Added a handler to catch invalid NAMF_COMM API messages
and prevent assertion failures, and upgraded related SBI log statements
from warnings to errors.
If gsm_build_pdu_session_establishment_accept() fails due to invalid PCO,
the SMF previously hit an assertion and crashed. This patch adds a proper
error check and transitions to the reject state to prevent the crash.
This was originally reported in issue #3969.
A missing error handling path in 'smf_gsm_state_wait_pfcp_establishment'
led to an assertion failure.
Problem:
During inter-eNB/RAN handover scenarios, such as S1/N2 handover followed by X2/Xn handover cancellation,
the UE context may end up partially moved or duplicated across multiple eNBs. If the handover
is canceled by the target eNB and followed by subsequent UE Context Release or PathSwitchRequest
procedures, the MME can crash due to inconsistent context state. Specifically, when deassociating
the mme_ue <-> enb_ue (or amf_ue <-> ran_ue) pair, the code unconditionally resets the association
fields (`mme_ue->enb_ue_id`, `enb_ue->mme_ue_id`, etc.), even if they no longer reflect an actual
association due to the earlier handover cancellation.
Root Cause:
The MME or AMF state machine incorrectly assumes that the associated context IDs are still valid
and proceeds to unlink the context. When the PathSwitchRequest arrives after the UE context has
been (partially or fully) released, the assertion `enb_ue != NULL` or the mismatch in expected ID
(e.g., `mme_ue->enb_ue_id != enb_ue->id`) leads to a crash.
Solution:
This patch introduces stricter association validation before unlinking UE contexts. Specifically:
- The unlinking functions such as `enb_ue_unlink()` and `amf_ue_deassociate()` were replaced with
more explicit versions: `enb_ue_deassociate_mme_ue()` and `amf_ue_deassociate_ran_ue()`, which
compare the current context ID with the expected one.
- If the ID mismatch is detected, the deassociation is skipped and a detailed error is logged
(rather than crashing with an assertion).
- This approach prevents crashes during handover cancellation cases and avoids incorrectly
cleaning up a context that is already associated with a new peer.
Additionally:
- The same pattern was applied consistently across MME and AMF modules including:
- `s1ap-handler.c`, `mme-context.c`, `mme-s11-handler.c`, `mme-gtp-path.c`
- `ngap-handler.c`, `nsmf-handler.c`, `sbi-path.c`
- All previously direct field resets (`xxx_ue->xxx_ue_id = OGS_INVALID_POOL_ID`) are now guarded
with validation logic.
- Logging was improved to aid in debugging unexpected deassociation cases.
This change improves robustness of the MME/AMF against abnormal handover procedures and
ensures graceful handling of late context release requests or race conditions during
handover cancel and re-establishment.
Fixes: assertion failure in `sgw_ue_check_if_relocated()` during PathSwitchRequest
Add a check to ensure only IPv4, IPv6, or IPv4v6 PDN types are allowed.
For any other (unknown) PDN type, send a PDN Connectivity Reject with cause
Unknown PDN Type instead of proceeding to a fatal assertion.
This prevents the MME from crashing when it receives a malformed NAS message.
In certain race conditions, the AMF could receive an SBI response
after the RAN UE context has already been removed.
The ran_ue_find_by_id assertions in
both amf_npcf_am_policy_control_build_create and
amf_nsmf_pdusession_build_create_sm_context would
trigger a fatal abort.
This change removes those assertions so that late SBI client events are
safely ignored and do not crash the AMF.
During PDU Session release, under memory pressure or upon receiving
an RST_STREAM, the SMF could still attempt to process an already-closed
HTTP/2 stream. This led to a fatal assert(stream) in smf_state_operational(),
terminating the entire SMF process even though the error affected
only a single UE context.
This commit adds a null check for the stream before sending the HTTP status.
If the stream has already been removed, SMF now logs an error instead of
asserting.
Previously, if the AMF received an smf-select-data response (or related SBI
messages) from the NUDM-SDM after the UE context had been released, the GMM
state machine would hit an unhandled event and abort with a fatal assertion.
This commit adds a new case for OGS_SBI_SERVICE_NAME_NUDM_SDM
in gmm_state_exception(), explicitly ignoring SBI messages for AM_DATA,
SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS
(with a warning log).
Any truly unexpected resource names now emit an error log instead
of triggering assert_if_reached. As a result, the AMF will safely drop late
NUDM-SDM responses without crashing.
Previously, malformed S-NSSAI parameters could trigger a fatal assertion in
amf_update_allowed_nssai when the UE had zero slices in its subscription
database. This patch introduces an explicit check for amf_ue->num_of_slice == 0,
logs a clear error message including the UE’s SUPI, and returns false to
reject the registration.
The removed assertion prevents AMF crashes and ensures
that other UEs continue to be served normally.
Previously, malformed Protocol Configuration Options (PCO) data would trigger
ogs_assert failures in both the generic parser and SMF build routines,
causing the SMF process to abort unconditionally.
This commit replaces those fatal assertions with conditional checks:
In ogs_pco_parse(), switch from ogs_assert(size == data_len) to
ogs_expect(size == data_len), allowing the function to return gracefully.
In SMF's PCO build (smf_pco_build) and all downstream build paths
(including GN, GSM, S5C modules), replace ogs_assert(pco_len > 0)
with explicit if (pco_len <= 0) checks that:
Ensure that malformed or incomplete PCOs no longer crash the process,
but instead are handled cleanly so the network function can continue operating.
When SM Context creation fails (e.g. 504 from SMF) the AMF continued
to build and send a NAS downlink message by dynamically looking up
the AMF UE context from ran_ue->amf_ue_id inside ngap_build_downlink_nas_transport().
If ran_ue_deassociate() had already removed that mapping, the lookup
would return NULL, triggering a fatal assertion and crashing the AMF.
This patch changes:
1. nas_5gs_send_to_downlink_nas_transport() and
ngap_build_downlink_nas_transport() signatures to accept an
explicit amf_ue_t * parameter alongside ran_ue_t *.
2. All calls to nas_5gs_send_to_downlink_nas_transport() to pass
the correct amf_ue pointer (from sess->amf_ue_id).
3. Removal of the dynamic lookup and fatal assertion in
ngap_build_downlink_nas_transport(), replacing it with
ogs_assert(amf_ue) on the passed-in context.
By carrying the valid AMF UE context through the call chain, we
ensure that downlink NAS transport always has a correct pointer,
even when the ran_ue-to-amf_ue mapping has been cleared. This
prevents invalid internal state transitions and eliminates the
ngap_build_downlink_nas_transport() crash when handling SMF failures.
SM context release in initial‐context‐setup should not abort the AMF.
Use ogs_error instead of ogs_assert_if_reached to log
the invalid state transition and maintain process availability.
Any unexpected HTTP methods or resource names generate an error
and an assertion, ensuring that truly invalid cases are caught.
By adding these checks and early exits, we avoid fatal assertion failures
in scenarios where the AMF’s state machine would otherwise have no matching
transition for a late SBI callback.
In upf_sess_add, replace the unconditional assertion on sess with a check
that detects when the session pool is exhausted. If allocation fails,
log an error message (“Maximum number of Session reached”) and
return NULL instead of aborting the process.
This change prevents the UPF from crashing when the PFCP session limit (4096) is
exceeded and allows it to reject additional session establishment requests
cleanly.
In lib/sbi/message.c parse_multipart(), http->content may be NULL.
This occurs on empty-body multipart POSTs and causes a segfault.
Add guard to check http->content, log an error, and return OGS_ERROR.
In state_operational, guard against dispatching to NF instance FSMs whose
state has been reset to zero by ogs_fsm_fini() in event_termination(). Drop any
incoming SBI events for those instances and log an error, preventing assertion
failures when late HTTP callbacks arrive after an asynchronous SIGTERM shutdown.
In the previous implementation, the AMF would send a Partial-handover error
indication whenever it encountered a session not found in the subscriber DB,
even if valid sessions remained. This resulted in unexpected error responses
during NG handover.
To resolve this, we record the initial SMF transaction count before iterating
through the UE session list. Sessions without a valid SMF context now produce
a warning and are skipped, while continuing to send Handover Notify messages
for provisioned sessions. After processing, we compare the SMF transaction
count to the initial value. If no valid sessions were handled, we send a
Partial-handover error indication.
With this change, unprovisioned sessions no longer trigger a premature error
indication, allowing valid PDU sessions to complete NG handover successfully.
In lib/sbi/client.c, the conditional compilation for
CURLMOPT_MAX_CONCURRENT_STREAMS was using #ifdef, which does not
ensure the option is set when the symbol is undefined.
Replace the check with #if CURL_AT_LEAST_VERSION(7,67,0) so that the
client applies the max concurrent streams setting on supported
libcurl versions. This fixes pool.event always showing the default
value and enables dynamic adjustment according to pool.stream.
SMF constructs up2cp FAR's outer_header_creation with |ogs_gtp_self()->gtpu_ip|
as DST IP address. Therefore, set |ogs_gtp_self()->gtpu_ip| to GTPU advertise
address. If advertise addr is not set, fall back to socket address as usual.
According to 3GPP TS 29.272 Annex A, when the HSS/UDM responds with
DIAMETER_ERROR_USER_UNKNOWN (5001), the MME/AMF should respond to the UE with
NAS EMM cause #8 (EPS services and non-EPS services not allowed), rather than
cause #11 (PLMN not allowed).
Previously, Open5GS returned cause #11 by default. However, this behavior is
problematic for private LTE environments where multiple operators may use the
same PLMN (e.g., 999/99 as per ITU-T E.212). In such cases, a UE rejected
with cause #11 will add the PLMN to its Forbidden PLMN list (FPLMN), causing
the device to avoid that PLMN for an extended period—even if another
compatible private network using the same PLMN exists.
This patch restores compliance with TS 29.272 by changing the default mapping
from cause #11 to cause #8 in both the 4G MME (emm_cause_from_diameter) and
5G AMF (gmm_cause_from_sbi) when handling unknown subscriber cases.
This ensures:
- Standard-conformant behavior across networks
- Better UE behavior in roaming or private LTE scenarios
- Avoids unnecessary FPLMN blacklisting in UE
Reference Issues:
- #263
- #1281
- #1332
Prevent crashes when UE context is missing in AMF and MME by replacing direct
assertions with conditional checks and error logging.
Removed unconditional ogs_assert(ran_ue) in AMF's GMM handlers and
ogs_assert(enb_ue) in MME's EMM handlers.
Now, if the UE context lookup returns NULL, log an error (including SUPI/IMSI,
NAS message type, and IDs), dump the NAS packet in hex for debugging,
and exit the handler gracefully instead of aborting.
Fix missing N2 signaling when tunnel information is unchanged,
causing AMF crash on repeated PathSwitchRequest
When a second PathSwitchRequest arrives without any tunnel changes,
the handler previously returned HTTP 204 No Content and omitted N2 information.
This led to a fatal assertion in the AMF SM context, since it expected
to receive updated N2 data even when the tunnel remained the same.
This patch modifies ngap_handle_path_switch_request_transfer to build
and send the N2 SM buffer in the “else” branch.
It calls ngap_build_path_switch_request_ack_transfer to construct
the Path Switch Request Acknowledge N2 message and then delivers it
with smf_sbi_send_sm_context_updated_data_n2smbuf.
A new test case is also added to verify that N2 signaling is correctly
transmitted when tunnel parameters have not changed.
In src/smf/context.c:
- Wrap UPF selection logic in a conditional that checks if pfcp_node
is non-NULL.
- If no UPF is available (pfcp_node == NULL), log an error and assert
that sess->pfcp_node remains NULL, instead of crashing.
- Only call selected_upf_node() and set up the GTP session when a prior UPF
entry exists.
In src/smf/gn-handler.c:
- After invoking smf_sess_select_upf(), verify sess->pfcp_node.
