
restart the IMSI acquisition procedure.
This patch adds gbproxy_tlli_info_discard_messages() to clean up the
message list and calls it from gbproxy_delete_tlli() fixing a
potential memory leak. It is also called when an Attach Request
message has been received. In that case the imsi_acq_pending flag is
cleared, too. This would (re-)trigger the IMSI acquisition procedure
at each of these messages. If an Ident Response has been lost,
resending the Ident Request with the same N(U) will not work.
Therefore the N(U) gets incremented on each Ident Request generated
by the gbproxy. The first N(U) used is 256 which shouldn't collide
with the V(UT) used by the SGSN given that P-TMSI patching is enabled
(since a new random TLLI is used initially on every new (no
tlli_info) connection and V(U) starts with zero then).
Ticket: OW#1261
Sponsored-by: On-Waves ehf
If the Attach Request procedure gets restarted e.g. because of a lost
message, all of these messages are stored if IMSI acquisition is in
progress.
This patch adds a test for this case and modifies the dump_peers
function to output the number of stored messages.
Note that the number of stored messages currently increases with each
(repeatedly) received Attach Request which is not the desired behaviour.
Sponsored-by: On-Waves ehf
Currently, a new P-TMSI within an Attach Accept or within an RA
Update Request is applied to the TLLI mapping (gbproxy_reassign_tlli)
_before_ patching is done. This can lead to inconsistent behaviour
when the TLLI validation has not been completed, which is the case
when subsequent RA UDP REQ are received. The new TLLI must not be
applied to the message itself yet, it should only be considered for
following messages.
This patch moves the TLLI reassignment to
gbproxy_update_tlli_state_after() to fix that.
It also separates the implementation of the feature that a new
tlli_info can be created when such a message is received from the
SGSN. This makes sense, when P-TMSI patching is not active and the
tlli_info entry has expired.
Sponsored-by: On-Waves ehf
Currently tlli_info are created for SGSN originated messages when
the SGSN TLLI cannot be found and P-TMSI patching is active. This
doesn't make much sense, since the BSS side TLLI is not known in this
case. Given that the SGSN is working properly, that can only happen
if either the tlli_info has expired or the gbproxy has been
restarted.
This patch disables the creation of a tlli_info in this case.
Note that these messages are passed unmodified to the MS so far.
Sponsored-by: On-Waves ehf
This adds a sequence of two RA update procedures to
test_gbproxy_ptmsi_patching(). Each of them assigns a new P-TMSI.
Note that the implementation fails to patch the RAI within the
message labelled 'RA UDP ACC (P-TMSI 3)' and logs 'TLLI sent by the
SGSN is unknown'.
Sponsored-by: On-Waves ehf
Currently the gbproxy sends STATUS messages that are not compliant to
GSM 08.18, 10.4.14.1: The BVCI must be included if (and only if) the
cause is either "BVCI blocked" or "BVCI unknown".
This patch adds a missing BVCI to UNKNOWN_BVCI and BVCI_BLOCKED
status messages if the BVCI is available. Otherwise, INV_MAND_INF is
used instead.
Sponsored-by: On-Waves ehf
Currently the numeric TLLI or tlli_info's enable_patching flag is
used to decide, whether a APN shall be patched or the secondary SGSN
shall be used. Using the numeric TLLI imposes a problem, when
TLLI/P-TMSI patching is used, since gbproxy_check_tlli uses the BSS
side TLLI namespace when trying to get the tlli_info.
This patch modifies the gbproxy_check_tlli() function to accept a
tlli_info pointer instead of a numeric TLLI. The tlli_info is already
available when the function is called. Since this a similar approach
has been used by accessing the enable_patching flag directly, this
commit unifies checking by always using this function instead of the
flag outside of gb_proxy_tlli.c.
This fixes the APN patching that doesn't work currently when P-TMSI
patching is enabled.
Sponsored-by: On-Waves ehf
This commit adds a single ACT PDP CTX REQ message to
test_gbproxy_ptmsi_patching() to check whether APN patching works in
this case, too.
Note that this doesn't work currently, the APN patch count is not
incremented.
Sponsored-by: On-Waves ehf
Some messages that are related to the BVC itself must be forwarded to
the secondary SGSN, too.
