< Return to Video

LaForge: Running your own 3G/3.5G network

  • 0:00 - 0:10
    32C3 preroll music
  • 0:10 - 0:13
    Herald: For several years now, here
    at the Congress and at the Camp,
  • 0:13 - 0:19
    we see that we have a GSM network,
    that we operate our own network,
  • 0:19 - 0:23
    that we have some services
    like recently GPRS or
  • 0:23 - 0:29
    roaming between the different
    parts of the areas in the Camp.
  • 0:29 - 0:34
    All of this started around 7 years
    from now, with a talk at the 25C3;
  • 0:34 - 0:40
    and a bunch of projects emerged
    from that over the years.
  • 0:40 - 0:45
    But wait, there is more. Right now,
    the people running these services
  • 0:45 - 0:50
    and running these projects are
    starting to play around with 3G.
  • 0:50 - 0:55
    And for everybody who doesn’t know what
    3G is, like I did, for like 5 minutes ago,
  • 0:55 - 1:04
    3G means that we will have HDSPA and
    data services on our GSM networks.
  • 1:04 - 1:09
    And I’m very honoured to introduce
    to you this evening Harald Welte,
  • 1:09 - 1:14
    a member of our Chaos family for
    several years now, known maybe from
  • 1:14 - 1:21
    the Kernel development. I first read his
    name while debugging a chip card driver
  • 1:21 - 1:25
    that stated ‘All bugs introduced
    by…’ – this guy over there.
  • 1:25 - 1:29
    So, other people may know
    him from gpl-violations.org,
  • 1:29 - 1:34
    where they try to enforce
    the GPL. So. Please welcome
  • 1:34 - 1:36
    Harald Welte, and… the stage is yours!
  • 1:36 - 1:45
    applause
  • 1:45 - 1:49
    LaForge: Hi. Welcome everyone
    to this talk about, well,
  • 1:49 - 1:52
    running your own GSM network, or
    running your own 3G network, rather,
  • 1:52 - 1:57
    sorry for that. And in more
    technical terms, the slide titles
  • 1:57 - 2:01
    with lots of acronyms as it is
    customary in the telecom world.
  • 2:01 - 2:06
    So forgive me if there’s too many
    acronyms, but I didn’t invent them,
  • 2:06 - 2:12
    I just try to use them whenever
    appropriate. Okay. So, let’s start
  • 2:12 - 2:18
    with a little bit of a history of open
    source in mobile communication protocols.
  • 2:18 - 2:20
    You have to remember
    that we started about
  • 2:20 - 2:25
    16 years after the proprietary
    implementations, so the GSM network
  • 2:25 - 2:29
    that we are running
    here at the event, or that
  • 2:29 - 2:35
    we started to run 7 years ago, started
    16 years after GSM networks were run first
  • 2:35 - 2:40
    in the public in Europe, so, at public
    operators. So we’re really, really late,
  • 2:40 - 2:45
    and if you want to compare the status
    of open source mobile communications
  • 2:45 - 2:49
    with open source operating system, then
    I would say we are about where Linux was
  • 2:49 - 2:54
    in ’94 or ’95. So, very far from today,
    for those of you who are old enough
  • 2:54 - 2:59
    to remember these days. So, I would
    say “capable but not taken seriously”
  • 2:59 - 3:03
    is sort of the general status.
    The developer community
  • 3:03 - 3:08
    working on these projects is still very
    small. There’s a limited adoption
  • 3:08 - 3:13
    in the market and the users,
    often in niche applications,
  • 3:13 - 3:18
    but nevertheless it is functional. So,
    if we look a little bit at the timeline,
  • 3:18 - 3:23
    2008 we had the talk about
    “Running your own GSM network”
  • 3:23 - 3:28
    with a huge Siemens base
    station weighing I think 28 kg…
  • 3:28 - 3:31
    Did my microphone…? No, it works, sorry.
  • 3:31 - 3:35
    …weighing 28 kg and bulky old equipment
  • 3:35 - 3:39
    not using TCP/IP but using E1 lines etc.
  • 3:39 - 3:43
    Over the years we added more and more
    BTS model vendors. Basically it means
  • 3:43 - 3:47
    we can use Ericsson and Nokia
    and other equipment to actually
  • 3:47 - 3:53
    run these GSM networks today. People
    have been working on GPRS support
  • 3:53 - 3:58
    in a couple of sub projects
    called OsmoSGSN, OpenGGSN,
  • 3:58 - 4:04
    also the OsmoPCU project, so we’ve
    been growing the stack downwards,
  • 4:04 - 4:08
    also basically implementing
    the software inside such a BTS,
  • 4:08 - 4:12
    which we call OsmoBTS. There
    are some production deployments
  • 4:12 - 4:16
    – all spellings my mistake,
    by the way, as obviously – so,
  • 4:16 - 4:20
    production deployments in niche
    applications such as maritime markets.
  • 4:20 - 4:25
    So, if today you are on a ferry or on a
    cruise ship and you use GSM services, the
  • 4:25 - 4:30
    probability that you’re using OpenBSC and
    associated projects in the background is
  • 4:30 - 4:37
    very strong. There are hundreds of vessels
    using our software today. Now, then we…
  • 4:37 - 4:43
    applause
  • 4:43 - 4:47
    …then we moved on the telephone
    side, so we thought, well, you know,
  • 4:47 - 4:51
    network side GSM in one thing, but let’s
    do the phone as well, that was OsmocomBB,
  • 4:51 - 4:55
    started in 2010. We did improvements
    over the years, more and more
  • 4:55 - 5:00
    completed the stack, but it’s really
    all only old GSM/GPRS technology
  • 5:00 - 5:05
    until very recently.
    So in 2015, 15 years again
  • 5:05 - 5:10
    after the first commercial deployment
    of GPRS in a public network,
  • 5:10 - 5:14
    we start to have an open source
    implementation of EDGE, and that has just
  • 5:14 - 5:18
    started like 2 or 3 months ago. So
    again, 15..16 years late compared to
  • 5:18 - 5:23
    what happens in the
    proprietary world. Ok. But…
  • 5:23 - 5:28
    this talk is not about EDGE, which
    is 2.75G, if you want to speak
  • 5:28 - 5:35
    in generation numbers. Today
    we’re talking about 3G and 3.5G.
  • 5:35 - 5:40
    And there’s a bit of ambivalence
    with that subject because, well,
  • 5:40 - 5:43
    today, if you talk to people in the
    industry, they will say: “Ah, who cares
  • 5:43 - 5:47
    about 3G, you know, it’s dead anyway!”.
    We have already today at the point
  • 5:47 - 5:51
    where we have ‘Peak 3G’,
    so in the next few years,
  • 5:51 - 5:55
    the number of subscribers and the
    number of networks offering 3G services
  • 5:55 - 5:59
    is no longer growing, it’s
    basically stagnating and
  • 5:59 - 6:03
    will turn downwards in the near
    future. So LTE/4G networks
  • 6:03 - 6:09
    is basically what everyone is hot about.
    The other reason not to look at 3G
  • 6:09 - 6:13
    is that it’s mind-bogglingly complex.
    It’s not a single telephony system,
  • 6:13 - 6:17
    it’s actually a toolbox to build
    arbitrary telephony systems.
  • 6:17 - 6:21
    And if you really wanted to start
    implementing it from scratch
  • 6:21 - 6:27
    including all the lower layers, including
    the PHY, including the Layer 2 etc.
  • 6:27 - 6:33
    I think it would be a waste of a lot of
    time, actually. So we do what we did
  • 6:33 - 6:37
    with the GSM networks back then, we
    used proprietary base station hardware,
  • 6:37 - 6:41
    and we implement the higher level
    protocols, and then, if needed and
  • 6:41 - 6:44
    if there’s interest and contributions
    etc. we drive open source further
  • 6:44 - 6:50
    down the stack and also
    into the actual cells.
  • 6:50 - 6:55
    So, one term that’s going to be used here
  • 6:55 - 6:59
    in this context is ‘femtocells’. Quite some
    number of people may have heard
  • 6:59 - 7:03
    about femtocells before. In technical
    terms it’s a base station – which is
  • 7:03 - 7:09
    called NodeB in the UMTS language
    world – and a radio network controller,
  • 7:09 - 7:13
    which is the BSC, the base station
    controller – in UMTS in one box.
