Project

General

Profile

Feature #2461

Updated by neels over 2 years ago

Currently the "encryption" parameter lets define which cipher is allowed by BSC, but only one can be allowed at a given time: "encryption a5 (0|1|2|3)".

In AoIP protocol, however, the cipher is negotiated between MSC<->BSC (BSC interesected with BTS and MS capabilities). Once "Authentication Response" reaches MSC with correct challenge response, the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers.

Tests in osmo-gsm-tester showed that currently if "encryption a5 X" is set in osmo-msc, then same config (with X) must also be applied to osmo-bsc, otherwise the set of ciphers coming from MSC will be rejected. The osmo-bsc encryption settings need improvement.

Proposed way:
The cipher should be negotiated between MSC, BSC and MS:

*
in this case, needs to intersect the MSC allows a set of a5/x received by VTY configuration (the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers).
*
set of supported ciphers by te MS and the BSC should know which a5/x set of supported ciphers by the connected BTS hardware supports, which BTS, and return the user tells us by VTY configuration.
*
intersection or send back a "Reject" if intersection is void.

The list of ciphers supported by MS is received as explained in 3GPP TS 24.008: classmark 1 says whether a5/1 is supported, classmark 2 has a5/3 and a5/2 and classmark 3 has the rest of them.

The list of ciphers supported by the BTS is unknown. We need have 2 options here:
# In BSC VTY, move the "encryption" parameter from net->encryption
to intersect these three capabilites/requirements and pick the highest possible a5/x (except never allow a5/2), net->bts[N]->encryption, that is, make it per-BTS. It should also be converted to a bitmask or send back a "Reject" if intersection is void.

projected osmo-bsc behavior:

* By default, accept all A5/x (except 2)
list as explained in osmo-bsc. #2460.
* Allow the user # Remove "encryption" parameter from BSC VTY, and expect every BTS to pick a subset send list of allowed a5/x via VTY command, globally.
* And/or we could allow setting an A5/x bitmask on per-BTS VTY config.
ciphers to BSC. (Not sure if this is currently possible).

e.g.

<pre>
encryption a5 <0..7> [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>]
</pre>

allowing

<pre>
encryption a5 0 1 3
</pre>

Back

Add picture from clipboard (Maximum size: 48.8 MB)