This patch implements this for BVC-RESET (BVCI != 0) and FLOW-CONTROL-BVC
messages. The resulting acknowledgement messages from the secondary
SGSN are silently dropped. The idea behind this is that the primary
SGSN is responsible for setting up and maintaining the BVC whereas
the secondary SGSN is rather passive and just has to accept it.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
This patch modifies gbprox_process_bssgp_ul() to send the message to
the secondary SGSN if the IMSI has matched and routing to the
secondary SGSN is enabled. The destination for stored messages is
modified accordingly.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch adds a case to test the establishment (and shutdown) of
connection between 2 MS and 2 SGSN, where the assignment is based
on each IMSI. Since BVC-RESET and FLOW-CONTROL-BVC will have to be
sent to both SGSN, an ACK is simulated for both.
New functions to generate FLOW-CONTROL-BVC(-ACK) messages are
provided.
It modifies dump_peers to add the string "IMSI matches" to a TLLI dump
line if appropriate.
Note that there is no real support to use a secondary SGSN in the
gbproxy yet, but the test code reflects the expected behaviour when
the feature is implemented.
Sponsored-by: On-Waves ehf
To modify or route messages based on the IMSI the latter must be known
when the action shall take place.
This patch modifies the gbproxy to optionally retain and enqueue
messages from the MS while initiating an identification procedure.
Further message processing of the LLC PTP link towards the SGSN will
be done, when the identity of the MS has been acquired.
Note that the N(U) of the LLC GMM SAPI are not adjusted, so it is
possible that adjacent messages of a single LLC link arriving either
at the BSS or the SGSN have the same N(U) and might get discarded,
leading to retransmissions and additional delay.
Note also that retransmissions and packet loss are not yet handled
explicitely. If for instance the generated IDENT REQ gets lost, the
gbproxy will not act on its own. In this case, the MS will time out
and eventually resend the Attach Request on which the gbproxy will
act exactly like before (thus having two Attach Req messages in its
queue, which will both be sent after the Ident Resp arrives).
This has been tested successfully with an E71, needing one
retransmission by the SGSN due to an N(U) collision.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch copies test_gbproxy_ptmsi_patching to
test_gbproxy_imsi_acquisition as a base for a later test for IMSI
acquisition (which is not yet implemented). The idea behind this is
to make the different behaviour visible in the ok file without
compromising the P-TMSI test.
Sponsored-by: On-Waves ehf
Currently when patching is enabled and an error happens when
receiving a message from the SGSN, the patched message is sent back
with the PDU_IN_ERROR IE.
This patch modifies gbprox_rx_sig_from_sgsn() to copy the message
before it is patched, so that the original message can be used with
the STATUS message. gbprox_rx_ptp_from_sgsn() does all checks before
the message is patched, so copying is not necessary.
Since gbprox_rx_sig_from_sgsn() is not called for BSSGP UNITDATA
messages and the msgb is already been copied in the gbprox_relay2peer
function, the relative performance impact is expected to be low.
Note that the PDU IE of STATUS messages received from an MS and
forwarded to the SGSN will not be patched. STATUS messages from the
SGSN are only logged and not forwarded to the MS.
Sponsored-by: On-Waves ehf
Currently messages like these with a TLLI IE (BSSGP) are not
tested (properly) with TLLI patching.
This patch extends the send_bssgp_suspend* functions to accept a
TLLI as argument and adds the send_bssgp_llc_discarded function.
These are then used in test_gbproxy_ptmsi_patching() with a valid
TLLI.
Note that the TLLI IE patching doesn't work currently.
Sponsored-by: On-Waves ehf
Add LLC test messages containing XID (SAPI LLGMM, U frame) and IP traffic
(SAPI LL11, UI frame).
Add a test case containing a complete SGSN session with TLLI/PTMSI
patching enabled.
Sponsored-by: On-Waves ehf
This patch separates BSS side from SGSN side TLLI/PTMSI tracking. When
TLLI/PTMSI patching is not enabled, the corresponding states shall be
identical. The TLLI/PTMSI state has been moved into the struct
gbproxy_tlli_state and is used twice in gbproxy_tlli_info.
Since the state handling for uplink and downlink messages is
diverging, gbprox_update_state() is replaced by two functions
gbprox_update_state_dl/gbprox_update_state_ul and
gbprox_process_bssgp_message() is replaced by
gbprox_process_bssgp_dl/gbprox_process_bssgp_ul.
