hnb_cs_lu.msc

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Harald Welte hwelte at sysmocom.de
Wed Feb 17 16:26:52 UTC 2016


Hi Neels,

On Wed, Feb 17, 2016 at 02:18:54PM +0100, Neels Hofmeyr wrote:
> in osmo-iuh/doc/hnb_cs_lu.msc I find that after the location update
> request from the UE, an identity request "should" follow from the CN.

It is no 'should' at all.  There are some "Common MM Procedures" that
can be invoked by MM (on the network side) at any time.  This includes,
AFAIR:
* IDENTITY REQ / RESP
* AUTHENTICATION REQ / RESP
* MM INFO

So the network can at any point in time ask the MS/UE about any of its
identities.

> Yesterday I made my first pcap using our hNodeB and that weighty black UE
> we use for testing, and saw that the MSC indeed sends out an identity
> request at that time [1], however, the UE simply never responds to it.

OsmoNITB was originally developed as part of security research, and thus
we wanted to demonstrate the fact that we can query the IMSI and IMEI of
every phone at a very early stage.  This is why we always ask for the
IMEI, and we ask for the IMSI if we don't already know it (because it
was contained in the LU / CM SERV REQ, or because we know the TMSI and
can use it to map to the IMSI).

If there's no response from the phone, then it's likely something is
going wrong somewhere in between.  Do you see the request on the RUA
interface towards the HNB?  What does the HNB logging/tracing tell you
about that message?  What does a protocol trace on a UE with xgoldmon
tell you?

> My question: is the hnb_cs_lu.msc declarative and definitely correct, or
> could it be that in 3G, UEs in general expect authentication first, as
> the "osmo-iuh/pcap/UPP RANAP.pcap" suggests (starting at packet #335).

No.  There might still be situations where the IMSI is not known to the
network at LU time, and the network must be able to obtain it via
IDENTITY REQUEST before being able to obtain the auth quintuples and
perform authentication.

What else would you do if you'd get a LU with an unknown TMSI?

-- 
- Harald Welte <hwelte at sysmocom.de>             http://www.sysmocom.de/
=======================================================================
* sysmocom - systems for mobile communications GmbH
* Alt-Moabit 93
* 10559 Berlin, Germany
* Sitz / Registered office: Berlin, HRB 134158 B
* Geschaeftsfuehrer / Managing Directors: Holger Freyther, Harald Welte
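
The identity handling described in the mail above, as an added example (not part of the original message and not Osmocom code): it decodes the value part of a Mobile Identity IE as laid out in 3GPP TS 24.008 and applies the stated policy of always asking for the IMEI and asking for the IMSI only when it is not already known. All function, type and flag names are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mi_type { MI_NONE = 0, MI_IMSI = 1, MI_IMEI = 2, MI_IMEISV = 3, MI_TMSI = 4 };
enum { ASK_IMSI = 1, ASK_IMEI = 2 };            /* hypothetical flag names */
struct mobile_id { enum mi_type type; char digits[17]; uint32_t tmsi; };
/* Constructed samples: IMSI 001010123456789 (test PLMN) and TMSI 0x12345678 */
const uint8_t SAMPLE_IMSI[] = { 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98 };
const uint8_t SAMPLE_TMSI[] = { 0xf4, 0x12, 0x34, 0x56, 0x78 };

/* Decode the value part of a Mobile Identity IE; 0 on success, -1 if malformed */
int mi_decode(const uint8_t *v, size_t len, struct mobile_id *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 1 || (v[0] & 0x07) > MI_TMSI) return -1;
    out->type = (enum mi_type)(v[0] & 0x07);    /* bits 3..1: type of identity */
    if (out->type == MI_NONE) return 0;
    if (out->type == MI_TMSI) {                 /* 0xF4 header + 4 TMSI octets */
        if (len != 5) return -1;
        out->tmsi = (uint32_t)v[1] << 24 | (uint32_t)v[2] << 16 | (uint32_t)v[3] << 8 | v[4];
        return 0;
    }
    /* BCD digits: digit 1 is the high nibble of octet 0, then low/high nibbles */
    size_t n = 2 * len - 1 - (((v[0] >> 3) & 1) ? 0 : 1);   /* bit 4: odd/even */
    if (n > 16) return -1;                      /* longest identity: IMEISV, 16 digits */
    for (size_t i = 0; i < n; i++) {
        uint8_t d = (i % 2 == 0) ? v[i / 2] >> 4 : v[(i + 1) / 2] & 0x0f;
        if (d > 9) return -1;                   /* filler or junk inside the digits */
        out->digits[i] = (char)('0' + d);
    }
    return 0;
}

/* Policy from the mail: always IMEI; IMSI unless sent by the UE or resolvable via TMSI */
unsigned identity_requests(const struct mobile_id *mi, int tmsi_maps_to_imsi)
{
    unsigned ask = ASK_IMEI;
    if (mi->type != MI_IMSI && !(mi->type == MI_TMSI && tmsi_maps_to_imsi))
        ask |= ASK_IMSI;
    return ask;
}

int main(void)
{
    struct mobile_id m;
    if (mi_decode(SAMPLE_TMSI, sizeof(SAMPLE_TMSI), &m) == 0)
        printf("TMSI %08x unknown -> ask mask 0x%x\n", (unsigned)m.tmsi, identity_requests(&m, 0));
    return 0;
}
```

An LU carrying an unknown TMSI yields both flags, which is the case the closing question of the mail points at: without the IMSI the network cannot fetch auth quintuples, so the identity request has to come before authentication.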


