Feature #2461

Updated by neels over 6 years ago

Currently the "encryption" parameter lets you define which cipher is allowed by the BSC, but only one can be allowed at a given time: "encryption a5 (0|1|2|3)". 

 In the AoIP protocol, however, the cipher is negotiated between MSC<->BSC (BSC intersected with BTS and MS capabilities). Once the "Authentication Response" reaches the MSC with the correct challenge response, the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers. 

 Tests in osmo-gsm-tester showed that currently if "encryption a5 X" is set in osmo-msc, then the same config (with X) must also be applied to osmo-bsc, otherwise the set of ciphers coming from the MSC will be rejected. The osmo-bsc encryption settings need improvement. 

 Proposed way: 
 The cipher should be negotiated between MSC, BSC and MS: 

 * the MSC allows a set of a5/x (the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers). 
 * set of supported ciphers by the MS. 
 * set of supported ciphers by the BTS: the BSC should know which a5/x the connected BTS hardware supports, which the user tells us by VTY configuration. 
 * the BSC, in this case, needs to intersect these three capabilities/requirements and pick the highest possible a5/x (except never allow a5/2), and return the intersection or send back a "Reject" if intersection is void. 

 The list of ciphers supported by MS is received as explained in 3GPP TS 24.008: classmark 1 says whether a5/1 is supported, classmark 2 has a5/3 and a5/2 and classmark 3 has the rest of them. 

 The list of ciphers supported by the BTS is unknown. We have 2 options here: 
 # In BSC VTY, move the "encryption" parameter from net->encryption to net->bts[N]->encryption, that is, make it per-BTS. It should also be converted to a bitmask list as explained in #2460. 
 # Remove "encryption" parameter from BSC VTY, and expect every BTS to send list of allowed ciphers to BSC. (Not sure if this is currently possible). 

 projected osmo-bsc behavior: 

 * By default, accept all A5/x (except 2) in osmo-bsc. 
 * Allow the user to pick a subset of allowed a5/x via VTY command, globally. 
 * And/or we could allow setting an A5/x bitmask on per-BTS VTY config. 

 e.g. 

 <pre> 
 encryption a5 <0..7> [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] 
 </pre> 

 allowing 

 <pre> 
 encryption a5 0 1 3 
 </pre>
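
The negotiation described in this ticket, sketched as an added example (not osmo-bsc code and not part of the original ticket): the three capability sets are intersected, A5/2 is always excluded, the highest remaining A5/n is chosen, and a void intersection means "Reject". The function names are hypothetical, and the layout "bit n set means A5/n is allowed" is an assumption of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed layout for this example: bit n set means A5/n is allowed. */
#define A5_BIT(n) ((uint8_t)(1u << (n)))

/* Build a mask from the argument list of the proposed VTY command,
 * e.g. "0 1 3" for "encryption a5 0 1 3".
 * Returns -1 if any token is not a number in 0..7. */
int a5_mask_from_vty(const char *args)
{
	uint8_t mask = 0;
	const char *p = args;

	while (*p) {
		char *end;
		long n;

		while (*p == ' ')
			p++;
		if (!*p)
			break;
		n = strtol(p, &end, 10);
		if (end == p || n < 0 || n > 7 || (*end && *end != ' '))
			return -1;
		mask |= A5_BIT(n);
		p = end;
	}
	return mask;
}

/* Intersect what the MSC permits, what the MS supports and what is
 * configured for the BTS, never allowing A5/2. Returns the highest
 * common A5/n, or -1 when the intersection is void ("Reject"). */
int a5_select(uint8_t msc_mask, uint8_t ms_mask, uint8_t bts_mask)
{
	uint8_t common = msc_mask & ms_mask & bts_mask & (uint8_t)~A5_BIT(2);
	int n;

	for (n = 7; n >= 0; n--)
		if (common & A5_BIT(n))
			return n;
	return -1;
}
```

With "encryption a5 0 1 3" on both sides and an MS that supports A5/0 through A5/3, the selection is A5/3; an MSC that permits only A5/2 yields a reject regardless of the other two sets.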
