When we try to send an SBI message to SMF to release a session,
sometimes ran_ue is NULL. This happens when the Mobile Reachable Timer expires
and Implicit Deregistration is triggered.
To account for this case, we added the `ran_ue` parameter to the SBI interface
and made it work even if it is NULL.
* [SBI] Handle and store AMF info
* [SBI] Add "target GUAMI" discovery option
* [SBI] Handle UeContextTransfer request and response messages
* [AMF] Handle NF discovery from AMF to AMF
* [AMF] Add UE Context Transfer Request/Response from AMF to AMF
* [SCP] Handle UeContextTransfer
* Follow-up on #3052
* [AMF] force authentication after 'Ue context transfer' for now
* [AMF] force authentication after 'Ue context transfer' for now
---------
Co-authored-by: Sukchan Lee <acetcom@gmail.com>
There is an issue with SESSION RELEASE not working properly
depending on the PDU session release complete order
in the PDUSessionResourceReleaseResponse.
If the AMF receives PDUSessionResourceReleaseResponse
followed by PDU session release complete, it works correctly.
However, if it receives PDU session release complete
followed by PDUSessionResourceReleaseResponse, it does not work correctly
and sends an Error Indication to the UE/gNB.
To fix this issue, we added pdu_session_release_complete_received and
pdu_session_resource_release_response_received to the content
so that CLEAR_SM_CONTEXT_REF() is executed when both are received.
While they were continuing their fuzzy testing and developing PacketRusher, an unusual issue with the AMF was observed. The problem arises when a single Ethernet frame containing three bundled SCTP chunks is sent. This behavior is reproduced with PacketRusher when attempting to concurrently register two UEs with the same MSIN.
The expected behavior is that the PDU Session Establishment Accept is sent inside a DownlinkNASTransport to RAN UE NGAP ID 1. However, it is actually sent inside an InitialContextSetupRequest to RAN UE NGAP ID 2. The MAC of this NAS message is invalid for the Security Context of RAN UE NGAP ID 2 (probably valid for RAN UE NGAP ID 1)
According to 3GPP TS 29.510, the search parameter "tai" should be a
single item, not an array of items.
TS 29.510: Table 6.2.3.2.3.1-1:
URI query parameters supported by the GET method on this resource
Revert "[SBI] Change discovery option TAI from array to single item"
This reverts commit b4beff1ae16c64b3c6d84d8bdb47c36e19b705f2.
wip
TS23.007 17.4.1
19A PFCP based restart procedures
After a PFCP entity has restarted, it shall immediately update all local Recovery Time Stamps and shall clear all remote
Recovery Time Stamps. When peer PFCP entities information is available, i.e. when the PFCP Association is still alive,
the restarted PFCP entity shall send its updated Recovery Time Stamps in a Heartbeat Request message to the peer
PFCP entities before initiating any PFCP session signalling.
[ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf)
5.2.2 Registration procedure related measurements
SNSSAI labels are not provided.
- Number of registration requests received by the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitreq 1
fivegs_amffunction_rm_regmobreq 0
fivegs_amffunction_rm_regperiodreq 0
fivegs_amffunction_rm_regemergreq 0
```
- Number of successful initial registrations at the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitsucc 1
fivegs_amffunction_rm_regmobsucc 0
fivegs_amffunction_rm_regperiodsucc 0
fivegs_amffunction_rm_regemergsucc 0
```
- The existing counter of failed registrations at the AMF
is exposed separately for each registration type.
```
fivegs_amffunction_rm_reginitfail
fivegs_amffunction_rm_regmobfail
fivegs_amffunction_rm_regperiodfail
fivegs_amffunction_rm_regemergfail
```
5.2.5.2 Measurements for 5G paging
Number of 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5greq 1
```
Number of successful 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5gsucc 1
```
5.2.11 Authentication procedure related measurements
Number of authentication requests:
```
fivegs_amffunction_amf_authreq 2
```
Number of authentication rejections:
```
fivegs_amffunction_amf_authreject 1
```
Number of failed authentications due to parameter error:
```
fivegs_amffunction_amf_authfail{cause="21"} 1
```
5.2.8 UE Configuration Update procedure related measurements
Number of UE Configuration Update commands requested by the AMF:
```
fivegs_amffunction_mm_confupdate 2
```
Number of UE Configuration Update complete messages received by the AMF:
```
fivegs_amffunction_mm_confupdatesucc 1
```
23.501 (5G NAS stage 2)
5.4.4.1:
"When the AMF receives Registration Request with the Registration type set
to Initial Registration or when it receives the first Registration Request
after E-UTRA/EPC Attach with Registration type set to Mobility Registration
Update, the AMF deletes the UE radio capability."
o TS24.301(4G/LTE)
5.5.1 Attach procedure
5.5.1.2 Attach procedure for EPS services
5.5.1.2.4 Attach accepted by the network
If the attach request is accepted by the network,
the MME shall delete the stored UE radio capability information
or the UE radio capability ID, if any.
o TS24.501(5G)
5.5.2 De-registration procedure
5.5.2.1 General
When the AMF enters the state 5GMM-DEREGISTERED for 3GPP access,
the AMF shall delete the stored UE radio capability information
or the UE radio capability ID, if any.
