Feature #5904
openHNBAP Register Request handling does checks that seem to make no sense
0%
Description
Looking at this code, a couple of things seem to make no sense:
- we are using getpeername() to compare the remote address of the current ctx to all other hnb. But we are handling a PDU in an accept()ed connection, and the hnb_context *ctx has already been looked up according to the remote address the PDU was received from.
- assuming there are two connections from the same remote address, what do we care about the IP address? if there are two HNB entities connecting via two distinct conns, so be it, from the same address or not. We should only care about the HNB id (LAC,SAC,RAC,CID,MCC,MNC identity)
- assuming we want to check the remote address: in the error checking path of failed getpeername(), we are still going on to compare as if the result from getpeername() was valid.
- the loop is guarding against two HNB registering with identical HNB id.
- When this occurs from the same remote address, we discard the old hnb_context. However, in practice it seems that instead of allocating another hnb_context on the same remote address, instead the HNB-Register-Req is dispatched to the same hnb_context in osmo-hnbgw, and this loop is essentially skipped (the log often shows the "(duplicated)" at the bottom of the function).
- When this occurs from a different remote address, we reject the new hnb_context (bottom of the loop body). Now, in recent efforts to hunt down UE state leaks in osmo-hnbgw, it became clear that a HNB disconnecting may go unnoticed. Imagine a HNB's conn being disrupted, its state still present in osmo-hnbgw. If a new conn is established for this HNB from another remote address, we refuse this new connection, favoring the disrupted connection. It may be frustrating for a user trying to reconnect a HNB via a different link. The comment names two reasons:
- misconfiguration: it is the user's responsibility to configure distinct HNBs with distinct identities. Is it helpful to refuse a new connection when a previous connection became stale and lingers? It may avoid oscillation of two HNBs with same id competing, but it is also hard to recover from a failed link when refusing new connections.
- impersonation: we have no authentication of HNB, we are utterly incapable of avoiding impersonation anyway.
3GPP TS 25.469 8.2.4 Abnormal Conditions:
"""
If the HNB-GW receives a duplicate HNB REGISTER REQUEST (i.e. for an already registered HNB identified by the
unique HNB identity), then the new HNB REGISTER REQUEST shall override the existing registration and the
handling of the new HNB REGISTER REQUEST is according to section 8.2.
"""
- this patch introduced the reject on duplicate HNB REGISTER REQ: https://gitea.osmocom.org/cellular-infrastructure/osmo-iuh/commit/c964a2cfa1b08e5bbda5d721a7a0095d26b53791
- this patch introduced accepting the new HNB REGISTER REQ when from the same address: https://gitea.osmocom.org/cellular-infrastructure/osmo-hnbgw/commit/12bc4afab3096c60554cd6d43fa11840bd76228c
It seems the initial motion to reject a duplicate HNB REGISTER was wrong, and the newer patch tried to alleviate this, but still kept the rejection based on the remote address for reasons not named.
My idea for this is:- do not check remote addresses at all.
- compare only HNB IDs. If they match, always discard the old hnb_context, allow the new HNB register.
To test this, I implemented this behavior, and HNBGW_Tests.ttcn3 still succeed
(with only the expected failure of TC_hnb_register_duplicate() that no longer gets the HNB Register Reject it wants to see)
https://gerrit.osmocom.org/c/osmo-hnbgw/+/31289
feedback welcome
