29c3 OpenBTS workshop - Mini-Workshop
 

Event: https://events.ccc.de/congress/2012/wiki/OpenBTS_workshop

Video: http://www.youtube.com/playlist?list=PLifX8tOt8ajpmUnIabqsqMD0MxcCHNI08

    Document Transcript

    Slide 1: OpenBTS® Mini-Workshop
      OpenBTS is a registered trademark of Range Networks, Inc.
      (Slide footer: Saturday, August 6, 2011)

    Slide 2: GSM Basics

    Slide 3: GSM History
      • 1982 - CEPT establishes GSM group
      • 1987 - Basic parameters selected
      • 1989 - GSM standardization process moved to ETSI
      • 1990 - Phase 1 spec frozen
      • 1992 - First commercial service
      • 1995 - Phase 2 spec frozen
      • 2001 - 500M GSM users world-wide
      • 2009 - Accounts for about 80% of all cellular service
      • 2011 - 3G UMTS displacing 2G GSM in some places, but all 3G UMTS phones still support 2G GSM

    Slide 4: GSM Layers
      • Layers similar to the OSI model.
      • L1 - physical layer - bits and waveforms
      • L2 - data link layer - makes the link reliable
      • L3 - connection management layer - where most of the cellular telephone application happens

    Slide 5: Physical Layer (L1)
    Slide 6: Cellular Concepts: FDMA
      • Frequency division multiple access: users on different radio frequencies.
      • The only MA type in older analog systems.
      (Diagram: channel allocation plotted as frequency vs. time.)

    Slide 7: Cellular Concepts: TDMA
      • Time division multiple access: users share a channel, using it at different times.
      • Can be sync or async (802.11).
      (Diagram: channel allocation plotted as frequency vs. time.)

    Slide 8: Cellular Concepts: FDMA and TDMA
      • GSM is both FDMA and TDMA.
      • 200 kHz radio channel spacing
      • 8 timeslots per channel
      (Diagram: channel allocation plotted as frequency vs. time.)

    Slide 9: Timeslots
      (Figure from "GSM for Dummies", with permission.)

    Slide 10: The "ARFCN"
      • Absolute Radio Frequency Channel Number
      • 200 kHz radio channel spacing
      • 270.833 kHz radio channel bandwidth
      • Cannot use adjacent ARFCNs in the same cell because they overlap.
      • Assigned in fixed uplink/downlink pairs.

    Slide 11: Frequency Duplexing
      (Figure from "GSM for Dummies", with permission.)

    Slide 12: Common GSM Bands (frequencies in MHz)
      Name        Uplink      Downlink    ARFCNs             Regions
      P-GSM 900   890-915     935-960     1-124              1, 3
      E-GSM 900   880-915     925-960     0-125, 975-1023    1, 3
      GSM 850     824-849     869-894     128-251            2
      DCS 1800    1710-1785   1805-1880   512-885            1, 3
      PCS 1900    1850-1910   1930-1990   512-810            2
    Slide 13: Duplexing
      • Handset and BTS cannot transmit on the same frequency at the same time.
      • TDD - Time Division Duplexing - Handset and BTS time their transmissions to avoid conflict. This is cheapest.
      • FDD - Frequency Division Duplexing - Handset and BTS operate on different frequencies. This requires special RF filters.
      • GSM is FDD in the BTS, and both FDD and TDD for the handset.

    Slide 14: Frequency Duplexing
      (Figure from "GSM for Dummies", with permission.)

    Slide 15: Frequency Duplexing
      (Photo: "Cavity Duplexer".)

    Slide 16: Timing and Power Control
      • BTS controls the output power level of the handset to maximize battery life and optimize receiver performance.
      • BTS controls the timing advance of the handset to prevent collisions of arriving radio bursts.
      • This happens on the SACCH.
    Slide 17: Link Layer (L2)

    Slide 18: The Link Layer
      • L3 has variable-length messages and assumes reliable delivery.
      • L1 has fixed-length frames and loses them sometimes.
      • L2 connects these so that L3 can use L1.

    Slide 19: Connection Management Layer (L3)

    Slide 20: GSM Layer 3
      • This is where things start to look like a telephone system.
      • Sublayers:
        • Radio Resource (RR)
        • Mobility Management (MM)
        • Call Control (CC)
        • Short Message Service (SMS)

    Slide 21: GSM L3 RR
      • Radio Resource management.
      • Assign and release radio channels.
      • Page handsets for service.
      • Generate the beacon.
      • Data elements are descriptions of physical layer parameters.

    Slide 22: GSM L3 MM
      • Mobility Management.
      • Keep track of what part of the network is serving a given handset.
      • Authenticate users.
      • Data elements are subscriber identities and authentication tokens.

    Slide 23: GSM L3 CC
      • Call Control.
      • Connect the handset to the telephone switch.
      • Nearly identical to ISDN's Q.931.
      • Data elements are phone numbers, call status codes and bearer capability descriptions.

    Slide 24: GSM L3 SMS
      • SMS L3 is just a connection layer for SMS L4.
      • Just a pass-through. Nothing really happens in SMS until you hit L5.

    Slide 25: Addressing in GSM
      • IMSI: International Mobile Subscriber Identity. A 14- to 15-digit number in the SIM that uniquely identifies the subscriber. Encodes the identity of the issuing carrier, too.
      • TMSI: Temporary Mobile Subscriber Identity. A 32-bit number assigned by the network that uniquely identifies the subscriber within that network.

    Slide 26: Addressing in GSM (cont.)
      • IMEI: International Mobile Equipment Identity. A 15-digit number that uniquely identifies the handset. Encodes manufacturer and model. Not used much in GSM except for fraud detection.
      • MSISDN: The subscriber's telephone number.

    Slide 27: Addressing in GSM (cont.)
      • The MSISDN-IMSI association exists only in the network, not in the handset.
      • There is no MSISDN-IMEI association.
      • If a phone is "locked", that usually means that it will accept SIMs only from a specific carrier.
    Slide 28: Introduction to VoIP

    Slide 29: The Old Analog PSTN
      • Phone numbers form an address space, like any other address space.
      • A phone line's address is determined by where it is physically connected to the network.
      • Dialed numbers ("signaling") are encoded as tones in the audio stream ("in-band signaling").
      • The switch decodes signaling to connect completed physical circuits between phones.
      • "Circuit Switched Telephony"

    Slide 30: 70's-era Analog Switch
      (Photo.)

    Slide 31: SS7
      • Signaling System 7 (SS7) replaced analog lines with synchronous digital ones, but it's still circuit-switched.
      • Signaling and media travel on different logical channels ("out-of-band signaling").
      • Telephony is just an application in the SS7 network.
      • ...so is the GSM core network.
      • The switch is just a computer, shuffling frames between media channels as instructed by the signaling.
      • Phone numbers are no longer physical addresses, but entries in a routing database.

    Slide 32: Q.931 Call Signaling (message sequence between Subscriber and Network)
      Subscriber dials number.
        Subscriber -> Network: SETUP
        Network -> Subscriber: CALL PROCEEDING
      Remote phone ringing.
        Network -> Subscriber: ALERTING
      Remote party answers.
        Network -> Subscriber: CONNECT
        Subscriber -> Network: CONNECT ACK
      Call connected.
      Subscriber hangs up.
        Subscriber -> Network: DISCONNECT
        Network -> Subscriber: RELEASE
        Subscriber -> Network: RELEASE COMPLETE
      Dial tone.

    Slide 33: VoIP
      • Replace circuit-switched SS7 with packet-switched IP.
      • Signaling and media can follow entirely different paths and use entirely different protocols.
      • Telephony is an application running on the internet.
      • The switch is just a computer shuffling packets as directed by the signaling.
      • The IP network gives an additional layer of addressing.

    Slide 34: VoIP Specifics: SIP & RTP
      • Session Initiation Protocol (SIP), RFC-3261, for signaling.
      • SIP header design similar to HTTP.
      • Real-Time Protocol (RTP), RFC-3550, for media.
      • Both protocols already used internally by many telecom carriers, all renamed "IMS".

    Slide 35: SIP Call Flow (message sequence between Subscriber and Network)
      Subscriber dials number.
        Subscriber -> Network: INVITE
        Network -> Subscriber: 100 Trying
      Remote phone ringing.
        Network -> Subscriber: 180 Ringing
      Remote party answers.
        Network -> Subscriber: 200 OK
        Subscriber -> Network: ACK
      Call connected.
      Subscriber hangs up.
        Subscriber -> Network: BYE
        Network -> Subscriber: ACK
      Dial tone.
    Slide 36: Putting it Together: OpenBTS = GSM + VoIP

    Slide 37: OpenBTS Design Principles
      • Put as little functionality as possible into the GSM-specific software.
      • Translate protocols to open standards whenever possible.
      • Exploit external applications whenever possible.

    Slide 38: OpenBTS Design Principles
      • Terminate L3 RR inside OpenBTS to eliminate the need for a BSC.
      • Translate MM, CC and SMS to SIP and let the VoIP software deal with them.
      • Most new features will be external modules on socket interfaces.

    Slide 39: OpenBTS VoIP Principles
      • OpenBTS itself is invisible. The VoIP network sees only the phones.
      • Each handset appears as a SIP endpoint at the IP address of its serving BTS.
      • Each handset is a SIP user called "IMSIxxxxxxxxxxxxxxx", where "xxxxxxxxxxxxxxx" is the IMSI of the SIM in the handset.

    Slide 40: Mobile-Originated Call (message sequence: Handset, OpenBTS, SIP Switch)
      GSM traffic (Handset <-> OpenBTS) and RTP traffic (OpenBTS <-> SIP Switch):
        Handset -> OpenBTS: CHAN. REQ.
        OpenBTS -> Handset: IMMED. ASSIGN.
        Handset -> OpenBTS: CM SVC. REQ.
        OpenBTS -> Handset: CM SVC. ACCEPT
        Handset -> OpenBTS: SETUP
        OpenBTS -> SIP Switch: INVITE
        OpenBTS -> Handset: CALL PROCEEDING
        SIP Switch -> OpenBTS: Status: 100 Trying
        SIP Switch -> OpenBTS: Status: 182 Ringing
        OpenBTS -> Handset: ALERTING
        SIP Switch -> OpenBTS: Status: 200 OK
        OpenBTS -> Handset: CONNECT
        Handset -> OpenBTS: CONNECT ACK.
        RTP traffic flows between OpenBTS and the SIP Switch; GSM traffic flows between the Handset and OpenBTS.

    Slide 41: Mobile-Originated Call (same sequence as slide 40, annotated by L3 sublayer)
      • RR: CHAN. REQ., IMMED. ASSIGN.
      • MM: CM SVC. REQ., CM SVC. ACCEPT. "This is where we skip the encryption step."
      • CC: SETUP, INVITE, CALL PROCEEDING, Status: 100 Trying, Status: 182 Ringing, Status: 200 OK, ALERTING, CONNECT, CONNECT ACK.
      • Then RTP traffic (OpenBTS <-> SIP Switch) and GSM traffic (Handset <-> OpenBTS).

    Slide 42: Mobile-Originated Call
      (Repeats the message sequence of slide 40.)
    Slide 43: Backhaul Loading
      • GSM FR codec is about 13 kbit/sec/call.
      • Asterisk can transcode to other codecs ranging from 2.4-64 kbit/sec/call, with varying quality.
      • Regardless of codec type, RTP overhead is about 17 kbit/sec/call.
      • IAX overhead is closer to 20 kbit/sec/call, but can be shared across multiple calls.

    Slide 44: Backhaul Requirements
      Table 6.1: Backhaul bandwidth for various codec/trunking configurations. All rates in kbit/sec and assuming 20 ms framing.
      Codec    per call   per call    7 calls     7 calls         speech quality
               raw rate   over RTP    over RTP    IAX trunking
      G.711    64         81          567         468             toll-quality
      GSM-FR   13         30          210         124             toll-quality
      G.729    8          25          175         97              near-toll-quality
      Speex    8          25          175         97              near-toll-quality
      Speex    4          21          147         60              not toll-quality
      LPC-10   2.4        20          136         37              not toll-quality

    Slide 45: Using IAX on VSAT Links
      Figure 6.5: Paired OpenSwitch servers for IAX trunking in satellite-based applications.
      (Diagram components: OpenBTS APs at the satellite-based site, a local VoIP switch reached over SIP/RTP, an IAX trunk across the satellite link to a remote VoIP switch, and a T1 from the remote switch to the PSTN.)
    Slide 46: Subscriber Registry

    Slide 47: The Authentication Problem
      • The IMSI is exposed in many places.
      • Making a SIM with a controlled IMSI is trivial.

    Slide 48: GSM Authentication
      • Challenge-response based on the shared secret key Ki.
      • Network generates a 128-bit random string (RAND) to send to the phone.
      • Phone encrypts RAND with Ki and a hash function (A3) to produce SRES.
      • Network performs the identical SRES calculation with the same RAND, Ki and A3.
      • Phone returns SRES and the network compares results.

    Slide 49: Cache-Based Authentication
      • Can be used in OpenBTS when you don't know Ki or A3 for a SIM.
      • Perform the RAND-SRES exchange and save the result.
      • Assume the first exchange is valid and allow access.
      • Use the same RAND for subsequent exchanges and see if you get the same SRES.
      • Not full authentication, but better than nothing.

    Slide 50: SIM Parameters
      • To perform RAND-SRES authentication, you must know Ki and the A3 algorithm used by the SIM.
      • SIMs do not disclose Ki; it is normally known only by the party that issues the SIM.
      • A3 is usually a variant of COMP-128; the current industry standard is v3.
      • To perform full authentication you must be able to issue SIMs and have the software to implement the A3 in those SIMs.
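    The two registry-side decisions described on slides 48-50, as an added example (Python; this is not OpenBTS or Subscriber Registry code): full RAND/SRES verification when the network issued the SIM and knows Ki, and the cache-based scheme otherwise. The A3 here is an HMAC-SHA256 stand-in with the right input and output sizes, not COMP128, and the IMSIs and Ki values are constructed.

```python
# Added example, not OpenBTS/Subscriber Registry code. Models slides 48-50:
# full RAND/SRES authentication when Ki and A3 are known, cache-based
# authentication otherwise. a3_standin is NOT COMP128; it is an HMAC-SHA256
# placeholder with the same shape (128-bit Ki + 128-bit RAND -> 32-bit SRES).
import hashlib
import hmac
import secrets


def a3_standin(ki, rand):
    """Stand-in for the SIM's A3: 32-bit SRES from Ki and RAND (assumption)."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class SubscriberRegistry:
    def __init__(self):
        self.ki = {}     # IMSI -> Ki, only for SIMs this network issued itself
        self.cache = {}  # IMSI -> (RAND, SRES) of the first accepted exchange

    def challenge(self, imsi):
        """RAND to send: fresh if Ki is known or on first contact, else the cached one."""
        if imsi in self.ki or imsi not in self.cache:
            return secrets.token_bytes(16)  # 128-bit RAND
        return self.cache[imsi][0]          # cache-based: replay the stored RAND

    def verify(self, imsi, rand, sres):
        """Return (accepted, mode); mode names which check was actually done."""
        if imsi in self.ki:  # full authentication: recompute SRES ourselves
            expected = a3_standin(self.ki[imsi], rand)
            return hmac.compare_digest(expected, sres), "full"
        if imsi not in self.cache:  # first exchange is assumed valid and stored
            self.cache[imsi] = (rand, sres)
            return True, "cached-first"
        cached_rand, cached_sres = self.cache[imsi]
        if rand != cached_rand:  # only the stored RAND has a known-good answer
            return False, "cached"
        return hmac.compare_digest(cached_sres, sres), "cached"


class Sim:
    """Constructed SIM: holds Ki and answers RAND with the stand-in A3."""
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand):
        return a3_standin(self.ki, rand)


def attempt(reg, sim, claimed_imsi):
    """One location update: registry challenges, SIM answers, registry decides."""
    rand = reg.challenge(claimed_imsi)
    return reg.verify(claimed_imsi, rand, sim.respond(rand))


def demo():
    reg = SubscriberRegistry()
    own = Sim("001010000000001", bytes(range(16)))  # constructed IMSI and Ki
    reg.ki[own.imsi] = own.ki                         # we issued this SIM
    foreign = Sim("001010000000002", bytes(16))       # Ki unknown to the network
    clone = Sim("001010000000002", b"\xff" * 16)      # controlled IMSI, wrong Ki
    return {
        "own": attempt(reg, own, own.imsi),                     # (True, "full")
        "own_wrong_ki": attempt(reg, clone, own.imsi),          # (False, "full")
        "foreign_first": attempt(reg, foreign, foreign.imsi),   # trusted blindly
        "foreign_again": attempt(reg, foreign, foreign.imsi),   # (True, "cached")
        "clone_of_foreign": attempt(reg, clone, foreign.imsi),  # (False, "cached")
    }
```

    The "foreign_first" result is the weak spot the slide calls "better than nothing": whoever answers the first challenge for an unknown IMSI is the one the cache trusts from then on.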
    Slide 51: Subscriber Registry
      • "Realtime" Asterisk using external databases.
      • Core is an sqlite3 database file, /var/lib/asterisk/sqlite3dir/sqlite3.db.
      • HTTP interface for remote access.
      • SIP interface for registration.
      • Caching behavior.

    Slide 52: Subscriber Registry sip_buddies Table
      • Based on the pre-existing Asterisk "sip-buddies" schema with extra per-subscriber fields:
        • Ki, the SIM secret key for this subscriber
        • RAND, SRES, the most recent challenge-response pair used with this subscriber
        • a3a8, the A3/A8 algorithm to be used with this subscriber

    Slide 53: Subscriber Registry dialdata_table
      • Used by the Asterisk dialplan for realtime number resolution.
      • A simple IMSI-number mapping.
      • Calls to unresolvable numbers get passed up to a higher-level switch.

    Slide 54: SR RAND-SRES Authentication via SIP
      • SIP interface; follows the form of RFC-2543 Section 14, using
        • RAND as the nonce
        • A3 instead of MD5
        • SRES as the response

    Slide 55: SIP-Style Authentication (message sequence: MS, OpenBTS, Registry)
        MS -> OpenBTS: CHAN. REQ.
        OpenBTS -> MS: IMMED. ASSIGN.
        MS -> OpenBTS: LOC. UPDATE REQ.
        OpenBTS -> Registry: REGISTER
        Registry -> OpenBTS: 401 Unauthorized
        OpenBTS -> MS: AUTH. REQ.
        MS -> OpenBTS: AUTH. RESP.
        OpenBTS -> Registry: REGISTER
        Registry -> OpenBTS: 200 OK
        OpenBTS -> MS: LOC. UPDATE ACCEPT
        OpenBTS -> MS: CHAN. REL.
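    The REGISTER / 401 / REGISTER exchange of slides 54-55 as an added example (Python; not OpenBTS or Subscriber Registry code), showing how the RFC-2543 digest fields are reused: RAND in the nonce, "A3" as the algorithm, SRES in the response. The realm, IMSI and RAND/SRES values are constructed, no A3 is computed, and the 404/403 failure codes are my choice; the slide shows only 401 and 200 OK.

```python
# Added example, not OpenBTS/Subscriber Registry code. Lays out the slide
# 54-55 exchange: RFC-2543 §14 digest fields reused with RAND as the nonce,
# "A3" as the algorithm and SRES as the response. Realm, IMSI and RAND/SRES
# values are constructed; no A3 is computed, the registry simply holds the
# expected SRES for its RAND (in the real SR: from Ki/A3 or from the cache).
import hmac
import re

REALM = "openbts.example"  # constructed


def build_register(imsi, rand=None, sres=None):
    """OpenBTS -> Registry: REGISTER for user IMSI<imsi>; second pass adds SRES."""
    user = f"IMSI{imsi}"
    msg = f"REGISTER sip:{REALM} SIP/2.0\r\nFrom: <sip:{user}@{REALM}>\r\n"
    if sres is not None:
        msg += (f'Authorization: Digest username="{user}", realm="{REALM}", '
                f'nonce="{rand.hex()}", response="{sres.hex()}", algorithm=A3\r\n')
    return msg + "\r\n"


def build_401(rand):
    """Registry -> OpenBTS: the 128-bit RAND travels as the digest nonce."""
    return ("SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest "
            f'realm="{REALM}", nonce="{rand.hex()}", algorithm=A3\r\n\r\n')


def parse_401(msg):
    """OpenBTS: pull RAND out of the challenge to send in the GSM AUTH. REQ."""
    m = re.search(r'nonce="([0-9a-f]{32})"', msg)
    if m is None:
        raise ValueError("challenge carries no 128-bit nonce")
    return bytes.fromhex(m.group(1))


AUTH_RE = re.compile(r'username="IMSI(\d{14,15})".*?nonce="([0-9a-f]{32})"'
                     r'.*?response="([0-9a-f]{8})"')


def registry_handle(msg, expected):
    """Registry: challenge an unauthenticated REGISTER, accept a matching SRES.
    expected maps IMSI -> (RAND, SRES). 404/403 are my choice of failure codes;
    the slide shows only 401 and 200 OK."""
    who = re.search(r"<sip:IMSI(\d{14,15})@", msg)
    if who is None or who.group(1) not in expected:
        return "SIP/2.0 404 Not Found\r\n\r\n"
    rand, sres = expected[who.group(1)]
    auth = AUTH_RE.search(msg)
    if auth is None:
        return build_401(rand)
    ok = (auth.group(1) == who.group(1) and bytes.fromhex(auth.group(2)) == rand
          and hmac.compare_digest(bytes.fromhex(auth.group(3)), sres))
    return "SIP/2.0 200 OK\r\n\r\n" if ok else "SIP/2.0 403 Forbidden\r\n\r\n"


def exchange(imsi, sim_answer, expected):
    """Whole slide-55 flow; sim_answer(rand) stands for AUTH. REQ./AUTH. RESP.
    Returns the registry's final status line."""
    reply = registry_handle(build_register(imsi), expected)
    if not reply.startswith("SIP/2.0 401"):
        return reply.split("\r\n")[0]
    rand = parse_401(reply)
    final = registry_handle(build_register(imsi, rand, sim_answer(rand)), expected)
    return final.split("\r\n")[0]


# Constructed registry contents: one IMSI, its RAND and the SRES a genuine SIM gives.
EXPECTED = {"001010000000001": (bytes.fromhex("00112233445566778899aabbccddeeff"),
                                bytes.fromhex("deadbeef"))}
```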
    Slide 56: SR Authentication via HTTP
      • HTTP interface
      • Ad hoc but easy to implement
      • Send IMSI in URL, get RAND result.
      • Send IMSI, RAND and SRES in URL, get success/failure result.

    Slide 57: HTTP-Based Authentication (message sequence: MS, OpenBTS, Registry)
        MS -> OpenBTS: CHAN. REQ.
        OpenBTS -> MS: IMMED. ASSIGN.
        MS -> OpenBTS: LOC. UPDATE REQ.
        OpenBTS -> Registry: HTTP GET
        Registry -> OpenBTS: 200 OK
        OpenBTS -> MS: AUTH. REQ.
        MS -> OpenBTS: AUTH. RESP.
        OpenBTS -> Registry: HTTP GET
        Registry -> OpenBTS: 200 OK
        OpenBTS -> MS: LOC. UPDATE ACCEPT
        OpenBTS -> MS: CHAN. REL.

    Slide 58: Generating SIMs
      • For full authentication, you must know Ki.
      • The only way to know Ki is to put it there yourself.
      • Programmable SIMs with write-only Ki records!
      • SIM-programming SW writes new entries directly into the SR database.

    Slide 59: SIM Security
      • COMP128 and cracking
      • SIM protection
      • COMP128v3
      • Fraud detection

    Slide 60: Network Security
      • SR caching makes isolated nodes robust.
      • SR caching also moves a lot of sensitive information around the network.
      • Securing the backhaul is critical.

    Slide 61: Subscriber Security
      • C2.8 generates TMSIs on a per-BTS basis.
        • Good: TMSIs not globally significant
        • Bad: Lots of TMSI reassignments
      • C2.8 does not support A5/x. Future versions will.
        • A5/1 export restrictions
        • A5/2 deprecation
    Slide 62: SMS Text Messaging

    Slide 63: GSM SMS
      • Session-less transfer over the Dm channel.
      • Address is ISDN/E.164 or e-mail.
      • Maximum payload is 140 bytes, 160 characters in the GSM 7-bit alphabet.
      • SMSC acts as a store-and-forward server, since handsets are only intermittently connected.
      • SMS defined in 5 layers on Um, but 2 of them are just relays.

    Slide 64: SIP RFC-3428
      • Session-less transfer over an IP channel.
      • Allows for intermediary store-and-forward servers.
      • Addressing is the same as any other SIP.
      • OpenBTS uses MIME-encoded RPDU (application/vnd.3gpp.sms).

    Slide 65: SMS in OpenBTS
      • Terminate SMS L3 and L4 locally.
      • Translate SMS L5 to SIP RFC-3428 with vnd.3gpp.sms content.
      • Outgoing RFC-3428 addressed numerically.
      • Inbound RFC-3428 addressed to IMSI-derived SIP users.
      • Cannot send directly from one handset to another.

    Slide 66: Smqueue
      • RFC-3428 store-and-forward server.
      • Uses vnd.3gpp.sms content, making it payload-agnostic.
      • Translates SUBMIT TPDUs into DELIVER TPDUs.
      • Accepts numeric addresses, resolves to SIP users with the Subscriber Registry.
      • In C2.8, must be running on the same computer as the subscriber registry.
    Slide 67: MO-SMS (message sequence: Handset, OpenBTS, smqueue)
        Handset -> OpenBTS: CHAN. REQ.
        OpenBTS -> Handset: ASSIGNMENT
        Handset -> OpenBTS: CM SVC. REQ.
        OpenBTS -> Handset: CM SVC. ACCEPT
        Handset -> OpenBTS: CP-DATA/RP-DATA
        OpenBTS -> Handset: CP-ACK
        OpenBTS -> smqueue: MESSAGE
        smqueue -> OpenBTS: OK
        OpenBTS -> Handset: CP-DATA/RP-ACK
        Handset -> OpenBTS: CP-ACK
        OpenBTS -> Handset: CHANNEL RELEASE

    Slide 68: MO-SMS
      (Repeats the message sequence of slide 67.)

    Slide 69: MT-SMS (message sequence: OpenMessage, OpenBTS, MS)
        OpenMessage -> OpenBTS: MESSAGE
        OpenBTS -> MS: PAGING REQ.
        MS -> OpenBTS: CHAN. REQ.
        OpenBTS -> MS: IMMED. ASSIGN.
        MS -> OpenBTS: PAGING RESP.
        OpenBTS -> MS: CP-DATA/RP-DATA
        MS -> OpenBTS: CP-ACK
        MS -> OpenBTS: CP-DATA/RP-ACK
        OpenBTS -> OpenMessage: OK
        OpenBTS -> MS: CP-ACK
        OpenBTS -> MS: CHANNEL RELEASE

    Slide 70: MT-SMS
      (Repeats the message sequence of slide 69.)

    Slide 71: Short Codes
      • Short codes are special SMS addresses that go to programs instead of to other users.
      • Short codes can be used to build interactive applications based on SMS.
      • Smqueue supports short codes, but the functions must be hard-coded into the system.

    Slide 72: Short Code Example: Auto-Provisioning
      • The short code function adds a new SIP user and a new dialplan entry in the Subscriber Registry.
      • Can be used for automatic provisioning in some applications.
      • Only effective if used with open registration.

    Slide 73: Connecting SMS to the Outside World
      • Email gateways
        • the return address problem
      • SIP RFC-3428 gateways
        • the registration problem
      • SMPP
        • the dual-address problem
      • New trends in combined VoIP services (Voxbone and Voxeo).
    Slide 74: Connecting to the PSTN

    Slide 75: VoIP Carrier Services
      • Route outbound calls to the PSTN ("origination")
      • Lease DID ("direct inbound dialed") E.164 addresses ("telephone numbers")
      • Route inbound calls from the PSTN to DIDs ("termination")
      • Generate billing records (CDRs)

    Slide 76: VoIP Carrier Prices
      • DID leases typically run $0.25/mo - $5/mo depending on
        • quantity
        • where numbers are located
      • Calling rates typically run $0.003/min - $0.050/min depending on
        • quantity
        • call destination

    Slide 77: VoIP Carrier Technical Connection
      • Nearly all support SIP/RTP; many support IAX, too.
      • Nearly all support G.711 (a-law/mu-law) and G.729 (ADPCM); some support GSM full-rate directly.
      • The interface to the carrier appears as a SIP or IAX user in the gateway switch configuration.

    Slide 78: Putting It All Together

    Slide 79: Inside Each BTS Node
      (Diagram. Components: full-band digital radio "Transceiver" on USB2, radiomodem, GSM/SIP protocol processor ("OpenBTS"), SMS processor (smqueue, RFC-3428), SIP subscriber registry (SQL database/server with HTTP/S interface), SIP/IAX softswitch. Interfaces to the IP network: SIP/RTP, SIP, IAX, HTTP/S, SMTP, SQL, UDP.)

    Slide 80: A Full Network
      (Diagram. A public IP network carrying smqueue, a SIP switch and the subscriber registry, connected over SIP/RTP, IAX, HTTP/S and SMTP; a private IP network of OpenBTS cell sites; VoIP carriers and other PSTN services reached over ISDN/SS7.)
    Slide 81: Mobility

    Slide 82: Some Confusion
      • Handover - The ability to transfer a live call from one cell to another. And in GSM it's called "handover", not "handoff".
      • Roaming - The ability to integrate call routing and billing with other carriers.
      • Mobility - The ability to transfer service as a handset moves from one cell to another.

    Slide 83: Dependencies
      • You need mobility to support handover.
      • You do not need handover to support mobility.
      • You need mobility to support roaming.
      • You do not need handover to support roaming.
      • You do not need roaming to support mobility.

    Slide 84: Simple Mobility
      (Diagram. OpenBTS APs A, B and C on a private IP network; a central server holding the SIP switch, subscriber registry and smqueue; the PSTN reached over the public IP network.)

    Slide 85: Good
      • Leverages existing dynamic-host support for SIP users.
      • SIP core network needs no information about the BTS units.
      • RTP traffic can still be shortest-path routed.

    Slide 86: Not So Good
      • Handsets must register every time they change cells.
      • Central server is a central point of failure.
      • Loss of backhaul shuts down a cell.

    Slide 87: Better Mobility
      (Diagram. Sites S1 and S2, each with its own SIP switch, subscriber registry and smqueue serving OpenBTS APs 1A-1C and 2A-2C on a private IP network; a central site CS with SIP switch, subscriber registry and smqueue; the PSTN reached over the public IP network.)