- If no UPF was selected, log an error ("No UPF available for session") and
return OGS_GTP1_CAUSE_SYSTEM_FAILURE instead of asserting.
In src/smf/s5c-handler.c:
- Mirror the same check for sess->pfcp_node after smf_sess_select_upf().
- If no UPF is available, log an error and return
OGS_GTP2_CAUSE_SYSTEM_FAILURE.
- If the selected UPF is not yet PFCP-associated, log a specific error
message and return OGS_GTP2_CAUSE_REMOTE_PEER_NOT_RESPONDING.
These changes ensure that SMF does not abort when no UPF is configured or
associated; instead, it fails the session request with an appropriate GTP cause.
* [AMF] Fix UE context transfer when only NRF is client
If UE context transfer is initiated and the new AMF does not get the
old AMF from NRF or no UE context is retrieved from the old AMF,
we do not want to reject UE registration. Send identity request instead.
Test "transfer-error-case" is added into the commit.
* [tests] Unite tests for UE context transfer
All tests for UE context transfer with different configs are placed
into test folder transfer.
* [tests] Make two binaries for UE context transfer tests
For each test config a different test binary is created.
Previously, Open5GS assumed the _links map contained an array under the key
"items". However, the 3GPP specification (TS29.510 section 4.9.4 and TS29.501
Table 6.1.6.2.25-1) defines this member name as "item".
As a result, when interacting with vendor NRF implementations that use "item",
Open5GS could not find the array and logged "No items", causing JSON errors.
This change updates both serialization and parsing in lib/sbi/custom/links.c:
- In ogs_sbi_links_convertToJSON(), replace the property name "items" with
"item" when building JSON.
- In ogs_sbi_links_parseFromJSON(), retrieve the array under "item" and adjust
the error message to "No item" if the member is missing.
With these corrections, Open5GS will correctly handle NRF responses using "item"
and remain compliant with the indirect communication model defined by 3GPP.
In case AMF is configured for multiple PLMN's, it would send a wrong
GUAMI in the Registration Accept message to the UE, also in other NAS
and SBI messages. Previously, it would only send the first configured
PLMN.
In ipfw2.c errx() would call exit(), aborting the UPF thread on rule parse
errors. Add a macro mapping errx() to ogs_log_message() so errors are logged.
We no longer call exit() and the main loop continues on error.
Prior to this change, `session_write_callback()` unconditionally asserted that
`sbi_sess->poll.write` was non-NULL when the write queue drained, then removed
it from the poll set. In edge cases—particularly when using curl 8.x with
external epoll and `SIGPIPE` disabled—a late `EPOLLOUT` or errant write-ready
notification could arrive after `poll.write` had already been cleared. This
triggered the assertion in `nghttp2-server.c:1765`, aborting the process on
shutdown or session teardown.
This commit replaces the hard assertion with a runtime guard. If `poll.write`
is present, it is removed and reset to NULL as before. If it is already NULL,
we emit an warning log (`ogs_warn`) instead of aborting. This ensures any stray
write events after cleanup are safely ignored, allowing a clean exit without
crashing.
- Wrap `ogs_pollset_remove()` and pointer clear in `if (sbi_sess->poll.write)`
- Log an warning when `poll.write` is unexpectedly absent
- Preserve original behavior when `poll.write` is valid
This change resolves the fatal assertion observed on process exit after the
EPOLLERR/SIGPIPE fix and improves overall shutdown robustness.
Previously, any SCTP recv would trigger ogs_fatal and an assert_if_reached
when MSG_EOR wasn’t set, causing the AMF or MME to crash on oversized
or fragmented packets. Since we rely on a 32 KB receive buffer and
do not support SCTP reassembly, this change replaces the conditional
fatal/assert logic with a single ogs_error call in both ngap_recv_handler
and s1ap_recv_handler.
Oversized or partial SCTP messages are now logged and dropped instead of
crashing the process.
Previously, both AMF and MME assumed that RAN UE contexts would always
be present, triggering fatal assertions when a context lookup failed.
This change introduces explicit checks in the common_register_state handlers
to detect missing NG and S1 contexts without crashing:
- Check ran_ue existence and abort if NG context has already been removed
- Detect deassociated RAN-UE (invalid amf_ue_id) and
break to avoid further processing
- Validate AMF-UE ID matches ran_ue->amf_ue_id and skip on mismatch
- Replace hard assertions on MBR/GBR presence in S1AP e‐RAB setup
with a runtime check: if any of the four parameters (MBR DL/UL, GBR DL/UL)
is missing, log an error and treat the bearer as Non-GBR
- Mirror the same logic in SMF’s NGAP build routines for PDU Session Resource
Setup and Modify transfers: drop the assertions, emit detailed error messages
with the missing MBR/GBR values, and omit GBR IEs
- Ensures graceful handling of incomplete QoS configurations by defaulting
to best‐effort (Non-GBR) rather than crashing
Prevent the NRF from processing requests that target its own
instance ID. This prevents a denial of service vulnerability.
If an SBI request attempts to delete or modify the local NRF
instance, respond with 404 Not Found and log an error, avoiding
a crash due to the state machine assertion.
The token parsing loop in ogs_ipfw_compile_rule() lacked a bound on the
number of tokens stored in the 'av' array. This could overflow the stack
buffer when parsing overly long flow descriptions. Add a check to ensure
'i' remains below MAX_NUM_OF_TOKEN-2 before assigning to 'av[i]'.
- In `udm_ue_state_operational()`:
- Wrap the call to `udm_nudr_dr_handle_subscription_authentication()`
in an `if` check.
- On failure (`false`), log an error via
`ogs_error("udm_nudr_dr_handle_subscription_authentication() failed")`.
- Transition the FSM to `udm_ue_state_exception` using `OGS_FSM_TRAN()`.
This change ensures that failures during subscription authentication
REST calls are not silently ignored, and that the UE state machine moves into
an exception state for proper error handling and recovery.
In amf_context_parse_config(), update the loop condition to ensure that
((i * 2) + 1) remains below
(OGS_NAS_MAX_NETWORK_NAME_LEN - 1) before performing any writes.
This change prevents potential out-of-bounds memory writes during
the conversion of an ASCII string to USC-2, thereby fixing a buffer
overflow issue.
This issue was observed on Ubuntu 25.04 and reported in the osmocom
nightly package.
This commit adds support for two Supported-Features AVPs in the
UpdateLocationAnswer (ULA) to enable 5G-NSA roaming. The first AVP
includes subscriber restrictions, while the second AVP signals that NR
as Secondary RAT is supported. Updates include modifications to
lib/diameter/s6a/message.c, lib/diameter/s6a/message.h, and
src/hss/hss-s6a-path.c.
This commit enhances the SM Policy request sent to the PCF
by incorporating user location information and time zone data.
The SMF now builds a userLocationInfo structure using the session's NR TAI
and NR CGI details, along with a timestamp generated from the current GMT time.
Additionally, the UE's time zone is included in the request context,
and the ratType is explicitly set to NR.
In Open5GS 2.7.x, when using curl 8.x with external epoll, an issue occurred
where the peer connection was closed, triggering EPOLLERR. At this point,
POLL_OUT should have been set to trigger the write event handler, invoking
`event_cb()` and calling `curl_multi_socket_action`. This would allow
`curl_multi_info_read` to execute without blocking.
However, when `event_cb()` wasn't invoked, `curl_multi_socket_action` was
not called, causing `curl_multi_info_read` to block. This resulted in a busy
loop in epoll, continuously checking for the closed peer connection.
This issue specifically affects Open5GS 2.7.x with curl 8.x, and is observed
on Ubuntu versions starting from **noble** and later. It does not occur on
Ubuntu Jammy.
The solution involves globally ignoring SIGPIPE and fixing the epoll logic
to ensure POLL_OUT is triggered when EPOLLERR occurs, allowing `curl_multi_socket_action`
to be invoked and `curl_multi_info_read` to run non-blocking. This resolves
the busy loop and connection issues caused by peer disconnects when using
curl 8.x and external epoll.
This fix improves the stability and performance of Open5GS when used with
curl 8.x and Ubuntu versions **noble** and above.
This commit fixes an issue where the callback header (3gpp-Sbi-Callback)
was incorrectly added in non-callback requests. Specifically, for registration
(PUT) and subscription requests in the AMF and SMF modules, the callback
header was included even though these are not asynchronous notifications.
Changes include:
- Removing the callback header assignment in src/amf/nudm-build.c and
src/smf/nudm-build.c for registration and subscription requests.
- Removing the callback header in NRF subscription-related builds in
lib/sbi/nnrf-build.c where it was not required.
- Adding the callback header only for actual notification or callback
operations (e.g. in src/amf/nsmf-build.c for N1/N2 transfer failure and
in src/nrf/nnrf-build.c for NF status notifications).
- Introducing a new callback macro in lib/sbi/message.h for
Namf_Communication_onN1N2TransferFailure.
This aligns the implementation with the standard, ensuring that callback
headers are only included in genuine callback/notification messages.
When UPF/SGW-U is restarted, missing f_teid_len validation causes an error.
This patch adds checks for f_teid_len > 0 in ogs_pfcp_pdr_swap_teid and
in the SGW-U and N4 handler functions.
When a UE handover occurs, the target UE may already be removed. This
patch adds a NULL pointer check and logs an error instead of causing a
segmentation fault in both enb and sgw deassociation functions.
Renamed backup/restore security context functions to save/restore
memento and updated flag to "can_restore_context". Updated AMF and MME
state machines to restore context on failure, preventing malicious
deletion triggered by spoofed NAS messages.
- Changed amf_region_id type from uint16_t to uint8_t in context.h.
- Updated context.c to use ogs_amf_region_id() for extracting and comparing
the region ID.
- Backup sensitive security context fields (e.g. xres, kasme, rand, autn,
keys, counters) when transitioning from REGISTERED state.
- Set the can_restore_security_context flag in common_register_state()
based on whether the transition originates from a REGISTERED or
de-registered state.
- In emm_state_authentication(), restore the security context and revert
to the REGISTERED state on authentication failure only if restoration
is allowed; otherwise, transition to an exception state.
- Remove the redundant unconditional state transition in the cleanup block
to prevent overriding a valid restoration.
Replace unsafe strcpy calls with ogs_cpystrn in both ogs_pfcp_dev_add()
and ogs_pfcp_subnet_add() to ensure proper length checking.
This change prevents potential buffer overflows when handling ifname
and dnn fields, which could otherwise lead to unintended overwrites
(e.g., fd and num_of_range).
Previously, the EPC used the UE-provided KSI directly in the Authentication
Request (except for the special case where the UE sent
OGS_NAS_KSI_NO_KEY_IS_AVAILABLE, which was reset to 0).
This commit changes the EPC to follow the 5G Core approach
for issuing KSI in Attach-Request.
Now, when a Attach Request is received and a new Authentication Vector is
generated, the EPC performs the following steps:
- Extract the KSI value from the UE's request.
- Increment the extracted KSI by 1.
- Use the incremented KSI in the Authentication Request sent to the UE.
This detailed process ensures that the EPC issues the KSI consistently
with 5G Core standards, improving key management and interoperability.
Previously, sample.yaml was used for both 5GC and EPC attach tests.
Because SMF had SBI configured, it sent a register PUT to NRF even in
EPC-only tests (where nrf/scp was not run), leading to a missing HTTP
response and connection timer expiry.
Now, attach.yaml is used for EPC, preventing the unwanted NRF registration.
This commit introduces robust validation for the F-TEID information element
in the PFCP message handling. Previously, malformed F-TEID values (such as
a zero length, zero TEID, or a TEID exceeding the pool size) could lead
to an assertion failure and crash the UPF.
The changes ensure that:
- The F-TEID length is greater than zero, confirming the IE is present.
- The TEID is a non-zero value, as a valid TEID must be positive.
