Feature #2461
Updated by neels over 6 years ago
Currently the "encryption" parameter lets define which cipher is allowed by BSC, but only one can be allowed at a given time: "encryption a5 (0|1|2|3)". In AoIP protocol, however, the cipher is negotiated between MSC<->BSC (BSC interesected with BTS and MS capabilities). Once "Authentication Response" reaches MSC with correct challenge response, the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers. Tests in osmo-gsm-tester showed that currently if "encryption a5 X" is set in osmo-msc, then same config (with X) must also be applied to osmo-bsc, otherwise the set of ciphers coming from MSC will be rejected. The osmo-bsc encryption settings need improvement. Proposed way: The cipher should be negotiated between MSC, BSC and MS: * in this case, needs to intersect the MSC allows a set of a5/x received by VTY configuration (the MSC sends a "Cipher Mode Command" to the BSC with a bitmask stating the allowed ciphers). * set of supported ciphers by te MS and the BSC should know which a5/x set of supported ciphers by the connected BTS hardware supports, which BTS, and return the user tells us by VTY configuration. * intersection or send back a "Reject" if intersection is void. The list of ciphers supported by MS is received as explained in 3GPP TS 24.008: classmark 1 says whether a5/1 is supported, classmark 2 has a5/3 and a5/2 and classmark 3 has the rest of them. The list of ciphers supported by the BTS is unknown. We need have 2 options here: # In BSC VTY, move the "encryption" parameter from net->encryption to intersect these three capabilites/requirements and pick the highest possible a5/x (except never allow a5/2), net->bts[N]->encryption, that is, make it per-BTS. It should also be converted to a bitmask or send back a "Reject" if intersection is void. projected osmo-bsc behavior: * By default, accept all A5/x (except 2) list as explained in osmo-bsc. #2460. * Allow the user # Remove "encryption" parameter from BSC VTY, and expect every BTS to pick a subset send list of allowed a5/x via VTY command, globally. * And/or we could allow setting an A5/x bitmask on per-BTS VTY config. ciphers to BSC. (Not sure if this is currently possible). e.g. <pre> encryption a5 <0..7> [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] [<0..7>] </pre> allowing <pre> encryption a5 0 1 3 </pre>