29c3 openbts workshop - mini-workshop

OpenBT

S® Mini-

Workshop

OpenBT

S is a registered trademark of R

ange Netw

orks, Inc.

1

1Saturday, August 6, 2011

GSM

Basics

2


GSM

History

•1982 - C

EPT establishes G

SM group

•1987 - Basic param

eters selected

•1989 - G

SM standardization process m

oved to ETSI

•1990 - Phase 1 spec frozen

•1992 - First com

mercial service

•1995 - Phase 2 spec frozen

•2001 - 500M

GSM

users world-w

ide

•2009 - A

ccounts for about 80% of all cellular service

•2011 - 3G

UM

TS displacing 2G

GSM

in some places, but all 3G

U

MT

S phones still support 2G G

SM

3


GSM

Layers

•Layers sim

ilar to OSI m

odel.

•L1 - physical layer - bits and w

aveforms

•L2 - data link layer - m

akes the link reliable

•L3 - connection m

anagement layer - w

here m

ost of the cellular telephone application happens

4


Physical Layer (L1)

5


Cellular C

oncepts:FD

MA

•Frequency division m

ultiple access: users on different radio frequencies.

•T

he only MA

type in older analog systems.

6

Time

Freq


Cellular C

oncepts:T

DM

A•

Tim

e division multiple access: users share a channel,

using it at different times.

•C

an be sync or async (802.11).

7

Time

Freq


Cellular C

oncepts:FD

MA

and

TD

MA

•G

SM is both FD

MA

and TD

MA

.

•200 kH

z radio channel spacing

•8 tim

eslots per channel

8

Time

Freq


Tim

eslots

from “G

SM for D

umm

ies”, with perm

ission

9


The “A

RFC

N”

•A

bsolute Radio Frequency C

hannel N

umber

•200 kH

z radio channel spacing

•270.833 kH

z radio channel bandwidth

•C

annot use adjacent AR

FCN

s in the same

cell because they overlap.

•A

ssigned in fixed uplink/downlink pairs.

10


Frequency Duplexing

from “G

SM for D

umm

ies”, with perm

ission11


Com

mon G

SM Bands

12

Nam

eU

pD

own

AR

FCN

sR

egions

P-GSM

900890-915

935-9601-124

1, 3

E-GSM

900880-915

925-9600-125,

975-10231, 3

GSM

850824-849

869-894128-251

2

DC

S 18001710-1785

1805-1880512-885

1, 3

PCS 1900

1850-19101930-1990

512-8102


Duplexing

•H

andset and BTS cannot transm

it on the same

frequency at the same tim

e.

•T

DD

- Tim

e Division D

uplexing - Handset and BT

S tim

e transmissions to avoid conflict. T

his is cheapest.

•FD

D - Frequency D

ivision Duplexing - H

andset and BT

S operate on different frequencies. This requires

special RF filters.

•G

SM is FD

D in the BT

S, and both FDD

and

TD

D

for the handset.

13


Frequency Duplexing

from “G

SM for D

umm

ies”, with perm

ission14


Frequency Duplexing

15

“Cavity D

uplexer”


Tim

ing and Power

Control

•BT

S controls output power level of the

handset to maxim

ize battery life and optim

ize receiver performance.

•BT

S controls timing advance of the handset

to prevent collisions of arriving radio bursts.

•T

his happens on the SAC

CH

.

16


Link Layer (L2)

17


The Link Layer

•L3 has variable-length m

essages and assum

es reliable delivery.

•L1 has fixed-length fram

es and loses them

sometim

es.

•L2 connects these so that L3 can use L1.

18


Connection

Managem

ent Layer (L3)

19


GSM

Layer 3

•T

his is where things start to look like a

telephone system.

•Sublayers:

•R

adio Resource (R

R)

•M

obility Managem

ent (MM

)

•C

all Control (C

C)

•Short M

essage Service (SMS)

20


GSM

L3 RR

•R

adio Resource m

anagement.

•A

ssign and release radio channels.

•Page handsets for service.

•G

enerate the beacon.

•D

ata elements are descriptions of physical

layer parameters.

21


GSM

L3 MM

•M

obility Managem

ent.

•K

eep track of what part of the netw

ork is serving a given handset.

•A

uthenticate users.