- The TEID does not exceed the allowed pool size (max_ue * 4 * 16).
If any of these conditions are not met, an error is logged with the F-TEID
length and TEID value, and the function returns an error code
(OGS_PFCP_CAUSE_MANDATORY_IE_INCORRECT), preventing further processing
of the malformed message.
When another NF restarts, curl reuses the existing connection, which in
curl 8.9.1 causes the nghttp2 server to send an RST. This commit sends a
GOAWAY frame to every active session on shutdown, ensuring a graceful
termination and avoiding RST errors.
Previous versions such as curl 7.81.0 did not exhibit this behavior.
Previously, nf_instance pointers were stored in nf_type_array and
service_type_array. This led to dangling pointers when an NF instance
was removed via ogs_sbi_nf_instance_remove(), causing incomplete cleanup
and improper recovery on UDR or other NF restarts. The issue resulted in
the system falling back to nf_instance->client with the default port 80,
leading to connection failures.
To resolve the problem, nf_instance_id is now stored instead of the
pointer. The validity of an NF instance is verified using
ogs_sbi_nf_instance_find(nf_instance_id), which ensures proper cleanup
and correct recovery.
In case that NF do not send ProblemDetails in the response.
Do not assume that ProblemDetails is always present, to prevent null
pointer dereferencing.
When receiving a PFCP Session Establishment Request with an invalid PDN type(0),
the UPF would crash due to a failed assertion.
This commit improves error handling by:
- Removing the session_type assertion check that caused the crash
- Changing warning log to error log for better visibility
- Returning CAUSE_SERVICE_NOT_SUPPORTED instead of proceeding
with invalid type
This prevents potential DoS attacks through malformed PFCP messages.
Before this, there were 2 different ways to search for neighbouring
NF's:
a) in the case AMF was started _before_ UDM, AMF would create
subscription to NRF to notify it when a UDM would (un)register. In this
case, NF instance would remain in AMF's context indefinitely.
b) in the case AMF was started _after_ UDM, AMF would have to use NF
discovery mechanism to search for NF's. In this case, NF instance would
remain in AMF's context for the duration of Search's validity (defaults
to 30 seconds). After validity expires, NF would expire. This means that
for heavy traffic situations, AMF would constantly issue discovery
requests.
[SBI] save only wanted NF instances on NF List Retrieval
When retrieving a list of NF Instances from NRF, save only the NF's that
we want. Check the NF instance against our subscription list for either
the NF type or NF Service.
This can still cause a DoS on NRF when NF starts in case there are 100's
of NF's in the network, but prevents using too much memory on NF.
* [UDM][UDR] Add support for nssai resource in nudm-sdm
* Resolve Memory Issue
* Protect from multiple field entries, remove macros
* remove request_from_server, make use of xact state
* typo....
* definition cleanup
When a duplicate PDU session establishment is received, the AMF logs a
warning and proceeds to update the SM context via the SBI interface. This
process eventually calls amf_nsmf_pdusession_build_create_sm_context(), which
uses the SUPI to build the SBI URI header. If the SUPI is NULL, then the header's
resource component becomes NULL. This leads to a call to ogs_uridup() that
asserts on the NULL value, causing a crash.
This commit adds a check before invoking the SBI update. If the SUPI is NULL,
the update is skipped and a warning is logged. This prevents the invalid URI
build process and avoids the subsequent crash in ogs_uridup().
During handover between two gNBs, the AMF enters an invalid state when it
receives an unexpected SBI response from the UDM in the process of sending
a smf-select-data request. This bug could lead to an AMF crash as the state
machine in gmm_state_registration encountered an unknown state.
The fix adds explicit handling for SBI messages with resource names such as
AM_DATA, SMF_SELECT_DATA, UE_CONTEXT_IN_SMF_DATA, and SDM_SUBSCRIPTIONS.
If the HTTP response status is not OK, CREATED, or NO_CONTENT, a warning
is logged and the message is ignored. This prevents the AMF from transitioning
into an abnormal state and improves overall stability during frequent handovers.
Previously, policies were configured via YAML files without MongoDB.
This update enhances the YAML approach by adding the 'supi_range' key to
filter policies based on UE SUPI ranges. When both 'supi_range' and
'plmn_id' are provided, both conditions must be met.
Note that PLMN-ID filtering will be deprecated in a future release.
Replace enb_ue with source_ue to correctly reference the target eNodeB
context during handover. Added null checks and assertions to ensure proper
session cleanup in both mme-s11-handler.c and s1ap-handler.c.
This commit modifies the message length check in ogs_pfcp_recvfrom.
Previously, the condition only verified that the received size was less than
the expected length, which could allow messages that are too long to be
processed.
The condition now requires an exact match between the received
size and the expected total PFCP message length, ensuring proper message
validation.
This commit adds additional checks in the PFCP receive callback to ensure
that a complete PFCP message is received before parsing. A minimum header
length check and a total message length validation are now performed. This
prevents incomplete, fragmented messages from being processed and avoids
potential parsing errors and DoS conditions.
Previously, the function `udm_nudm_sdm_handle_subscription_create()` would
trigger a fatal assertion failure if the maximum number of SDM subscriptions
was reached.
This commit adds error handling to check if the subscription pool allocation
fails.
If `udm_sdm_subscription_add()` returns NULL, an appropriate error message is
logged, and a 400 Bad Request response is sent back to the client instead of
causing a crash.
Wrap SSL_CTX_set_keylog_callback calls with an OpenSSL version check
to ensure compatibility with versions older than 1.1.1.
This prevents compilation issues on earlier OpenSSL releases,
such as those found on Ubuntu 18.04(bionic).
Each received PFCP message triggered ogs_pfcp_node_find(), causing a DNS
resolution if node_id was FQDN. Under heavy traffic, this could lead to
excessive DNS queries.
- Implement a 300-second refresh interval to avoid repeated DNS lookups.
- Store last_dns_refresh in each node to defer new queries until needed.
- Treat config-based nodes with no Node ID as UNKNOWN, matching them by IP
alone until ogs_pfcp_node_merge() updates their ID.
- Validate IPv4, IPv6, or FQDN types in ogs_pfcp_node_merge() and reject
invalid IDs.
- Provide inline code comments for clarity and maintainability.
This commit addresses an Open5GS bug where the AMF process crashes
when receiving npcf-am-policy-control service responses during UE handovers.
The crash was occurring in the gmm_state_authentication() function
when the AMF encountered an unexpected SBI (Service Based Interface) message
from the PCF related to AM Policy Control requests.
Added a new case block in gmm_state_authentication() to explicitly handle
messages with the service name OGS_SBI_SERVICE_NAME_NPCF_AM_POLICY_CONTROL.
- Replace direct usage of OGS_ADDR/OGS_PORT macros with
ogs_sockaddr_to_string_static() for consistent IPv4/IPv6 logging.
- Remove redundant stack buffer allocations for address printing.
- Update PFCP node address handling to use addr_list and related
merges, avoiding obsolete sa_list references.
- Use ogs_pfcp_extract_node_id() and related APIs to safely extract
PFCP Node ID, improving error handling and reducing stack usage.
- Changed ogs_sockaddr_strdup to ogs_sockaddr_to_string_static
- Replaced dynamic allocation with a static buffer
- Updated source and header files accordingly
Created util.h and util.c to implement the ogs_pfcp_get_node_id function,
which retrieves the node_id from a PFCP message. Utilized the
ogs_pfcp_status_e enum for enhanced error handling, distinguishing
between success, absence, and error states.
Modified the `ogs_gtp/pfcp_context_parse_config` function to iterate through
all configured GTP/PFCP server addresses. When a Fully Qualified Domain
Name (FQDN) resolves to multiple IP addresses, the server now binds and
listens on each IP address individually.
These modifications enhance the flexibility and reliability of the GTP/PFCP
server within Open5GS, allowing it to handle multiple network
interfaces and redundant IP configurations as required.
In case that mapped HPLMN SST was not set by the UE in the request to
Establish PDU Session, AMF/SMF would assume it is set to 0 (since the
recent change to allow SST value 0).
3GPP TS 23.003: 28.4.2 Format of the S-NSSAI
The SST field may have standardized and non-standardized values. Values
0 to 127 belong to the standardized SST range and they are defined in
3GPP TS 23.501 [119]. Values 128 to 255 belong to the Operator-specific
range.
Introduce client_delegated_config to manage delegation settings for NRF and SCP
separately. This ensures that in Model C, all NRF-related procedures
(registration, heartbeat, deregistration, etc.) communicate directly with the
NRF without routing through the SCP. This change aligns Open5GS behavior with
3GPP standards, providing consistent direct communication for both discovery
and management in Model C, and maintaining indirect communication in Model D.
- Direct Communication with NRF
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
```
- Indirect Communication by Delegating to SCP
```
sbi:
client:
scp:
- uri: http://127.0.0.200:7777
```
- Indirect Communication without Delegation
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: no # Directly communicate NRF discovery
scp:
next: no # Do not delegate to SCP for next-hop
```
- Indirect Communication with Delegated Discovery
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: yes # Delegate discovery to SCP
scp:
next: yes # Delegate to SCP for next-hop communications
```
- Default delegation: all communications are delegated to the SCP
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
# No 'delegated' section; defaults to AUTO delegation
```
This update allows the parsing and handling of user-defined port numbers
in the `advertise` field or explicitly in the `server` configuration for
SBI. Users can now specify non-default ports for both binding and
advertising while maintaining compatibility with existing configurations.
The feature includes logic to handle FQDNs with embedded port numbers
(e.g., `example.com:8080`) and ensures proper memory management during
parsing. Updated the client association logic to utilize custom ports
when specified.
Examples:
- Bind to the address on the eth0 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- dev:eth0
advertise: open5gs-amf.svc.local
```
- Specify a custom port number 7777 while binding to the given address
```
sbi:
server:
- address: amf.localdomain
port: 7777
```
- Bind to 127.0.0.5 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local
```
- Bind to port 7777 but advertise with a different port number 8888
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local:8888
```
- Add `sslkeylogfile` configuration options to `*.yaml.in` in NFs.
- Update `open5gs-common.dirs` to include `var/log/open5gs/tls` directory
- Extend `ogs_sbi_context_s` structure in `context.h` to include `sslkeylog`
- Modify `context.c` to parse and handle `sslkeylogfile` settings
- Update `server.c` and `server.h` to manage the `sslkeylog` field
in server structures
- Update `ogs_sbi_client_add` and `ogs_sbi_client_remove` functions to handle
`sslkeylog` field.
- Adjust `meson.build` to create the TLS log directory during installation
This commit introduces SSL key logging functionality to Open5GS,
enabling the capture of SSL/TLS keys. This feature is essential
for debugging encrypted traffic and allows integration with tools
like Wireshark for decrypting TLS sessions.
- Added functionality to parse and validate the plmnList JSON array
during a PATCH request.
- Updated the nf_instance structure with new PLMN data from the request.
- Ensured robust error handling for invalid PLMN entries
and excessive PLMN counts.
- Responded with appropriate HTTP status codes for success and error scenarios.
- Removed `create_sctp_socket_from_addr_list` function.
- Introduced direct use of `sctp_socket_family_from_addr_list` in
`ogs_sctp_server` and `ogs_sctp_client`.
- Ensured proper handling of address family selection for SCTP sockets,
defaulting to `AF_INET` or `AF_INET6` based on the address list.
- Added error handling for cases where no suitable address family is found.
Addressed feedback on commit 33532a5 by switching SGsAP's SCTP socket
from SOCK_SEQPACKET to SOCK_STREAM. This change eliminates the need
for the 'addr' field, as SOCK_STREAM does not require specifying the address
in sctp_sendmsg.
All references to the 'addr' field have been removed from the VLR structure
and related functions, simplifying SCTP message handling and ensuring better
compatibility with multiple addresses.
Updated `sgsap-sctp.c` accordingly to reflect these changes
and improve the reliability of SCTP connections.
