Florida Institute for Cybersecurity (FICS) Research
CS 8803 - Cellular and Mobile Network Security:
Data Air Interface
Professor Patrick Traynor
10/23/18

Packet-Switched Mobile Data

GSM/UMTS Data
• Overview of System Architecture
• Compare and Contrast
• Protocol Stacks
• GSM Overview
• UMTS Overview
• Mobility Management

General Packet Radio Service (GPRS)
• GSM
  • overlay network on basic GSM infrastructure
  • new mobile “routers” introduced
  • supports both “GPRS” (2.5G) and “EDGE” (2.75G) wireless protocols
• UMTS
  • re-uses GPRS network from GSM
  • new air interface

GSM Data Network Architecture
[Figure: network diagram showing BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]
• SGSN - Serving GPRS Support Node
  • Serves mobile user based on location
• GGSN - Gateway GPRS Support Node
  • Serves mobile user based on address
• BTS/BSC - new call processing and channels for data
• HLR - extended user profiles

Network Attachment
• Previous lectures covered the process of attaching to the network (i.e., authentication to the CS portion of the network).
  • This is known as “IMSI Attach”
• Mobile devices can/must also attach themselves to the data services provided by the network.
  • This is known as “GPRS Attach”
• The processes are largely the same, except that the MS interacts with the MSC for an IMSI Attach and the SGSN for the GPRS Attach.
• Most networks allow for a “Combined GPRS/IMSI Attach”.

Combined Attach
• The advantage to performing a combined attach is that both CS and PS signaling can be dealt with at the SGSN.
  • The MSC/VLR really just provides look-up facilities.
• The absence of this combined attach means that the network provider must dedicate two sets of air interface resources to CS and PS signaling.
• Pros? Cons?
• Reality: SGSNs and MSCs are often a single box.

Attach
[Figure: message sequence among New SGSN, Old SGSN, GGSN and HLR. Labels shown: Attach Request; ID Request; (TMSI, IMSI); ID Request; Auth Info; Auth & Cipher; Update Location; Cancel Location; Insert Subscriber Data; Location Update Accepted; Attach Accept]

Detach
[Figure: message sequence among SGSN, GGSN and HLR. Labels shown: Detach Request; Delete PDP Context; Detach Accept; Purge MS]

PDP Context
• Once attached to the network, mobile devices need a means of communicating with other data-enabled entities.
• A Packet Data Protocol (PDP) Context is a virtual channel between a device and a GGSN.
• PDP Contexts serve two main functions in GPRS/UMTS:
  • Assign the phone an IPv4/IPv6 address, making it reachable.
  • Associate a quality of service (QoS) profile with the device.
• The second point, while specified in the standards, is not currently implemented/used.
• Accordingly, let’s view PDP Context establishment as a high-level dual to DHCP - interaction with a DHCP server is actually one of the parts of this operation.

Multiple Contexts
• This architecture allows for a single device to establish and maintain multiple PDP Contexts.
  • Known as Primary and Secondary PDP Contexts
• Secondary PDP contexts are always associated with a Primary context.
  • Multiple primaries are also possible, generally connected to multiple PDNs.
• Secondary PDP contexts share an IP address with the Primary, but allow different QoS terms to be enforced.
  • A device may specify to the network that its SIP flows are more important than those delivering traffic to its mobile browser.

PDP Context Activation
[Figure: message sequence involving SGSN and GGSN. Labels shown: Activate PDP Context; Activate PDP Context Accept; Create PDP Context]

Call vs Data Path
[Figure: network diagram showing BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]

GTP and RAB
• GPRS Tunneling Protocol (GTP) allows the mobility of a device to be hidden from the outside world.
• The IP address is fixed by the GGSN, and a “tunnel” to that device’s current SGSN is stored so that packets can be correctly forwarded.
  • Each tunnel is differentiated by its Tunnel Endpoint Identifier (TEI).
• This allows the SGSN to allocate an arbitrary local address for a device (and change that address) without telling the GGSN.
• The SGSN then forwards packets through the Radio Access Bearer (RAB) service, which connects the core network to the wireless device.
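
The forwarding state described under “GTP and RAB”, and the Update PDP Context step of the Inter-SGSN Move slides that follow, as an added example (not part of the original slides): a hypothetical Ggsn class keeps the device's address fixed and repoints the tunnel, wrapping each downlink packet in the 8-byte GTPv1-U header. The class, SGSN names, addresses and TEI values are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

GTPU_FLAGS = 0x30  # GTPv1-U: version 1, protocol type GTP, no optional fields
GTPU_GPDU = 0xFF   # message type for an encapsulated user packet

@dataclass
class PdpContext:
    ms_ip: IPv4Address  # assigned by the GGSN, fixed while the context lives
    sgsn: str           # current serving SGSN (constructed name)
    tei: int            # the slides' TEI (TEID field of the GTP header)

class Ggsn:  # hypothetical model of the GGSN's PDP context table
    def __init__(self, first_ip):
        self.next_ip = IPv4Address(first_ip)
        self.contexts = {}  # ms_ip -> PdpContext
    def create_pdp_context(self, sgsn, tei):
        ip, self.next_ip = self.next_ip, self.next_ip + 1
        self.contexts[ip] = PdpContext(ip, sgsn, tei)
        return ip
    def update_pdp_context(self, ms_ip, new_sgsn, new_tei):
        # Inter-SGSN move: only the tunnel changes, never the address.
        ctx = self.contexts[ms_ip]
        ctx.sgsn, ctx.tei = new_sgsn, new_tei
    def forward_downlink(self, dst_ip, ip_packet):
        ctx = self.contexts.get(dst_ip)
        if ctx is None:
            return None  # no PDP context, so the address is unreachable
        hdr = struct.pack("!BBHI", GTPU_FLAGS, GTPU_GPDU, len(ip_packet), ctx.tei)
        return ctx.sgsn, hdr + ip_packet

def parse_gtpu(frame):  # SGSN side: returns (tei, inner packet)
    if len(frame) < 8:
        raise ValueError("truncated GTP-U header")
    flags, mtype, length, tei = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or mtype != GTPU_GPDU or length != len(frame) - 8:
        raise ValueError("not a well-formed GTPv1-U G-PDU")
    return tei, frame[8:]

def demo():
    ggsn = Ggsn("10.0.0.1")  # constructed address pool
    ip = ggsn.create_pdp_context("sgsn-old", 0x1001)
    before = ggsn.forward_downlink(ip, b"inner-ip-packet")
    ggsn.update_pdp_context(ip, "sgsn-new", 0x2002)
    after = ggsn.forward_downlink(ip, b"inner-ip-packet")
    return ip, before, after
```

demo() returns the unchanged device address together with the (SGSN, frame) pair before and after the move; only the tunnel endpoint differs between the two.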

Tunnels, etc
[Figure: MS, BS, SGSN, GGSN and Internet, with the RAB, GTP Tunnel and PDP Context marked]
• Each PDP Context allows a set of flows to request a QoS from the RAB. These include Conversational (voice), Streaming (YouTube), Interactive (web surfing) and Background (FTP).
• RAB ends at a lower layer of the MS protocol stack.

GSM/GPRS Protocol Stacks
[Figure: protocol stacks across BS, SGSN, GGSN and Internet Server. Layers shown: App, TCP/UDP, IP, IP/X25, GTP, SNDCP, LLC, BSSGP, RLC/MAC, GSM, LAPD, L1, Lower Layers]

UMTS Architecture
[Figure: network diagram showing UE, Node B, RNC, BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]
• Re-used from GSM/GPRS Core Network
  • SGSN - signaling interface and some access protocols change
  • GGSN - re-used (PDP contexts remain)
  • HLR - some extensions
• Main differences
  • Much higher data rates, soft handoffs

UMTS/GPRS Protocol Stacks
[Figure: protocol stacks across BS, SGSN, GGSN and Internet Server. Layers shown: App, TCP/UDP, IP, IP/PPP, GTP-U, PDCP, RLC/MAC, UMTS, AAL5, ATM, L2, L1, Lower Layers]

Inter-SGSN Move
[Figure: message sequence among New SGSN, Old SGSN, GGSN and HLR. Labels shown: RA Update; SGSN Context; ID Request; Auth Info; Auth & Cipher; Update Location; Cancel Location; Location Update Accepted; Attach Accept; SGSN Context Ack; FWD Packets; Update PDP Context; Insert Subscriber Data]

Inter-SGSN Move: Data
[Figure: the same message sequence, with the added labels “Packets Flowing to Old SGSN” and “New Tunnel”]

Data Network Functionality Redux