•D

ata elements are subscriber identities and

authentication tokens.

22


GSM

L3 CC

•C

all Control.

•C

onnect the handset to the telephone sw

itch.

•N

early identical to ISDN

’s Q.931.

•D

ata elements are phone num

bers, call status codes and bearer capability descriptions.

23


GSM

L3 SMS

•SM

S L3 is just a connection layer for SMS

L4.

•Just a pass-through. N

othing really happens in SM

S until you hit L5.

24


Addressing in G

SM

•IM

SI: International Subscriber Mobile

Identity. A 14- 15-digit num

ber in the SIM

that uniquely identifies the subscriber. Encodes identity of issuing carrier, too.

•T

MSI: Tem

porary Subscriber Mobile

Identity. A 32-bit num

ber assigned by the netw

ork that uniquely identifies the subscriber w

ithin that network.

25


Addressing in G

SM

(cont.)

•IM

EI: International Mobile Equipm

ent Identity. A

15-digit number that uniquely

identifies the handset. Encodes m

anufacturer and model. N

ot used much in

GSM

except for fraud detection.

•M

SISDN

: The subscriber’s telephone

number.

26


Addressing in G

SM

(cont.)

•T

he MSISD

N-IM

SI association exists only in the netw

ork, not in the handset.

•T

here is no MSISD

N-IM

EI association.

•If a phone is “locked” that usually m

eans that it w

ill accept SIMs only from

a specific carrier.

27


Introduction to VoIP

28


The O

ld Analog PST

N•

Phone numbers form

an address space, like any other address space.

•A

phone line’s address is determined by w

here it is physically connected to the netw

ork.

•D

ialed numbers (“signaling”) are encoded as tones

in the audio stream (“in-band signaling”).

•T

he switch decodes signaling to connect com

pleted physical circuits betw

een phones.

•“C

ircuit Switched Telephony”

29


70’s-era Analog Sw

itch30


SS7•

Signaling System 7 (SS7) replaced analog lines w

ith synchronous digital ones, but it’s still circuit-sw

itched.

•Signaling and m

edia travel on different logical channels (“out-of-band signaling”).

•Telephony is just an application in the SS7 netw

ork.

•...so is the G

SM core netw

ork.

•T

he switch is just a com

puter, shuffling frames betw

een m

edia channels as instructed by the signaling.

•Phone num

bers are no longer physical addresses, but entries in a routing database.

31


Q.931 C

all SignalingSubscriber

Network

SE

TU

P

CA

LL P

RO

CE

ED

ING

ALE

RT

ING

CO

NN

EC

T

CO

NN

EC

T A

CK

DIS

CO

NN

EC

T

RE

LE

AS

E

RE

LE

AS

E C

OM

PLE

TE

32

Subscriber dials number.

Rem

ote phone ringing.

Rem

ote party answers.

Subscriber hangs up.

Dial tone.

Call connected.


VoIP

•R

eplace circuit-switched SS7 w

ith packet-switched

IP.

•Signaling and m

edia can follow entirely different

paths and use entirely different protocols.

•Telephony is an application running on the internet.

•T

he switch is just a com

puter shuffling packets as directed by the signaling.

•IP netw

ork gives additional layer of addressing.

33


VoIP Specifics: SIP & RT

P

•Session Initiation Protocol (SIP), R

FC-3261,

for signaling.

•SIP header design sim

ilar to HT

TP.

•R

eal-Tim

e Protocol (RTP), R

FC-3550, for

media.

•Both protocols already used internally by m

any telecom carriers, all renam

ed “IMS”.

34


SIP Call Flow

35

SubscriberNetw

orkINVITE

Trying 100Ringing 180

OK 200ACK

BYEACK

Subscriber dials number.

Rem

ote phone ringing.

Rem

ote party answers.

Subscriber hangs up.

Dial tone.

Call connected.


Putting it Together:O

penBTS =

GSM

+ VoIP

36


OpenBT

S Design

Principles

•Put as little functionality as possible into the G

SM-specific softw

are.

•Translate protocols to open standards w

henever possible.

•Exploit external applications w

henever possible.

37


OpenBT

S Design

Principles

•Term

inate L3 RR

inside OpenBT

S to elim

inate the need for a BSC.

•Translate M

M, C

C and SM

S to SIP and let the VoIP softw

are deal with them

.

