Hi Zecke,
On Thu, Apr 15, 2010 at 02:53:02AM +0200, Holger Freyther wrote:
>> They are both doing security analysis and want to achieve a clean way how an external application can get access to a more or less transparent communication channel to the phone.
>> The purpose of this is to be able to send intentionally malformed packets to the mobile phone GSM stack at various different levels within the stack.
> Let me answer your question from the bottom. If our only goal is to send malformed packets to the MS I think this interface is way too low level and for now all requirements can be handled by basic GSM08.08 messages.
what do you mean by 'low level'? Their intent really is to send arbitrary L3 messages in L2, even on strange SAPIs or on an unexpected logical channel (SACCH vs. SDCCH).
>> - Ability to establish an SDCCH or TCH channel by paging the phone
>> As of now, the 'silent call' feature from the VTY already does this.
> GSM08.08 Paging Request which will be answered with a GSM08.08 Complete Layer3 Information (a new connection)
true.
>> - Ability to send arbitrary layer3 protocol messages to the phone
>> Adding this is relatively easy (use rsl_sendmsg on the lchan from the silent call)
> GSM08.08 DTAP
true.
>> - Ability to receive responses from the phone, as well as error conditions such as 'radio link failure'.
>> We don't have a solution for this yet, and we also have no clean way to identify what might be a response from the phone to the external app, and what might be a message from the phone to the normal network code in OpenBSC
> GSM08.08 DTAP and GSM08.08 Cleanup Request (Error Cause Radio Link Failure)
true.
However, the MSC talks GSM 08.08 to the BSC. So are you proposing to have a 08.08 interface between APP and MSC, or to have a BSC with multiple 08.08 interfaces? After all, in almost all the use cases we still want the regular MSC around for things like location updating, authentication, etc.
The other question then is: Why 08.08? Wouldn't the logical consequence be to implement actual MAP (like the E interface between MSC and MSC in a real GSM network)?
Regards, Harald
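To make the 08.08 mapping discussed above concrete, here is a small BSSAP frame classifier, added as an illustration and not code from OpenBSC or from either poster. It splits BSSMAP from DTAP, pulls the SAPI and channel identification out of the DLCI, decodes the Cause of a Clear Request, and rejects frames whose length field does not match, which is the kind of check a receiving app needs before trusting anything the phone sends back. Message-type, IE and cause constants are taken from 3GPP TS 48.008/48.006; the two sample frames are constructed, not captures.

```python
BSSMAP, DTAP = 0x00, 0x01          # BSSAP discriminator octet (TS 48.006)

# BSSMAP message types named in the thread (TS 48.008, 3.2.2.1)
BSSMAP_TYPES = {0x22: "CLEAR REQUEST", 0x52: "PAGING",
                0x57: "COMPLETE LAYER 3 INFORMATION"}
IE_CAUSE = 0x04                    # Cause IE, TLV coded (TS 48.008, 3.2.2.5)
CAUSE_NAMES = {0x01: "radio interface failure"}
# DLCI control-channel identification bits (TS 48.006, 9.3.2)
CHAN_NAMES = {0: "unspecified", 2: "FACCH/SDCCH", 3: "SACCH"}
PD_NAMES = {0x03: "CC", 0x05: "MM", 0x06: "RR"}   # L3 protocol discriminators


def parse_bssap(frame: bytes) -> dict:
    """Return the fields an external app would key on; reject bad lengths."""
    if len(frame) < 2:
        raise ValueError("frame shorter than BSSAP header")
    if frame[0] == BSSMAP:
        length, body = frame[1], frame[2:]
        if length == 0 or len(body) != length:
            raise ValueError("BSSMAP length field does not match frame")
        msg = {"kind": "BSSMAP",
               "type": BSSMAP_TYPES.get(body[0], "0x%02x" % body[0])}
        if body[0] == 0x22:                       # CLEAR REQUEST: Cause is mandatory
            msg["cause"] = parse_cause(body[1:])
        return msg
    if frame[0] == DTAP:
        if len(frame) < 3:
            raise ValueError("frame shorter than DTAP header")
        dlci, length, l3 = frame[1], frame[2], frame[3:]
        if length == 0 or len(l3) != length:
            raise ValueError("DTAP length field does not match frame")
        return {"kind": "DTAP", "sapi": dlci & 0x07,
                "chan": CHAN_NAMES.get(dlci >> 6, "reserved"),
                "pd": PD_NAMES.get(l3[0] & 0x0F, "other"), "l3": l3}
    raise ValueError("unknown BSSAP discriminator 0x%02x" % frame[0])


def parse_cause(ies: bytes) -> str:
    """Decode the first IE as a Cause TLV; bit 8 of the value octet is the extension bit."""
    if len(ies) < 3 or ies[0] != IE_CAUSE or ies[1] < 1:
        raise ValueError("CLEAR REQUEST without a valid Cause IE")
    return CAUSE_NAMES.get(ies[2] & 0x7F, "cause 0x%02x" % (ies[2] & 0x7F))


# Constructed sample frames (not captures): a Clear Request carrying
# "radio interface failure", and a DTAP frame with an MM message on SAPI 3 / SACCH.
CLEAR_REQUEST = bytes([0x00, 0x04, 0x22, 0x04, 0x01, 0x01])
DTAP_MM_SAPI3 = bytes([0x01, 0xC3, 0x03, 0x05, 0x18, 0x01])
```

Running `parse_bssap` over both constants yields the Clear Request with its decoded cause and the DTAP frame tagged with SAPI 3 on SACCH; a frame whose length octet overstates the payload raises `ValueError` instead of being passed on.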