Added checks to validate the SUPI ID in the ogs_dbi_auth_info function
before calling ogs_assert. This prevents a crash when the SUPI ID is malformed,
such as when it does not contain a hyphen.
The fix ensures that invalid SUPI values are logged and handled gracefully,
avoiding assertion failures and crashes in the UDR.
- Modified the `ogs_nas_qos_rule_s` structure to increase the size
of the `identifier` field from 4 bits to 6 bits in order to allow
for larger QoS Flow Identifiers (QFI).
- Adjusted the URR access logic in `upf_sess_urr_acc_add` to prevent
out-of-bounds access by ensuring the URR ID is within the valid range.
Refactored the SCTP socket creation logic to dynamically select
the address family based on the provided address list.
A new function, `create_sctp_socket_from_addr_list`, was introduced
to check for the presence of an IPv6 address in the address list and
create an SCTP socket accordingly.
If an IPv6 address is found, it uses AF_INET6; otherwise, it defaults
to AF_INET. This change was applied to both the `ogs_sctp_server` and
`ogs_sctp_client` functions.
Updated the VLR (mme_vlr_t) lookup mechanism to identify VLR instances
using socket pointers rather than IP addresses.
Replaced the `mme_vlr_find_by_addr` function with `mme_vlr_find_by_sock` across
relevant modules, including `mme-context.c`, `mme-context.h`, and `mme-sm.c`.
Adjusted memory management for the `addr` field within the VLR structure
to ensure proper allocation and deallocation. Removed address assignments
in `sgsap-sctp.c` for usrsctp and updated logging to reflect the new socket-based
identification.
Added support for binding to local IP addresses in ogs_sctp_client and
ogs_sctp_server, and correct SGsAP configuration
Implemented the ability to bind to one or multiple local IP addresses using
`sctp_bindx()` in both the `ogs_sctp_client()` and `ogs_sctp_server()` APIs.
Users can now specify local addresses in the configuration files under the new
`local_addresses` field, reducing unnecessary complexity and signaling caused
by binding to `ANY_ADDR`.
This update addresses issue https://osmocom.org/issues/6509 by ensuring
correct operation in multi-interface and complex networking setups.
Additionally, corrected the `sgsap` configuration by changing it
from `server` to `client`, and added support for specifying `local_addresses`
for local binding as follows:
```
sgsap:
client:
- address: msc.open5gs.org # SCTP server address configured on the MSC/VL
local_address: 127.0.0.2 # SCTP local IP addresses to be bound in the M
```
Modified the PCF logic to bypass the BSF dependency when it is not available.
This change ensures that the 5G Core can operate without requiring a BSF,
allowing PDU sessions to be established successfully in setups
where only a single PCF is used.
Resolved a heap-buffer-overflow issue
in the ogs_nas_5gs_decode_registration_request function caused
by improper handling of empty pkbuf.
Added validation checks to ensure pkbuf size is non-zero
before accessing its data.
Reviewed similar patterns in other decoding functions
to prevent similar vulnerabilities.
Added a handler in gmm_state_registered() to process SBI client events
for UE context transfer, preventing fatal errors and AMF crashes during
Initial Registration.
This commit resolves additional crashes in the AMF caused by improper handling
of UE registration requests in various states of the GMM state machine.
The issue occurs when the AMF receives multiple registration requests
from the same UE while the previous UE context is being released,
leading to outdated or invalid authentication vectors being processed.
Although a previous fix addressed this problem in the gmm_state_exception
function, similar crashes were identified in other states within gmm-sm.c.
To address this, the handling of multiple registration requests
from the same UE has been refined across all relevant states.
The fix ensures proper synchronization and validation of UE contexts,
preventing the AMF from processing outdated authentication data and
maintaining stability during such edge cases.
This prevents incorrect restoration behavior by ensuring the TEID is only
swapped when F-TEID.ch is false, indicating the TEID has already been assigned.
Added a check to ensure that TEID restoration via swap occurs only
when F-TEID.ch is false. In the restoration process, when F-TEID.ch is false,
it indicates that the TEID has already been assigned, and the swap operation is
necessary to restore the TEID. However, if F-TEID.ch is true, it means that
the UPF needs to assign a new TEID for the first time, and performing a swap
in this case would be incorrect.
This check ensures that the swap operation is only triggered
when the TEID is already assigned and prevents potential issues
during the TEID assignment process.
This commit addresses an issue in the AMF where it crashes
upon receiving the Nausf_UEAuthentication_Authenticate response
in the gmm_state_exception function.
The crash occurs when the same UE continuously sends registration requests
while the previous UE context is released before the AUSF response is received,
leading to incorrect states in the gmm state machine.
The root cause was a lack of proper handling in the gmm_state_exception function
for the scenario where multiple registration requests from the same UE cause
the AMF to process outdated authentication vectors.
This update introduces a fix to handle this edge case
and prevent the AMF from crashing.
- Added handling for empty NAS PDUs to prevent potential heap-buffer-overflow.
- Implemented safeguards to reject invalid NAS messages and mitigate DoS attacks
by removing S1/NG Context for affected UEs.
In case an external HSS is used, and the NAM field is set to 0 (PACKET_ONLY),
Open5GS MME will only respond with an "EPS_ONLY" attach accept. This behavior
causes a lot of UEs (mainly phones) to disconnect after 1-2 seconds without
further signalling.
To resolve this, a new flag is introduced:
```
global:
parameter:
fake_csfb: true
```
If this flag is set to 'ture', the MME will respond with a combined EPS/IMSI
attach accept even if the HSS NAM field is set to "PACKET_ONLY", or if the
MME has no SGs connection towards a CS core.
By default this flag is false, thus not modifying the original behavior.
Note: some commercial core network vendors do include the LAI part in a
"fake" combined EPS/IMSI attach accept message. As that field is optional, and
testing also indicates that it is not needed, this patch does not implement it.
According to TS 29.510, the NFProfile structure in the NFDiscovery API does not
include the nfProfileChangesSupportInd attribute. However, Open5GS NRF currently
includes this attribute in NFDiscovery API responses, which has led to
complaints from certain NF vendors.
This commit modifies the nrf_nnrf_handle_nf_discover function
in src/nrf/nnrf-handler.c to ensure that the nfProfileChangesSupportInd
attribute is excluded when constructing NFProfile for NFDiscovery responses.
This commit introduces a new parameter in the global configuration
to support UPG-VPP UPF. When the following setting is added:
```
global:
parameter:
use_upg_vpp: true
```
The SMF generates PFCP messages specifically tailored for UPG-VPP UPF.
This allows seamless integration and operation with UPG-VPP
by automatically adapting the message structure to its requirements.
TS 29.571 - 5.5.2 Simple Data Types defines BitRate type as
String representing a bit rate that shall be formatted as follows:
Pattern: '^\d+(\.\d+)? (bps|Kbps|Mbps|Gbps|Tbps)$'
Examples: "125 Mbps", "0.125 Gbps", "125000 Kbps"
Taking the "0.125 Gbps" example, rather than round 0.125 down to 0, parse it as
a double-float first before multiplying by 10^9, resulting in 1.25e8 (bps).
Resolved an issue where Handover was failing when attempting to handover
from GNB-ID/eNB-ID 1 to GNB-ID/eNB-ID 0.
The problem occurred because the hash table managing GNB_ID values would
remove any entry with the default GNB-ID/eNB-ID of 0 before re-adding entries.
Consequently, any GNB/eNB configured with a GNB-ID/eNB-ID of 0
would be inadvertently deleted whenever another GNB was added.
This fix modifies the handling of the hash table to prevent the default
GNB-ID/eNB-ID (0) from being removed unintentionally, allowing handovers
between GNB-ID/eNB-ID 0 and other GNBs/eNBs to proceed without error.
```
TS36.413
8.7.3 S1 Setup
8.7.3.4 Abnormal Conditions
If the eNB initiates the procedure by sending a S1 SETUP REQUEST message
including the PLMN Identity IEs and none of the PLMNs provided by the eNB
is identified by the MME, then the MME shall reject the eNB S1 Setup Request
procedure with the appropriate cause value, e.g., “Unknown PLMN”
```
Modified code to address abnormal conditions where the eNB initiates
the S1 Setup Request with a PLMN Identity IE that is unrecognized by the MME.
In this case, the MME now properly rejects the S1 Setup Request
with the cause value "Unknown PLMN" in compliance with the 3GPP specification
(8.7.3.4).
In accordance with TS29.500 Section 5.2.2.2 on mandatory HTTP standard headers,
the User-Agent header in HTTP/2 requests is required to include the NF type
of the HTTP/2 client. Additionally, it is specified that the content
of the User-Agent header may be followed by a hyphen and custom information
when needed, providing greater flexibility for identifying the originating
NF type or adding other specific details.
To accommodate this requirement, I modified the code to allow for additional
information to be appended after the NF type in the User-Agent header,
separated by a hyphen.
This change ensures that the User-Agent header format can be customized
as needed for indirect communication scenarios and requests originating
from the SCP, improving compliance with the specification and enhancing
the adaptability of the header format for HTTP/2 communications.
While experimenting with CSFB, it was observed that when the UE returns
to E-UTRAN after a CS call, the UE performs a Tracking Area Update
with a combined Tracking Area/Location Area update and IMSI attach.
Currently, Open5GS's MME simply responds with a TAU Accept message
but does not inform the MSC/VLR.
As a result, no further MT (Mobile Terminated) CS/SMS services are possible
in cases where the MSC/VLR only attempts paging on GERAN.
However, some MSC/VLR implementations with fast fallback may still attempt
paging on E-UTRAN, allowing MT CS/SMS services to function intermittently.
According to 3GPP TS 29.118 Section 5.2.2 Procedures in the MME,
specifically Section 5.2.2.2.1, if the timer Ts6-1 is not running,
the MME shall start the location update for non-EPS services procedure
upon receiving a combined Tracking Area Update Request indicating
combined TA/LA updating with IMSI attach. However, SGs timers are not
implemented in Open5GS, which is a separate issue.
To comply with the specification and ensure that the MSC/VLR is informed
when the UE becomes reachable via SGs, the following changes have been
implemented:
1. Delay UEContextReleaseCommand:
When the active_flag is set to 0, the UEContextReleaseCommand is now delayed
until the MME receives the TAU Complete message from the UE. This ensures
that the UE has acknowledged the new P-TMSI before the network releases
the context, maintaining proper synchronization between the UE and the network.
2. Include Mobile Identity Only When P-TMSI Changes:
The Mobile Identity is now included in the Attach/TAU Accept messages
only when the MSC/VLR updates the P-TMSI. This ensures that the UE receives
the Mobile Identity information solely when there is an actual change
in the P-TMSI, preventing unnecessary or incorrect handling
of TAU Complete messages.
3. Send SGsAP-REALLOCATION-COMPLETE Conditionally:
The SGsAP-REALLOCATION-COMPLETE message is now sent to the MSC/VLR
only upon receiving a Attach/TAU Complete message from the UE.
This confirmation indicates that the UE has successfully updated its P-TMSI,
ensuring that the MSC/VLR is accurately informed of the change.
4. Handle P-TMSI Confirmation:
When the MSC/VLR updates the P-TMSI, Open5GS stores the new P-TMSI
in the next field of the mme_ue structure. Upon receiving the TAU Complete
message from the UE, indicating acknowledgment of the new P-TMSI,
Open5GS confirms the update by transferring the P-TMSI from the next field
to the current field. This ensures that the MME maintains an accurate and
up-to-date record of the P-TMSI as confirmed by the UE.
Fixed an issue in SCP TLS communication for Open5GS where omitted port numbers
in HTTP/HTTPS URIs (e.g., "https://scp.localdomain" implying port 443) were not
handled correctly.
Updated the code to ensure that during FQDN and port comparisons,
cases where the port number is set to 0 are accounted for.
