I found an interesting situation while trying to find the minimal
network-in-the-box installation with the new split components:

For CS, the MSC/VLR happily accept a subscriber that has no auth tokens in the
HLR, as long as the IMSI is present in the HLR and authentication is set to
optional.

For PS, the SGSN on auth policy remote naturally asks the HLR for auth tuples
for the subscriber. The HLR then finds the IMSI all right, but no 2G nor 3G auth
tokens, and says so to the SGSN. That leads to total rejection:

HLR:
DLINP <0006> ../../../src/libosmo-abis/src/input/ipa.c:383 connected read/write
DLINP <0006> ../../../src/libosmo-abis/src/input/ipa.c:338 message received
DAUC <0003> ../../../src/osmo-hlr/src/db_auc.c:127 IMSI='901700000014701':
No 2G Auth Data
DAUC <0003> ../../../src/osmo-hlr/src/db_auc.c:163 IMSI='901700000014701':
No 3G Auth Data

SGSN:
<000f> ../../../../src/osmo-sgsn/src/gprs/gprs_subscriber.c:493
SUBSCR(901700000014701) GPRS send auth info req failed, GMM cause = 'Network
failure' (17)
<0002> ../../../../src/osmo-sgsn/src/gprs/sgsn_auth.c:236
MM(901700000014701/ccb050ce) Missing auth tuples, authorization not possible
<0002> ../../../../src/osmo-sgsn/src/gprs/gprs_gmm.c:1140
MM(901700000014701/ccb050ce) Not authorized, rejecting ATTACH REQUEST with cause
'Network failure' (17)
<0002> ../../../../src/osmo-sgsn/src/gprs/gprs_gmm.c:491
MM(901700000014701/ccb050ce) <- GPRS ATTACH REJECT: Network failure

It appears that in the SGSN, I either have to accept all IMSIs or also have
auth tokens for each IMSI in the HLR. There's apparently no way to just accept
IMSIs (without cryptographic auth) as long as the IMSIs exist in the HLR.

In production networks, we usually have auth tokens for each SIM, but in open /
community networks, IIUC operating without auth+ciph is an important option in
Osmocom. It appears to me that we should support this case.

Or do we already support it by issuing accept-all policy, and rely on the
subscriber being rejected by the MSC before establishing GMM? (In that case we
can't use the HLR at all, i.e. not for other IMSIs where we'd know auth tokens.)

What do you guys think? Should we open an issue on it?

Related: I'm often confused by the SGSN auth code and have wished before that
it were a well-defined FSM instead... like the libvlr...

~N
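
An added example, not part of the original post and not Osmocom code: a small log correlator that lists IMSIs for which the HLR reported neither 2G nor 3G auth data and the SGSN then sent a GPRS ATTACH REJECT. The sample logs are constructed from the excerpts above (source paths shortened, a second IMSI invented for contrast), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the log excerpts in the post. The second
# IMSI is invented for contrast: it lacks only 3G data and is never rejected.
HLR_LOG = """\
DAUC <0003> db_auc.c:127 IMSI='901700000014701':
No 2G Auth Data
DAUC <0003> db_auc.c:163 IMSI='901700000014701':
No 3G Auth Data
DAUC <0003> db_auc.c:163 IMSI='901700000014702': No 3G Auth Data
"""
SGSN_LOG = """\
<0002> gprs_gmm.c:1140
MM(901700000014701/ccb050ce) Not authorized, rejecting ATTACH REQUEST with cause
'Network failure' (17)
<0002> gprs_gmm.c:491
MM(901700000014701/ccb050ce) <- GPRS ATTACH REJECT: Network failure
"""

# \s+ lets the HLR pattern match entries that were wrapped after the colon.
NO_AUTH = re.compile(r"IMSI='(\d+)':\s+No (2G|3G) Auth Data")
REJECT = re.compile(r"MM\((\d+)/[0-9a-f]+\) <- GPRS ATTACH REJECT: (.+)")

def missing_auth(hlr_log):
    """Map IMSI -> set of generations ('2G', '3G') the HLR had no auth data for."""
    missing = defaultdict(set)
    for imsi, gen in NO_AUTH.findall(hlr_log):
        missing[imsi].add(gen)
    return dict(missing)

def attach_rejects(sgsn_log):
    """Map IMSI -> last GMM cause text sent in a GPRS ATTACH REJECT."""
    return {imsi: cause.strip() for imsi, cause in REJECT.findall(sgsn_log)}

def correlate(hlr_log, sgsn_log):
    """IMSIs present in the HLR without any auth data that the SGSN rejected."""
    rejects = attach_rejects(sgsn_log)
    return {imsi: rejects[imsi]
            for imsi, gens in sorted(missing_auth(hlr_log).items())
            if gens == {"2G", "3G"} and imsi in rejects}

if __name__ == "__main__":
    for imsi, cause in correlate(HLR_LOG, SGSN_LOG).items():
        print(f"{imsi}: no 2G/3G auth data in HLR, PS attach rejected ({cause})")
```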