Bug #2980

in bssmap_rx_l3_compl(), we decode the L3-complete MCC-MNC but never verify their actual value

Added by neels over 3 years ago. Updated over 3 years ago.

Target version:
Start date:
Due date:
% Done:


Spec Reference:


It seems that messages coming in over the A interface are allowed to completely mismatch the MCC-MNC setting in the MSC's config.
It might be a valid feature to serve more than one MCC-MNC with our MSC, but if we do, we shouldn't have an MCC-MNC configured in the osmo-msc.cfg that gets ignored silently.

See in bssmap_rx_l3_compl(), that we decode the LAI, but the resulting mcc and mnc never get compared to or passed on to anything.


#1 Updated by neels over 3 years ago

related, the VLR accepts any LAI (MCC-MNC-LAC), see vlr_lu_fsm.c:

/* Determine if given location area is served by this VLR */
static bool lai_in_this_vlr(struct vlr_instance *vlr,
                            const struct osmo_location_area_id *lai)
        /* TODO: VLR needs to keep a locally configued list of LAIs */
        return true;

#2 Updated by neels over 3 years ago

vlr_proc_acc_req() stores a LAI in struct proc_arq_priv but it is never used.

#3 Updated by laforge over 3 years ago

We shouldn't allow arbitrary non matching MCC/MNC. Please add a ttcn3 test for it whose failure wil be a reminder

#4 Updated by laforge over 3 years ago

  • Assignee set to stsp

#5 Updated by stsp over 3 years ago

I have written a small test case:

private const Cell_Identity unknown_cid := { '678'H, 'f90'H, 1, 0 };

/* Paging by CGI with unknown MCC/MNC: Verify nothing is paged. */
testcase TC_paging_imsi_nochan_cgi_unknown_cid() runs on test_CT {
       var template BSSMAP_FIELD_CellIdentificationList cid_list;
       cid_list := { cIl_CGI := { ts_BSSMAP_CI_CGI(unknown_cid.mcc, unknown_cid.mnc, unknown_cid.lac, } };
       f_pageing_helper('001010000000006'H, cid_list, c_BtsId_none);

However, I cannot verify it because my ttcn3 setup no longer works. It keeps failing with

Dynamic test case error: Port IPA_CTRL has neither connections nor mappings. Message cannot be sent on it.

The same problem started happening on jenkins in ttcn3-hacks build #109:

I might eventually need support to figure this out to make progress on this issue.
I have been trying to figure out the problem but haven't gotten anywhere.

#6 Updated by stsp over 3 years ago

  • Status changed from New to In Progress

#7 Updated by stsp over 3 years ago

Regression test proposed in

#8 Updated by stsp over 3 years ago

  • Status changed from In Progress to Resolved

Above change has been merged. Looks like we're all good now.

#9 Updated by neels over 3 years ago

  • Status changed from Resolved to New

Sorry, but this issue is not about paging and not about ttcn3, it is about l3_compl and the VLR,
i.e. when a subscriber comes in with a LU, CM Service Request or a paging response, that we look at what PLMN it is sending along.
I'm not actually entirely sure of the meaning of the PLMN sent in those l3 compl messages:
if it's just the SIM card's home PLMN we may not need to validate it at all.
The VLR has a comment that we need a local list of LAIs managed by the VLR...
This issue is thus about clarifying those questions and actually implementing things in our code base if needed.

#10 Updated by stsp over 3 years ago

For Location Update Requests, the value is obtained from the SIM:

(GSM 04.08) Location area identification
The location area identification stored in the SIM is used.

CM Service Requests do not contain a PLMN.
The LAI is derived from the subscriber connection in libmsc/gsm_04_08.c:gsm48_rx_mm_serv_req().

Paging responses do not contain a PLMN either.
The LAI is derived from the subscriber connection in libmsc/gsm_04_08.c:gsm48_rx_mm_pag_resp().

Does this information help?

#11 Updated by stsp over 3 years ago

Additionally, vlr_proc_acc_req() receives a LAI but does nothing with it.

#12 Updated by neels over 3 years ago

  • Status changed from New to Feedback

I notice that this patch of yours actually fixes the part in bssmap_rx_l3_compl() to match the cell identifier to the network's PLMN. That's certainly interesting to note here.

The open question is whether we want to validate that the SIM card's PLMN matches the current network.
I assume "disallow mismatching PLMN" vs. "allow this list of PLMN" vs. "allow all PLMN".
Adding this feature is certainly not urgent. A nice thing to do would be to log the mismatch, but then again we also log the IMSI all the time...

Slightly confusing here is that I've created the issue to talk about two completely separate aspects,

  • one is the cell identity of the BSC/RNC during L3 complete,
  • and the other is the SIM card's PLMN to be validated in the VLR.

Remaining now is the SIM<->VLR part.
So, do we have a SIM <-> Network PLMN mismatch test in ttcn3 yet?

#13 Updated by neels over 3 years ago

  • Status changed from Feedback to Rejected

To avoid cross-discussing separate issues, I've created the following issues to replace this one:
#3162 #3163 #3164 #3165

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)