CS 8803 - Cellular and Mobile Network Security: Data Air Interface
Professor Patrick Traynor
10/23/18
Florida Institute for Cybersecurity (FICS) Research
Packet-Switched Mobile Data
GSM/UMTS Data
• Overview of System Architecture
• Compare and Contrast
• Protocol Stacks
• GSM Overview
• UMTS Overview
• Mobility Management
General Packet Radio Service (GPRS)
• GSM
  • overlay network on basic GSM infrastructure
  • new mobile “routers” introduced
  • supports both “GPRS” (2.5G) and “EDGE” (2.75G) wireless protocols
• UMTS
  • re-uses GPRS network from GSM
  • new air interface
GSM Data Network Architecture
[Figure: network diagram showing BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]
• SGSN - Serving GPRS Support Node
  • Serves mobile user based on location
• GGSN - Gateway GPRS Support Node
  • Serves mobile user based on address
• BTS/BSC - new call processing and channels for data
• HLR - extended user profiles
Network Attachment
• Previous lectures covered the process of attaching to the network (i.e., authentication to the CS portion of the network). This is known as “IMSI Attach”
• Mobile devices can/must also attach themselves to the data services provided by the network. This is known as “GPRS Attach”
• The processes are largely the same, except that the MS interacts with the MSC for an IMSI Attach and the SGSN for the GPRS Attach.
• Most networks allow for a “Combined GPRS/IMSI Attach”.
Combined Attach
• The advantage to performing a combined attach is that both CS and PS signaling can be dealt with at the SGSN.
• The MSC/VLR really just provides look-up facilities.
• The absence of this combined attach means that the network provider must dedicate two sets of air interface resources to CS and PS signaling.
• Pros? Cons?
• Reality: SGSNs and MSCs are often a single box.
Attach
[Figure: message sequence diagram involving the Old SGSN, New SGSN, GGSN and HLR. Message labels: Attach Request, ID Request (TMSI, IMSI), ID Request, Auth Info, Auth & Cipher, Update Location, Cancel Location, Insert Subscriber Data, Location Update Accept, Attach Accepted]
Detach
[Figure: message sequence diagram involving the SGSN, GGSN and HLR. Message labels: Detach Request, Delete PDP Context, Detach Accept, Purge MS]
PDP Context
• Once attached to the network, mobile devices need a means of communicating with other data-enabled entities.
• A Packet Data Protocol (PDP) Context is a virtual channel between a device and a GGSN.
• PDP Contexts serve two main functions in GPRS/UMTS:
  • Assign the phone an IPv4/IPv6 address, making it reachable.
  • Associate a quality of service (QoS) profile with the device.
• The second point, while specified in the standards, is not currently implemented/used.
• Accordingly, let’s view PDP Context establishment as a high-level dual to DHCP - interaction with a DHCP server is actually one of the parts of this operation.
Multiple Contexts
• This architecture allows for a single device to establish and maintain multiple PDP Contexts.
• Known as Primary and Secondary PDP Contexts
• Secondary PDP contexts are always associated with a Primary context.
• Multiple primaries are also possible, generally connected to multiple PDNs.
• Secondary PDP contexts share an IP address with the Primary, but allow different QoS terms to be enforced.
• A device may specify to the network that its SIP flows are more important than those delivering traffic to its mobile browser.
PDP Context Activation
[Figure: message sequence diagram involving the SGSN and GGSN. Message labels: Activate PDP Context, Create PDP Context, Activate PDP Context Accept]
Call vs Data Path
[Figure: network diagram showing BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]
GTP and RAB
• GPRS Tunneling Protocol (GTP) allows the mobility of a device to be hidden from the outside world.
• The IP address is fixed by the GGSN, and a “tunnel” to that device’s current SGSN is stored so that packets can be correctly forwarded.
• Each tunnel is differentiated by its Tunnel Endpoint Identifier (TEI).
• This allows the SGSN to allocate an arbitrary local address for a device (and change that address) without telling the GGSN.
• The SGSN then forwards packets through the Radio Access Bearer (RAB) service, which connects the core network to the wireless device.
Tunnels, etc
[Figure: diagram showing MS, BS, SGSN, GGSN and Internet, with spans labelled PDP Context, RAB and GTP Tunnel]
• Each PDP Context allows a set of flows to request a QoS from the RAB.
• These include Conversational (voice), Streaming (YouTube), Interactive (web surfing) and Background (FTP).
• RAB ends at a lower layer of the MS protocol stack.
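An added example, not part of the original slides: a GTPv1-U header parser and a GGSN-side check that ties the tunnel identifier (TEID in the GTP specification) to the PDP context described under "PDP Context", "Multiple Contexts" and "GTP and RAB". The context table, addresses, TEID values and the function names are constructed for illustration.

```python
import ipaddress
import struct

G_PDU = 0xFF  # GTPv1 message type for tunnelled user data

# Constructed context table (assumption): TEID -> (PDP address, QoS class).
CONTEXTS = {
    0x0000A001: ("10.20.0.7", "Interactive"),     # primary context
    0x0000A002: ("10.20.0.7", "Conversational"),  # secondary, same address
}

def parse_gtpu(datagram: bytes):
    """Return (teid, inner_packet) for a GTPv1-U G-PDU, or raise ValueError."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1 with PT=1")
    if msg_type != G_PDU:
        raise ValueError("not a G-PDU")
    if length != len(datagram) - 8:
        raise ValueError("length field disagrees with datagram size")
    if flags & 0x04:
        raise ValueError("extension headers are not handled in this example")
    offset = 12 if flags & 0x03 else 8  # S or PN set: 4 optional bytes follow
    return teid, datagram[offset:]

def check_uplink(datagram: bytes):
    """Decide whether an uplink G-PDU matches the PDP context for its TEID."""
    try:
        teid, inner = parse_gtpu(datagram)
    except ValueError as exc:
        return ("drop", str(exc))
    if teid not in CONTEXTS:
        return ("drop", "unknown TEID")
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return ("drop", "inner packet is not IPv4")
    src = str(ipaddress.IPv4Address(inner[12:16]))
    pdp_addr, qos = CONTEXTS[teid]
    if src != pdp_addr:
        return ("drop", "inner source does not match PDP address")
    return ("forward", qos)

def build_sample(teid: int, src: str) -> bytes:
    """Constructed datagram: GTP-U header plus a bare 20-byte IPv4 header."""
    ip = bytearray(20)
    ip[0] = 0x45  # IPv4, 5-word header
    ip[12:16] = ipaddress.IPv4Address(src).packed
    return struct.pack("!BBHI", 0x30, G_PDU, len(ip), teid) + bytes(ip)
```

The two table entries share one address but carry different TEIDs and QoS classes, which is how a secondary context differs from its primary on the tunnel side.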
GSM/GPRS Protocol Stacks
[Figure: protocol stack diagram across BS, SGSN, GGSN, Internet and Server. Layer labels: App, TCP/UDP, IP, IP/X25, SNDCP, GTP, LLC, BSSGP, RLC/MAC, LAPD, L1, GSM, Lower Layers]
UMTS Architecture
[Figure: network diagram showing UE, Node B, RNC, BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network and Internet]
• Re-used from GSM/GPRS Core Network
  • SGSN - signaling interface and some access protocols change
  • GGSN - re-used (PDP contexts remain)
  • HLR - some extensions
• Main differences
  • Much higher data rates, soft handoffs
UMTS/GPRS Protocol Stacks
[Figure: protocol stack diagram across BS, SGSN, GGSN, Internet and Server. Layer labels: App, TCP/UDP, IP, IP/PPP, GTP-U, PDCP, RLC/MAC, AAL5, ATM, L2, L1, UMTS, Lower Layers]
Inter-SGSN Move
[Figure: message sequence diagram involving the Old SGSN, New SGSN, GGSN and HLR. Message labels: RA Update, SGSN Context, ID Request, Auth Info, Auth & Cipher, SGSN Context Ack, FWD Packets, Update PDP Context, Update Location, Cancel Location, Insert Subscriber Data, Location Update Accept, Attach Accepted]
Inter-SGSN Move: Data
[Figure: the same message sequence diagram involving the Old SGSN, New SGSN, GGSN and HLR, annotated with the data path: Packets Flowing to Old SGSN, FWD Packets, New Tunnel. Message labels: RA Update, SGSN Context, ID Request, Auth Info, Auth & Cipher, SGSN Context Ack, Update PDP Context, Update Location, Cancel Location, Insert Subscriber Data, Location Update Accept, Attach Accepted]
Data Network Functionality Redux