CS 8803 - Cellular and Mobile Network Security: Data Air Interface



SLIDE 1

Florida Institute for Cybersecurity (FICS) Research

CS 8803 - Cellular and Mobile Network Security:

Data Air Interface

Professor Patrick Traynor 10/23/18

SLIDE 2

Packet-Switched Mobile Data

SLIDE 3

GSM/UMTS Data

  • Overview of System Architecture
  • Compare and Contrast
  • Protocol Stacks
  • GSM Overview
  • UMTS Overview
  • Mobility Management

SLIDE 4

General Packet Radio Service (GPRS)

  • GSM
    • overlay network on basic GSM infrastructure
    • new mobile “routers” introduced
    • supports both “GPRS” (2.5G) and “EDGE” (2.75G) wireless protocols
  • UMTS
    • re-uses GPRS network from GSM
    • new air interface

SLIDE 5

GSM Data Network Architecture

[Figure: GSM data network architecture. Labels: BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]

  • SGSN - Serving GPRS Support Node
    • Serves mobile user based on location
  • GGSN - Gateway GPRS Support Node
    • Serves mobile user based on address
  • BTS/BSC - new call processing and channels for data
  • HLR - extended user profiles

SLIDE 6

Network Attachment

  • Previous lectures covered the process of attaching to the network (i.e., authentication to the CS portion of the network).
    • This is known as “IMSI Attach”
  • Mobile devices can/must also attach themselves to the data services provided by the network.
    • This is known as “GPRS Attach”
  • The processes are largely the same, except that the MS interacts with the MSC for an IMSI Attach and the SGSN for the GPRS Attach.
  • Most networks allow for a “Combined GPRS/IMSI Attach”.

SLIDE 7

Combined Attach

  • The advantage to performing a combined attach is that both CS and PS signaling can be dealt with at the SGSN.
  • The MSC/VLR really just provides look-up facilities.
  • The absence of this combined attach means that the network provider must dedicate two sets of air interface resources to CS and PS signaling.
  • Pros? Cons?
  • Reality: SGSNs and MSCs are often a single box.

SLIDE 8

Attach

[Figure: Attach message sequence. Participants: New SGSN, Old SGSN, HLR, GGSN. Message labels: Attach Request, ID Request (TMSI, IMSI), ID Request, Auth Info, Auth & Cipher, Update Location, Cancel Location, Insert Subscriber Data, Location Update Accepted, Attach Accept]

SLIDE 9

Detach

[Figure: Detach message sequence. Participants: SGSN, HLR, GGSN. Message labels: Detach Request, Delete PDP Context, Detach Accept, Purge MS]

SLIDE 10

PDP Context

  • Once attached to the network, mobile devices need a means of communicating with other data-enabled entities.
  • A Packet Data Protocol (PDP) Context is a virtual channel between a device and a GGSN.
  • PDP Contexts serve two main functions in GPRS/UMTS:
    • Assign the phone an IPv4/IPv6 address, making it reachable.
    • Associate a quality of service (QoS) profile with the device.
  • The second point, while specified in the standards, is not currently implemented/used.
  • Accordingly, let’s view PDP Context establishment as a high-level dual to DHCP - interaction with a DHCP server is actually one of the parts of this operation.

SLIDE 11

Multiple Contexts

  • This architecture allows for a single device to establish and maintain multiple PDP Contexts.
  • Known as Primary and Secondary PDP Contexts
  • Secondary PDP contexts are always associated with a Primary context.
  • Multiple primaries are also possible, generally connected to multiple PDNs.
  • Secondary PDP contexts share an IP address with the Primary, but allow different QoS terms to be enforced.
  • A device may specify to the network that its SIP flows are more important than those delivering traffic to its mobile browser.

SLIDE 12

PDP Context Activation

[Figure: PDP Context Activation message sequence. Participants: SGSN, GGSN. Message labels: Activate PDP Context, Activate PDP Context Accept, Create PDP Context]

SLIDE 13

Call vs Data Path

[Figure: call path versus data path. Labels: BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]

SLIDE 14

GTP and RAB

  • GPRS Tunneling Protocol (GTP) allows the mobility of a device to be hidden to the outside world.
  • The IP address is fixed by the GGSN, and a “tunnel” to that device’s current SGSN is stored so that packets can be correctly forwarded.
  • Each tunnel is differentiated by its Tunnel Endpoint Identifier (TEI).
  • This allows the SGSN to allocate an arbitrary local address for a device (and change that address) without telling the GGSN.
  • The SGSN then forwards packets through the Radio Access Bearer (RAB) service, which connects the core network to the wireless device.
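As an added illustration (not part of the original slides), the sketch below models what this slide and the PDP Context slide describe: the GGSN assigns an address when a context is created, keeps a table from that address to the device's current SGSN and tunnel identifier, and changes only that table entry when the device moves to a new SGSN. The `Ggsn` class, the function names and all addresses are hypothetical or constructed, and one tunnel identifier per context is assumed; the 8-byte header layout, G-PDU type 255 and UDP port 2152 are those of GTPv1-U, whose header calls the identifier field the TEID.

```python
import ipaddress
import struct

GTP_U_PORT = 2152          # UDP port registered for GTP-U
G_PDU = 0xFF               # GTPv1 message type that carries a user packet

def gtpu_encap(teid, payload):
    """Prefix payload with the 8-byte mandatory GTPv1-U header."""
    flags = 0x30           # version=1, protocol type=GTP, no optional fields
    return struct.pack("!BBHI", flags, G_PDU, len(payload), teid) + payload

def gtpu_decap(frame):
    """Return (teid, payload); reject anything that is not a plain G-PDU."""
    if len(frame) < 8:
        raise ValueError("short GTP-U header")
    flags, mtype, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    if flags & 0x07:
        raise ValueError("optional header fields not handled in this sketch")
    if length != len(frame) - 8:
        raise ValueError("length field does not match frame")
    return teid, frame[8:]

class Ggsn:
    """Toy GGSN (hypothetical): address pool plus IP -> (SGSN, TEID) table."""
    def __init__(self, pool):
        self._free = iter(ipaddress.ip_network(pool).hosts())
        self.tunnels = {}  # subscriber IP -> (sgsn_addr, teid)

    def create_pdp_context(self, sgsn, teid):
        ip = str(next(self._free))        # the DHCP-like step: assign an address
        self.tunnels[ip] = (sgsn, teid)
        return ip

    def update_pdp_context(self, ip, new_sgsn, new_teid):
        if ip not in self.tunnels:
            raise KeyError("no PDP context for " + ip)
        self.tunnels[ip] = (new_sgsn, new_teid)   # the address is unchanged

    def forward_downlink(self, dst_ip, packet):
        """Return (sgsn_addr, udp_port, gtp_frame) for a packet from the Internet."""
        sgsn, teid = self.tunnels[dst_ip]
        return sgsn, GTP_U_PORT, gtpu_encap(teid, packet)

if __name__ == "__main__":
    g = Ggsn("10.0.0.0/29")                           # constructed pool
    ip = g.create_pdp_context("192.0.2.10", 0x1001)   # constructed SGSN and TEID
    g.update_pdp_context(ip, "192.0.2.20", 0x2002)    # inter-SGSN move
    print(ip, g.forward_downlink(ip, b"hello"))
```

A peer on the Internet keeps addressing the same IP before and after the update; only the outer destination and the TEID in the tunnel header change.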

SLIDE 15

Tunnels, etc

[Figure: tunnels between network elements. Labels: MS, BS, SGSN, GGSN, Internet, RAB, GTP Tunnel, PDP Context]

  • Each PDP Context allows a set of flows to request a QoS from the RAB. These include Conversational (voice), Streaming (YouTube), Interactive (web surfing) and Background (FTP).
  • RAB ends at a lower layer of the MS protocol stack.

SLIDE 16

GSM/GPRS Protocol Stacks

[Figure: GSM/GPRS protocol stacks. Element labels: BS, SGSN, GGSN, Internet, Server. Layer labels: App, TCP/UDP, IP, IP/X25, SNDCP, LLC, GSM RLC/MAC, BSSGP, GTP, LAPD, L1, Lower Layers]

SLIDE 17

UMTS Architecture

  • Re-used from GSM/GPRS Core Network
    • SGSN - signaling interface and some access protocols change
    • GGSN - re-used (PDP contexts remain)
    • HLR - some extensions
  • Main differences
    • Much higher data rates, soft handoffs

[Figure: UMTS architecture. Labels: UE, Node B, RNC, BTS, BSC, SGSN, GGSN, HLR, SS7 Network, IP Network, Internet]

SLIDE 18

UMTS/GPRS Protocol Stacks

[Figure: UMTS/GPRS protocol stacks. Element labels: BS, SGSN, GGSN, Internet, Server. Layer labels: App, TCP/UDP, IP, IP/PPP, PDCP, UMTS RLC/MAC, GTP-U, AAL5, ATM, L2, L1, Lower Layers]

SLIDE 19

Inter-SGSN Move

[Figure: Inter-SGSN move message sequence. Participants: New SGSN, Old SGSN, HLR, GGSN. Message labels: RA Update, SGSN Context, ID Request, Auth Info, Auth & Cipher, Update Location, Cancel Location, Location Update Accepted, Attach Accept, SGSN Context Ack, FWD Packets, Update PDP Context, Insert Subscriber Data]

SLIDE 20

Inter-SGSN Move: Data

[Figure: Inter-SGSN move message sequence with data flow. Participants: New SGSN, Old SGSN, HLR, GGSN. Message labels: RA Update, SGSN Context, ID Request, Auth Info, Auth & Cipher, Update Location, Cancel Location, Location Update Accepted, Attach Accept, SGSN Context Ack, FWD Packets, Update PDP Context, Insert Subscriber Data. Data-flow labels: Packets Flowing to Old SGSN, New Tunnel]

SLIDE 21

Data Network Functionality Redux
