Hi Vadim,
On 6/14/19 6:39 AM, Vadim Yanitskiy wrote:
doc/manuals/vty/sgsn_vty_reference.xml
Allow MS to attach via GERAN without authentication
(default and only possible value for non-remote auth-policy)
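Review bot: the parenthetical "(default and only possible value for non-remote auth-policy)" in this description is easy to misread as saying the value cannot be used with 'auth-policy remote'. The intent is that non-remote policies can only have this value, while remote may use either. Suggest spelling out both cases, for example by stating that the setting is only evaluated with 'auth-policy remote' and has no effect with the other policies.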
Actually, no. My motivation for introducing this VTY parameter
was exactly the ability to use remote auth-policy (i.e. OsmoHLR)
to check if a subscriber is known, but not to require
authentication, just like we can do in CS-domain. In other words,
'authentication optional' should work with 'auth-policy remote'.
I think you are reading it wrong / too quickly, or perhaps it's me not
expressing it correctly, but to me what you say and what I say there is
the same. In there I'm saying auth-policy DIFFERENT THAN "remote"
(non-remote) can only take the value "optional". Hence, I'm NOT stating
that "remote" cannot take the value "optional". As a result, optional is
a possible value for "remote".
So the important thing here is: If you are using any auth-policy other
than "remote", you MUST use this authentication value (even implicitly
since anyway it doesn't make sense and doesn't really apply). If you are
using remote, use whichever you want.
src/gprs/sgsn_vty.c
DEFUN(cfg_authentication, cfg_authentication_cmd,
[...]
Allow MS to attach via GERAN without authentication
(default and only possible value for non-remote auth-policy)
Same here. It *is* possible for 'auth-policy remote' too.
Same string as above, not repeating.
src/gprs/gprs_sgsn.c
struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx)
[...]
inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;
/* only applies if auth_policy is REMOTE */
inst->cfg.require_authentication = true;
[...]
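Review bot: the default on the line `inst->cfg.require_authentication = true;` reads as inconsistent with the help text, which calls the no-authentication value the "default" for non-remote auth-policy, while the instance starts out as SGSN_AUTH_POLICY_CLOSED. The comment already says the field only applies under REMOTE. It would help to extend it to say the stored value is ignored for every other policy, so that `true` is not taken to mean authentication is enforced there.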
Are you sure this wouldn't break non-remote auth-policy use cases?
AFAIR, the GMM layer requests authentication regardless of the
'auth-policy', so then in 'gprs/sgsn_auth.c' we conditionally
perform authentication or immediately return SGSN_AUTH_ACCEPTED.
Only places where "require_authentication" is checked are:
src/gprs/sgsn_auth.c:115
src/gprs/sgsn_auth.c:177
And both are code paths only executed under condition that auth_policy
is SGSN_AUTH_POLICY_REMOTE. Which means "require_authentication" is not
checked/used at all for other auth_policy scenarios. So we are safe, the
change is not affecting other auth_policy.
So I think my patch is fine and actually simplifies older state. I'm
happy to rework stuff if you can find any flaw I didn't see.
Regards,
Pau
--
- Pau Espin Pedrol <pespin(a)sysmocom.de>
http://www.sysmocom.de/