Sponsored-by: On-Waves ehf
The following parts of the messages have been fixed
- Attach Accept: checksum
- Attach Complete: checksum
- RA Update Accept: Use the same MS Radio Access Capabilities and
DRX Parameters like the other messages
The N(U) of most messages have not been fixed.
Sponsored-by: On-Waves ehf
Don't replace the current TLLI immediately, store it in an additional
'assigned_tlli' field and discard the old TLLI when both sides have
used the new one (see GSM 04.08, 4.7.1.5).
Add an Attach Complete message to test and check, whether the related
field of the corresponding tlli_info struct are set as expected
during the local TLLI validation cycle.
Sponsored-by: On-Waves ehf
Currently the enable_patching field in tlli_info is not updated,
when an IMSI is assigned to a TLLI that is already known.
This patch fixes this in gbprox_update_state() after the call to
gbprox_update_tlli_info().
The number of APN increases and the test output file is updated
accordingly.
Sponsored-by: On-Waves ehf
GSM 24.008 also allows a P-TMSI field in Detach request messages.
This patch adds gbprox_parse_gmm_detach_req() to parse Detach Request
messages which sets the ptmsi field if the IE is present.
In addition, when power_off is set to 1 (MO only), the
invalidate_tlli field is set, since Detach Request message is
expected in this case.
The second detach test (see 'RA update') is modified to use
power_off instead of relying on a Detach Accept from the network.
To make this work, the PTMSI of the RA Update Accept is fixed to
match the TLLI of the Detach Request.
Sponsored-by: On-Waves ehf
This patch adds a combined expiry test to remove one entry by list
length and another by age.
This patch also modifies the existing age based test to register both
TLLI with a different timestamp and to remove only one of the TLLI
entries by age based expiration.
Sponsored-by: On-Waves ehf
This patches removes the call to gbprox_remove_stale_tllis()
from gbprox_register_tlli(), so it must be called explicitly now.
The call is now done from within gbprox_update_state_after().
In addition, the TLLI cache size counter is also kept in sync when
gbprox_remove_stale_tllis is called manually. The call to
gbproxy_peer_free() in gbproxy_peer_free() is moved behind the TLLI
to allow for counter updates in gbprox_delete_tlli().
Sponsored-by: On-Waves ehf
This adds a test for gbprox_set_patch_filter() and
gbprox_check_imsi().
It also fixes the masking of the type field when IMSIs are checked by
using GSM_MI_TYPE_MASK (0x07) instead of 0x0f.
Sponsored-by: On-Waves ehf
Currently only TLLIs for which it is known that they may be patched
are put into the TLLI list.
This patch changes this to add TLLIs even when the IMSI is not yet
known. A enable_patching flag is added to the gbproxy_tlli_info
structure to control patching.
Note that this puts every active TLLI into the list where accesses
are O(N) currently.
Sponsored-by: On-Waves ehf
This adds parsing support for the following messages:
- Attach Request: IMSI/PTMSI
- Identity Response: IMSI/PTMSI
- BSSGP: Optional TLLI IE
- BSSGP/PAGING_PS: PTMSI
A new new_ptmsi_enc field is added for newly assigned PTMSI in
SGSN->BSS messages (instead of ptmsi_enc). The ptmsi_enc field is now
used for informational PTMSI IE in messages.
Sponsored-by: On-Waves ehf
This adds a unit test for gbprox_register_tlli() and
gbprox_remove_stale_tllis().
The dump_peers() function is extended by a cfg parameter to support
a non-global gbproxy_config.
Done with Jacob
This commit adds code to parse the PTMSI in network originated
messages
- Attach Accept,
- Routing Area Update Accept, and
- P-TMSI Reallocation Command (see below)
to keep track of the TLLI identifying the LLC connection.
The P_TMSI Realloc Command specific code is not being tested yet, so
a corresponding notice is logged when such a message will be
received.
NOTE:
The gbproxy will lose the TLLI when the MS doesn't receive/use
the message (normally the SGSN remembers the old TLLI for some time
to avoid this kind of problem). If this happens the MS will
probably restart the procedure and the network will have to answer
again eventually using one of the above messages which will
re-associate the IMSI with the TLLI before the MS can send a
PDP Context Request message.