•M

ost new features w

ill be external modules

on socket interfaces.38


OpenBT

S VoIP Principles

•O

penBTS itself is invisible. T

he VoIP netw

ork sees only the phones.

•Each handset appears as a SIP endpoint at the IP address of its serving BT

S.

•Each handset is a SIP user called “IM

SIxxxxxxxxxxxxxxxx”, where

“xxxxxxxxxxxxxxx” is the IMSI of the SIM

in the handset.

39


Mobile-O

riginated Call

40

SIP

Sw

itch

Op

en

BT

SH

an

dset

IMM

ED

. AS

SIG

N.

CH

AN

. RE

Q.

RT

P tra

ffic

GS

M tra

ffic

CM

SV

C. R

EQ

.

CM

SV

C. A

CC

EP

T

SE

TU

P

INV

ITE

CA

LL P

RO

CE

ED

ING

Sta

tus: 1

82

Rin

gin

gA

LE

RT

ING

Sta

tus: 2

00

OK

CO

NN

EC

T

CO

NN

EC

T A

CK

.

Sta

tus: 1

00

Try

ing


SIP

Sw

itch

Op

en

BT

SH

an

dset

IMM

ED

. AS

SIG

N.

CH

AN

. RE

Q.

RT

P tra

ffic

GS

M tra

ffic

CM

SV

C. R

EQ

.

CM

SV

C. A

CC

EP

T

SE

TU

P

INV

ITE

CA

LL P

RO

CE

ED

ING

Sta

tus: 1

82

Rin

gin

gA

LE

RT

ING

Sta

tus: 2

00

OK

CO

NN

EC

T

CO

NN

EC

T A

CK

.

Sta

tus: 1

00

Try

ing

Mobile-O

riginated Call

41

RR

MM

CC

This is w

here we skip

the encryption step.


SIP

Sw

itch

Op

en

BT

SH

an

dset

IMM

ED

. AS

SIG

N.

CH

AN

. RE

Q.

RT

P tra

ffic

GS

M tra

ffic

CM

SV

C. R

EQ

.

CM

SV

C. A

CC

EP

T

SE

TU

P

INV

ITE

CA

LL P

RO

CE

ED

ING

Sta

tus: 1

82

Rin

gin

gA

LE

RT

ING

Sta

tus: 2

00

OK

CO

NN

EC

T

CO

NN

EC

T A

CK

.

Sta

tus: 1

00

Try

ing

Mobile-O

riginated Call

42


Backhaul Loading

•G

SM FR

codec is about 13 kbit/sec/call.

•A

sterisk can transcode to other codecs ranging from

2.4-64 kbit/sec/call, with

varying quality.

•R

egardless of codec type, RTP overhead is

about 17 kbit/sec/call.

•IA

X overhead is closer to 20 kbit/sec/call,

but can be shared across multiple calls.

43


Backhaul Requirem

ents

44

6.6

.B

AC

KH

AU

LC

APA

CIT

YR

EQ

UIR

EM

EN

TS

61

Table

6.1

:B

ackhaul

bandw

idth

for

vario

us

codec/trunkin

gconfiguratio

ns.

All

rates

inkbit

/sec

and

as-

sum

ing

20

ms

fram

ing.

Codec

per

call

per

call

7calls

7calls

speech

raw

rate

over

RT

Pover

RT

PIA

Xtrunkin

gquality

G.7

11

64

81

567

468

toll-q

uality

GSM

-FR

13

30

210

124

toll-q

uality

G.7

29

825

175

97

near-t

oll-q

uality

Speex

825

175

97

near-t

oll-q

uality

Speex

421

147

60

not

toll-q

uality

LP

C-1

02.4

20

136

37

not

toll-q

uality

OpenBTSAPs

SIP/RTPLocalSw

itchSIP/RTP

SIP/RTP

Rem

oteSw

itch

Satellite-Based Site

PSTN

VoIP

VoIP

T1IAX

IAXIAX

IAX

Fig

ure

6.5

:Pair

ed

OpenSw

itch

servers

for

IAX

trunkin

gin

satellit

e-b

ased

applic

atio

ns. 44

Saturday, August 6, 2011

Using IA

X on V

SAT Links

45

6.6

.B

AC

KH

AU

LC

APA

CIT

YR

EQ

UIR

EM

EN

TS

61

Table

6.1

:B

ackhaul

bandw

idth

for

vario

us

codec/trunkin

gconfiguratio

ns.