This fix resolves the problem with indirect SBI communication over SCP using TLS
allowing proper connectivity between network functions like BSF and NRF.
Previously, the global configuration section was required for NF to start,
which differed from earlier versions where it was optional. This commit modifies
the implementation to make the global section optional again,
allowing NF to start without explicitly defining global settings.
This change restores the previous behavior and improves usability for users
who do not need to customize global settings.
The memory leaks occurring in specific exception handling scenarios have been
resolved. For instance, when an HTTP2 connection closes, memory associated
with objects like response messages was not being freed properly.
This update addresses and fixes these issues.
Implement support for Node-Identifier IE in GTPv2 S2b Create-Session-Request
to SMF for Diameter S6b integration
This patch adds support for processing the Node-Identifier IE within GTPv2
Create-Session-Request messages sent via the S2b interface to the SMF.
When the ePDG includes the Node-Identifier IE containing both host and realm
of the AAA-Server, the SMF now uses this information to populate
the Destination-Realm and Destination-Host AVPs in the Diameter S6b AAR message.
This enables seamless integration and allows the SMF to route requests directly
to the appropriate AAA-Server, enhancing interoperability in setups
where the host and realm data are required by the Diameter network.
This field was previously omitted, which could lead to
improper handling of interface-specific logic in certain scenarios.
The addition of the 3GPP Interface Type ensures correct behavior
in compliance with the 3GPP standards for PFCP message handling.
1. Fix SGW-U/UPF bug by comparing QFI only when PDI's QFI is present
Resolved an issue where the QoS Flow Identifier in the GTP-U Extension Header
was incorrectly compared regardless of the presence of PDI's QFI.
Updated the implementation to perform the comparison
only when PDI's QFI is present.
2. Add Outer Header Removal settings to SGW's PDR where necessary
Addressed the absence of Outer Header Removal in the SGW's PDR
by adding it to all required locations, ensuring proper header handling.
3. Remove unnecessary GTP-U Extension Header Removals
Eliminated all instances of GTP-U Extension Header Removal
since they should only be used during handover from 5GS to EPS.
This cleanup prevents improper header removals in other scenarios.
4. Delete unnecessary usage of Network Interface and UE IP Address
Removed all redundant references to Network Interface and UE IP Address,
streamlining the codebase and reducing potential confusion.
5. Change precedence so that Control has higher priority than Data
Adjusted the precedence settings to ensure that Control messages
are given higher priority over Data, enhancing the system's efficiency
and responsiveness.
1. Set packet filter identifier values to 0 when the UE requests to:
- Create new QoS rule
- Modify existing QoS rule and replace all packet filters
- Modify existing QoS rule and add packet filters - As specified in TS24.501, section 9.11.4.13, Table 9.11.4.13.1.
2. Revise QoS rule modification logic:
- Instead of replacing packet filters based on their identifiers (EPC approach), update the implementation to delete all existing packet filters within the QoS rule and add new ones.
- This ensures that when modifying an existing QoS rule to replace all packet filters, the packet filters are correctly reset and updated per 5G Core requirements.
- **Correct Packet Filter Identifier Handling:**
Remove the addition of +1 when searching for the packet filter context using `smf_pf_find_by_identifier()` in the 5G Core SMF. According to 3GPP TS24.008 Section 10.5.6.12 and TS24.501 Section 9.11.4.13, the Packet Filter Identifier should range from 1 to 15 (or 0 to 15) depending on the operation and should be used directly as received from the UE.
- **Adjust Maximum Number of Packet Filter Identifiers:**
Change the maximum number of Packet Filter Identifiers from **16** to **15** in the SMF to comply with the 3GPP specifications. The standards specify that the number of packet filters shall be greater than 0 and less than or equal to 15 for certain operations.
**Background:**
In the current 5GC implementation, the SMF incorrectly adds +1 to the identifier received from the UE and allows up to 16 identifiers, leading to mismatches and potential communication issues. These discrepancies cause the SMF to fail in correctly locating the packet filter context, resulting in improper QoS rule enforcement.
**Changes Made:**
- **For Packet Filter Identifier Handling:**
- Updated the SMF code to use the identifier received from the UE directly without modification:
```c
// Corrected code for 5GC:
pf = smf_pf_find_by_identifier(
qos_flow, qos_rule[i].pf[j].identifier);
```
- **For Maximum Number of Packet Filter Identifiers:**
- Adjusted the code to enforce a maximum of 15 packet filters as per the specifications.
**Impact:**
- **Compliance:**
- Ensures that the 5GC implementation of Open5GS adheres to the 3GPP TS24.008 and TS24.501 specifications regarding Packet Filter Identifier handling and limits.
- **Functionality:**
- Corrects the mapping and management of packet filters between the UE and SMF in 5GC, preventing potential communication issues and misconfigurations.
- **EPC Implementation:**
- The EPC implementation remains unaffected by these changes. EPC correctly handles the Packet Filter Identifier by decrementing it by 1 before sending it to the UE and adding +1 when searching for the packet filter context.
**Conclusion:**
By making these adjustments, we ensure proper synchronization between the UE and SMF in the 5G Core and maintain compliance with the 3GPP specifications. This fix resolves the mismatches caused by incorrect identifier handling and enforces the correct limit on the number of packet filters, enhancing the reliability and standards compliance of the 5GC implementation without impacting the existing correct behavior in EPC.
Decrement the Packet Filter Identifier by 1 before sending it to the UE
during GSM message construction. This correction ensures proper synchronization
between the UE and SMF, allowing `smf_pf_find_by_identifier()` to accurately
locate the corresponding `pf` context without adjusting the identifier
during the search.
This fix aligns the 5GC implementation with the EPC behavior,
where the identifier was correctly decremented before transmission to the UE,
preventing mismatches and synchronization issues.
I have modified the PAA's IPv6 prefix length from 8 to 64.
This adjustment ensures that the prefix length now correctly reflects
the standard /64 notation, in accordance with the specifications.
I wanted to let you know that I have modified the SMF configuration
to send S2b PGW GTP-U instead of S5/S8 PGW GTP-U in WLAN.
This adjustment should ensure that the correct interface type is used,
as per the specifications.
The issue was that the PLMN-ID of the TAI was incorrectly being
retrieved from the PLMN-ID of the EUTRAN_CGI.
As a result, when the PLMN-IDs of the TAI and EUTRAN_CGI were improperly set,
the MME would crash.
All issues have now been resolved.
This commit doesn't add any PCRF specific metrics, only all the
boilerplate code to instantiate libmetrics and hence have the generic
prometheus metrics available.
There's no real need for a separate thread, it all can run with a timer.
Furthermore, this will ease submitting events towards app so that they
can update diameter metrics.
This commit is a follow-up from previous one, split to ease review.
In this commit, the SGSN Context Ack towards SGSN plus session creation
towards SGW is further delayed until authorizing + SecurityModeCommand
against UE has succeeded, hence meaning we have a fully operating
context to communicate with it.
As per 3GPP TS 23.401 Annex D.3.6 step 6, "Security functions may be
executed" during TAU (UE cell reselection 2g->4g).
The idea is that the 4G network should check the integrity of the TAU,
and only if iexisting and valid then accept it right away. Otherwise,
an authorization procedure is started.
Until now, during 2g->4g TAU we were retrieving and acking the PDP Context
received from the SGSN and creating the session against the SGW right away.
Tests done so far with real phones ended up in unsuccesful results when
tring to reuse the 4g context derived from 2g, due to yet unknown
reasons.
Hence, with this patch we simply force for now the re-auth and
recreation of security context before completing the TAU. This showed
good results during testing with real phones.
The security context is recreated through:
* S6a 3gpp-Authentication-Info towards HSS
* S1AP/NAS Authentication Request+Response towards UE
* SecurityModeCommand towards UE.
This patch is the first step towards delaying SGSN Context Ack after the whole
authentication is done against the UE. Patches are splitted for ease of
review.
This patch is only delaying session setup after the S6a procedure.
Follow-up patch will delay it further.
In case that UE requests a PDU session with specific SSC Mode
for which it is not authorized, reject the request
instead of trying to continue processing it.
The osmocom ttcn3-mme-ogs test uses an APN consisting simply of the NULL
byte. This corresponds to one label of length zero, so simply the APN "".
Since commit 333d3fe1 ogs_fqdn_parse() returning zero is considered an
error in ogs_gtp1_parse_pdp_context().
Fix this by returning a negative value on error in ogs_fqdn_parse() and checking for
that.
The standard mandates that one SSC Mode is the default (if UE does not
request one), with up to 2 additional SSC Modes can be selected.
Always check also the default SSC Mode if it can be selected.
Same logic applies for Session Types.
Set flag LimitedSubscriptions in the supportedFeatures field in
SDMSubscription. This flag should be set in case that AMF supports
unique SDM Subscription, notifying UDM in this case of the support.
The old comment describe the 4G to 2G mobility, not the 2G to 4G.
Correct the comments.
Also set the translated bearer vulnerability to 1, translated bearer
should always vulnerable to it.
The clang scan-build procedure
```
Assume Ubuntu docker container with open5gs mounted to /src.
Assume these tools are installed to docker container:
sudo apt install -y clang-tools clang
For easy reference to clang scan-build tool:
Put normal open5gs build procedure into a file called /src/build
=======================
Inside docker container:
=======================
export CLANG_OUT_DIR=/src/scan_build_results
scan-build -disable-checker deadcode.DeadStores --override-compiler --keep-going
--exclude subprojects --exclude tests --exclude lib/asn1c -maxloop 200 -o $CLANG_OUT_DIR -plist-html /src/build 2>&1 | tee /src/logclang.txt
=======================
Results:
=======================
Results are in html format in $CLANG_OUT_DIR - top level index.html
```
Note that in this analysis the following suppressions were assumed:
- no deadcode.DeadStores analysis since those are not functional findings
- exclude lib/asn1c for reason that is outside of open5gs control
- exclude tests for reason that those are not functional findings
- exclude subprojects since those are outside of open5gs control
- create SDM subscription to UDM when PDU session is created, just
before sending SMF registration to UDM
- delete SDM subscription when PDU session is released
- handle SDM Change Notification, but not yet process items in it
UEContextReleaseCommand fails to encode as an ASN.1 message
if the Group is 0. This is added because there is currently
no exception handling when the gNB sends a Group of 0.
When a GTP transaction occurs, the ENB-UE associated with the MME-UE may change.
To address this, we have changed the structure to include the ENB-UE
in the GTP transaction, similar to AMF.
When a UEContextReleaseRequest and a Service Request occur simultaneously,
the ENB-UE in the Release Access Bearer Request/Response GTP transaction is
designed to persist even if the ENB-UE Context changes.
UEContextReleaseCommand fails to encode as an ASN.1 message
if the Group is 0. This is added because there is currently
no exception handling when the gNB sends a Group of 0.
ngap_send_amf_ue_context_release_command() is unnecessary.
So, change ngap_send_amf_ue_context_release_command()
to ngap_send_ran_ue_context_release_command.
NF should accept 204 No Content for Update Subscription requests.
According to 3GPP 29.510 NRF specification document in figure 5.2.2.5.6.1
NRF may return 204 or 200 for success update operations.
2a. On success, if the NRF accepts the extension of the lifetime
of the subscription, and it accepts the requested value for the "validityTime"
attribute, a response with status code "204 No Content" shall be returned.
2b. On success, if the NRF accepts the extension of the lifetime
of the subscription, but it assigns a validity time different than
the value suggested by the NF Service Consumer, a "200 OK" response code shall
be returned. The response shall contain the new resource representation
of the "subscription" resource, which includes the new validity time,
as determined by the NRF, after which the subscription becomes invalid.
I changed it so that all NFs can receive both 200 and 204 STATUS.
I also changed the default behavior of NRFs to respond with 204,
which is NO CONTEXT.
