OsmoSGSN: optional / mandatory authentication

Vadim Yanitskiy axilirator at gmail.com
Fri Jun 14 04:39:01 UTC 2019


Hi Pau,

today I cannot sign in to Gerrit for some magic reason,
so I would like to post some notes about your change [1].

[1] https://gerrit.osmocom.org/#/c/osmo-sgsn/+/14445/

> [...] it changed the default logic for remote policy to not require
> authentication, which broke TTCN3 tests because sgsn no longer
> tries to authenticate the users.

My bad, sorry for that.

> let's enable it by default when on auth-policy remote.

ACK.

> doc/manuals/vty/sgsn_vty_reference.xml
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)

Actually, no. My motivation for introducing this VTY parameter
was exactly the ability to use remote auth-policy (i.e. OsmoHLR)
to check if a subscriber is known, but not to require
authentication, just like we can do in CS-domain. In other words,
'authentication optional' should work with 'auth-policy remote'.

> src/gprs/sgsn_vty.c
> DEFUN(cfg_authentication, cfg_authentication_cmd,
> [...]
> Allow MS to attach via GERAN without authentication
> (default and only possible value for non-remote auth-policy)

Same here. It *is* possible for 'auth-policy remote' too.

> src/gprs/gprs_sgsn.c
> struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx)
> [...]
> inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;
> /* only applies if auth_policy is REMOTE */
> inst->cfg.require_authentication = true;
> [...]
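
Review bot: the comment above `inst->cfg.require_authentication = true;` says the flag only applies if auth_policy is REMOTE, yet the line before it sets the default policy to SGSN_AUTH_POLICY_CLOSED, and nothing in the quoted lines shows where the flag is ignored for non-remote policies. Suggest naming the code path that gates on auth_policy in that comment, so a reader of sgsn_instance_alloc() can verify the new default cannot affect the other policies.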

Are you sure this wouldn't break non-remote auth-policy use cases?

AFAIR, the GMM layer requests authentication regardless of the
'auth-policy', so then in 'gprs/sgsn_auth.c' we conditionally
perform authentication or immediately return SGSN_AUTH_ACCEPTED.

An alternative solution is to invert 'cfg.require_authentication',
e.g. to 'cfg.omit_authentication', so by default we will require
authentication since it's initialized to false.

With best regards,
Vadim Yanitskiy.
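
The flag-polarity point from the message above, as an added example that is not part of the original post and is not OsmoSGSN code: a simplified model with hypothetical names, showing what each polarity yields when the config starts zeroed and no explicit default is set. The 'authentication required' line and the rule that authentication only happens under the remote policy are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model for illustration only: hypothetical names, not OsmoSGSN code. */
enum policy { POLICY_CLOSED = 0, POLICY_REMOTE };

struct cfg {
	enum policy auth_policy;
	bool require_authentication; /* polarity A: zero value means "skip" */
	bool omit_authentication;    /* polarity B: zero value means "authenticate" */
};

/* Start from zeroed memory, as a zero-filling allocator would hand it out,
 * then apply config lines. Deliberately no explicit defaults are set. */
static struct cfg load(const char *const *lines, size_t n)
{
	struct cfg c;
	memset(&c, 0, sizeof(c));
	for (size_t i = 0; i < n; i++) {
		if (!strcmp(lines[i], "auth-policy remote")) {
			c.auth_policy = POLICY_REMOTE;
		} else if (!strcmp(lines[i], "authentication optional")) {
			c.require_authentication = false;
			c.omit_authentication = true;
		} else if (!strcmp(lines[i], "authentication required")) {
			/* assumed counterpart of 'authentication optional' */
			c.require_authentication = true;
			c.omit_authentication = false;
		}
	}
	return c;
}

/* Model assumption: authentication is only performed under the remote policy. */
bool auth_with_require_flag(const char *const *lines, size_t n)
{
	struct cfg c = load(lines, n);
	return c.auth_policy == POLICY_REMOTE && c.require_authentication;
}

bool auth_with_omit_flag(const char *const *lines, size_t n)
{
	struct cfg c = load(lines, n);
	return c.auth_policy == POLICY_REMOTE && !c.omit_authentication;
}
```

With only 'auth-policy remote' configured, the require-style flag skips authentication unless some initializer sets it, while the omit-style flag authenticates without any initializer.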