  • 7:13 - 7:18
    And using such femtocells or similar
    hardware is much easier to interface
  • 7:18 - 7:22
    than if you would use a regular
    base station. So that basically is
  • 7:22 - 7:27
    sort of a path that we think is doable
    without spending man-years of implementing
  • 7:27 - 7:33
    obscure and complex transport channels
    and bundles and mappings and whatnot.
  • 7:33 - 7:37
    There’s been a couple of talks about
    doing creative stuff with femtocells.
  • 7:37 - 7:44
    There’ve been talks by Kevin [Redon], Nico
    [Golde] and Ravishankar in 2010/2011
  • 7:44 - 7:50
    about security. There’s been a recent
    presentation this year at Black Hat
  • 7:50 - 7:54
    in the United States called
    ‘Adventures in Femtoland’.
  • 7:54 - 7:59
    Those talks focus on basically, well,
    the security of the femtocell itself,
  • 7:59 - 8:03
    breaking into such a cell, rooting it,
    owning it, doing creative things
  • 8:03 - 8:07
    and then from there e.g.
    attacking the mobile operator or
  • 8:07 - 8:12
    attacking the privacy of subscribers
    by using such a femtocell
  • 8:12 - 8:17
    as a man-in-the-middle platform e.g. But
    to my knowledge nobody has been talking
  • 8:17 - 8:22
    about free software or open source
    software, to run a network with
  • 8:22 - 8:28
    such femtocells or similar equipment.
    So, if we look at the UMTS architecture,
  • 8:28 - 8:33
    like you find it in a textbook or like
    in this particular slide or drawing
  • 8:33 - 8:38
    from Kevin, you will find
    several network elements
  • 8:38 - 8:43
    all over the network,
    so lots of different elements
  • 8:43 - 8:48
    with lots of different acronyms.
    We have a Mobile Equipment (ME)
  • 8:48 - 8:52
    which is the telephone. We have a radio
    interface called the Uu interface.
  • 8:52 - 8:57
    We have actual base stations
    called NodeB and we have
  • 8:57 - 9:01
    a base station controller that’s called
    the Radio Network Controller, the RNC;
  • 9:01 - 9:07
    and then here we have, on this boundary
    we have IuCS and IuPS interfaces
  • 9:07 - 9:11
    that interface the Base
    Station Controllers
  • 9:11 - 9:14
    with the core of the network which
    is the Mobile Switching Center,
  • 9:14 - 9:18
    the Media Gateway, the Serving GPRS
    Support Node, and then other elements
  • 9:18 - 9:24
    here. And this is actually the interface
    line which we have been implementing
  • 9:24 - 9:29
    in recent months at the boundary
    between the Access Network,
  • 9:29 - 9:34
    the Radio Access Network and the Core
    Network on the other side of the slide.
  • 9:34 - 9:40
    So, well, you could just get a NodeB
    and implement the protocol Iub.
  • 9:40 - 9:44
    This is what we did with GSM before,
    we basically started here. We only got
  • 9:44 - 9:49
    the actual BTS or NodeB and
    we implemented that protocol.
  • 9:49 - 9:53
    However, well, this protocol
    in UMTS is extremely complex
  • 9:53 - 9:57
    and fairly low down the stack.
    Just to give you an idea:
  • 9:57 - 10:02
    every single voice codec frame
    from a voice call that you receive
  • 10:02 - 10:05
    has 3 different classes of bits, and
    each class of bits gets put into
  • 10:05 - 10:10
    different UDP messages, and then you
    get basically 3 flows of UDP messages,
  • 10:10 - 10:14
    and you need to synchronize and
    inter-mangle (?) and re-interleave
  • 10:14 - 10:18
    those bits in order to get to a speech
    codec frame. So it’s… and I’m not even
  • 10:18 - 10:21
    talking about the signalling plane (?).
    So the lower you get in UMTS the more
  • 10:21 - 10:25
    complex it gets, let’s try to avoid that.
    And that’s the kind of complexity
  • 10:25 - 10:31
    that I like to avoid. This is from the
    official spec about the UMTS spectrum.
  • 10:31 - 10:36
    It’s an extremely obvious and
    self-explanatory slide, so I’ll…
  • 10:36 - 10:39
    laughter
    I leave it at this and say, yeah,
  • 10:39 - 10:44
    that’s not what we want to do.
    So, we… how can I say, we…
  • 10:44 - 10:50
    Even though we don’t like it we just use
    proprietary blobs to implement that. Now,
  • 10:50 - 10:54
    the protocol stacking on those interfaces
    that we actually want to implement
  • 10:54 - 10:58
    is what I’m going to look at the next
    couple of slides. The Iu interface,
  • 10:58 - 11:02
    and by the name, Iu has no specific
    meaning, it’s just the Iu interface,
  • 11:02 - 11:06
    you could say the A, the B, the C,
    the Z interface – it’s the ‘Iu interface’.
  • 11:06 - 11:11
    It’s split in CS and PS, that’s circuit-
    switched and packet-switched.
  • 11:11 - 11:16
    Circuit-switched means telephony services
    and packet-switched means data services.
  • 11:16 - 11:20
    And we’re going to look at the
    protocol stacking of those interfaces
  • 11:20 - 11:25
    in the next couple of slides. Originally,
    remember, well, maybe a good time
  • 11:25 - 11:30
    to go back in history, in sort of history
    of mobile communications, which
  • 11:30 - 11:36
    should be taught at every school, I think,
    including archeology of protocols,
  • 11:36 - 11:42
    which… no, honestly…
    laughter and applause
  • 11:42 - 11:46
    You need to do protocol archeology if you
    want to implement certain interfaces
  • 11:46 - 11:50
    today. So, on my blog you can find
    some posts about a couple of years ago
  • 11:50 - 11:56
    where I had to basically write a parser
    for Microsoft Word for DOS text files
  • 11:56 - 12:00
    to automatically extract snippets of
    ASN.1 syntax for MAP version 1
  • 12:00 - 12:06
    which is still used today. So, it’s… yes,
    it… sometimes you really need to do
  • 12:06 - 12:10
    archeology. So anyway, not for this,
    but any… when UMTS was specified,
  • 12:10 - 12:15
    this is the late 90s, this is when the
    first dotcom bubble basically got big,
  • 12:15 - 12:19
    this is when billions and
    billions of Euros or Dollars
  • 12:19 - 12:22
    or whatever unit of currency was
    poured into the development of the
  • 12:22 - 12:26
    ‘universal telephony mobile
    system’, the… sorry, the
  • 12:26 - 12:31
    ‘universal mobile telephony system’,
    the UMTS, which should basically
  • 12:31 - 12:36
    be the grand unifying theory
    of mobile communications.
  • 12:36 - 12:42
    And it was built on top of ATM, of course,
    because ATM was the most shiny and
  • 12:42 - 12:47
    brightest technology in the late 90s that
    all the universities were researching.
  • 12:47 - 12:51
    So, if you look at the classical protocol
    stacking and you look at the individual
  • 12:51 - 12:57
    interfaces; the Uu is the radio interface,
    Iub is between the NodeB and RNC,
  • 12:57 - 13:00
    but this is… the IuPS is actually what
    we want to implement. So basically
  • 13:00 - 13:04
    the left side of this slide is
    what is implemented
  • 13:04 - 13:08
    in the proprietary base stations
    or femtocells that we are using,
  • 13:08 - 13:12
    and the right-hand side of that
    slide is what we are implementing.
  • 13:12 - 13:16
    So we need to implement the protocol
    stackings here. As you can see
  • 13:16 - 13:21
    the protocol stack is deep
    and has many acronyms.
  • 13:21 - 13:25
    So, to make things more complicated
  • 13:25 - 13:28
    the femtocells that you can find
    on the market are slightly different
  • 13:28 - 13:33
    from the real, normal 3G architecture,
  • 13:33 - 13:36
    so if you try to compare
    this slide with that slide,
  • 13:36 - 13:40
    you will find some differences here.
    The difference is that they introduce
  • 13:40 - 13:46
    a security gateway which is basically
    just ITU and 3GPP language
  • 13:46 - 13:50
    for ‘IPsec gateway’,
  • 13:50 - 13:55
    and you have a HomeNodeB gateway
    that doesn’t really do anything useful,
  • 13:55 - 13:58
    rather than putting messages from
    one protocol stack on the left
  • 13:58 - 14:01
    to another protocol stack on the right
    with the underlying protocols
  • 14:01 - 14:06
    doing exactly the same thing
    but being differently encoded.