[AMF] Implicit Network-initiated Deregistration
Two timers are introduced (both with duration of T3512 + 4 min):
-MOBILE_REACHABLE
-IMPLICIT_DEREGISTRATION
MOBILE_REACHABLE is set when NAS connection for the UE is released.
IMPLICIT_DEREGISTRATION is set when MOBILE_REACHABLE expires.
On MOBILE_REACHABLE expiry Paging is ignored.
On IMPLICIT_DEREGISTRATION expiry:
-UE's RM_State is set to DEREGISTERED
-UE is Nudm_SDM_Unsubscribed
-UE is Nudm_UECM_Deregistered
-PDU sessions are released
-AM policies are deleted
Existing flag amf_ue->network_initiated_de_reg is used.
o Generate the private key as below.
$ openssl genpkey -algorithm X25519 -out /etc/open5gs/hnet/curve25519-1.key
$ openssl ecparam -name prime256v1 -genkey -conv_form compressed -out /etc/open5gs/hnet/secp256r1-2.key
o The private and public keys can be viewed with the command.
The public key is used when creating the SIM.
$ openssl pkey -in /etc/open5gs/hnet/curve25519-1.key -text
$ openssl ec -in /etc/open5gs/hnet/secp256r1-2.key -conv_form compressed -text
In ausf/udm.yaml
hnet:
o Home network public key identifier(PKI) value : 1
Protection scheme identifier : ECIES scheme profile A
- id: 1
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 2
Protection scheme identifier : ECIES scheme profile B
- id: 2
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
o Home network public key identifier(PKI) value : 3
Protection scheme identifier : ECIES scheme profile A
- id: 3
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 4
Protection scheme identifier : ECIES scheme profile B
- id: 4
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
Related to #1779
In case that APN name sent from UE does not case-match with the one
configured in the database, AMF would reject the registration with the
message:
[gmm] WARNING: [imsi-xxx] DNN Not Supported OR Not Subscribed in the
Slice (../src/amf/gmm-handler.c:1051)
== Known limitation ==
Placing npcf-smpolicycontrol and pcf-policyauthorization
in different NFs is not supported. Both npcf-smpolicycontrol
and pcf-policyauthorization should be placed in the same NF.
When a UE that requests slices tries to connect and there are no slices configured, the reject message is:
5GMM cause = 0x7 (5GS Services not allowed)
however it should be:
5GMM cause = 0x3e (No network slices available)
All 5GMM cause value in reject message is reviewed in this commit
For null protection scheme the SUCI needs to be BCD encoded. Whereas for
protection scheme profiles A and B the SUCI needs to be converted from
hexadecimal to ASCII.
This still needs the support for protection schemes A and B in UDM to
work.
3GPP TS 24.501 version 16.6.0 Release 16
4.4 NAS security
4.4.6 Protection of initial NAS signalling messages
1) the UE needs to send non-cleartext IEs in a REGISTRATION REQUEST
or SERVICE REQUEST message, the UE includes the entire REGISTRATION
REQUEST or SERVICE REQUEST message (i.e. containing both cleartext IEs
and non-cleartext IEs) in the NAS message container IE and shall cipher
the value part of the NAS message container IE. The UE shall then send
a REGISTRATION REQUEST or SERVICE REQUEST message containing
the cleartext IEs and the NAS message container IE;
TS24.501
8.2.11 DL NAS transport
8.2.11.4 5GMM cause
The AMF shall include this IE when the Payload container IE
contains an uplink payload which was not forwarded and
the Payload container type IE is not set to "Multiple payloads".
-0-
As such, this function 'nas_5gs_send_gsm_reject()' must be used
only when an N1 SM message has been forwarded to the SMF.
Confirmation for non-cleartext IE should only be applied
to the initial NAS message. Registration requests and Service requests
with UplinkNASTransport do not have to.
All process will be forcely exited if it failed to encode the S1AP/NGAP/GTP/PFCP message. It is to make sure there was no problem with the encoding of open5gs.
1. If UE does not use a NAS container for Non-cleartext IEs,
Open5GS AMF will send Registration reject message.
2. If UE sends Non-cleartext IEs without Integrity-protected,
Open5GS AMF will send Registration reject message.
3. If UE does not send NAS container in Security mode complete message,
Open5GS AMF will send Registration reject message.
Sukchan Lee
Matej Gradišar
Bostjan Meglic
Gaber Stare
Bostjan Meglic
Miguel Borges de Freitas
mitmitmitm
Bostjan Meglic
endika