All

rates

inkbit

/sec

and

as-

sum

ing

20

ms

fram

ing.

Codec

per

call

per

call

7calls

7calls

speech

raw

rate

over

RT

Pover

RT

PIA

Xtrunkin

gquality

G.7

11

64

81

567

468

toll-q

uality

GSM

-FR

13

30

210

124

toll-q

uality

G.7

29

825

175

97

near-t

oll-q

uality

Speex

825

175

97

near-t

oll-q

uality

Speex

421

147

60

not

toll-q

uality

LP

C-1

02.4

20

136

37

not

toll-q

uality

OpenBTSAPs

SIP/RTPLocalSw

itchSIP/RTP

SIP/RTP

Rem

oteSw

itch

Satellite-Based Site

PSTN

VoIP

VoIP

T1IAX

IAXIAX

IAX

Fig

ure

6.5

:Pair

ed

OpenSw

itch

servers

for

IAX

trunkin

gin

satellit

e-b

ased

applic

atio

ns.


Subscriber Registry

46


The A

uthentication Problem

•T

he IMSI is exposed in m

any places.

•M

aking a SIM w

ith a controlled IMSI is

trivial.

47


GSM

Authentication

•C

hallenge-Response based on shared secret key K

i.

•N

etwork generates 128-bit random

string (RA

ND

) to send to phone.

•Phone encrypts R

AN

D w

ith Ki and a hash function

(A3) to produce SR

ES.

•N

etwork perform

s identical SRES calculation w

ith sam

e RA

ND

, Ki and A

3.

•Phone returns SR

ES and network com

pares results.

48


Cache-Based

Authentication

•C

an be used in OpenBT

S when you don’t know

Ki

or A3 for a SIM

.

•Perform

RA

ND

-SRES exchange and save the result.

•A

ssume the first exchange is valid and allow

access.

•U

se the same R

AN

D for subsequent exchanges

and see if you get the same SR

ES.

•N

ot full authentication, but better than nothing.

49


SIM Param

eters•

To perform R

AN

D-SR

ES authentication, you must

know K

i and the A3 algorithm

used by the SIM.

•SIM

s do not disclose Ki; it is norm

ally known only

by the party that issues the SIM.

•A

3 is usually a variant of CO

MP-128; the current

industry standard is v3.

•To perform

full authentication you must by able to

issue SIMs and have the softw

are to implem

ent the A

3 in those SIMs.

50


Subscriber Registry

•“R

ealtime” A

sterisk using external databases.

•C

ore is an sqlite3 database file, /var/lib/asterisk/sqlite3dir/sqlite3.db.

•H

TT

P interface for remote access.

•SIP interface for registration.

•C

aching Behavior.

51


Subscriber Registry

sip_buddies Table•

Based on pre-existing Asterisk “sip-buddies”

schema w

ith extra per-subscriber fields:

•K

i, the SIM secret key for this subscriber

•R

AN

D, SR

ES, the most recent challenge-

response pair used with this subscriber

•a3a8, the A

3/A8 algorithm

to be used with

this subscriber

52


Subscriber Registry

dialdata_table

•U

sed by Asterisk dialplan for realtim

e num

ber resolution.

•A

simple IM

SI-number m

apping.

•C

alls to unresolvable numbers get passed

up to a higher-level switch.

53


SR R

AN

D-SR

ES A

uthentication via SIP

•SIP Interface; follow

s form of R

FC-2543

Section 14, using

•R

AN

D as the nonce

•A

3 instead of MD

5

•SR

ES as the response

54


SIP-Style Authentication

55

MS

OpenBTS

RegistryCHAN. REQ

.

IMM

ED. ASSIGN.

LOC. UPDATE REQ

.REG

ISTER

401 Unauthorized

LOC. UPDATE ACCEPT

CHAN. REL.

AUTH. REQ.

AUTH. RESP.REG

ISTER

200 OK


SR A

uthentication via H

TT

P

•H

TT

P Interface

•A

d hoc but easy to implem

ent

•Send IM

SI in UR

L, get RA

ND

result.