  • 14:06 - 14:09
    And this is what you can see here,
    basically, the HomeNodeB gateway
  • 14:09 - 14:13
    which is part of the software that we
    implemented. You can see basically,
  • 14:13 - 14:18
    well, you have RANAP,
    this is the protocol
  • 14:18 - 14:21
    that really is sort of what
    we’re interested in,
  • 14:21 - 14:25
    the Radio Access Network
    Application Part; and RANAP,
  • 14:25 - 14:29
    in order to implement that, there’s
    several other protocols underneath.
  • 14:29 - 14:33
    And on the femtocell which is called
    HNodeB, the HomeNodeB, because,
  • 14:33 - 14:38
    well, ‘femtocells’ is a marketing term
    and specs can never use marketing terms,
  • 14:38 - 14:43
    so they have technical
    terms. So, the femtocell
  • 14:43 - 14:51
    basically encapsulates RANAP
    into RUA, the ‘RANAP User…’,
  • 14:51 - 14:56
    what was it? Sorry, …Adaptation,
    yes. The ‘RANAP User Adaptation’.
  • 14:56 - 15:01
    So the ‘Radio Access Network
    Application Part User Adaptation’,
  • 15:01 - 15:05
    on top of the SCTP, the Streaming
    Control Transfer Protocol,
  • 15:05 - 15:09
    which some may know is a protocol
    that’s on the same layer as TCP or UDP
  • 15:09 - 15:13
    but has different properties. And
  • 15:13 - 15:17
    this RUA is implemented than (?) the
    HomeNodeB Gateway where it is replaced
  • 15:17 - 15:22
    by M3UA and SCCP. And basically
    the same RANAP message
  • 15:22 - 15:26
    gets passed from left to right. So
    it’s really… you could think like…
  • 15:26 - 15:31
    think of it like an IPv6 to IPv4 proxy.
  • 15:31 - 15:36
    If that’s more an area that you’re
    more familiar with. Okay.
  • 15:36 - 15:41
    So, I said there are some differences
    between an actual, regular,
  • 15:41 - 15:45
    old-fashioned UMTS base station,
    like your public operator would use it
  • 15:45 - 15:49
    and the HomeNodeB, or femtocell,
    that we like to use in this project,
  • 15:49 - 15:54
    at least initially. And I said the
    main difference is that the RNC,
  • 15:54 - 15:58
    the Radio Network Controller, is built-in,
    so a lot of the lower layer protocols
  • 15:58 - 16:00
    are terminated, and we don’t need
    to worry about that. If we look
  • 16:00 - 16:05
    at the protocol stacking again there
    is a lot of protocol layers here,
  • 16:05 - 16:10
    you can see the MAC layer, the RLC layer,
    the RRC layer… and all the PHYsical stuff
  • 16:10 - 16:14
    underneath is all basically already
    implemented because it’s part of the
  • 16:14 - 16:19
    femtocell, in this case. So the protocol
    stacking now looks a little bit like this.
  • 16:19 - 16:24
    We have the HomeNodeB,
    and the HomeNodeB gateway,
  • 16:24 - 16:28
    and then our core network elements
    already. So the SGSN and the GGSN,
  • 16:28 - 16:33
    if you’ve looked at GSM in the past, or
    GPRS, even the software that exists today
  • 16:33 - 16:38
    and for many years in the Osmocom
    project, we have implementations of those.
  • 16:38 - 16:40
    What we are missing is
    the HomeNodeB gateway,
  • 16:40 - 16:44
    and is all the fancy new protocols
    here. And some modifications.
  • 16:44 - 16:51
    So, well, what do we need to
    do to actually implement?
  • 16:51 - 16:55
    This Iuh protocol. As I said there’s the
    different protocol layers – there is RUA,
  • 16:55 - 17:00
    there is the RANAP protocol,
    and the HNBAP protocol.
  • 17:00 - 17:04
    Let’s look at those protocols, what they
    do, and how can we implement them.
  • 17:04 - 17:08
    I’m skipping a few slides in the
    middle because it’s illustrative
  • 17:08 - 17:12
    if somebody wants to check the slides
    later but it would go into too much detail
  • 17:12 - 17:18
    at this point. So the RANAP
    User Adaptation layer
  • 17:18 - 17:21
    – given the spec number above there,
    so if you look for that online
  • 17:21 - 17:26
    you can find the actual spec – is a very
    simple connection-oriented layer
  • 17:26 - 17:30
    that provides you the
    notion of a connection
  • 17:30 - 17:34
    over a datagram transport
    layer underneath.
  • 17:34 - 17:39
    It has very, very few operations
    and message types,
  • 17:39 - 17:44
    including CONNECT which – well,
    surprisingly – sets up a new connection.
  • 17:44 - 17:48
    DIRECT TRANSFER which transfers
    data inside a connection.
  • 17:48 - 17:51
    DISCONNECT – to terminate a connection.
    And CONNECTIONLESS TRANSFER
  • 17:51 - 17:55
    to transfer data outside of a connection.
    And, of course, an ERROR INDICATION,
  • 17:55 - 18:00
    in case something goes wrong. So we can
    have multiple connections in parallel
  • 18:00 - 18:06
    over a signalling link. And they are
    distinguished by a 24 bit context ID,
  • 18:06 - 18:10
    to differentiate those multiple
    parallel connections. Think of it like
  • 18:10 - 18:14
    a port number. In the case of UDP,
    or whatever else you might want
  • 18:14 - 18:18
    to compare it to. So, this… if you look
    at this and you read the specs like
  • 18:18 - 18:23
    “Oh, pfff, you know, it’s nothing, it’s
    like you implement like 5..6 message types
  • 18:23 - 18:27
    and that’s it”… well, there’s
    a bit more details to that,
  • 18:27 - 18:34
    but we’ll get back later to this.
    The HomeNodeB Application…
  • 18:34 - 18:39
    no, HomeNodeB Application
    Part, the HNBAP protocol
  • 18:39 - 18:43
    has a couple of more transactions
    which basically serve
  • 18:43 - 18:46
    for the registration of
    the cell to the network,
  • 18:46 - 18:50
    the registration of user equipment,
    UE, that’s your mobile phone,
  • 18:50 - 18:55
    and some additional messages.
  • 18:55 - 18:59
    So HNB is the HomeNodeB registration;
    we have Registration REQUEST, ACCEPT,
  • 18:59 - 19:03
    REJECT, De-registration, we have
    the same for mobile phones.
  • 19:03 - 19:08
    We have some more detailed
    transactions that I’m going to skip.
  • 19:08 - 19:13
    But also it’s really very simple,
    conceptially, it’s not very complex,
  • 19:13 - 19:15
    you don’t have like massive state
    machines or anything like that.
  • 19:15 - 19:20
    Very few, very limited messages.
  • 19:20 - 19:24
    Then we look at RANAP. That’s the Radio
    Access Network Application Part.
  • 19:24 - 19:27
    This is where your actual signalling
    messages from the phone
  • 19:27 - 19:31
    are tunneled through. So if your
    phone registers to the network
  • 19:31 - 19:35
    you may have heard the term LOCATION
    UPDATE where the phone basically
  • 19:35 - 19:39
    registers to the network or updates
    its location with the network.
  • 19:39 - 19:44
    That’s the first message you would
    see, encapsulated inside RANAP, and
  • 19:44 - 19:49
    transported to the core network element.
    Also things like PDP context activation,
  • 19:49 - 19:53
    if you activate a data connection to
    a certain APN over cellular protocols,
  • 19:53 - 20:00
    all this is encapsulated
    in the RANAP layer.
  • 20:00 - 20:04
    Also the number of messages that we
    actually need is extremely limited.
  • 20:04 - 20:08
    Again, it’s a very short list, it’s
    not like hundreds of messages.
  • 20:08 - 20:12
    But the messages themselves can be
    quite complex. With nesting levels
  • 20:12 - 20:17
    up to 12..14 layers deep.
    But we’ll see that later on.
  • 20:17 - 20:21
    So we have a couple of transactions.
    RESET – well, I don’t need to explain –
  • 20:21 - 20:26
    it’s a Reset. INITIAL UE MESSAGE
    means a new phone has connected,
  • 20:26 - 20:30
    and it has sent us the first message
    that this phone has transmitted,
  • 20:30 - 20:34
    that’s why it’s ‘initial’ message. DIRECT
    TRANSFER is all the follow-up transfer.