- Upgraded libraries to 4.5 to address compile error issues with CXX11 support
- Change the default version of FreeBSD Vagrant to 14.1-STABLE
- FreeBSD Platform documentation also changed to 14.x version
TS24.008
10.5.6.12 Traffic Flow Template
Table 10.5.162: Traffic flow template information element
Number of packet filters (octet 3)
The number of packet filters contains the binary coding
for the number of packet filters in the packet filter list.
The number of packet filters field is encoded in bits 4
through 1 of octet 3 where bit 4 is the most significant
and bit 1 is the least significant bit.
For the "delete existing TFT" operation and
for the "no TFT operation", the number of packet filters shall be
coded as 0. For all other operations, the number of packet filters
shall be greater than 0 and less than or equal to 15.
The array of TLV messages is limited to 16.
So, Flow(PDI.SDF_Filter) in PDR is limited to 16.
Therefore, we defined the maximum number of flows as 16.
TS24.008
10.5.6.12 Traffic Flow Template
Table 10.5.162: Traffic flow template information element
Number of packet filters (octet 3)
The number of packet filters contains the binary coding
for the number of packet filters in the packet filter list.
The number of packet filters field is encoded in bits 4
through 1 of octet 3 where bit 4 is the most significant
and bit 1 is the least significant bit.
For the "delete existing TFT" operation and
for the "no TFT operation", the number of packet filters shall be
coded as 0. For all other operations, the number of packet filters
shall be greater than 0 and less than or equal to 15.
The array of TLV messages is limited to 16.
So, Flow(PDI.SDF_Filter) in PDR is limited to 16.
Therefore, we defined the maximum number of flows as 16.
When exiting a diameter interface, the session state data could be NULL.
So we added code to check the session state data
to prevent SIGSEGV occurring.
We're experiencing an issue after changing SearchResult.validityTime
from 3600 seconds to 30 seconds.
When AMF finds a PCF through Discovery, it can be deleted
after 30 seconds by ValidityTime.
We have changed our implementation to not send the PCF-ID in this case.
What we need to do is proactively add a part that will re-discover
the PCF when a situation arises where we really need the PCF-ID.
* [UPF/SGW-U] Optimizing data-path (#3306)
In ogs_pfcp_up_handle_pdr, there is a copy operation performed on recvbuf,
which can reduce the sending performance in the data path. Personally,
We believe that this copy operation can be eliminated.
Of course, if it is canceled, the recvbuf does not need to be released again
at the location where ogs_pfcp_up_handle_pdr is called. After testing,
it has indeed shown an improvement in performance of approximately 15-18%.
/*
sendbuf = ogs_pkbuf_copy(recvbuf);
if (!sendbuf) {
ogs_error("ogs_pkbuf_copy() failed");
return false;
}*/
sendbuf = recvbuf;</div>
* update it
UE attached to 4G cell, terminates 4G connection,
then attempts 5G cell attach with TAC update - fails connection
Setup a UE on a 4G cell. Also have a 5G cell available to the UE.
Next, disable the 4G cell. The 4G connection terminates normally.
The UE scans the network and finds the 5G cell.
At this time the UE sends a registration to the 5G cell.
Open5gs sent back a reject with reason "Semantically incorrect message".
Then the UE did not try to attach again and lost the call forever.
Compare this scenario with a different core that we tested this scenario on.
With a different core (other than open5gs) the core sent back a reject
also but with a reason "UE can't be derived by network".
Then the UE tried attach again and the 5G call was successful.
Although this was successful for the other core it could be suggested
that not rejecting at all is good behavior.
There is a workaround which is that the Samsung UE could be put into
airplane mode and taken out of airplane mode and at that point
the UE is able to attach to the 5G cell. But this is a lot of manual effort
on the user of the UE which could be avoided with a simple open5gs change.
Note: Issue only happens when registration request + tracking area update
occurs on 5G cell attach following LTE cell being disabled.
If only registration occurs without a tracking area update
(such as the first time system is up) then it is ok with no rejection.
To solve this issue, added Additional-GUTI to the ClearText Group.
On 4G only... when UE sent an inactivity UEContextReleaseRequest,
Open5GS sent back UEContextReleaseCommand **with cause=normal-release.
This, in turn, does not allow the Samsung UE to return to the low power state
in our testing of the scenario.
Comparing the behavior of open5gs to other cores that we have tested
the other cores are sending a ** cause=“Radio Network Layer Cause”:
User inactivity ** when the UE sends inactivity. And this is what allows
other cores to transition the UE to the low power state whereas
with open5gs the UE is not entering the low power state.
We've fixed to allow open5gs to come to the same level of compliance
in this area as to the other cores.
Update Bearer Request
Modify Bearer Context Request
Modify Bearer Context Accept
Update Bearer Response
In the process above, we incorrectly used the Timer
that the MME uses to wait for the eNB.
We used xact's holding timer, which continues to hold the transaction
for further exception handling even after sending the Update Bearer Response.
This timer should end exactly when the Update Bearer Response is sent
by the MME to the SGW-C. Therefore, we have added a new peer timer
in xact for this purpose.
We fixed an issue in #3302 where MME does not send Downlink Data Notification
Acknowledge to SGW-C in Error Indication situation.
However, it did not work properly when this occurred in conjunction
with releasing the bearer as shown below.
>>>Seesion-Termination in Diameter
>>>SMF sends E-RABReleaseCommand and
Deactivate EPS bearer request context
1. SGW-U received Error Indication
2. SGW-U sends PFCP Report Request to SGW-C
3. SGW-C sends PFCP Report Response to SGW-U
4. SGW-C sends Downlink Data Notification to MME (MME Connected with eNB)
>>> eNB sends E-RABReleaseCommand
>>> UE sends Deactivate EPS bearer context accept
5. MME sends UEContextReleaseCommand to the eNB
6. eNB sends UEContextReleaseComplete to the MME
7. MME sends S1-Paging to the eNB
8. eNB sends Service-Request to the MME
9. MME sends InitialContextSetupRequest to the eNB
10. eNB sends InitialContextSetupResponse to the MME
No bearer context, so cannot send Downlink Data Notification Acknowledge
So, we've fixed it as below.
>>>Seesion-Termination in Diameter
>>>SMF sends E-RABReleaseCommand and
Deactivate EPS bearer request context
1. SGW-U received Error Indication
2. SGW-U sends PFCP Report Request to SGW-C
3. SGW-C sends PFCP Report Response to SGW-U
4. SGW-C sends Downlink Data Notification to MME (MME Connected with eNB)
>>>>>>>> Since eNB Connected, we send Downlink Data Notification Acknowledge here.
>>> eNB sends E-RABReleaseCommand
>>> UE sends Deactivate EPS bearer context accept
5. MME sends UEContextReleaseCommand to the eNB
6. eNB sends UEContextReleaseComplete to the MME
7. MME sends S1-Paging to the eNB
8. eNB sends Service-Request to the MME
9. MME sends InitialContextSetupRequest to the eNB
10. eNB sends InitialContextSetupResponse to the MME
We've encountered an issue where Downlink Data Notification Acks are not sent
in the following situations.
1. SGW-U received Error Indication
2. SGW-U sends PFCP Report Request to SGW-C
3. SGW-C sends PFCP Report Response to SGW-U
4. SGW-C sends Downlink Data Notification to MME
(MME Connected with eNB)
5. MME sends UEContextReleaseCommand to the eNB
6. eNB sends UEContextReleaseComplete to the MME
7. MME sends S1-Paging to the eNB
8. eNB sends Service-Request to the MME
9. MME sends InitialContextSetupRequest to the eNB
10. eNB sends InitialContextSetupResponse to the MME
Here, MME needs to send Downlink Data Notification Acknowledge.
So, we've fixed it
I created ogs_sbi_xact_find_by_id() with a hash
to replace ogs_sbi_xact_cycle().
Modified to find the xact via xact->id
when making an HTTP request with the SBI client function
and waiting for the HTTP response.
Pool library has the following issues with XXX_cycle,
including mme_enb_cycle()/amf_ue_cycle()
```
INIT POOL(SIZE:5)
Alloc Node1
Alloc Node2
Alloc Node3
Alloc Node4
Alloc Node5
Free Node4
Free Node3
PoolCycle(Node4) is NULL (Freed...OK!)
PoolCycle(Node3) is NULL (Freed...OK!)
Alloc Node6
Alloc Node7
PoolCycle(Node4) is Not NULL (Freed...but NOK!)
PoolCycle(Node3) is Not NULL (Freed...but NOK!)
PoolCycle(Node6) is Not NULL (Allocated...OK!)
PoolCycle(Node7) is Not NULL (Allocated...OK!)
```
If we use ogs_poll_alloc() to create and allocate a node,
the correct behavior of calling ogs_pool_free() on this node
and then later calling ogs_pool_cycle() on this node must always return NULL.
However, the behavior of calling ogs_pool_cycle() on this node
in the future may return a “valid” pointer.
To solve the problem, we added hash id to the pool memory and
ogs_pool_find_by_id() function is added.
3GPP TS 23.003 Ch. 2.8.2.2.2 (Mapping in the UE) states "The P-TMSI
signature is sent intact to the MME."
So simply use the PTMSI signature from the TAU and pass it throught to the
SGSN Context Request.
The algorithms described in 3GPP TS 23.003 Ch. 2.8.2.1.2 an 2.8.2.2.2
are not directly the inverse of each other.
To send a SGSN Context Request (in 2G -> 4G mobility) the algorithm in
2.8.2.2.2 has to be done in reverse (like mentioned in 2.8.2.2.3 -
Mapping in the new MME).
When parsing an SGSN Context Request (for 4G -> 2G mobility) the reverse
of 2.8.2.1.2 (as described in 2.8.2.1.3) has to be used.
PTMSI signature handling is added in a separate commit.
When setting hashes, we typically delete and set hashes that are set to OLD.
A hash set to OLD should be deleted by setting it to NULL,
but here we're deleting it with a value of NEW.
Therefore, we modified it to delete the OLD gNB/eNB ID
instead of NEW by setting a NULL value to Hash as Key.
Consider the following situation.
```
1. SMF->SGW-C->MME: First Update Bearer Request
2. MME->UE: First Modify EPS bearer context request
3. SMF->SGW-C->MME: Second Update Bearer Request
4. MME->UE: Second Modify EPS bearer context request
5. UE->MME: First Modify EPS bearer context accept
6. MME->SGW-C->SMF: First Update Bearer Response
7. UE->MME: Second Modify EPS bearer context accept
8. MME->SGW-C->SMF: Second Update Bearer Response
```
Until now, only one GTP transaction was managed for one bearer.
Therefore, if the UE does not send an EPS Modify bearer accept to the MME,
and the SMF/SGW-C sends an Update Bearer Request to the MME,
The NEW update bearer request overwrites the OLD that was previously managed.
So we modified it to manage them simultaneously.
However, we don't know if this is the right way to implement it.
So if the SMF/SGW-C sends 5 MMEs of Update Bearer Request and
the UE sends only 3 MMEs of Modify EPS bearer context accept,
we have no way to associate it.
Therefore, it's implemented so that we just process them sequentially and
2 of them are just timeout.
When the second AMF, which is the transfer, runs later than the SMF,
there is no client information.
Fixed to pre-create the Client when the Resource URI is transferred.
Fixed to not change the session information stored in the DB
when transferring context from GERAN to EUTRAN.
Note that the Tracking Area Update Procedure differs
from the Attach Procedure in 5.3.2 in the point
at which HSS and ULR/ULA are performed.
3GPP TS 23.401
Ch 5.3.3 Tracking Area Update procedures
<Attach Procedure>
1. Security-mode complete
2. Update Location Request/Answer
3. Create Session Request/Response
<Tracking Area Update Procedure>
1. Security-mode complete
2. Create Session Request/Response
3. Update Location Request/Answer
When TAU creates a Create Session Request message,
there is no session type information in the Subscriber DB
that is received from HSS in the Update Location.
