Hi Harald,
in osmo-iuh/doc/hnb_cs_lu.msc I find that after the location update request from the UE, an identity request "should" follow from the CN.
Yesterday I made my first pcap using our hNodeB and that weighty black UE we use for testing, and saw that the MSC indeed sends out an identity request at that time [1], however, the UE simply never responds to it.
My question: is the hnb_cs_lu.msc declarative and definitely correct, or could it be that in 3G, UEs in general expect authentication first, as the "osmo-iuh/pcap/UPP RANAP.pcap" suggests (starting at packet #335)?
Since my sources tell me (i.e. Daniel) that an identity request at that time is indeed kinda special practice by openbsc to collect all IMEIs we possibly can, I'm going for authentication first.
Just wanted to make sure you agree that the hnb_cs_lu.msc may be erratic in that case. Thanks!
~Neels
[1] near openbsc/src/libmsc/gsm_04_08.c:589 (thanks Daniel!)
Update: it seems that for IuPS/SGSN, a quite identical Identity Request message is indeed answered by the UE, so the reason why I'm not receiving one for IuCS/CSCN is unclear.
~Neels
--
- Neels Hofmeyr nhofmeyr@sysmocom.de http://www.sysmocom.de/
=======================================================================
- sysmocom - systems for mobile communications GmbH
- Alt-Moabit 93
- 10559 Berlin, Germany
- Sitz / Registered office: Berlin, HRB 134158 B
- Geschäftsführer / Managing Directors: Holger Freyther, Harald Welte
Hi Neels,
On Wed, Feb 17, 2016 at 02:18:54PM +0100, Neels Hofmeyr wrote:
> in osmo-iuh/doc/hnb_cs_lu.msc I find that after the location update request from the UE, an identity request "should" follow from the CN.
It is no 'should' at all. There are some "Common MM Procedures" that can be invoked by MM (on the network side) at any time. This includes, AFAIR:
* IDENTITY REQ / RESP
* AUTHENTICATION REQ / RESP
* MM INFO
So the network can at any point in time ask the MS/UE about any of its identities.
> Yesterday I made my first pcap using our hNodeB and that weighty black UE we use for testing, and saw that the MSC indeed sends out an identity request at that time [1], however, the UE simply never responds to it.
OsmoNITB was originally developed as part of security research, and thus we wanted to demonstrate the fact that we can query the IMSI and IMEI of every phone at a very early stage. This is why we always ask for the IMEI, and we ask for the IMSI if we don't already know it (because it was contained in the LU / CM SERV REQ, or because we know the TMSI and can use it to map to the IMSI).
If there's no response from the phone, then it's likely something is going wrong somewhere in between. Do you see the request on the RUA interface towards the HNB? What does the HNB logging/tracing tell you about that message? What does a protocol trace on a UE with xgoldmon tell you?
> My question: is the hnb_cs_lu.msc declarative and definitely correct, or could it be that in 3G, UEs in general expect authentication first, as the "osmo-iuh/pcap/UPP RANAP.pcap" suggests (starting at packet #335).
No. There might still be situations where the IMSI is not known to the network at LU time, and the network must be able to obtain it via IDENTITY REQUEST before being able to obtain the auth quintuples and perform authentication.
What else would you do if you'd get a LU with an unknown TMSI?
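The procedure order Harald describes (ask for the IMSI only when the LU arrives with a TMSI the network cannot map, always ask for the IMEI under the NITB policy, then authenticate), together with the octets of the MM IDENTITY REQUEST and IDENTITY RESPONSE, as an added example in C. This is not osmo-iuh or OpenBSC code and uses none of their function names; the message layout follows 3GPP TS 24.008 / GSM 04.08 (9.2.10, 9.2.11, 10.5.1.4, 10.5.3.4), and the TMSI table and the IMSI 262420000000001 are constructed for the example.

```c
/* Added example, not osmo-iuh/OpenBSC code: MM procedure planning after a
 * LOCATION UPDATING REQUEST plus IDENTITY REQUEST/RESPONSE encoding
 * (3GPP TS 24.008 / GSM 04.08). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PDISC_MM       0x05  /* protocol discriminator: mobility management */
#define MT_MM_ID_REQ   0x18  /* IDENTITY REQUEST message type */
#define MT_MM_ID_RESP  0x19  /* IDENTITY RESPONSE message type */

/* Mobile identity types, TS 24.008 10.5.1.4 / 10.5.3.4 */
enum mi_type { MI_IMSI = 1, MI_IMEI = 2, MI_IMEISV = 3, MI_TMSI = 4 };

/* Network-side procedures run after the LU request, in order */
enum mm_step { STEP_ID_REQ_IMSI, STEP_ID_REQ_IMEI, STEP_AUTH_REQ, STEP_LU_ACCEPT };

/* Constructed TMSI -> IMSI mapping standing in for the subscriber DB */
struct tmsi_entry { uint32_t tmsi; const char *imsi; };
static const struct tmsi_entry tmsi_db[] = { { 0x12345678, "262420000000001" } };

static const char *tmsi_to_imsi(uint32_t tmsi)
{
    for (size_t i = 0; i < sizeof(tmsi_db) / sizeof(tmsi_db[0]); i++)
        if (tmsi_db[i].tmsi == tmsi)
            return tmsi_db[i].imsi;
    return NULL;
}

/* Plan the MM procedures for a LU whose mobile identity is 'mi' (an IMSI, or
 * a TMSI with value 'tmsi'). ask_imei mirrors the NITB policy of always
 * collecting the IMEI. The IMSI is requested only when it cannot be derived,
 * since without it no auth vectors can be fetched. Returns the step count. */
size_t plan_lu(enum mi_type mi, uint32_t tmsi, int ask_imei,
               enum mm_step *out, size_t max)
{
    const char *imsi = NULL;
    size_t n = 0;

    if (max < 4)
        return 0;
    if (mi == MI_IMSI)
        imsi = "(sent in LU)";
    else if (mi == MI_TMSI)
        imsi = tmsi_to_imsi(tmsi);

    if (!imsi)
        out[n++] = STEP_ID_REQ_IMSI;   /* unknown TMSI: ask before auth */
    if (ask_imei)
        out[n++] = STEP_ID_REQ_IMEI;
    out[n++] = STEP_AUTH_REQ;
    out[n++] = STEP_LU_ACCEPT;
    return n;
}

/* IDENTITY REQUEST: PD, message type, identity type in the low nibble of
 * octet 3 (high nibble is the spare half octet). Returns bytes written. */
size_t encode_identity_request(enum mi_type type, uint8_t *buf, size_t len)
{
    if (len < 3)
        return 0;
    buf[0] = PDISC_MM;
    buf[1] = MT_MM_ID_REQ;
    buf[2] = (uint8_t)type;
    return 3;
}

/* IDENTITY RESPONSE: PD, message type, LV mobile identity. Octet 1 of the MI
 * holds type (bits 1-3), odd/even flag (bit 4) and digit 1 (bits 5-8); each
 * further octet holds two BCD digits, low nibble first, with 0xF filler in
 * the last high nibble for an even digit count. Returns the identity type
 * and writes the digits, or -1 on malformed input or a (binary) TMSI. */
int decode_identity_response(const uint8_t *msg, size_t len, char *digits, size_t dlen)
{
    if (len < 4 || msg[0] != PDISC_MM || msg[1] != MT_MM_ID_RESP)
        return -1;
    size_t mi_len = msg[2];
    if (mi_len < 1 || 3 + mi_len > len || dlen < 2)
        return -1;
    const uint8_t *mi = &msg[3];
    int type = mi[0] & 0x07;
    int odd = (mi[0] >> 3) & 1;
    if (type == MI_TMSI)
        return -1;

    size_t n = 0;
    digits[n++] = '0' + (mi[0] >> 4);
    for (size_t i = 1; i < mi_len; i++) {
        if (n + 2 >= dlen)
            return -1;
        digits[n++] = '0' + (mi[i] & 0x0f);
        if (i == mi_len - 1 && !odd)
            break;                      /* filler nibble, not a digit */
        digits[n++] = '0' + (mi[i] >> 4);
    }
    digits[n] = '\0';
    return type;
}

/* Constructed IDENTITY RESPONSE carrying IMSI 262420000000001 (15 digits, odd) */
const uint8_t sample_id_resp[] = { 0x05, 0x19, 0x08,
                                   0x29, 0x26, 0x24, 0x00, 0x00, 0x00, 0x00, 0x10 };
const size_t sample_id_resp_len = sizeof(sample_id_resp);

int main(void)
{
    enum mm_step steps[4];
    uint8_t req[3];
    char digits[32];
    size_t n = plan_lu(MI_TMSI, 0xdeadbeef, 1, steps, 4);
    printf("LU with unknown TMSI: %zu steps, first step %d (ID REQ IMSI)\n", n, steps[0]);
    encode_identity_request(MI_IMSI, req, sizeof(req));
    printf("IDENTITY REQUEST (IMSI): %02x %02x %02x\n", req[0], req[1], req[2]);
    int t = decode_identity_response(sample_id_resp, sample_id_resp_len, digits, sizeof(digits));
    printf("IDENTITY RESPONSE: type %d, digits %s\n", t, digits);
    return 0;
}
```

The planner answers the "LU with an unknown TMSI" question directly: with no IMSI there is nothing to look up auth vectors for, so the IMSI request has to precede the AUTHENTICATION REQUEST, while the IMEI request is pure policy and can be dropped (ask_imei = 0) without changing the rest of the flow. The decoder refuses a TMSI mobile identity on purpose: a TMSI is a 4-octet binary value, and treating it as BCD digits would silently produce garbage.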