  • 20:34 - 20:38
    IU RELEASE means we’re releasing
    a connection. Some commands
  • 20:38 - 20:44
    to configure the security, the ciphering,
    the encryption. A PAGING command
  • 20:44 - 20:48
    by which the network can initiate
    a transaction to the phone.
  • 20:48 - 20:52
    And RAB ASSIGNMENT. RAB
    is the Radio Access Bearer
  • 20:52 - 20:57
    which is basically an abstract notion
  • 20:57 - 21:03
    of a bearer able to
    transport communication.
  • 21:03 - 21:07
    If you come from classic
    telephony the bearer was
  • 21:07 - 21:11
    an analog voice channel.
    If you go to ISDN the bearer is
  • 21:11 - 21:15
    a 64kbps synchronous channel
  • 21:15 - 21:19
    where you have Alaw Ulaw (?)
    inside, and voice data.
  • 21:19 - 21:25
    Or you have some HTLC (?) or X75
    or whatever data inside.
  • 21:25 - 21:30
    In GSM the bearer is
    typically voice bearers,
  • 21:30 - 21:36
    with different voice codecs.
    The same it is in UMTS.
  • 21:36 - 21:40
    And basically you can configure
    those bearers in UMTS because
  • 21:40 - 21:46
    that’s a very universal and
    flexible part of the system.
  • 21:46 - 21:49
    Now, one of the protocols we have
    seen in the stack – I’m just going back
  • 21:49 - 21:55
    a couple of slides to reiterate – that
    is the SCCP which is introduced here.
  • 21:55 - 21:59
    The ‘Signalling Connection Control Part’,
  • 21:59 - 22:03
    if I remember correctly. It’s a protocol
    that’s used a lot in core networks
  • 22:03 - 22:09
    of mobile operators. So if you
    look at Roaming interfaces,
  • 22:09 - 22:14
    at classic SS7 interfaces – think of the
    SS7 security talks etc. we’ve had here
  • 22:14 - 22:19
    at CCC events a lot of times – this is
    a protocol that’s very often used
  • 22:19 - 22:25
    in a lot of different parts of
    telecom. But the problem is –
  • 22:25 - 22:30
    everywhere except [at] this
    particular point in UMTS and GSM
  • 22:30 - 22:34
    it is used only in connection-less
    mode; and this is the only point
  • 22:34 - 22:38
    where it uses connection-oriented
    SCCP. And therefor none of the existing
  • 22:38 - 22:42
    free software implementations is
    implemented. You can look to Yate,
  • 22:42 - 22:45
    you can look to the libosmo-sccp,
    the library that we have in
  • 22:45 - 22:50
    the Osmocom project. You can
    look at the Mobicents Java stack
  • 22:50 - 22:55
    for these protocols. You can look
    at the osmo_sccp Erlang code.
  • 22:55 - 22:58
    Basically no implementation
    exists, so we also had to
  • 22:58 - 23:04
    implement that part,
    at least to the point,
  • 23:04 - 23:07
    to those features that are required.
    But once we have implemented
  • 23:07 - 23:12
    all these protocols – RUA, SCCP,
  • 23:12 - 23:15
    the RANAP, the HNBAP, then
  • 23:15 - 23:21
    we need to somehow interface
    those protocols with the existing
  • 23:21 - 23:25
    network elements that we have for GSM. And
  • 23:25 - 23:29
    there are sort of several
    challenges in this area,
  • 23:29 - 23:34
    in what people know
    as the OpenBSC project.
  • 23:34 - 23:38
    Actually the program that most
    people use is called OsmoNITB
  • 23:38 - 23:42
    – the network in the box – which is called
    ‘network in the box’ because it implements
  • 23:42 - 23:47
    all the network elements that you
    need in one box, or in one program.
  • 23:47 - 23:51
    Unfortunately we need to separate
    those individual pieces which are
  • 23:51 - 23:57
    all in one blob, in order to interface
    at the point where we want to interface.
  • 23:57 - 24:01
    So this separation of the MSC part
    and the BSC part needs to be done
  • 24:01 - 24:05
    inside the ‘network in the box’.
    We need the UMTS authentication
  • 24:05 - 24:08
    and key agreement support,
  • 24:08 - 24:13
    and we need the different
    protocols that I just mentioned
  • 24:13 - 24:18
    and link them in on the SGSN side.
  • 24:18 - 24:23
    For the data services we need
    to introduce some extraction
  • 24:23 - 24:28
    to basically differentiate the packet data
    connections coming from GPRS networks
  • 24:28 - 24:33
    and those coming from the new
    3G networks or base stations
  • 24:33 - 24:38
    that we are supporting.
    But that’s all manageable.
  • 24:38 - 24:43
    Now, the question is,
  • 24:43 - 24:47
    do we really want to go for the
    full stack as it has been described,
  • 24:47 - 24:54
    or can we take some shortcuts, do we
    really need to implement the full SCCP,
  • 24:54 - 24:59
    for example? Do we need to implement M3UA,
  • 24:59 - 25:04
    which is another protocol layer in there?
    Can we basically simplify that?
  • 25:04 - 25:08
    The initial idea was
    – if we go back to that slide –
  • 25:08 - 25:11
    to reduce the complexity, I already
    mentioned this HomeNodeB gateway
  • 25:11 - 25:15
    which basically passes RANAP
    from left to right, and just changes
  • 25:15 - 25:22
    the underlying encapsulation. Why don’t we
    just continue using RUA up into the SGSN
  • 25:22 - 25:26
    and thereby avoid having
    to do SCCP and M3UA,
  • 25:26 - 25:30
    avoid having to implement more protocols
    without having any functional gain.
  • 25:30 - 25:34
    I mean it would just work the same way
    if we take RUA and we take it all the way
  • 25:34 - 25:38
    into the SGSN. So there’s been
    some thinking along those lines
  • 25:38 - 25:44
    but the idea was to…
  • 25:44 - 25:48
    …go sort of in a compromise so what
    we’re using here is yet another protocol
  • 25:48 - 25:52
    called SUA, the SCCP User Adaption.
  • 25:52 - 25:56
    And that replaces those 2 layers
    and keeps things a little bit simpler
  • 25:56 - 26:03
    from the implementation side. OK, now we
    have all these different protocol layers,
  • 26:03 - 26:08
    and the integration into the core
    network elements. Now the fun starts.
  • 26:08 - 26:11
    We have a plan, we know
    what needs to be done,
  • 26:11 - 26:15
    we know what needs to be done,
    and now we actually need to do it.
  • 26:15 - 26:20
    So the theory was easy – read a couple
    of specs, find out 6..7 messages,
  • 26:20 - 26:25
    not too many transactions, no
    complex state machines. Okay, now,
  • 26:25 - 26:28
    a lot of the more modern telecom
    protocols use ASN.1 syntax.
  • 26:28 - 26:35
    It’s an abstract syntax notation
    for defining data structures
  • 26:35 - 26:40
    or procedures to be communicated, and
    then you can use code generation tools
  • 26:40 - 26:44
    to generate code in your favorite
    language from this syntax
  • 26:44 - 26:47
    doing all the marshalling and
    demarshalling of the messages.
  • 26:47 - 26:51
    That’s at least what’s the idea. This is
    very different from what we used to do
  • 26:51 - 26:56
    in the GSM world because GSM
    was specified in the late 1980s.
  • 26:56 - 27:00
    ASN.1 didn’t exist to my knowledge back
    then, or at least they didn’t know about it,
  • 27:00 - 27:05
    and/or they thought it was not something
    that you could do in a mobile phone
  • 27:05 - 27:07
    at that time. Think about 8 bit
    microcontrollers and whatnot,
  • 27:07 - 27:12
    what they were using these days.
    So the GSM messages,
  • 27:12 - 27:16
    basically you have…, you look at the spec
    and you see “Oh, there’s one byte this,
  • 27:16 - 27:19
    then there’s a 2 byte length field, and
    then there’s that”. And you need
  • 27:19 - 27:24
    to implement that basically in your code,
    based on the textual representation.
  • 27:24 - 27:28
    Now, for UMTS almost all the
    protocols and particularly these
  • 27:28 - 27:33
    that we’re looking [at] here are specified
    in abstract syntax notation which, well,
  • 27:33 - 27:36
    on the one hand side you would say: “Oh
    yes, great, now we don’t need to write
  • 27:36 - 27:41
    all this message encoding and decoding
    code, and then we end up interpreting
  • 27:41 - 27:45
    the spec different[ly] and we have sort of
    incompatible messages and whatnot”.