Therefore, TAU does not reflect the Session Type
but creates PDN Type by reflecting the information
in the Request Type as it is.
HTTP Location header field does not contain the "5g-aka-confirmation"
substring. Which means that when we try to delete the authentication
from AUSF, it fails.
/nausf-auth/v1/ue-authentications/1
vs
/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation
IP assigned from SMF: session->paa
Static IP read from the Subscriber DB: session->ue_ip
When passing the PDP context information to the SGSN, we actually wanna
provide it with the IP address currently in use.
Try to fix the following error
"MME_Tests.ttcn:955 : no SGSN Context Response from MME"
MME_Tests.ttcn:1572 MME_Tests control part
MME_Tests.ttcn:1457 TC_ue_cell_reselect_eutran_to_geran testcase
If the UE continuously attempts to Attach while changing PDN Type,
it will cause the wrong IP to be assigned.
(e.g PDU-Type : IPv4v6 -> IPv4 -> IPv4v6)
This is because we use two variables at the same time,
one to read and store the Static IP from the Subscriber DB and
one to store the IP assigned from SMF, called session->paa.
When the UE attaches with PDN-Type set to IPv4v6,
MME saves the allocated IP in session->paa.
However, MME thinks it has been assigned a static IP based on the information
in session->paa, so changing the PDN-Type may result in the wrong IP
being assigned.
To solve this problem, I separated the variable(session->paa) that stores
the allocated IP received from SMF and the variable(session->ue_ip) that stores
the Static IP read from the Subscriber DB.
Therefore, the information read from the Subscriber DB
(session->session_type and session->ue_ip) should not be modified.
When using ogs_buffer_to_bcd(), an overflow occurs if the input buffer length
is larger than the output bcd size, causing a crash.
We adjusted the size of the input buffer length using ogs_min as follows.
```
sgwc_ue->imsi_len = ogs_min(imsi_len, OGS_MAX_IMSI_LEN);
memcpy(sgwc_ue->imsi, imsi, sgwc_ue->imsi_len);
ogs_buffer_to_bcd(sgwc_ue->imsi, sgwc_ue->imsi_len, sgwc_ue->imsi_bcd);
```
When we run the test, for example,
./tests/registration/registration simple-init,
wee get an INFO message like the one below.
```
05/17 14:24:03.933: [sbi] INFO: NF EndPoint(addr) setup [127.0.0.200:7777] (../lib/sbi/context.c:474)
```
When we run the code in Open5GS, the log level initially defaults to INFO.
However, for test code, we change the log level to ERROR
by automatically inserting the -e error option into argv.
The reason for this is to prevent WARNING and INFO messages
from appearing when the test code is run.
However, the log level to ERROR is changed at the bottom of
the initialize routine, which caused the above message
to be printed during testing.
To prevent this from being printed, I modified the code
to change that log level to ERROR a little earlier.
The validity time for NF Instances obtained through NF Discovery was
not properly implemented. Since the validity was 3600 seconds(1 hour),
which caused 5G Core to not work properly after 3600 seconds(1 hour).
There was an issue where an NF Instance should be deleted
when its validity time expired, but it was not working correctly
due to incorrect use of reference count.
Therefore, I have modified the Validity of NF Instances obtained
through NF Discovery to work properly.
I also changed the default value of valdityPeriod to 30 seconds.
Fixed not using Reference Count for adding/deleting NF Instances.
Up until now, NF Instances have been managed by referencing the Reference Count.
Initially, when an NF Instance is added, the Reference Count is incremented and
when it is deleted, the Reference Count is decremented.
If a UE discovers another NF Instance through the NF Discovery function,
the Reference Count is incremented. And if a UE de-registers,
the Reference Count of the discovered NF is decremented.
However, there's a problem with this approach.
When other NF is de-registered,
there is no guarantee that it will be 100% notified.
For example, if a UDM is de-registered, but an SCP is de-registered before it,
the AMF will not be notified that the UDM has been de-registered.
In situations where this is not clear, Reference Count cannot be used.
Therefore, we have modified it to not use the Reference Count method.
Also, when a UE connects, it is modified to always search
whether an NF Instance exists by NF Instance ID whenever it is discovered.
To do this, we modified lib/sbi/path.c as shown below.
```diff
@@ -281,13 +281,15 @@ int ogs_sbi_discover_and_send(ogs_sbi_xact_t *xact)
}
/* Target NF-Instance */
- nf_instance = sbi_object->service_type_array[service_type].nf_instance;
+ nf_instance = ogs_sbi_nf_instance_find(
+ sbi_object->service_type_array[service_type].nf_instance_id);
if (!nf_instance) {
nf_instance = ogs_sbi_nf_instance_find_by_discovery_param(
target_nf_type, requester_nf_type, discovery_option);
- if (nf_instance)
- OGS_SBI_SETUP_NF_INSTANCE(
- sbi_object->service_type_array[service_type], nf_instance);
+ if (nf_instance) {
+ OGS_SBI_SETUP_NF_INSTANCE_ID(
+ sbi_object->service_type_array[service_type], nf_instance->id);
+ }
}
```
An assert shall be triggered.
The vulnerable code path is in src/mme/mme-fd-path.c:
```
/* s6a process Subscription-Data from avp */
static int mme_s6a_subscription_data_from_avp(struct avp *avp,
ogs_subscription_data_t *subscription_data,
mme_ue_t *mme_ue, uint32_t *subdatamask)
{
...
/* AVP: 'MSISDN'( 701 )
* The MSISDN AVP is of type OctetString. This AVP contains an MSISDN,
* in international number format as described in ITU-T Rec E.164 [8],
* encoded as a TBCD-string, i.e. digits from 0 through 9 are encoded
* 0000 to 1001; 1111 is used as a filler when there is an odd number
* of digits; bits 8 to 5 of octet n encode digit 2n; bits 4 to 1 of
* octet n encode digit 2(n-1)+1.
* Reference: 3GPP TS 29.329
*/
ret = fd_avp_search_avp(avp, ogs_diam_s6a_msisdn, &avpch1);
ogs_assert(ret == 0);
if (avpch1) {
ret = fd_msg_avp_hdr(avpch1, &hdr);
ogs_assert(ret == 0);
if (hdr->avp_value->os.data && hdr->avp_value->os.len) {
mme_ue->msisdn_len = hdr->avp_value->os.len; /* 1 */
memcpy(mme_ue->msisdn, hdr->avp_value->os.data,
ogs_min(mme_ue->msisdn_len, OGS_MAX_MSISDN_LEN)); /* 2 */
ogs_buffer_to_bcd(mme_ue->msisdn,
mme_ue->msisdn_len, mme_ue->msisdn_bcd); /* 3 */
*subdatamask = (*subdatamask | OGS_DIAM_S6A_SUBDATA_MSISDN);
}
}
```
When NSSF was first implemented, nf-status-notify was not required.
This is because there was no need to be notified
if other NFs were registered or de-registered in the NRF.
However, this situation changed with the addition of SEPP.
NSSFs can be notified whenever a SEPP registers or de-registers an NRF.
Therefore, we added nf-status-notify,
which was not implemented when the NSSF was originally created.
When running the open5gs package with systemd network config, the 1st IP address
of the UE pool configured in open5gs-upfd config file for ogstun is
being assigned to the interface through this file.
That was discussed as being a desirable default setup.
However, in the event a user wants a setup where no IP address is
assigned to the tundev, then it's not enough removing the IP address,
because then the implicit routing rules regarding the subnet of the IP
address added automatically by the kernel are also removed.
This patch adds config sections to set up the routing explicitly, with
the aim to get the routing still applied if the user decides to comment
out the IP address, so that packets are still forwarded properly in that
case.
Related: https://osmocom.org/issues/6361
A friend in the community was trying to connect an SMF made by another
manufacturer with an SBI interface and found a big problem with Open5GS.
All of the code in the part that generates the Resource URI
from HTTP.location is invalid.
For example, suppose we create a Resource URI with SMContext as below.
{apiRoot}/nsmf-pdusession/<apiVersion>/sm-contexts/{smContextRef}
In this case, Open5GS extracted the {smContextRef} part of the HTTP.location
and appended it to the beginning
{apiRoot}/nsmf-pdusession/<apiVersion>/sm-contexts/.
This implementation may not work properly if the apiRoot changes.
Consider a different port number as shown below.
<HTTP.location>
127.0.0.4:9999/nsmf-pdusession/v1/sm-contexts/1
The SMF may send an apiRoot to the AMF with a changed port number,
in which case the AMF must honor it.
Therefore, instead of extracting only the smContextRef from HTTP.location,
we modified it to use the whole thing to create a Resource URI.
We modified all NFs that use HTTP.location in the same way, not just SMFs.
Add an option to disable printing the timestamp. This is useful to not
have duplicate timestamps, when stderr is piped into a logging system
that adds timestamps on its own. For example with systemd's journald:
$ journalctl -u open5gs-smfd
Apr 10 13:25:18 hostname open5gs-smfd[1582]: 04/10 13:25:18.274: [app] INFO: Configuration: '/etc/open5gs/smf.yaml' (../lib/app/ogs-init.c:130)
Configuration change:
```
<OLD Format>
logger:
file: /var/log/open5gs/smf.log
<NEW Format>
logger:
file:
path: /var/log/open5gs/smf.log
```
Example config, to have no timestamps on stderr:
```
logger:
default:
timestamp: false
file:
path: /var/log/open5gs/smf.log
timestamp: true
```
The way subnet is set up has changed as shown below.
```
<OLD Format>
smf:
session:
- subnet: 10.45.0.1/16
<NEW Format>
smf:
session:
- subnet: 10.45.0.0/16
gateway: 10.45.0.1
```
For more information, please refer to Pull Request #2975.
In InitialUEMessage, send a NAS message with a message type
other than Registration Request, Deregistration Request, or Service Request,
the following messages from UE will not be accepted.
We found this issue in not only the initial state but multiple states.
We believe if an attacker has the ability to inject a NAS message to the core,
it can perform a DoS attack on the victim UE.
So, I've fixed that The MME/AMF deletes MME_UE_S1AP_ID/AMF_UE_NGAP_ID,
and will not accept any following messages from the UE.
The AMF will crash on the following locations when it receives a sequence
of NAS messages from a UE.
- ogs_nas_encrypt: Assertion `pkbuf->len' failed. (../lib/nas/common/security.c:86)
- gmm_state_authentication: Assertion `r != OGS_ERROR' failed. (../src/amf/gmm-sm.c:1561)
Besides the crashes found above, an incorrect protocol transition
is identified in Open5GS. Without any Registration/Attach Request message,
when the Identity Response message sent, the Core Network responds
with an Authentication Request message. According to the standard,
only the Registration/Attach Request message can start a state transition
from the 5GMM/EMM-DEREGISTERED state to the 5GMM/EMM-COMMON-PROCEDURE-INITIATED.
So I've modified the relevant code to address these issues.
If a Create Bearer Response occurs after a Delete Bearer Response,
SGW-C crashes.
The execution is stopped by the following ASSERT
because it tries to access the UL Tunnel
deleted by the Delete Bearer Response.
