osmodevcon2024: osmo_epdg: add more waffles

Source: http://avegantisch.de/waffel-sonntag/

2024/osmodevcon2024/open5gs_feedback/slides.adoc

@@ -7,6 +7,10 @@ open5gs - feedback from user point of view
 
 == open5gs - feedback from user point of view
 
+* First of all: open5gs is awesome!
+
+== open5gs - feedback from user point of view
+
 * Source file structure:
 ** (*-build.c, *-path.c, *-handler.c, *-context.c, *-sm.c)
 
@@ -22,7 +26,7 @@ open5gs - feedback from user point of view
 
 * Commits:
 ** Meaningful commit messages
-** Logical change per commit
+** (Ideally just one!) logical change per commit
 
 == open5gs - feedback from user point of view
 
@@ -33,6 +37,33 @@ open5gs - feedback from user point of view
 
 * Config file syntax backward compatibility
 
+Very recently:
+
+....
+commit a6830b30a0093ed2fa9d563445bf67026588a8f2
+Author: Sukchan Lee <acetcom@gmail.com>
+Date:   Sat Apr 13 19:28:36 2024 +0900
+
+    [SMF/UPF] Changes subnet configuration (#2975)
+
+    The way subnet is set up has changed as shown below.
+
+    ```
+    <OLD Format>
+    smf:
+      session:
+        - subnet: 10.45.0.1/16
+
+    <NEW Format>
+    smf:
+      session:
+        - subnet: 10.45.0.0/16
+          gateway: 10.45.0.1
+    ```
+
+    For more information, please refer to Pull Request #2975.
+....
+
 == open5gs - feedback from user point of view
 
 * mongodb backend:
@@ -43,6 +74,7 @@ open5gs - feedback from user point of view
 
 * make new features optional
 * open5gs-smfd: Failed to connect to SBI
+** (This is actually optional, but not very obvious? -> documentation?)
 
 == open5gs - congress 36c3 (2023)
 
@@ -55,3 +87,7 @@ open5gs - feedback from user point of view
 
 * interface to inspect state
 * 
+
+== EOF
+
+* again: open5gs is awesome!

2024/osmodevcon2024/osmo_epdg/Makefile

@@ -1,8 +1,7 @@
-OSMO_GSM_MANUALS ?= "/home/$(USER)/projects/osmo-gsm-manuals/"
 html: slides.html
 
 slides.html: *.adoc
-	asciidoc -f "$(OSMO_GSM_MANUALS)/build/mscgen-filter.conf" slides.adoc
+	asciidoc -f "./build/mscgen-filter.conf" slides.adoc
 
 .PHONY: html
 

2024/osmodevcon2024/osmo_epdg/ansible_setup.dot

@@ -0,0 +1,46 @@
+digraph G {
+    
+  UE -> strongSwan;
+
+  subgraph cluster_0 {
+    label = "ePDG";
+    osmoepdg [label="osmo-epdg/erlang"];
+    strongSwan;
+  }
+
+  subgraph cluster_1 {
+    label = "epc/Open5GS";
+    HSS;
+    PCRF;
+    SMF;
+    UPF;
+    mongo [label="MongoDB"];
+  }
+  
+  subgraph cluster_2 {
+    label = "IMS";
+    PCSCF [label="P-CSCF"];
+    ICSCF [label="I-CSCF"];
+    SCSCF [label="S-CSCF"];
+    mysql;
+  }
+  
+  strongSwan -> osmoepdg;
+  osmoepdg -> HSS;
+  osmoepdg -> SMF;
+  osmoepdg -> PCRF;
+  
+  SMF -> UPF;
+  SMF -> HSS;
+  
+  HSS -> mongo;
+  PCRF -> mongo;
+  
+  UPF -> PCSCF;
+  UPF -> ICSCF;
+  UPF -> SCSCF;
+  
+  PCSCF -> mysql;
+  SCSCF -> mysql;
+  
+}

2024/osmodevcon2024/osmo_epdg/build/filter-wrapper.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+"""Simple wrapper for filter programs which ensures that a blank
+is returned as output.  The purpose is to silence the
+AsciiDoc warning "no output from filter".
+"""
+
+import sys, subprocess
+
+p = subprocess.Popen(sys.argv[1:])
+sys.stdout.write(' ') # To suppress asciidoc 'no output from filter' warnings.
+sys.exit(p.wait())
+