  • 27:45 - 27:51
    That’s true to some extent, okay. Now
    what you need to know about ASN.1 is,
  • 27:51 - 27:55
    there are different encoding rules that
    define how the abstract syntax notation
  • 27:55 - 28:00
    gets converted into a concrete
    binary representation. There is a
  • 28:00 - 28:05
    Basic Encoding Rules (BER),
    there is all kinds of encoding rules,
  • 28:05 - 28:10
    there is even JSON encoding rules these
    days. There’s also XML encoding rules.
  • 28:10 - 28:14
    But what’s used here in these specs is
    called ‘aligned Packed Encoding Rules’
  • 28:14 - 28:20
    (APER). This is a particular encoding rule
    that was not… or is not supported
  • 28:20 - 28:26
    by any of the ASN.1 compilers that exist
    in open source that generate C code.
  • 28:26 - 28:31
    So we first had to teach the ASN.1
    compiler this encoding rule.
  • 28:31 - 28:35
    And the second big problem is the ASN.1
    syntax used in those protocol specs
  • 28:35 - 28:40
    uses a construct called ‘Information
    Object Classes’, which is sort of…
  • 28:40 - 28:48
    well, you know, an interesting way
    how to express or how to have…
  • 28:48 - 28:53
    a different notation on how to construct
    those messages and how to construct
  • 28:53 - 28:58
    operations that have like an initiating
    request, a ‘successful’ response,
  • 28:58 - 29:03
    a ‘successful error’ outcome or something
    like that. And you can express that
  • 29:03 - 29:06
    in a really nice way but then you need
    a compiler and a code generator
  • 29:06 - 29:12
    that can parse that, and that’s really
    difficult in the free software world
  • 29:12 - 29:17
    within some constraints. I’ll get into
    the details. Now the next thing is
  • 29:17 - 29:21
    that the way how they use ASN.1
    in these protocol specs
  • 29:21 - 29:25
    – ASN.1 being the abstract syntax
    notation – is not abstract enough.
  • 29:25 - 29:30
    They need to have another
    abstraction layer. So they use ASN.1
  • 29:30 - 29:35
    to describe containers, containers
    for information elements,
  • 29:35 - 29:38
    containers for messages, containers
    for lists of information elements
  • 29:38 - 29:42
    and containers for pairs of information
    elements. It’s very important.
  • 29:42 - 29:46
    You cannot just have a list of 2.
    No, you need to have a pair
  • 29:46 - 29:51
    that says, well, this is a pair of
    2 information elements. Not sure why,
  • 29:51 - 29:55
    but somebody probably had
    his reasons for doing so.
  • 29:55 - 30:00
    Now the point is, basically,
    you use the ASN.1 syntax
  • 30:00 - 30:04
    and you generate some code for
    encoding or decoding and then
  • 30:04 - 30:07
    you’re not really done at that point.
    Because then you basically:
  • 30:07 - 30:10
    “Oh, this is a list of containers”, and
    then you look into each of the containers
  • 30:10 - 30:14
    and then call the decoder again for each
    of the elements in the list. And then
  • 30:14 - 30:17
    in there there might be another level
    of containers and you unpack it again,
  • 30:17 - 30:22
    so it’s a little bit like matryoshka
    or, you know, these dolls
  • 30:22 - 30:28
    nested in each other; or somebody
    sends you a large packet etc. Well,
  • 30:28 - 30:32
    to illustrate that, if you’ve ever seen
    ASN.1, this is a relatively simple example
  • 30:32 - 30:38
    describing authentication couples
    or triplets or quintuplets.
  • 30:38 - 30:42
    Basically, the authentication data that’s
    used for authenticating subscribers
  • 30:42 - 30:46
    in networks. This is what is used
    also in GSM. It’s relatively simple,
  • 30:46 - 30:51
    so it basically tells you, well, there’s
    an authentication set list which contains
  • 30:51 - 30:55
    [consists] of a choice of either a triplet
    or a quintuplet list. Each of those lists
  • 30:55 - 30:59
    either have a length from 1..5, and then
    you have basically a sequence which is
  • 30:59 - 31:03
    sort of struct or a record of the below
    items in those lists. That is how [it] is
  • 31:03 - 31:09
    and should look like and how it
    normally looks like. Now in RANAP
  • 31:09 - 31:13
    and these protocols they first – as said –
    they define these containers, they say:
  • 31:13 - 31:18
    “We have…”. So it reminds me a bit
    of some mathematicians. It’s like
  • 31:18 - 31:21
    “We define we have this, and then we have
    that, and therefore we can construct
  • 31:21 - 31:27
    such a new structure” and whatnot. So
    basically, they define first a container
  • 31:27 - 31:32
    for protocol information elements,
    protocol IEs. And in the protocol IE
  • 31:32 - 31:37
    is the actual information element. Each
    element has an ID, it has a criticality.
  • 31:37 - 31:40
    The criticality tells you whether,
    if you do not understand
  • 31:40 - 31:44
    such an information element, should
    you ignore it, should you reject it,
  • 31:44 - 31:49
    should you ignore it but report to the
    sender that you did not understand it
  • 31:49 - 31:54
    despite proceeding with your operation,
    and then the actual value.
  • 31:54 - 31:58
    And the value is an ANY type which
    means there is another ASN.1 syntax
  • 31:58 - 32:02
    in that value that you then need to parse.
  • 32:02 - 32:07
    So you need to do these
    2 steps in the code. You first
  • 32:07 - 32:12
    unwrap the containers and then you
    decode what is inside the containers.
  • 32:12 - 32:15
    So working with ASN.1 really is not
    as simple and as straightforward
  • 32:15 - 32:19
    and as automatic as it should be. And you
    end up with messages looking like this
  • 32:19 - 32:24
    in Wireshark. So believe it or not,
    the content, the useful content
  • 32:24 - 32:29
    of this entire message
    is 4 bytes here, the c0…
  • 32:29 - 32:38
    laughter and applause
  • 32:38 - 32:42
    …is the 4 bytes starting from c0, and
    those people who have seen an IP address,
  • 32:42 - 32:48
    an IPv4 address in a 192.168. address
    range will recognize those bytes here
  • 32:48 - 32:52
    at the end. So the c0 is 192. etc.
    And in order to communicate
  • 32:52 - 32:56
    this message actually, this is a message
    that tells us to which IP address
  • 32:56 - 33:01
    something has been bound to. In this case
    it’s the GTP connection for communicating
  • 33:01 - 33:06
    packet data. And you see all these
    abstractions and encapsulations
  • 33:06 - 33:09
    and the nested tree, so it’s…
    it starts with… well, ok,
  • 33:09 - 33:13
    this is an outcome. It is an outcome to
    the Radio Access Bearer Assignment.
  • 33:13 - 33:17
    “If you do not understand
    it please reject it”.
  • 33:17 - 33:21
    We have an Assignment Response. It
    contains [consists] of a list of one item
  • 33:21 - 33:27
    of protocol information elements. This
    one item is a SetupOrModifiedList,
  • 33:27 - 33:31
    which again has a criticality of ‘Ignore’.
    If you don’t understand it…
  • 33:31 - 33:35
    oh no sorry, here it says “If you don’t
    understand it just ignore it.
  • 33:35 - 33:38
    Don’t report an error”. It’s quite
    interesting because you have a message
  • 33:38 - 33:42
    that only contains one element and it
    says, well, you should reject the message
  • 33:42 - 33:45
    if you don’t understand it; but then the
    information element says: “Oh, if you
  • 33:45 - 33:50
    don’t understand it please
    ignore it”. So, okay.
  • 33:50 - 33:54
    Then inside the SetupOrModifiedList
    we have one item
  • 33:54 - 33:58
    which is a protocol IE
    container with one item
  • 33:58 - 34:01
    which has an item which is the
    SetupOrModifiedItem, which is
  • 34:01 - 34:05
    a Radio Access Bearer Modified
    Item, which contains
  • 34:05 - 34:11
    a Radio Access Bearer SetupOrModifiedItem
    with a Radio Access Bearer ID of 1
  • 34:11 - 34:15
    and a transport layer address of
    this. And in case you’re wondering
  • 34:15 - 34:20
    why the IP address has such
    binary crap in front – it is
  • 34:20 - 34:26
    because it’s too difficult to express
    in ASN.1 that this is an IP address.