•Send IM

SI, RA

ND

and SRES in U

RL, get

success/failure result.

56


HT

TP-Based A

uthentication

57

MS

OpenBTS

RegistryCHAN. REQ

.

IMM

ED. ASSIGN.

LOC. UPDATE REQ

.HTTP G

ET

200 OK

LOC. UPDATE ACCEPT

CHAN. REL.

AUTH. REQ.

AUTH. RESP.HTTP G

ET

200 OK


Generating SIM

s

•For full authentication, you m

ust know K

i.

•T

he only way to know

Ki is to put it there

yourself.

•Program

mable SIM

s with w

rite-only Ki

records!

•SIM

-programm

ing SW w

rites new entries

directly in to SR database.

58


SIM Security

•C

OM

P128 and cracking

•SIM

protection

•C

OM

P128v3

•Fraud detection

59


Netw

ork Security

•SR

caching makes isolated nodes robust.

•SR

caching also moves a lot of sensitive

information around the netw

ork.

•Securing the backhaul is critical.

60


Subscriber Security

•C

2.8 generates TM

SIs on a per-BTS basis.

•G

ood: TM

SIs not globally significant

•Bad: Lots of T

MSI reassignm

ents

•C

2.8 does not support A5/x. Future

versions will.

•A

5/1 export restrictions

•A

5/2 depreciation

61


SMS Text M

essaging

62


GSM

SMS

•Session-less transfer over D

m channel.

•A

ddress is ISDN

/E.164 or e-mail.

•M

aximum

payload is 140 bytes, 160 characters in G

SM 7-bit alphabet.

•SM

SC acts as a store-and-forw

ard server, since handsets are only interm

ittently connected.

•SM

S defined in 5 layers on Um

, but 2 of them

are just relays.

63


SIP RFC

-3428

•Session-less transfer over an IP channel.

•A

llows for interm

ediary store-and-forward

servers.

•A

ddressing is same as any other SIP.

•O

penBTS uses M

IME-encoded R

PDU

(application/vnd.3gpp.sm

s).

64


SMS in O

penBTS

•Term

inate SMS L3 and L4 locally.

•Translate SM

S L5 to SIP RFC

-3428 with vnd.

3gpp.sms content.

•O

utgoing RFC

-3428 addressed numerically.

•Inbound R

FC-3428 addressed to IM

SI-derived SIP users.

•C

annot send directly from one handset to

another.

65


Smqueue

•R

FC-3428 store-and-forw

ard server.

•U

ses vnd.3gpp.sms content, m

aking it payload-agnostic.

•Translates SU

MBIT

TPD

Us into D

ELIVER

TPD

Us.

•A

ccepts numeric addresses, resolves to SIP users

with the Subscriber R

egistry.

•In C

2.8, must be running on the sam

e computer

as the subscriber registry.

66


MO

-SMS

smqueue

OpenBTS

Handset

AS

SIG

NM

EN

T

CH

AN

. RE

Q.

CM

SV

C. R

EQ

.

CM

SV

C. A

CC

EP

T

CP

-DA

TA

/RP

-DA

TA

ME

SS

AG

E

CP

-AC

K

CP

-DA

TA

/RP

-AC

K

OK

CP

-AC

K

CH

AN

NE

L R

ELE

AS

E

67


MO

-SMS

smqueue

OpenBTS

Handset

AS

SIG

NM

EN

T

CH

AN

. RE

Q.

CM

SV

C. R

EQ

.

CM

SV

C. A

CC

EP

T

CP

-DA

TA

/RP

-DA

TA

ME

SS

AG

E

CP

-AC

K

CP

-DA

TA

/RP

-AC

K

OK

CP

-AC

K

CH

AN

NE

L R

ELE

AS

E

68


OpenM

essageOpenBTS

MS

MESSAG

EPAG

ING REQ

.

PAGING

RESP.IM

MED. ASSIG

N.CHAN. REQ

.

CP-DATA/RP-DATACP-ACK

CP-DATA/RP-ACK

CP-ACKCHANNEL RELEASE

OK M

T-SMS

69


OpenM

essageOpenBTS

MS

MESSAG

EPAG

ING REQ

.

PAGING

RESP.IM

MED. ASSIG

N.CHAN. REQ

.