2024/osmodevcon2024/osmo_epdg/build/mscgen-filter.conf

@@ -0,0 +1,23 @@
+#
+# AsciiDoc mscgen filter configuration file.
+# ${OSMO_GSM_MANUALS}/build is symlinked to ./build when building.
+#
+
+[mscgen-filter-style]
+mscgen-style=template="mscgen-block",subs=(),posattrs=("style","target"),filter='./build/filter-wrapper.py mscgen -o "{outdir={indir}}/{imagesdir=}{imagesdir?/}{target}" -T{format={basebackend-docbook!svg}{basebackend-docbook?svg}} -'
+
+[blockdef-listing]
+template::[mscgen-filter-style]
+
+[paradef-default]
+template::[mscgen-filter-style]
+
+[mscgen-block]
+template::[filter-image-pngsvg-blockmacro]
+
+[filter-image-pngsvg-blockmacro]
+{target%}{counter2:target-number}
+{target%}{set2:target:{docname}__{target-number}.{format={basebackend-docbook!svg}{basebackend-docbook?svg}}}
+|
+template::[image-blockmacro]
+

2024/osmodevcon2024/osmo_epdg/sip_register_msc_gen.dot

@@ -1,5 +1,5 @@
 msc{
-  hscale = 2;
+  width = 1400;
   UE, DNS, ePDG, IMS;
   
   UE => DNS [label="A/AAAA epdg.epc.mnc070.mcc901.pub.3gppnetwork.org"];

2024/osmodevcon2024/osmo_epdg/slides.adoc

@@ -1,6 +1,6 @@
 osmo-epdg: The osmocom ePDG for VoWiFi
 ======================================
-:author:	Pau Espin Pedrol <pespin@sysmocom.de>
+:author:	Alexander Couzens <acouzens@sysmocom.de>, Pau Espin Pedrol <pespin@sysmocom.de>
 :copyright:	2024 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de> (License: CC-BY-SA)
 :backend:	slidy
 :max-width:	54em
@@ -13,6 +13,8 @@ osmo-epdg: The osmocom ePDG for VoWiFi
 * link:https://nlnet.nl/project/Osmocom-ePDG/[NLnet Foundation grant] to implement open source EPDG.
 * link:https://osmocom.org/projects/osmo-epdg/wiki[osmo-epdg] is implemented
 
+image:waffles-2812276262.jpg[height=400]
+
 
 == Architecture: Control plane
 
@@ -22,132 +24,26 @@ include::osmo_epdg_architecture_control_plane.adoc[]
 
 include::osmo_epdg_architecture_user_plane.adoc[]
 
-== UE
+== strongSwan / Why?
 
-* UE can behave nice and just work.
-* but they don't
+* IKEv2 (control plane)
+* ESP (user plane)
+* EAP/AKA implementation
 
-== What a phone should do?
+== strongSwan / Why?
 
-* Read Simcard related files (name it)
-* Read UE configuration
-* Do DNS query
-* Connect to ePDG (SWu/IPsec/IKEv2)
-* IMS connection with SIP + ESP protection
-
-== What a phone should do?
-
-[mscgen]
-----
-include::sip_register_msc_gen.dot[]
-----
-
-== What a phone should do?
-
-* Read Simcard related files (name it)
-* Read UE configuration
-* **Read hidden baseband configuration**
-* Do DNS query
-* Connect to ePDG (SWu/IPsec/IKEv2)
-* IMS connection (*sorry we don't do spec compliant IMS*)
-
-== Android
-
-* use Open Mobile Network Toolkit
-* Thanks to Peter, Johann, ...
-* (usually) requires Android Carrier Settings
-
-== Pixel (6/7/7a)
-
-* All based on Google/Samsung SoC
-* Shannon baseband (Samsung)
-
-== Pixel (6/7/7a)
-
-* All based on Google/Samsung SoC
-* Shannon baseband (Samsung)
-* Insert commerical SIM
-* Insert osmocom SIM
-* Connect to ePDG
-
-== Pixel 6 IMS
-
-* Pixel 6
-* Connect to IMS
-* Does SIP Auth/AKA
-* **forgets** to do ESP on the SIP
-
-== Pixel 7/7a IMS
-
-* Connect to IMS
-* **Tries** SIP Auth/AKA
-* Depends on the IMS
-* Doesn't encode SIP auth fields correct
-
-image:screenshot_pixel7_wireshark.png[height=600]
-
-== Pixel 7/7a IMS
-
-* Connect to IMS
-* **Tries** SIP Auth/AKA
-* Depends on the IMS
-* Doesn't encode SIP auth fields correct
-
-image:screenshot_pixel7_wireshark_errors.png[height=600]
-
-== Pixel 7/7a IMS
-
-* Connect to IMS
-* **Tries** SIP Auth/AKA
-* Depends on the IMS
-* Doesn't encode SIP auth fields correct
-
-image:screenshot_pixel7_wireshark_errors_correct.png[height=600]
-
-== Pixel 7/7a IMS
-
-* Connect to IMS
-* **Tries** SIP Auth/AKA
-* Depends on the IMS
-* Doesn't encode SIP auth fields correct
-
-image:screenshot_pixel7_wireshark_errors_correct2.png[height=600]
-
-== iPhones
-
-* Seems to be a good testing phone
-* MCC 999 only support data! Skip 999
-
-== iPhones
-
-* Seems to be a good testing phone
-* MCC 999 only support data!
-
-image:screenshot_iphone_ipsec_failure.png[height=600]
-
-== other phones?
-
-* unsure
-* Qualcomm seems problematic requires additional configs 
-
-== strongSwan
-
-* Instead of impementing IKEv2
+[role="incremental"]
+* Instead of impementing IKEv2/ESP/crypto
 * use strongSwan to do it
 * other people seems to have done it as well
 * plugin architecture
 