  • 34:26 - 34:29
    You could not just define a type for an
    IP address. That would be too simple.
  • 34:29 - 34:34
    No, you need to refer from this
    specification to another specification,
  • 34:34 - 34:40
    another 3G specification,
    which then refers to ITU-T X213
  • 34:40 - 34:46
    which tells you how you can encode
    any possible transport layer address
  • 34:46 - 34:51
    in any possible network protocol on the
    planet by using a hierarchical structure
  • 34:51 - 34:57
    like OUI IDs or something like that. And
    ‘35’ means it’s an IETF allocated address.
  • 34:57 - 35:02
    ‘0001’ means it’s an IPv4 address and
    then you actually have the payload.
  • 35:02 - 35:05
    And you can see Wireshark is too
    stupid to decode such brilliance!
  • 35:05 - 35:15
    laughter and applause
  • 35:15 - 35:19
    Yeah, so. Then it’s hard to find
    example traces. You want to implement
  • 35:19 - 35:22
    the protocol and you want to find some
    example traces. This is a mail I …
  • 35:22 - 35:27
    actually I was looking for this this
    year, in 2015. I was googling
  • 35:27 - 35:32
    for Iuh protocol traces. And what
    did I find? My own e-mail from 2009
  • 35:32 - 35:37
    where I was asking for protocol traces.
    But nobody ever responded.
  • 35:37 - 35:41
    So the situation is better today.
    You can actually find, I think,
  • 35:41 - 35:47
    2 or 3 public pcap files containing
    each maybe a handful of messages
  • 35:47 - 35:51
    on those interfaces. It’s really… it’s
    odd, you know? These are protocols
  • 35:51 - 35:56
    that are specified publicly. They’re used
    in production. Billions of users are using
  • 35:56 - 36:01
    these networks but nobody even has an
    example protocol trace of those protocols.
  • 36:01 - 36:05
    Okay, now we have a couple of
    protocol traces. We understand
  • 36:05 - 36:09
    the nesting level is deep. We are happy
    that Wireshark decodes at least most of it,
  • 36:09 - 36:13
    which by the way we have to thank
    one particular Ericsson employee
  • 36:13 - 36:19
    who is contributing those
    dissectors to Wireshark.
  • 36:19 - 36:23
    So then we need to basically set up
    a tool chain to generate code
  • 36:23 - 36:29
    from these ASN.1 syntaxes. So there is
    an ASN.1 C compiler from Lev Walkins.
  • 36:29 - 36:33
    It’s good for a lot of things and I’m
    very happy it exists. But it lacks many
  • 36:33 - 36:36
    if not most of the features that you
    need in the Telecom world. That’s
  • 36:36 - 36:39
    sort of unfortunate. There’s no
    information object classes, there is
  • 36:39 - 36:44
    no aligned PER support, there’s no
    support for prefixing the type names.
  • 36:44 - 36:47
    Because we have 3 different protocols, we
    want to use them from one program.
  • 36:47 - 36:51
    We need to prefix the type names because
    of course each of those 3 protocols
  • 36:51 - 36:54
    has a type called ‘protocol information
    element container’. But of course
  • 36:54 - 36:57
    it’s not the same protocol information
    element container, there it said(?).
  • 36:57 - 37:02
    You know, each of the protocols
    has its own containers.
  • 37:02 - 37:07
    So we had to add these pieces to the
    asn1c, at least in a minimal way
  • 37:07 - 37:12
    in order to use it. And unfortunately
    I don’t know anyone, and I’m certainly
  • 37:12 - 37:15
    no one who understands something
    about compiler theory, so it’s
  • 37:15 - 37:21
    a little bit challenging. Now,
    alternatives to asn1c, well,
  • 37:21 - 37:25
    the most complete tool kit you
    can find for working with ASN.1
  • 37:25 - 37:30
    exists in the Erlang OTP system.
    I used this in the past
  • 37:30 - 37:36
    for a lot of Osmocom projects,
    but the fact is the C projects…
  • 37:36 - 37:40
    there are other developers and people
    that contribute. In the Erlang projects
  • 37:40 - 37:44
    there is nobody that contributes except
    from me. So I thought, well okay,
  • 37:44 - 37:48
    it’s very nice to work with ASN.1 in
    Erlang, but then if nobody contributes
  • 37:48 - 37:54
    I’d rather go the difficult C way and then
    have contributors in the project.
  • 37:54 - 37:58
    Also of course in the Osmocom project
    we’re mostly low-level C guys;
  • 37:58 - 38:04
    and people are very wary of
    virtual machines and the
  • 38:04 - 38:09
    – at least perceived – bloat they
    introduce. The third alternative is
  • 38:09 - 38:14
    to use a proprietary ASN.1 compiler, and
    in my day job I actually use such tools.
  • 38:14 - 38:18
    But in the first sight you think,
  • 38:18 - 38:24
    well, okay, so it’s a code compiler, it
    compiles code, and copyright law says,
  • 38:24 - 38:28
    well, code that was generated by
    a machine is not copyrightable because
  • 38:28 - 38:33
    the act of automatically compiling
    code from one form into another form
  • 38:33 - 38:38
    does not make this… that does not
    create a copyrightable work as itself.
  • 38:38 - 38:42
    So basically, you can take a proprietary
    ASN.1 compiler, compile C code and then
  • 38:42 - 38:46
    use the resulting C code in an open source
    project without having any problems
  • 38:46 - 38:51
    with the license of the ASN.1 compiler.
    And that’s true, however
  • 38:51 - 38:54
    all those compilers I know, and I think
    I know all of them, they have
  • 38:54 - 39:00
    a runtime library and that you only either
    get as a binary library or you get it
  • 39:00 - 39:06
    in source code that’s not available
    under a free software compatible license.
  • 39:06 - 39:10
    No option to do that. So we
    have to stick with asn1c,
  • 39:10 - 39:14
    which as I said I don’t want to complain
    about, it’s a great project. It just
  • 39:14 - 39:17
    doesn’t do all the things that we need.
    But then, it was not written for us, so
  • 39:17 - 39:24
    of course it doesn’t do everything
    we need. Luckily, a research group
  • 39:24 - 39:29
    at Eurecom, the European Communications
    Research organization, has developed
  • 39:29 - 39:34
    a patch for adding aligned PER support
    to asn1c. Unfortunately it was
  • 39:34 - 39:38
    against an old version because, well,
    they probably don’t want to submit
  • 39:38 - 39:42
    this main line (?) and they don’t care
    about porting it and rebasing (?) it.
  • 39:42 - 39:47
    I did that. It probably still needs some
    clean-up before it can be submitted,
  • 39:47 - 39:53
    but my goal is to have
    this included in asn1c.
  • 39:53 - 39:57
    And also we found quite a number
    of bugs still in the code,
  • 39:57 - 40:01
    so it’s in the process of being improved.
    Now information object classes are hard,
  • 40:01 - 40:05
    at least for me. Basically we skip that.
  • 40:05 - 40:11
    I manually edit the ASN.1 syntax for not
    using information object classes anymore,
  • 40:11 - 40:14
    so I’m rewriting the ASN.1, that’s
    supposed to be there to guarantee
  • 40:14 - 40:19
    that the encoding is a… so it circumvents
  • 40:19 - 40:22
    sort of the purpose. The idea is you take
    the ASN.1 from the spec, you use it,
  • 40:22 - 40:26
    you don’t modify it. But I’m modifying
    it because, well, the tools we have
  • 40:26 - 40:31
    are not good for what we want
    to do. Type prefixing is done.
  • 40:31 - 40:35
    Now we have the information
    element containers. Eurecom has
  • 40:35 - 40:41
    another idea about this.
    They have a long Perl script.
  • 40:41 - 40:47
    I recommend you not to look at it, it
    consists of a neverending sequence
  • 40:47 - 40:53
    of regular expressions, basically grep-ing
    out certain parts of the ASN.1 syntax
  • 40:53 - 40:57
    without really formally parsing it,
    or lexing it, or tokenizing it;
  • 40:57 - 41:00
    and then based on those regular
    expressions generating C code that then
  • 41:00 - 41:05
    you can use with asn1c and link
    against it. And surprisingly it works,
  • 41:05 - 41:09
    surprisingly good actually. We had to
    teach it all the things that we needed
  • 41:09 - 41:14
    in addition to that.