Ticket: OW#1192
Sponsored-by: On-Waves ehf
This adds a set of function that parse a single tlv, lv, tv, or v
encoded information element. They are complementary to the *_put
functions defined in libosmocore's tlv.h file. The functions update
the data and data_len fields unless they are a 'match' function and
the tag field doesn't match.
Sponsored-by: On-Waves ehf
Currently the enabled_tllis_count field isn't always decremented when
an element is removed from the TLLI cache list.
This patch adds the missing update and also adjusts the counter
accordingly.
Sponsored-by: On-Waves ehf
Add TLLI cache output to gbprox_dump_peers() to include this info
into the test output.
Separate RA Update Req message handling from Attach Request handling.
Note: There is no test case for the P-TMSI Reallocation Command yet.
Sponsored-by: On-Waves ehf
This commit adds the following counters:
- attach-reqs: Number of Attach Request messages
- attach-rejs: Number of Attach Reject messages
- tlli-cache: Size of the TLLI cache
Sponsored-by: On-Waves ehf
This patch adds IMSI/TLLI connection tracking and uses it to control
APN patching based on the IMSI. TLLI entries can expire based on age
and/or by limiting the TLLI list size.
VTY config-gbproxy:
no core-access-point-name disable APN patching
core-access-point-name none remove APN if present
core-access-point-name APN replace APN if present
core-access-point-name none match-imsi RE remove if IMSI matches
core-access-point-name APN match-imsi RE replace if IMSI matches
tlli-list max-age SECONDS expire after SECONDS
no tlli-list max-age don't expire by age
tlli-list max-length N keep N entries only
no tlli-list max-length don't limit list length
RE is an extended regular expression, e.g. ^12345|^23456
Ticket: OW#1192
Sponsored-by: On-Waves ehf
Currently, all patching state is stored globally in the gbproxy. Thus
the feature cannot be used safely with a concentrating gbproxy (NAT).
This patch moves the state and relevant counters to the gbprox_peer
structure. It adds code to resolve the corresponding peer when
packets are received by looking at BVCI, NSEI, and BSSGP IEs (BVCI,
RAI/LAI/LAC) when the peer is not passed to the
gbprox_patch_bssgp_message() function.
Test cases are also added for the SGSN->BSS case including test cases
with invalid identifiers.
Note that this patch should make it possible to use RAI patching at a
NAT gbproxy as long as the messages are not encrypted.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This patch adds a Detach Request (MO) / Detach Accept sequence to the
test, followed by another (here invalid) Act PDP Context Req which
should be APN patched.
Sponsored-by: On-Waves ehf
Add a DTAP GMM Information message with an IMSI in the BSSGP header
to enable the association between IMSI and TLLI.
The TLLI of the Routing Area Update messages is set to foreign.
Sponsored-by: On-Waves ehf
Patch the APN in every 'Activate PDP Context Request' message to the
value given by the 'core-access-point-name' command. If the command is
given without an APN, the whole APN IE will be removed. If the
command is being prefixed by a 'no', the APN IE remains unmodified.
The patch mode 'llc-gsm' is added to selectively enable the patching
of LLC session management messages. This is enabled implicitely by
the patch mode 'llc'.
Note that the patch mode should not be set to a value not enabling
the patching of LLC GSM messages ('llc-gsm', 'llc', and 'default' are
sufficient to patch 'Activate PDP Context Request' messages).
Ticket: OW#1192
Sponsored-by: On-Waves ehf
This patch extends the BSSGP patch code to also patch LLC information
elements along with MCC/MNC patching support for the following messages:
- Attach Request
- Attach Accept
- Routing Area Update Request
- Routing Area Update Accept
- P-TMSI reallocation command
Note that encrypted packets will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This adds a feature to patch the BSSGP MNC/MCC fields of messages going
to and coming from the SGSN. To enable this feature, the gbproxy's
VTY commands 'core-mobile-country-code' and/or
'core-mobile-network-code' must be used. All packets to the SGSN are
patched to match the configured values. Packets received from the
SGSN are patched to the corresponding values as last seen from the BSS
side.
Note that this will probably not work with a gbproxy used for several
BSS simultaneously.
Note also, that MCC/MNC contained in a LLC IE will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
Jacob Erlbeck