On Sun, 30 Jan 2011 03:42:43 -0800 (PST), Bogdan Alecu wrote:
Hello, I noticed that when I start the mobile application, after the phone chooses a specific channel I get different messages regarding IMSI saying that it's not for us. What are these messages? Phones that camp on this channel? If so, I tried turning off/on a phone from the same operator but I can't see my IMSI showing up.
These are paging requests for phones in your location area. As osmocombb receives them and checks them for its own IMSI/TMSI, it discards those ones you observed. The IMSI of your other phone should not ever be seen on the paging channel, as GSM tries to avoid sending out IMSIs as much as possible. Instead the network attaches a TMSI to the IMSI on your phone's first network login (location update) and uses that from there on for addressing the phone. This TMSI is kept by storing it on the SIM card, even over a power cycle.
Regards, Mad
Hi Mad, Thanks for explaining this to me. The case of the TMSI is different from network to network: some operators change it every x minutes, others after a power cycle (at least here). You say that GSM tries to avoid sending out IMSIs, but still some are sent. If I sent an SMS to the phone, so that it gets a paging request, should I see the IMSI in that list as well?
--- On Sun, 1/30/11, mad@auth.se wrote:
From: mad@auth.se; Subject: Re: Channel info; To: "Bogdan Alecu" b.alecu@yahoo.com; Cc: baseband-devel@lists.osmocom.org; Date: Sunday, January 30, 2011, 3:54 PM
On Sun, Jan 30, 2011 at 11:20 AM, Bogdan Alecu b.alecu@yahoo.com wrote:
If you send an SMS to the phone, the "typical scenario" would be:
- Network pages the mobile, most likely with its TMSI (as stated before)
- Mobile will send a RACH to request a dedicated channel
- Network will assign the mobile to a dedicated channel (typically an SDCCH)
- Network will perform contention resolution on the dedicated channel to ensure that it is the correct mobile (to cover the rare case where two mobiles RACH at the exact same time)
- Network may or may not begin ciphering at this point
- Network will deliver the SMS payload to the mobile through a series of messages on the dedicated channel
- Mobile will ack each message, letting the network know that it has received what was sent
- Network will release the dedicated channel, the mobile will go back to its idle mode (monitoring the paging channels etc.), and the mobile will then have the SMS
It is up to the network to decide what ID type it wants to use to page a mobile, and this is dependent on a number of factors. Almost always it uses the TMSI, sometimes IMSI, and _very_ rarely an IMEI. It is certainly possible that the network can also request identity info (IMSI, IMEI) from the mobile on the dedicated channel, as well as a whole host of other message requests while on the dedicated channel.
So in short, unless you're lucky enough to have the network page you with your IMSI, it is unlikely you will see it.
On Sun, 30 Jan 2011 11:34:01 -0600, John Orlando wrote:
It is up to the network to decide what ID type it wants to use to page a mobile, and this is dependent on a number of factors. Almost always it uses the TMSI, sometimes IMSI, and _very_ rarely an IMEI.
In gsm 04.08 9.1.22.3 it says "The Mobile Identity 1 and 2 IEs shall not refer to IMEI.". So a standard compliant network should never do that.
Have you actually seen that on any live network?
So in short, unless you're lucky enough to have the network page you with your IMSI, it is unlikely you will see it.
Sometimes, when some network components like the auth server/VLR are overloaded with entries or requests, there are many IMSIs on the air. And often at not-so-busy times, too. I've observed that regularly but have not heard any fully explanatory conclusion to that yet.
Regards, Mad
Hi,
On 30.01.2011 18:59, mad@auth.se wrote:
In gsm 04.08 9.1.22.3 it says "The Mobile Identity 1 and 2 IEs shall not refer to IMEI.". So a standard compliant network should never do that.
Have you actually seen that on any live network?
"The reason why you see paging by IMSI in real-world GSM networks" http://laforge.gnumonks.org/weblog/2010/06/28/
Regards, Steve
Hi again,
On 30.01.2011 19:05, Steve Markgraf wrote:
In gsm 04.08 9.1.22.3 it says "The Mobile Identity 1 and 2 IEs shall not refer to IMEI.". So a standard compliant network should never do that.
"The reason why you see paging by IMSI in real-world GSM networks"
Sorry, I confused IMEI/IMSI. Forget about my last message, although Harald's blog post may still be interesting in the context of this thread.
Regards, Steve
On Sun, 30 Jan 2011 19:32:04 +0100, Steve Markgraf wrote:
Sorry, I confused IMEI/IMSI. Forget about my last message, although Harald's blog post may still be interesting in the context of this thread.
No, you were right about that; the second part of my post was about IMSIs on air.
I had already read Harald's post, but I'm not fully convinced of all of his explanations. At least not on modern state-of-the-art core networks. Too little RAM or volatile storage on restarting VLRs: is that really still an issue there?
The third point, that expired TMSIs on unreachable phones with a fallback to IMSI paging are the main cause, sounds much more convincing to me.
But as David pointed out, 10-25% IMSI paging is a lot, and even a constant 2-5%, as I observed, is a lot for a location area or a whole MSC area. Did anyone do some research on that?
Regards, Mad
On Sun, Jan 30, 2011 at 11:59 AM, mad@auth.se wrote:
In gsm 04.08 9.1.22.3 it says "The Mobile Identity 1 and 2 IEs shall not refer to IMEI.". So a standard compliant network should never do that.
Have you actually seen that on any live network?
Hmm... I stand corrected regarding the use of IMEI to page the mobile in GSM. It should only be TMSI or IMSI. I was mixing up the GSM paging options with the Iridium satellite phone paging options (where the IMEI can be used to page the mobile in some situations). Too many standards to remember...
I find that real-world networks page by IMSI 10%-25% of the time, depending on the operator and location. According to Harald's blog post on this topic, recently referenced on this list, he has made similar observations and offers some possibilities as to why.
Also, as Steve Markgraf pointed out, GSM 04.08 9.1.22.3 explicitly disallows paging by IMEI. Networks are not supposed to do it and phones are not supposed to respond to it. It would be easy for someone to hack OpenBTS or OpenBSC to see how phones respond to this type of paging, but I have never seen it in a real network. I doubt seriously if any phone will respond, but I do wonder how many will crash their baseband stacks when presented with these messages.
On Jan 30, 2011, at 9:34 AM, John Orlando wrote:
David A. Burgess, Kestrel Signal Processing, Inc.
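A worked decoder for the paging messages this thread is about, added here as an example; it is not code from osmocombb, OpenBTS or any of the posters. It builds and parses the PAGING REQUEST TYPE 1 block of GSM 04.08 (9.1.22: L2 pseudo length, RR protocol discriminator, message type 0x21, page mode/channels needed, Mobile Identity 1 as LV, optional Mobile Identity 2 as TLV with IEI 0x17) and the Mobile Identity IE of 10.5.1.4 (type of identity in bits 1-3, odd/even bit, BCD digits, TMSI as four octets after 0xF4). On top of that it does the two things the thread discusses: it tallies the share of pagings that use the IMSI rather than the TMSI (the 2-5% Mad sees, the 10-25% David sees), and it flags paging by IMEI, which 9.1.22.3 forbids. The function names, the constants and the sample frames, including every IMSI and TMSI value in them, are my own constructions for the example; only the byte layout follows the specification.

```python
"""Decode GSM 04.08 PAGING REQUEST TYPE 1 blocks and tally paging identity types.
Added example, not osmocombb code. Sample identities below are constructed."""
from __future__ import annotations
from collections import Counter
from typing import List, Optional, Tuple

RR_PD = 0x06                    # RR protocol discriminator
PAGING_REQUEST_TYPE_1 = 0x21    # RR message type
MI2_IEI = 0x17                  # IEI of the optional Mobile Identity 2 TLV
# Type of identity, bits 1-3 of the first Mobile Identity octet (04.08 10.5.1.4)
MI_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
MI_TYPE_IDS = {name: tid for tid, name in MI_TYPES.items()}


def encode_mobile_identity(kind: str, value: str) -> bytes:
    """Value part of a Mobile Identity IE (length octet not included)."""
    type_id = MI_TYPE_IDS[kind]
    if kind == "TMSI":
        # high nibble 0xF, odd/even = 0, then the 32-bit TMSI
        return bytes([0xF0 | type_id]) + bytes.fromhex(value)
    digits = [int(c) for c in value]
    odd = len(digits) % 2
    out = [(digits[0] << 4) | (odd << 3) | type_id]    # digit 1 shares octet 3
    rest = digits[1:] + ([0xF] if not odd else [])     # 0xF filler for even counts
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)                     # lower digit in the low nibble
    return bytes(out)


def decode_mobile_identity(mi: bytes) -> Tuple[str, str]:
    """Decode a Mobile Identity IE value part into (type name, identity)."""
    if not mi:
        raise ValueError("empty Mobile Identity")
    type_id = mi[0] & 0x07
    odd = (mi[0] >> 3) & 0x01
    kind = MI_TYPES.get(type_id, f"reserved({type_id})")
    if kind == "none":
        return kind, ""
    if kind == "TMSI":
        if len(mi) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return kind, mi[1:].hex()
    nibbles = [mi[0] >> 4]
    for octet in mi[1:]:
        nibbles += [octet & 0x0F, octet >> 4]
    if not odd:
        if nibbles[-1] != 0xF:
            raise ValueError("even-length BCD identity must end in 0xF filler")
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit in identity")
    return kind, "".join(str(n) for n in nibbles)


def build_paging_request_type1(mi1: bytes, mi2: Optional[bytes] = None) -> bytes:
    """23-octet PCH block: pseudo length, PD, type, page mode/channels needed (0),
    Mobile Identity 1 (LV), optional Mobile Identity 2 (TLV), 0x2B padding."""
    body = bytes([RR_PD, PAGING_REQUEST_TYPE_1, 0x00, len(mi1)]) + mi1
    if mi2 is not None:
        body += bytes([MI2_IEI, len(mi2)]) + mi2
    frame = bytes([(len(body) << 2) | 0x01]) + body    # pseudo length in bits 3-8
    return frame.ljust(23, b"\x2b")


def parse_paging_request_type1(frame: bytes) -> List[Tuple[str, str]]:
    """Return the decoded Mobile Identity 1 (and 2, if present) of a block."""
    if len(frame) < 5 or (frame[0] & 0x03) != 0x01:
        raise ValueError("not an L2 pseudo-length block")
    body = frame[1:1 + (frame[0] >> 2)]
    if (body[0] & 0x0F) != RR_PD or body[1] != PAGING_REQUEST_TYPE_1:
        raise ValueError("not a PAGING REQUEST TYPE 1")
    pos, ids = 3, []                                   # skip page mode / channels needed
    mi_len = body[pos]
    ids.append(decode_mobile_identity(body[pos + 1:pos + 1 + mi_len]))
    pos += 1 + mi_len
    if pos + 1 < len(body) and body[pos] == MI2_IEI:
        mi_len = body[pos + 1]
        ids.append(decode_mobile_identity(body[pos + 2:pos + 2 + mi_len]))
    return ids


def paging_identity_stats(frames):
    """Count identity types over blocks and flag IMEI paging (forbidden by
    04.08 9.1.22.3). Returns (counts, IMSI share, offending identities)."""
    counts, non_compliant = Counter(), []
    for frame in frames:
        for kind, ident in parse_paging_request_type1(frame):
            counts[kind] += 1
            if kind in ("IMEI", "IMEISV"):
                non_compliant.append(ident)
    total = sum(counts.values())
    return counts, (counts["IMSI"] / total if total else 0.0), non_compliant


# Constructed sample: five PCH blocks carrying seven identities, two of them IMSIs.
SAMPLE_FRAMES = [
    build_paging_request_type1(encode_mobile_identity("TMSI", "deadbeef")),
    build_paging_request_type1(encode_mobile_identity("TMSI", "0badcafe"),
                               encode_mobile_identity("TMSI", "c0ffee00")),
    build_paging_request_type1(encode_mobile_identity("IMSI", "001010123456789")),
    build_paging_request_type1(encode_mobile_identity("TMSI", "12345678")),
    build_paging_request_type1(encode_mobile_identity("IMSI", "001019876543210"),
                               encode_mobile_identity("TMSI", "87654321")),
]

if __name__ == "__main__":
    counts, share, bad = paging_identity_stats(SAMPLE_FRAMES)
    print(dict(counts), f"IMSI share {share:.1%}", bad)
```

Fed the 23-octet blocks from a real PCH capture instead of SAMPLE_FRAMES, paging_identity_stats gives the per-identity IMSI fraction (a block paging two mobiles counts twice) and a list of any IMEI pagings, which a compliant network should never produce. Paging Request Types 2 and 3, which carry further TMSIs in a different layout, are not handled here.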