    But really it works surprisingly.
  • 41:14 - 41:19
    Now. Putting things together:
    Copy and paste the ASN.1 syntax
  • 41:19 - 41:24
    from the 3GPP DOC files. Because 3GPP
    specs are published as PDF files
  • 41:24 - 41:28
    and as Word documents, and you don’t
    get the actual syntax as a text file.
  • 41:28 - 41:32
    You have to copy and paste from each page,
    make sure you don’t get intermixed
  • 41:32 - 41:38
    like headlines or something like that.
    Then you use the hacked-up, patched asn1c
  • 41:38 - 41:46
    to generate C code. You have to modify it
    to make a shared library of the runtime
  • 41:46 - 41:50
    for the ASN.1 compiler because we have,
    again, 3 syntaxes that we want to mix,
  • 41:50 - 41:54
    and that doesn’t really work with how
    asn1c works. We use asn1tostruct
  • 41:54 - 41:59
    to remove this what I call the obfuscation
    layer, these containers. We write
  • 41:59 - 42:04
    some code to dispatch the messages,
    and then finally, we see some messages.
  • 42:04 - 42:10
    So we have those HNB register,
    INITIAL_UE_MESSAGE and all these things.
  • 42:10 - 42:14
    This is what you can now get from
    osmo-iuh.git, the Git repository
  • 42:14 - 42:18
    on the Osmocom server which
    contains all this code.
  • 42:18 - 42:22
    It takes a long time to compile,
    because asn1c generates one C file
  • 42:22 - 42:27
    and one header file for each type. And
    they have lots of types in those specs.
  • 42:27 - 42:31
    So you end up with like 300..400
    C files and header files compiled
  • 42:31 - 42:38
    into a 5 megabyte binary, and then finally
    you want to get 4 bytes in a message.
  • 42:38 - 42:44
    So well, where do we go from here?
    We have a couple of other things to do.
  • 42:44 - 42:48
    One interesting question is – and I’m
    going to do a demo in a few minutes –
  • 42:48 - 42:52
    is what kind of hardware can be used?
    Well, the hardware that I currently use
  • 42:52 - 42:55
    for this development is undisclosed
    manufacturer, very expensive.
  • 42:55 - 43:01
    It’s not actually a femtocell, it’s a real
    cell, it costs several thousand Euros,
  • 43:01 - 43:05
    not really suitable for hackers. However
    many consumer grade femtocells
  • 43:05 - 43:09
    have also this Iuh protocol with the
    same stacking. The problem is
  • 43:09 - 43:15
    they’re locked down, in a way that they
    have certificates and connect over IPsec
  • 43:15 - 43:21
    to the operator network etc. So if
    somebody can break this IPsec layer
  • 43:21 - 43:25
    and insert its own a certificate, or
    disable the IPsec altogether then you can
  • 43:25 - 43:30
    talk Iuh to the osmo-iuh and then you
    can use that hardware. This is something
  • 43:30 - 43:33
    that a couple of people have looked
    at, and hopefully in the near future
  • 43:33 - 43:38
    we will have 1 or 2 femtocells
    that people can use inexpensively
  • 43:38 - 43:41
    in order to use the software. At the
    moment, I said, unfortunately
  • 43:41 - 43:48
    it’s not possible. As a summary,
    before I go into the demo
  • 43:48 - 43:54
    of demonstrating it and you having
    basically a look in the marvelous depth
  • 43:54 - 44:00
    of the Wireshark decodes, Iuh is
    conceptually very easy to understand.
  • 44:00 - 44:05
    The lack of good ASN.1 tools is the
    biggest problem in the free software world.
  • 44:05 - 44:09
    You need to overcome these containers,
    and in the end you spend 90% of your time
  • 44:09 - 44:13
    in improving the tooling, fixing the
    tooling and working around these
  • 44:13 - 44:19
    layers of abstraction rather than
    doing the actual functionality.
  • 44:19 - 44:23
    We have started the work on the core
    network components, the integration.
  • 44:23 - 44:27
    I was hoping that I could do a full demo
    with a call, or a full demo with actually
  • 44:27 - 44:32
    having a data connection over this setup
    that I have here, over the test setup.
  • 44:32 - 44:36
    I’m almost there. The signalling,
    everything gets established,
  • 44:36 - 44:40
    the authentication works but then
    somehow the data, the actual IP data
  • 44:40 - 44:45
    doesn’t want to come through. And that
    is under investigation, but I’m sure
  • 44:45 - 44:51
    it will be available rather soon.
    Now before we go for Q&A
  • 44:51 - 44:59
    let me just do a quick demo and let me
    show you how this looks at the moment.
  • 44:59 - 45:03
    This is still a protocol trace
  • 45:03 - 45:08
    basically that was running in the past.
    I’m just going to leave this here
  • 45:08 - 45:11
    at the left-hand side, I’m going to leave
    the… on the right-hand side. So
  • 45:11 - 45:15
    what we can see is basically
    on the left-hand side
  • 45:15 - 45:20
    we have the RUA encapsulated messages.
    This is basically the Iuh interface
  • 45:20 - 45:24
    between the HomeNodeB and the
    HomeNodeB gateway. Then we have
  • 45:24 - 45:28
    the osmo-iuh HomeNodeB gateway invisible
    in between here, and that’s the program
  • 45:28 - 45:33
    running in the background. And then the
    other side is this protocol stacking here,
  • 45:33 - 45:39
    where we see we have the SUA, this SCCP
    User Adaption rather than the RUA
  • 45:39 - 45:42
    on the left-hand side. The RANAP messages
    are the same on left and right, it’s
  • 45:42 - 45:50
    basically just converting. What I’m
    going to start in the background is
  • 45:50 - 45:56
    basically – this is the wrong window,
    I thought I had prepared everything just…
  • 45:56 - 46:01
    Yeah. Exactly. Good, that’s the one part,
  • 46:01 - 46:06
    that’s the other part…
    So I’m going to start the…
  • 46:06 - 46:09
    I know the font is too small, you don’t
    need to read that. I’m just going
  • 46:09 - 46:16
    to tell you the… I can make it larger,
    then we won’t see really a lot.
  • 46:16 - 46:25
    What’s this? Why is it not…?
  • 46:25 - 46:31
    “Cannot listen on… socket…”.
    Now that’s the demo effect!
  • 46:45 - 46:50
    Why on earth is it not binding?
  • 46:50 - 47:01
    What a pity! Okay, that’s embarrassing.
  • 47:01 - 47:06
    Then you get a larger font size!
    And then let’s have a quick look.
  • 47:06 - 47:11
    I’ll try it very quickly. So I’m trying
    this, it cannot bind to the sockets.
  • 47:11 - 47:14
    Probably my IP address has
    disappeared on the laptop
  • 47:14 - 47:18
    while I’ve been talking here and now
    it wants to bind to an address
  • 47:18 - 47:28
    that doesn’t exist anymore. And that
    seems [to be] exactly what has happened.
  • 47:28 - 47:34
    Now don’t shout your SUDO! (?)
    laughter
  • 47:34 - 47:39
    It will not like you. I can tell you.
  • 47:39 - 47:48
    Yeah. Now this should do the trick.
  • 47:48 - 47:50
    I’m starting this in Valgrind
    because I’m still debugging, yeah…
  • 47:50 - 47:54
    Now it’s actually running, okay. Now
    we do the same on the other side,
  • 47:54 - 48:00
    we go for a huge font size,
    and I’m starting the HNB gateway.
  • 48:00 - 48:05
    We see a yellow line, that a connection
    has been established. So now
  • 48:05 - 48:11
    we are waiting for the initial message
    from the HomeNodeB to arrive.
  • 48:11 - 48:14
    We should see it here at the bottom
    of this trace. We should see
  • 48:14 - 48:19
    a couple of Reset requests. Basically the
    HomeNodeB this… the NodeB here
  • 48:19 - 48:25
    is trying to reconnect all the time
    to its HomeNodeB gateway.
  • 48:25 - 48:28
    Of course there’s some backup… some
    back off included and given that it was
  • 48:28 - 48:32
    not connected for the first 40 minutes or
    so it will take some time to reconnect
  • 48:32 - 48:36
    to the SGSN and then I can have
    the phone that I have here regist…
  • 48:36 - 48:59
    audio recording blanks out
  • 48:59 - 49:32
    one minute of audio missing
  • 49:32 - 49:36
    Herald: …is there somebody somewhere
    at a mike? Mike 2, please!
