18 Oct
2011
18 Oct
'11
6:18 a.m.
Hi,
we own a frequency usage licence from the Bundesnetzagentur and ran our
network with auth policy token. So every new phone trying to attach to our
network will receive a SMS with information how to register and a token.
Thereafter, the phone is kicked out and will no longer be able to register
again.
Now there was a problem with some phones from Cupertino which, as I heard,
registered to our network, received the SMS, were kicked out again but did not
try to re-register with their home network. So some "nice" guys threaten to
call the Bundesnetzagentur if we will not shut down the network immediately.
As a quick solution, we changed the registration procedure from Token-Input to
IMEI-Input.
My question is: Are there really legal problems when using the "Auth Token"
policy?
Many Thanks,
Lennart
18 Oct
18 Oct
7:27 a.m.
On 10/18/2011 08:18 AM, Lennart Müller wrote:
Hi,
Hi Lennart,
IANAL, regarding the token auth, you might find a way instead of sending the
MM Auth Reject to omit the LU Accept and schedule a LU Reject after the SMS is
sent? Did the user accidently end in your network and thanks to a broken phone
stayed in it, but didn't read the SMS that is on the lock-screen of his fruit
phone? Did the "nice' guy open a ticket with the fruit company too?
7:46 a.m.
Hi Holger,
On Tue, Oct 18, 2011 at 09:27:00AM +0200, Holger Hans Peter Freyther wrote:
IANAL, regarding the token auth, you might find a way
instead of sending the
MM Auth Reject to omit the LU Accept and schedule a LU Reject after the SMS is
sent? Did the user accidently end in your network and thanks to a broken phone
stayed in it, but didn't read the SMS that is on the lock-screen of his fruit
phone? Did the "nice' guy open a ticket with the fruit company too?
We tried this early in the project: Many phones don't accept CP-DATA
before having received a LU Accept.
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
7:49 a.m.
Hi Holger,
IANAL, regarding the token auth, you might find a way
instead of sending
the MM Auth Reject to omit the LU Accept and schedule a LU Reject after
the SMS is sent?
I think a phone can only receive SMS after it successfully registered itself
at the network?
Did the user accidently end in your network and thanks
to
a broken phone stayed in it, but didn't read the SMS that is on the
lock-screen of his fruit phone?
He saw it - thats the reason why he blame us.
I think his home network was not reachable and so his phone simply tried to
"roam" into our network. The configured reject cause is:
location updating reject cause 11
So in my understanding, after kicking out the phone, it should not try to
automatically register to our network again until switched off or manually
selecting our network, and instead simply switch back to the home network.
Probable instead of switching back, it stayed offline - until a power cycle as I
heard.
Did the "nice' guy open a ticket with the
fruit company too?
Certainly not - "This never happened elsewhere - it must be your network!".
Regards,
Lennart
7:33 a.m.
Hi Lennart,
On Tue, Oct 18, 2011 at 08:18:24AM +0200, Lennart Müller wrote:
we own a frequency usage licence from the
Bundesnetzagentur and ran our
network with auth policy token. So every new phone trying to attach to our
network will receive a SMS with information how to register and a token.
Thereafter, the phone is kicked out and will no longer be able to register
again.
Now there was a problem with some phones from
Cupertino which, as I heard,
registered to our network, received the SMS, were kicked out again but did not
try to re-register with their home network. So some "nice" guys threaten to
call the Bundesnetzagentur if we will not shut down the network immediately.
we have only used the "Auth Token" mechanism in the Netherlands, where
the regulatory authority didn't make any complaint. However, I
remember some people with the (then not all-omnipresent) iPhone
reporting some issues.
In order to be on the safe side, we started issuing our own sim cards at
CCC Congress and related events. This means that people have to obtain
such a card before being able to acces the network. I believe legally,
this is the better situation anyway, as the "real operator" SIM card in
their device belongs to their "real operator", and we don't know the
details of the agreement they have with their operator. They could have
some fine print that that SIM is only permitted to be used with
roaming partners of the "real operator". So by not accepting foreign
SIM cards, we make sure nobody is violating such terms. Furthermore, we
can of course use A3/A8 and as a result also A5/1, if we want.
My question is: Are there really legal problems when
using the "Auth Token"
policy?
The fact that we have the auth-token (or any other) functionality in our
software doesn't mean that it is safe to run it, or that you will hve
legal guarantees about regulatory approval in any jurisdiction!
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
8:10 a.m.
Hi Harald,
we have only used the "Auth Token" mechanism
in the Netherlands, where
the regulatory authority didn't make any complaint. However, I
remember some people with the (then not all-omnipresent) iPhone
reporting some issues.
Seems to be a general problem...
In order to be on the safe side, we started issuing
our own sim cards at
CCC Congress and related events. This means that people have to obtain
such a card before being able to acces the network. I believe legally,
this is the better situation anyway, as the "real operator" SIM card in
their device belongs to their "real operator", and we don't know the
details of the agreement they have with their operator. They could have
some fine print that that SIM is only permitted to be used with
roaming partners of the "real operator". So by not accepting foreign
SIM cards, we make sure nobody is violating such terms. Furthermore, we
can of course use A3/A8 and as a result also A5/1, if we want.
Everybody using our sim cards would be the best of couse - we have some there
lying in the drawer. But simply switching the network seems to be more popular
- only one person came to get a programmed SIM card.
We will put a legal notice about fine prints onto the registration page.
So after all we will probably leave the Auth Token Policy off and let the users
enter their IMEI (followed by a registration) before accepting a location
update the first time.
The fact that we have the auth-token (or any other)
functionality in our
software doesn't mean that it is safe to run it, or that you will hve
legal guarantees about regulatory approval in any jurisdiction!
That's clear. But as I configured it some time ago, I thought it would not be a
problem, since normally the phones should only try to roam if they cannot
establish a connection to their home network. Since they are only one time in
our network for about 5 seconds to send the SMS, I saw no problem in there -
believing phones try to register back immediately after being thrown out.
Regards,
Lennart
6:02 p.m.
Lennart -
Similarly, with public OpenBTS tests, we either issue our own SIMs (with known Ki), or we
issue expired China Mobile SIMs (when we are sure that none of the carriers in the area
have roaming agreements with China Mobile). Another thing we have found useful for these
events is to have accept/reject decisions based on regular expression matching of the
IMSIs, so that the regular expression is just a string in the configuration table.
And to echo Harald's *next* email, we have also found that many phones refuse SMS
transfers prior to receiving LU accept.
-- David
On Oct 18, 2011, at 12:33 AM, Harald Welte wrote:
In order to be on the safe side, we started issuing our own sim cards at
CCC Congress and related events. This means that people have to obtain
such a card before being able to acces the network. I believe legally,
this is the better situation anyway, as the "real operator" SIM card in
their device belongs to their "real operator", and we don't know the
details of the agreement they have with their operator. They could have
some fine print that that SIM is only permitted to be used with
roaming partners of the "real operator". So by not accepting foreign
SIM cards, we make sure nobody is violating such terms. Furthermore, we
can of course use A3/A8 and as a result also A5/1, if we want.
5048
days inactive
5048
days old
6 comments
4 participants
participants (4)
-
David A. Burgess -
Harald Welte -
Holger Hans Peter Freyther -
Lennart Müller