Bug #6400

closed

osmo-epdg: AAA: missing implementation: S6b "Service Authorization Information Update Procedures"

Added by pespin about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 03/13/2024
Due date:
% Done: 100%


Description

S6b is defined in 3GPP TS 29.273, and is the Diameter interface between AAA-Server and PGW (open5gs-smfd).

We still miss the Re-auth procedure (9.1.2.5, 9.2.2.6), which is not really needed for now afaict:

9.1.2.5 Service Authorization Information Update Procedures
- S6b Re-authorization request PGW->AAA
- S6b Re-authorization response PGW<-AAA

Related issues

Related to osmo-ePDG - VoWifi Evolved Packet Data Gateway - Feature #6404: osmo-epdg: AAA: missing propagation of SWx "HSS Initiated Update of User Profile Procedure" - Resolved - pespin - 03/14/2024

#1

Updated by pespin about 1 month ago

3GPP TS 29.273 9.1.2.5.1:

The S6b reference point allows the 3GPP AAA server to modify the authorization information
previously provided to the PDN GW, [ during ... or] Service Authorization using PMIPv6 or 
GTPv2 or MIPv4, or the service authorization information provided during a previous Service Authorization update.
This procedure is triggered by the modification of the non-3GPP profile of the UE or by
activating or deactivating subscriber and equipment trace in the HSS or by the request of a P-CSCF restoration for
WLAN. 

*This procedure is also triggered by the authentication and authorization via STa or SWm, when the 3GPP AAA
Server detects that an S6b session already exists for the UE, as specified in clause 5.1.2.1.2 and 7.1.2.1.2. In this case,
the 3GPP AAA Server shall use this procedure to send the trust relationship to the PDN GW.*

So AFAIU we need to send Re-Auth-Request (RAR) (9.2.2.6.1) from AAA-server to the PGW in 2 scenarios:
- When we receive AAR from SWm (ePDG) and we already have an S6b session.
- When we receive PPR from SWx (HSS) (see https://osmocom.org/issues/6404)

#2

Updated by pespin about 1 month ago

  • Related to Feature #6404: osmo-epdg: AAA: missing propagation of SWx "HSS Initiated Update of User Profile Procedure" added

#3

Updated by pespin about 1 month ago

  • Subject changed from osmo-epdg: missing implementation: S6b "Service Authorization Information Update Procedures" to osmo-epdg: AAA: missing implementation: S6b "Service Authorization Information Update Procedures"

#4

Updated by pespin about 1 month ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 60

- When we receive PPR from SWx (HSS) (see https://osmocom.org/issues/6404)

Implemented and tested here:
https://gerrit.osmocom.org/c/erlang/osmo-epdg/+/36308 Propagate SWx PPR as S6b Re-Auth-Request
https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36307 epdg: TC_hss_initiated_update_user_profile: test SWx PPR -> S6b RAR propagation

- When we receive AAR from SWm (ePDG) and we already have an S6b session.

TODO

#5

Updated by pespin about 1 month ago

7.1.2.1.2
Upon receiving the authentication and authorization request from the ePDG, the 3GPP AAA Server marks the trust
relationship as "untrusted" with the User Identity. If the 3GPP AAA Server detects that an S6b session already exists for
this UE and the S6b session was established as a result of an authentication request for DSMIPv6, the 3GPP AAA
Server shall send the trust relationship to the PDN GW as specified in clause 9.1.2.5.

According to the text above, this case only seems to be needed for DSMIPv6?

BTW, in TC_hss_initiated_update_user_profile we are probably missing step 2 in here:

The Service Authorization Information Update procedure is performed in two steps:
1. The 3GPP AAA server issues an unsolicited re-authentication and/or re-authorization request towards the PDN
GW. Upon receipt of this request, the PDN GW responds to the request and indicates the disposition of the
request. If the re-authorization request is used for the purpose of the P-CSCF restoration for WLAN, only the
P-CSCF Restoration Request bit shall be set in the RAR Flags. This procedure is based on the reuse of Diameter
RAR and RAA commands as specified in IETF RFC 6733 [58]. The information element content for these
messages is shown in tables 9.1.2.5.1/1 and 9.1.2.5.1/2.
2. After receiving the re-authorization request, the PDN GW invokes the authorization procedure for the APN
identified by the session ID included in the former re-authorization request message. The authorization
procedure for PMIPv6 or GTPv2 is described in the clause 9.1.2.2. Tables 9.1.2.5.1/3 and 9.1.2.5.1/4 describe
the message contents in case of DSMIPv6.

That's basically sending a new AAR + AAA in S6b when receiving RAR+RAA.
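
The two triggers and the two-step RAR/RAA then AAR/AAA exchange discussed in this ticket, as an added Python model (not code from osmo-epdg, which is written in Erlang, nor from the ticket author). The class and method names, IMSIs and Session-Id strings are constructed for illustration; the Result-Code values are from RFC 6733, and the SWm trigger follows the DSMIPv6-only reading of the quoted clause 7.1.2.1.2.

```python
DIAMETER_SUCCESS = 2001             # RFC 6733 Result-Code
DIAMETER_UNKNOWN_SESSION_ID = 5002  # RFC 6733 Result-Code

class Pgw:
    """Toy PDN GW: knows which S6b sessions it holds (constructed model)."""
    def __init__(self, sessions):
        self.sessions = set(sessions)

    def on_rar(self, session_id):
        # Step 1: answer the RAR; step 2: on success, re-run authorization (AAR).
        if session_id not in self.sessions:
            return [("RAA", session_id, DIAMETER_UNKNOWN_SESSION_ID)]
        return [("RAA", session_id, DIAMETER_SUCCESS), ("AAR", session_id, None)]

class AaaServer:
    """Toy 3GPP AAA server: one S6b session per IMSI (constructed model)."""
    def __init__(self, pgw):
        self.pgw = pgw
        self.s6b = {}     # imsi -> (session_id, established_for_dsmipv6)
        self.trace = []   # (direction, command, session_id, result_code)

    def _reauthorize(self, session_id):
        self.trace.append(("AAA->PGW", "RAR", session_id, None))
        for cmd, sid, rc in self.pgw.on_rar(session_id):
            self.trace.append(("PGW->AAA", cmd, sid, rc))
            if cmd == "AAR":  # answer the follow-up authorization request
                self.trace.append(("AAA->PGW", "AAA", sid, DIAMETER_SUCCESS))

    def on_swx_ppr(self, imsi):
        # Trigger 1: HSS pushed a profile update; propagate only if an S6b session exists.
        if imsi in self.s6b:
            self._reauthorize(self.s6b[imsi][0])

    def on_swm_auth(self, imsi):
        # Trigger 2, read per the quoted 7.1.2.1.2: only DSMIPv6-established sessions.
        sid, dsmipv6 = self.s6b.get(imsi, (None, False))
        if sid and dsmipv6:
            self._reauthorize(sid)

def demo():
    aaa = AaaServer(Pgw({"pgw;1;gtp"}))
    aaa.s6b = {"001010000000001": ("pgw;1;gtp", False),   # constructed sample data
               "001010000000002": ("pgw;2;stale", True)}
    aaa.on_swx_ppr("001010000000001")   # full RAR/RAA followed by AAR/AAA
    aaa.on_swm_auth("001010000000001")  # non-DSMIPv6 session: no RAR sent
    aaa.on_swm_auth("001010000000002")  # DSMIPv6 session the PGW no longer knows
    aaa.on_swx_ppr("001010000000009")   # no S6b session: nothing sent
    return [(cmd, rc) for _, cmd, _, rc in aaa.trace]
```
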

#6

Updated by pespin about 1 month ago

  • Status changed from In Progress to Feedback
  • % Done changed from 60 to 90

BTW, in TC_hss_initiated_update_user_profile we are probably missing step 2 in here:
...
That's basically sending a new AAR + AAA in S6b when receiving RAR+RAA.

Done in last version of the patchset now in gerrit. Once merged, this ticket can be closed.

#7

Updated by pespin about 1 month ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Merged, closing.