  • 49:36 - 49:42
    Question: So if 3G is so annoying why
    not skip it and go directly to LTE?
  • 49:42 - 49:47
    LaForge: Well, there’s a
    couple of reasons for that.
  • 49:47 - 49:51
    First of all some people
    really need it in terms of
  • 49:51 - 49:56
    there’s an actual demand
    for 3G small networks
  • 49:56 - 50:00
    or 3G cells in applications where
    it’s used. The second reason is
  • 50:00 - 50:06
    it’s a relatively limited incremental
    step because the Layer 3 protocols
  • 50:06 - 50:11
    of GSM and UMTS are the same.
    And that’s why basically we can use…
  • 50:11 - 50:15
    reuse the call control and the mobility
    management, all those parts from GSM,
  • 50:15 - 50:21
    reuse them with 3G. I’m not saying we
    shouldn’t do the same with LTE as well
  • 50:21 - 50:25
    but there are actually quite a number of
    projects already involved in that area.
  • 50:25 - 50:33
    And LTE, well, to be frank, it’s so much
    IP it’s not really telecom anymore.
  • 50:33 - 50:36
    You know I’m always interested in
    the more obscure things that people
  • 50:36 - 50:41
    are not really looking so much at. IP,
    I found IP boring when I stopped working
  • 50:41 - 50:44
    on Netfilter in 2004 or so. IP, well
    everyone knows about IP, that’s…
  • 50:44 - 50:48
    you know, we need
    something more interesting.
  • 50:48 - 50:52
    Herald: Microphone 1 please!
  • 50:52 - 50:56
    Question: So you say that you have
    a lot of trouble parsing ASN.1.
  • 50:56 - 51:02
    But if it’s always the same containers
    can’t you simply have a static dump
  • 51:02 - 51:08
    of the binary crap before and after that
    stuff, and ignore the whole parsing part?
  • 51:08 - 51:15
    LaForge: You probably could. But then,
    how can I say, my code athletics
  • 51:15 - 51:22
    demand better behavior from code I write
    than just doing something like that. So
  • 51:22 - 51:29
    yes, you could, probably, but I’d rather
    have a more clean way of doing that.
  • 51:29 - 51:34
    Herald: And continue on microphone 1!
  • 51:34 - 51:40
    Question: You said that UMTS
    or 3G is a toolbox for creating
  • 51:40 - 51:46
    arbitrary telephony systems while
    my knowledge tells me that GSM
  • 51:46 - 51:50
    is a much more rigid standard,
    but, if you could please elaborate
  • 51:50 - 51:58
    on that concept of “arbitrary networks”!
  • 51:58 - 52:03
    LaForge: Well, I could illustrate that
    very much with a certain protocol trace.
  • 52:03 - 52:08
    UMTS basically… when UMTS was specified
    they didn’t know where the journey
  • 52:08 - 52:12
    was going to. Basically, it was not clear
    that the internet would be the thing
  • 52:12 - 52:16
    that we know as of today. They didn’t
    know that smartphones would exist.
  • 52:16 - 52:20
    They didn’t know that IP data services are
    the type of data services that people
  • 52:20 - 52:27
    are interested in. Rather they were
    thinking of… in generic terms.
  • 52:27 - 52:33
    So it could have been that
    we needed all X.25 over UMTS.
  • 52:33 - 52:38
    It could be that, you know, people
    wanted to do ATM over UMTS.
  • 52:38 - 52:42
    It was not clear that circuit-switched
    services would basically go downhill
  • 52:42 - 52:49
    like they did meanwhile with
    voice-over-IP telephony etc.
  • 52:49 - 52:54
    It was not clear that modem calls or
    actual video calls that exist in UMTS
  • 52:54 - 52:58
    would not be the future. So it was very
    unclear. And they tried to define something
  • 52:58 - 53:02
    that’s as flexible as possible to do
    anything that you could imagine.
  • 53:02 - 53:06
    And if you look at the way how the layers
    are structured and the fact that you have
  • 53:06 - 53:11
    transport channels, and transport channel
    bundles, and radio access bearers etc.,
  • 53:11 - 53:15
    basically the structure. Even
    only to transmit voice again
  • 53:15 - 53:21
    you have to set up with AMR for all
    the codecs you need to configure
  • 53:21 - 53:26
    in the physical layer, I think,
    for the 3 different bit classes
  • 53:26 - 53:31
    10 different combinations. So you end
    up with something like 30 parameters
  • 53:31 - 53:36
    or 30 sets of parameters that you need
    to communicate to the lower layers only
  • 53:36 - 53:40
    to configure it for establishing a voice
    channel. And then the transport channels,
  • 53:40 - 53:44
    that where the bits are included, the
    payload like how many bits fit in
  • 53:44 - 53:48
    into one frame doesn’t match with your
    codec bitrate because they didn’t know
  • 53:48 - 53:52
    what codecs they would use. So it’s
    really… it’s all arbitrary and with padding
  • 53:52 - 53:59
    and universal. So it’s not like GSM.
    GSM is very simple and straightforward.
  • 53:59 - 54:02
    Herald: Okay, we have 5 minutes left
    so we will have 2 quick questions
  • 54:02 - 54:05
    from the internet because
    everybody on the stream:
  • 54:05 - 54:08
    you can actually ask questions
    on the chat. Please!
  • 54:08 - 54:12
    Signal Angel: Okay, thanks. We have 2
    questions as you said. The first one is:
  • 54:12 - 54:15
    if there would be interest in
    implementing, you know, the whole stack
  • 54:15 - 54:22
    in a safe and non-VM based language
    if the tooling was good enough?
  • 54:22 - 54:26
    LaForge breathes out heavily
    laughter
  • 54:26 - 54:29
    LaForge: Well, I mean I’ve… It depends
    on… I don’t want to find Language Wars
  • 54:29 - 54:36
    here. I would have been tempted to
    do things in Erlang but then, I said,
  • 54:36 - 54:40
    the question is who else
    would have been tempted?
  • 54:40 - 54:44
    I don’t think… I mean the point is what
    we’re trying to do now is to basically
  • 54:44 - 54:51
    use most of what we already have
    with the least additional effort
  • 54:51 - 54:55
    and I don’t think anyone will want
    to start from scratch all over again.
  • 54:55 - 54:59
    But if they do so I would be happy
    to see a clean implementation,
  • 54:59 - 55:03
    but I’m not so sure that will happen.
  • 55:03 - 55:07
    Signal Angel: Okay, thanks. The second
    question is: why don’t we just
  • 55:07 - 55:11
    start over for a clean slate with hardware
    and software and do a basically
  • 55:11 - 55:16
    100% nerd and hacker
    driven mobile networks?
  • 55:16 - 55:17
    LaForge: Sorry, 100%…?
  • 55:17 - 55:21
    Signal Angel: …nerd/hacker
    driven networks.
  • 55:21 - 55:26
    LaForge: Ah, well, I mean the point
    of implementing all those specs is
  • 55:26 - 55:30
    you want to use the existing
    devices out there. You want to use
  • 55:30 - 55:34
    the existing billions of mobile phones
    that exist on the planet. And if you
  • 55:34 - 55:37
    want to talk to them then you need
    to implement those protocols
  • 55:37 - 55:41
    and those systems that they implement.
    If you want to start from something else
  • 55:41 - 55:45
    and do things from scratch, well, yes,
    you can do that. But then keep in mind
  • 55:45 - 55:50
    that you will have very bulky end user
    equipment with large like clusters
  • 55:50 - 55:55
    of FPGAs and DSPs, draining batteries,
    having fans inside. Because you
  • 55:55 - 55:59
    will not be able to implement your system
    in the same level of energy efficiency,
  • 55:59 - 56:05
    in the same level of, you know, ASICs
    and optimized silicon processes etc.
  • 56:05 - 56:11
    like is the case for the
    billions of existing devices.
  • 56:11 - 56:14
    Herald: Okay, thank you, Harald Welte!
  • 56:14 - 56:17
    LaForge: Yeah, thank you!
    applause
  • 56:17 - 56:23
    postroll music
  • 56:23 - 56:29
    Subtitles created by c3subtitles.de
    in the year 2017. Join, and help us!
Title:
LaForge: Running your own 3G/3.5G network
Description:

more » « less
Video Language:
English
Duration:
56:29

English subtitles

Revisions