-== strongSwan
-
-* IKEv2
-* ESP
-* EAP/AKA implementation
-
-== strongSwan
+== strongSwan / How?
 
+[role="incremental"]
 * create a plugin
 * use hooks
-* implement a GSUP protocol to handle state
+* CEIA: a GSUP protocol to handle state
 
 == strongSwan
 
@@ -156,9 +52,6 @@ image:screenshot_iphone_ipsec_failure.png[height=600]
 include::strongswan_internal.dot[]
 ----
 
-
-* TODO-lynxis: Talk about strongswan, ipsec, IKEv2, specific configs which were needed
-
 == Erlang domain: osmo-epdg
 
 .Control Plane
@@ -187,20 +80,184 @@ include::osmo_epdg_sample_cfg_file.adoc[]
 
 == open5gs
 
+[role="incremental"]
 * Some specific patches for S2b were merged open5gs upstream:
 ** APCO IE (DNS, P-CSCF addr) handling link:https://github.com/open5gs/open5gs/commit/4aaac999f7bc337bcaed2789ccc6269c256564d2[(1)].
 ** Gy bugs in S2b: link:https://github.com/open5gs/open5gs/commit/32de75b1a50ffbd324b60f93103dbe2853a45bc5[(1)].
 
-* TODO-lynxis: Maybe talk about the required specific open5gs configs?
+* Configs
+** PGW/SMF: P-CSCF PCO
+** HSS: Allow APN ims
 
