Florida Institute for Cybersecurity (FICS) Research CS 8803 - Cellular and Mobile Network Security: Data Air Interface Professor Patrick Traynor 10/23/18


Packet-Switched Mobile Data


GSM/UMTS Data

• Overview of System Architecture
• Compare and Contrast
• Protocol Stacks
• GSM Overview
• UMTS Overview
• Mobility Management


General Packet Radio Service (GPRS)

• GSM
  • overlay network on basic GSM infrastructure
  • new mobile “routers” introduced
  • supports both “GPRS” (2.5G) and “EDGE” (2.75G) wireless protocols
• UMTS
  • re-uses GPRS network from GSM
  • new air interface


GSM Data Network Architecture

[Figure: network diagram. Nodes: BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]

• SGSN - Serving GPRS Support Node
  • Serves mobile user based on location
• GGSN - Gateway GPRS Support Node
  • Serves mobile user based on address
• BTS/BSC - new call processing and channels for data
• HLR - extended user profiles


Network Attachment

• Previous lectures covered the process of attaching to the network (i.e., authentication to the CS portion of the network).
  • This is known as “IMSI Attach”
• Mobile devices can/must also attach themselves to the data services provided by the network.
  • This is known as “GPRS Attach”
• The processes are largely the same, except that the MS interacts with the MSC for an IMSI Attach and the SGSN for the GPRS Attach.
• Most networks allow for a “Combined GPRS/IMSI Attach”.


Combined Attach

• The advantage to performing a combined attach is that both CS and PS signaling can be dealt with at the SGSN.
  • The MSC/VLR really just provides look-up facilities.
• The absence of this combined attach means that the network provider must dedicate two sets of air interface resources to CS and PS signaling.
  • Pros? Cons?
• Reality: SGSNs and MSCs are often a single box.


Attach

[Figure: message sequence diagram. Nodes: New SGSN, Old SGSN, GGSN, HLR. Labels as extracted: Attach Request; ID Request; (TMSI, IMSI); ID Request; Auth Info; Auth & Cipher; Update Location; Cancel Location; Insert Subscriber Data; Location Update Accepted; Attach Accept]


Detach

[Figure: message sequence diagram. Nodes: SGSN, GGSN, HLR. Labels as extracted: Detach Request; Delete PDP Context; Detach Accept; Purge MS]


PDP Context

• Once attached to the network, mobile devices need a means of communicating with other data-enabled entities.
• A Packet Data Protocol (PDP) Context is a virtual channel between a device and a GGSN.
• PDP Contexts serve two main functions in GPRS/UMTS:
  • Assign the phone an IPv4/IPv6 address, making it reachable.
  • Associate a quality of service (QoS) profile with the device.
• The second point, while specified in the standards, is not currently implemented/used.
• Accordingly, let’s view PDP Context establishment as a high-level dual to DHCP - interaction with a DHCP server is actually one of the parts of this operation.


Multiple Contexts

• This architecture allows for a single device to establish and maintain multiple PDP Contexts.
  • Known as Primary and Secondary PDP Contexts
• Secondary PDP contexts are always associated with a Primary context.
  • Multiple primaries are also possible, generally connected to multiple PDNs.
• Secondary PDP contexts share an IP address with the Primary, but allow different QoS terms to be enforced.
  • A device may specify to the network that its SIP flows are more important than those delivering traffic to its mobile browser.


PDP Context Activation

[Figure: message sequence diagram. Nodes: SGSN, GGSN. Labels as extracted: Activate PDP Context; Activate PDP Context Accept; Create PDP Context]


Call vs Data Path

[Figure: network diagram. Nodes: BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]


GTP and RAB

• GPRS Tunneling Protocol (GTP) allows the mobility of a device to be hidden from the outside world.
  • The IP address is fixed by the GGSN, and a “tunnel” to that device’s current SGSN is stored so that packets can be correctly forwarded.
  • Each tunnel is differentiated by its Tunnel Endpoint Identifier (TEI).
• This allows the SGSN to allocate an arbitrary local address for a device (and change that address) without telling the GGSN.
• The SGSN then forwards packets through the Radio Access Bearer (RAB) service, which connects the core network to the wireless device.
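
The tunnel bookkeeping this slide describes, as an added example that is not part of the original lecture: a toy GGSN keeps one fixed IP address per PDP context, wraps downlink packets in a GTPv1-U header addressed to the device's current SGSN, repoints the tunnel on an inter-SGSN move, and drops uplink packets whose tunnel identifier (the TEID field of the GTPv1-U header, the slide's TEI) matches no context. The `Ggsn` class, its method names and the node names are hypothetical; only the header layout is GTPv1-U.

```python
import struct

GTP_GPDU = 0xFF  # GTPv1-U message type for a tunnelled user packet (G-PDU)

def gtpu_encap(teid, inner):
    """Prefix a user IP packet with the 8-byte mandatory GTPv1-U header."""
    # 0x30 = version 1, protocol type GTP, no optional fields
    return struct.pack("!BBHI", 0x30, GTP_GPDU, len(inner), teid) + inner

def gtpu_decap(pkt):
    """Return (teid, inner packet); raise ValueError on malformed input."""
    if len(pkt) < 8:
        raise ValueError("shorter than mandatory header")
    flags, mtype, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != GTP_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    if length != len(pkt) - 8:
        raise ValueError("length field disagrees with packet size")
    body = pkt[8:]
    if flags & 0x07:  # E, S or PN set: 4 optional bytes precede the payload
        if len(body) < 4 or body[3] != 0:
            raise ValueError("truncated or extension headers (not handled)")
        body = body[4:]
    return teid, body

class Ggsn:
    """Hypothetical toy GGSN: fixed IP per PDP context, tunnel to current SGSN."""
    def __init__(self):
        self.downlink_tunnel = {}  # subscriber IP -> (SGSN address, TEID)
        self.uplink_teid = {}      # TEID the GGSN allocated -> subscriber IP

    def create_pdp_context(self, ip, sgsn, sgsn_teid, ggsn_teid):
        self.downlink_tunnel[ip] = (sgsn, sgsn_teid)
        self.uplink_teid[ggsn_teid] = ip

    def update_pdp_context(self, ip, new_sgsn, new_sgsn_teid):
        # Inter-SGSN move: only the tunnel endpoint changes, never the IP.
        self.downlink_tunnel[ip] = (new_sgsn, new_sgsn_teid)

    def downlink(self, dst_ip, inner):
        sgsn, teid = self.downlink_tunnel[dst_ip]
        return sgsn, gtpu_encap(teid, inner)

    def uplink(self, pkt):
        teid, inner = gtpu_decap(pkt)
        if teid not in self.uplink_teid:
            raise ValueError("unknown TEID")  # no PDP context: drop
        return self.uplink_teid[teid], inner
```
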


Tunnels, etc

[Figure: path diagram. Nodes: MS, BS, SGSN, GGSN, Internet. Spans labelled: RAB, GTP Tunnel, PDP Context]

• Each PDP Context allows a set of flows to request a QoS from the RAB. These include Conversational (voice), Streaming (YouTube), Interactive (web surfing) and Background (FTP).
• RAB ends at a lower layer of the MS protocol stack.


GSM/GPRS Protocol Stacks

[Figure: protocol stack diagram. Columns labelled: BS, SGSN, GGSN, Internet, Server. Layers shown: App, TCP/UDP, IP, IP/X25, SNDCP, LLC, RLC/MAC, GSM, BSSGP, LAPD, L1, GTP, Lower Layers]


UMTS Architecture

[Figure: network diagram. Nodes: UE, Node B, RNC, BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]

• Re-used from GSM/GPRS Core Network
  • SGSN - signaling interface and some access protocols change
  • GGSN - re-used (PDP contexts remain)
  • HLR - some extensions
• Main differences
  • Much higher data rates, soft handoffs


UMTS/GPRS Protocol Stacks

[Figure: protocol stack diagram. Columns labelled: BS, SGSN, GGSN, Internet, Server. Layers shown: App, TCP/UDP, IP, IP/PPP, PDCP, RLC/MAC, UMTS, GTP-U, AAL5, ATM, L2, L1, Lower Layers]


Inter-SGSN Move

[Figure: message sequence diagram. Nodes: New SGSN, Old SGSN, GGSN, HLR. Labels as extracted: RA Update; SGSN Context; ID Request; Auth Info; Auth & Cipher; Update Location; Cancel Location; Location Update Accepted; Attach Accept; SGSN Context Ack; FWD Packets; Update PDP Context; Insert Subscriber Data]


Inter-SGSN Move: Data

[Figure: message sequence diagram. Nodes: New SGSN, Old SGSN, GGSN, HLR. Labels as extracted: RA Update; SGSN Context; ID Request; Auth Info; Auth & Cipher; Update Location; Cancel Location; Location Update Accepted; Attach Accept; SGSN Context Ack; FWD Packets; Update PDP Context; Insert Subscriber Data. Data path annotations: Packets Flowing to Old SGSN; New Tunnel]


Data Network Functionality Redux