CP-DATA/RP-DATACP-ACK

CP-DATA/RP-ACK

CP-ACKCHANNEL RELEASE

OK M

T-SMS

70


Short Codes

•Short codes are special SM

S addresses that go to program

s instead of to other users.

•Short codes can be used to build interactive applications based on SM

S.

•Sm

queue supports sort codes, but the functions m

ust be hard-coded into the system

.

71


Short Code Exam

ple: A

uto-Provisioning•

Short code function adds a new SIP user

and a new dialplan entry in the Subscriber

Registry.

•C

an be used for automatic provisioning in

some applications.

•O

nly effective if used with open

registration.

72


Connecting SM

S to the O

utside World

•Em

ail gateways

•the return address problem

•SIP R

FC-3428 gatew

ays

•the registration problem

•SM

PP

•T

he dual-address problem.

•N

ew trends in com

bined VoIP services (Voxbone and Voxeo).

73


Connecting to the

PSTN74


VoIP Carrier Services

75

•R

oute outbound calls to the PSTN

(“origination”)

•Lease D

ID (“direct inbound dialed”) E.164

addresses (“telephone numbers”)

•R

oute inbound calls from PST

N to D

IDs

(“termination”)

•G

enerate billing records (CD

Rs)


VoIP Carrier Prices

•D

ID leases typically run $0.25/m

o - $5/mo

depending on

•quantity

•w

here numbers are located

•C

alling rates typically run $0.003/min - $0.050/

min. depending on

•quantity

•call destination

76


VoIP Carrier Technical

Connection

•N

early all support SIP/RTP; m

any support IA

X, too.

•N

early all support G.711 (a-law

/mu-law

) and G

.729 (AD

PCM

); some support G

SM

full-rate directly.

•T

he interface to the carrier appears as a SIP or IA

X user in the gatew

ay switch

configuration.

77


Putting It All Together

78


79

"Transcevier"Radiom

odem

Full-BandDigital RadioTransceiver

"OpenBTS"

GSM

/SIPProtocol Processor

USB2

UD

P

smqueue

RFC-3428SM

S Processor

SIP/IAXSoftswitch

subscriber registryDatabase/Server

IP NetworkInterface

SIP

SIPSQ

L

SIP/RTPSIP/RTP

IAX

SIPH

TTP/S

SIPSM

TPSQ

L

SQL

IP Netw

ork

SIP/RTPIAX

HTTP/S

SMTP

Inside Each BTS N

ode79

Saturday, August 6, 2011

private IP netw

ork

SIP/RTPIAX

HTTP/S

SMTP

OpenBTS

cell sites

SIP/RTPIAX

HTTP/S

public IP netw

ork

PSTN

SIP/RTPIAX

ISDN

/SS7

SIP switch &

subscriber registry

smqueue

SIP

SMTP

otherservices

HTTP/S

VoIP Carriers

SIP/RTPIAX

ISDN

/SS7

80

A Full N

etwork


Mobility

81


Some C

onfusion

•Handove

r - The ability to transfer a live

call from one cell to another. A

nd in GSM

it’s call “handover”, not “handoff”.

•Roaming - T

he ability to integrate call routing and billing w

ith other carriers.

•Mobility

- The ability to transfer service

as a handset moves from

one cell to another.

82


Dependencies

•You need m

obility to support handover.

•You do not need handover to support m

obility.

•You need m

obility to support roaming.

•You do not need handover to support roam

ing.

•You do not need roam

ing to support m

obility.

83


Simple M

obility84

AC Bprivate IP netw

ork

SIP switch

subscriber registrysm

queue

OpenBTSAPs

public IP netw

ork

PSTN

CentralServer


Good

•Leverages existing dynam

ic-host support for SIP users.

•SIP core netw

ork needs no information

about the BTS units.

•RT

P traffic can still be shortest-path routing.

85


Not So G

ood

•H

andsets must register every tim

e they change cells.

•C

entral server is a central point of failure.

•Loss of backhaul shuts dow

n a cell.

86


Better Mobility

87

1A

private IP netw

orkCS

OpenBTSAPs

2B

public IP netw

ork

PSTN

S1

SIP switch


queue

S2

1B1C2A2CSIP sw

itchsubscriber registry

smqueue

SIP switch


queue


29c3 openbts workshop - mini-workshop

Documents