-== IMS
+== IMS / kamailio
 
-* TODO-lynxis: Talk about kamailio, specific configs which were needed
+[role="incremental"]
+* follow open5gs/IMS howto
+* better use an old version
+[role="incremental"]
+** (or have crashes)
+* example dialplan not perfect
+** can't call itself
+** might want to add a pbx
+
+== UE
+
+[role="incremental"]
+* UE can behave nice and just work.
+[role="incremental"]
+* but they don't
+
+== What a phone should do?
+
+* Read Simcard related files
+* Read UE configuration
+* Do DNS query
+* Connect to ePDG (SWu/IPsec/IKEv2)
+* IMS connection with SIP + ESP protection
+
+== What a phone should do?
+
+[mscgen]
+----
+include::sip_register_msc_gen.dot[]
+----
+
+== DNS override
+
+* required for testing
+* epdg.epc.mnc070.mcc901.pub.3gppnetwork.org
+* 213.95.46.81 (epdg.osmocom.org)
+
+== What a phone should do?
+
+* Read Simcard related files
+* Read UE configuration
+* Do DNS query
+* Connect to ePDG (SWu/IPsec/IKEv2)
+* IMS connection with SIP + ESP protection
+
+== What a phone should do?
+
+* Read Simcard related files
+* Read UE configuration
+* **Read hidden baseband configuration**
+* Do DNS query
+* Connect to ePDG (SWu/IPsec/IKEv2)
+* IMS *hacks* (*sorry we don't do spec compliant IMS*)
+
+== Android
+
+* use Open Mobile Network Toolkit
+* use CoIMS
+* Thanks to Supreeth, Peter, Johann, ...
+* (usually) requires Android Carrier Settings
+
+== Android / Carrier Profiles
+
+* .xml on the filesystem
+** MCC/MNC
+** SPN/GID1/GID2
+** IMSI ranges
+* Android application (trust by simcard)
+
+== Pixel (6/7/7a)
+
+* All based on Google/Samsung SoC
+* Shannon baseband (Samsung)
+
+== Pixel (6/7/7a)
+
+* All based on Google/Samsung SoC
+* Shannon baseband (Samsung)
+[role="incremental"]
+* Insert commerical SIM
+* Insert osmocom SIM
+* Connect to ePDG
+
+== Pixel 6 IMS
+
+* Connect to IMS
+* Does SIP Auth/AKA
+[role="incremental"]
+* **forgets** to do ESP on the SIP
+
+== Pixel 7/7a IMS
+
+* Connect to IMS
+[role="incremental"]
+* **Tries** SIP Auth/AKA
+* Depends on the IMS
+* Doesn't encode SIP auth fields correct
+
+image:screenshot_pixel7_wireshark.png[height=400]
+
+== Pixel 7/7a IMS
+
+* Connect to IMS
+* **Tries** SIP Auth/AKA
+* Depends on the IMS
+* Doesn't encode SIP auth fields correct
+
+image:screenshot_pixel7_wireshark_errors.png[height=400]
+
+== Pixel 7/7a IMS
+
+* Connect to IMS
+* **Tries** SIP Auth/AKA
+* Depends on the IMS
+* Doesn't encode SIP auth fields correct
+
+image:screenshot_pixel7_wireshark_errors_correct.png[height=400]
+
+== Pixel 7/7a IMS
+
+* Connect to IMS
+* **Tries** SIP Auth/AKA
+* Depends on the IMS
+* Doesn't encode SIP auth fields correct
+
+image:screenshot_pixel7_wireshark_errors_correct2.png[height=400]
+
+== iPhones
+
+* Seems to be a good testing phone
+* MCC 999 only support data! Don't use 999 for Voice
+
+== iPhones
+
+* Seems to be a good testing phone
+* MCC 999 only support data! Don't use 999 for Voice
+
+image:screenshot_iphone_ipsec_failure.png[height=100]
+
+== iPhones
+
+* Seems to be a good testing phone
+* MCC 999 only support data! Don't use 999 for Voice
+
+image:screenshot_iphone_ipsec_failure.png[height=100]
+
+* This might be a config option
+
+== other phones?
+
+[role="incremental"]
+* unsure
+* qualcomm! ACLs on the baseband filesystem
+* mediatek?
+* huawei?
 
 == Ansible setup
 
-* TODO: Talk about ansible-prototype and the manual tests we did
-* Tell how to test with SWu-EMulator
+* 3 VMs
+** ePDG/AAA
+** epc
+** IMS
+
+[graphviz]
+----
+include::ansible_setup.dot[]
+----
 
 == TTCN-3: EPDG_Tests
 
@@ -209,14 +266,34 @@ include::ttcn3_component_diagram.adoc[]
 * Extra script to set up iface + routing for userplane in docker-playground setup
 * 15 tests so far
 
+== Testing SWu-IKEv2
+
+* python script
+* 3.5k
+[role="incremental"]
+* implement IKEv2, ESP, EAP, ..
+* tun interface
+* pcscd, csv file, https server
+
 == Future work
 
-* Implement SWm Diameter interface over the wire
+[role="incremental"]
 * Split AAA out of osmo-epdg into its own process
+** Implement SWm Diameter interface over the wire
 * Implement GTPUv1 inner IPv6 support
 * Implement GTPUv1 outter IPv6 support
 * Implement GTPCv2 IPv6 support
 * Get changes to erlang repositories gtplib, gtp_u_kmod, gen_netlink, gen_socket merged upstream (travelping)
+* IKEv2 Notify Payloads (Network error code, Request IMEI)
+
+== Thanks!
+
+* Thanks to NLnet for funding
+* Open5GS
+* CoIMS
+* OMNT
+* kamailio
+* strongSwan
 
 == Know more
 
@@ -224,3 +301,4 @@ include::ttcn3_component_diagram.adoc[]
 * link:https://osmocom.org/projects/osmo-epdg/wiki[osmo-epdg redmine osmocom project]
 * link:https://gitea.osmocom.org/ims-volte-vowifi/ansible-prototype[Deploy with Ansible]
 * link:https://github.com/fasferraz/SWu-IKEv2[SWu-IKEv2]
+