```
03/28 17:28:41.229: [gtp] DEBUG: [7] LOCAL Find GTPv2 peer [172.22.0.9]:2123 (../lib/gtp/xact.c:949)
03/28 17:28:41.229: [gtp] DEBUG: [7] LOCAL Receive peer [172.22.0.9]:2123 (../lib/gtp/xact.c:966)
03/28 17:28:41.229: [gtp] DEBUG: [7] LOCAL UPD RX-96 peer [172.22.0.9]:2123 (../lib/gtp/xact.c:448)
03/28 17:28:41.229: [sgwc] DEBUG: Create Bearer Response (../src/sgwc/s11-handler.c:707)
03/28 17:28:41.229: [gtp] DEBUG: [7] LOCAL Commit peer [172.22.0.9]:2123 (../lib/gtp/xact.c:629)
03/28 17:28:41.230: [gtp] DEBUG: [7] LOCAL Delete peer [172.22.0.9]:2123 (../lib/gtp/xact.c:1149)
03/28 17:28:41.230: [sgwc] FATAL: sgwc_s11_handle_create_bearer_response: Assertion `ul_tunnel' failed. (../src/sgwc/s11-handler.c:802)
03/28 17:28:41.231: [core] FATAL: backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
./open5gs-sgwcd(+0x189b7) [0x5b3c92cf09b7]
./open5gs-sgwcd(+0x13c6d) [0x5b3c92cebc6d]
/open5gs/install/lib/x86_64-linux-gnu/libogscore.so.2(ogs_fsm_dispatch+0x113) [0x70600ed63402]
./open5gs-sgwcd(+0x629d) [0x5b3c92cde29d]
/open5gs/install/lib/x86_64-linux-gnu/libogscore.so.2(+0x11754) [0x70600ed54754]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x70600ecfc609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x70600ec21353]
```
To solve this problem, I have modified to handle the exception appropriately,
display the error situation in the Cause of the Create Bearer Response,
and proceed with the execution.
AS shown in 3GPP TS 29.244 C.2.1.1 diagram, the meaning of Threshold
value is different in Diameter Gy and in PFCP interfaces.
In Diameter Gy the value sets the trigger for the "remaining credit",
while in PFCP the value sets the trigger for the "used credit".
ThresholdPFCP = Quota - ThresholdGy
If eg. PCRF or AAA diameter link is not yet ready (eg. PCRF crashed),
and a client sends a CreateSessionRequest announcing its ow F-TEID,
then open5gs-smfd answers with Create Session Response Cause=
"Remote peer not responding", but it is not setting the received F-TEID
in the header of the response, instead it sends with TEI=0.
As a result, the peer cannot match the CreateSessionResponse,
and needs to rely on its own timeout timer to figure out
that specific request failed.
To address this issue, I modified the GTP Response message to check
the Sender F-TEID and send it accordingly, setting the destination TEID
to the value of the Sender F-TEID.
I've made this modification only for SMF, but MME and SGW-C have not done so;
if you need to, you can work from the examples in SMF.
Similarly, the same situation can happen with PFCP. If anyone needs to do this
in the future, I think you can work on it this way.
This is the continuation of commit
12158eebb8, which only checked the code in
CCA[Update], but not in CCA[Initial].
The handling in CCA[Initial] is a bit more complex since depending on
the outcome, we may end up with a Result-Code != SUCCESS in MSCC but the
session may still be created at the OCS because the message Result-Code
= SUCCESS. In that scenario, we want to abort setting up the PDN session
but we still need to make sure we terminate the Gy session that was just
created.
Cause is set according to particular NF standard.
Additionally:
- OGS_SBI_HTTP_STATUS_MEHTOD_NOT_ALLOWED typo fixed.
- [PCF] Fixed SM Policy establishment error handling
First of all, it crashes when creating a Dedicated Bearer
on the default Session that is created for the first time.
This behavior should be possible, so the related ASSERT is removed.
Next, the InitialContextRequest is modified
during the Attach Request to include the first Bearer.
Finally, there was an issue where trying to create a Dedicated Bearer
with SGsAP enabled resulted in an InitialContextSetupRequest message
with a PTI of zero. This is because MME initializes the PTI to 0
upon receiving the Create Bearer Request while processing SGsAP.
All of these issues has been fixed.
Do not attempt to run "systemctl reload" on the open5gs services, unless
they are running. This fixes the logrotate service failing on this
postrotate script, if units are not running or not installed.
1. According to ETSI TS 129 118 4.1, if the Network Access Mode (NAM) is set
to "Packet only," no SGs association should be established.
2. If the NAM is set to "Packet and Circuit," and the SGs association is
rejected by the CS core, this rejection should only impact
the SGs association itself and not result in a UE attach rejection
for a UE with a valid HSS account.
a cryptographic vulnerability in the SUCI decryption routines
of Open5GS 5G—specifically Profile B, which uses P-256 (secp256r1)
for its elliptic curve routines.
If a mobile device user passes a public key within its SUCI
that does not correspond to a valid point on the P-256 elliptic curve,
the Open5GS UDM will not check the point
before running elliptic curve operations with it and returning a response
to the mobile device user.
If the public key is not checked to be a valid point, an attacker can leverage
this behavior to extract the Profile B private key from the UDM,
as has been done in other domains
(https://owasp.org/www-pdf-archive/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf).
Note that Profile A is not similarly vulnerable to this, as it is impossible
to construct an invalid point on a curve25519 elliptic curve.
There was some work that went into developing a practical proof of concept
of this kind of attack against free5gc last year; it can be found here:
https://www.gsma.com/security/wp-content/uploads/2023/10/0073-invalid_curve.pdf
And here is the free5gc security advisory:
https://github.com/advisories/GHSA-cqvv-r3g3-26rf
To mitigate this issue in Open5GS, the public key of the UE must be validated
by the UDM prior to use. Adding a validation function such as the following
should work:
I designed this code based on information from https://crypto.stackexchange.com/questions/90151/verify-that-a-point-belongs-to-secp256r1.
'node_timeout' and some other functions can remove a smf_sess_t
while that session is still waiting for a PFCP reply
and has an active PFCP xact.
In this case, xact->data points to the deleted session
and xact's timeout function (sess_5gc_timeout for example)
eventually refers to this already freed session.
This fix prevents duplicate deletes from occurring by checking to see
if the session context has already been deleted when the timeout occurs.
Additionally, it moves session deletions out of timer callbacks into
state machine by reselect_upf().
Due to the way 'ogs_timer_mgr_expire' calls timer callbacks,
one must not stop or expire timers from within a timer callback.
And now one must not remove sessions from within a timer callback.
If eg. PCRF or AAA diameter link is not yet ready (eg. PCRF crashed), and
a client sends a CreateSessionRequest announcing its ow F-TEID,
then open5gs-smfd answers with Create Session Response Cause=
"Remote peer not responding", but it is not setting the received F-TEID
in the header of the response, instead it sends with TEI=0.
As a result, the peer cannot match the CreateSessionResponse, and needs
to rely on its own timeout timer to figure out that specific request failed.
This also happens in PFCP, so to solve this problem, I added teid/seid_presence
to the interface that sends the error message as shown below.
void ogs_gtp2_send_error_message(ogs_gtp_xact_t *xact,
int teid_presence, uint32_t teid, uint8_t type, uint8_t cause_value);
void ogs_pfcp_send_error_message(
ogs_pfcp_xact_t *xact, int seid_presence, uint64_t seid, uint8_t type,
uint8_t cause_value, uint16_t offending_ie_value);
When we try to send an SBI message to SMF to release a session,
sometimes ran_ue is NULL. This happens when the Mobile Reachable Timer expires
and Implicit Deregistration is triggered.
To account for this case, we added the `ran_ue` parameter to the SBI interface
and made it work even if it is NULL.
This AVP is optional and was added in later releases of the 3GPP TS
32.299 spec. For instance, it shows up in Release 16 (V16.2.0), but
doesn't show up in Release 12 (V12.7.0).
Some OCS, like PortaOne OCS, implement older versions of the release
(V12.14.0), and hence fail when receiving the 3GPP-RAT-Type inside
Multiple-Services-Credit-Control AVP.
Since nowadays we also send the 3GPP-RAT-Type in PS-Information AVP,
which has been specified for longer time (it already shows up in
V12.7.0), drop it from Multiple-Services-Credit-Control to have greater
compatibility with other vendors.
* [SBI] Handle and store AMF info
* [SBI] Add "target GUAMI" discovery option
* [SBI] Handle UeContextTransfer request and response messages
* [AMF] Handle NF discovery from AMF to AMF
* [AMF] Add UE Context Transfer Request/Response from AMF to AMF
* [SCP] Handle UeContextTransfer
* Follow-up on #3052
* [AMF] force authentication after 'Ue context transfer' for now
* [AMF] force authentication after 'Ue context transfer' for now
---------
Co-authored-by: Sukchan Lee <acetcom@gmail.com>
This happens for instance when the session is terminated due to a
rejection coming from the OCS, hence no originating GTP xact producing
the tear down.
The xact may well be NULL, eg. when tearin down the session
(send_ccr_termination_req_gx_gy_s6b()) because OCS rejected an update:
Hence there's no GTP xact originating the tear down, aka e->gtp-xact
passed to the function is NULL.
smf_gx_send_ccr() is already handling this case properly, contrary to smf_gf_send_ccr().
When building the MIME Multipart Media Encapsulation format
within an SBI message in the NF of a third-party product,
Open5GS does not parse properly if it contains a Preamble CRLF.
For example,
```
TCP/HTTP2
Stream: Data, Stream ID: 1, Length 841
MIME Multipart Media Encapsulation, Type: multipart/related, Boundary: "gc0pJq08jU534c"
--->Preamble: 0d0a
First boundary: --gc0pJq08jU534c\r\n
Encapsulated multipart part: (application/json)
Boundary: \r\n--gc0pJq08jU534c\r\n
Encapsulated multipart part: (application/vnd.3gpp.5gnas)
Boundary: \r\n--gc0pJq08jU534c\r\n
Encapsulated multipart part: (application/vnd.3gpp.ngap)
Last Boundary: \r\n--gc0pJq08jU534c--\r\n
```
Assume the UE has Attached, the session has been created,
and is in the IDLE state with the UEContextRelease process.
This could result in the following call flow.
1. TAU request without Integrity Protected
2. Authentication request/response
3. Security-mode command/complete
MME can be performed simultaneously by the HSS(S6A) and UE(S1AP).
Update-Location-Request
Service request
Service reject
Delete Session Request
Delete Session Response
Update-Location-Answer
UEContextReleaseCommand for Service reject
TAU reject
UEContextReleaseCommand for TAU reject
UEContextReleaseComplete
UEContextReleaseComplete
MME crashes when UE sends a service request(S1AP) during ULR/ULA(S6A) with HSS,
which has been fixed.
Transaction Identity doesn't map 1-to-1 with Procedure Transaction
Identity: The value ranges change, and PTI cannot use value 0 8which
means unused).
Hence, for now let's simply set the PTI to a valid default value instead
of asserting during mme_sess_add:
Assertion `pti != OGS_NAS_PROCEDURE_TRANSACTION_IDENTITY_UNASSIGNED'
Related: https://github.com/open5gs/open5gs/issues/3020
1. HandoverRequired
2. HandoverRequest
3. HandoverFailure
4. UEContextReleaseCommand
5. HandoverPreparationFailure
If UEContextReleaseComplete is not received,
the Source-UE will have the Target-UE.
6. HandoverRequired
There may be cases where the Source UE has a Target UE
from a previous HandoverRequired process. In this case,
it is recommended to force the deletion of the Target UE information
when receiving a new HandoverRequired.
7. HandoverRequest
8. HandoverFailure
9. UEContextReleaseCommand
10. UEContextReleaseComplete
11. HandoverPreparationFailure
... Crashed ...
For bi-directions, the rules are created in the same form as for downlink
as shown below, so to apply them for uplink, we need to swap the rules
according to the interface.
RX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> Destination <UE_IP> <UE_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
RX : permit in from <UE_IP> <UE_PORT> to <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <UE_IP> <UE_PORT> Destination <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
APER encoding fails when using the asn_uint642INTEGER function on a 32-bit machine as shown below.
```C
asn_uint642INTEGER(AMF_UE_NGAP_ID, 0xffffffff);
...
aper_encode_to_buffer(...)
```
INTEGER APER encode/decode functions seem to be operating internally with long variables instead of intmax_t.
That is probably the reason of the failure.
@v0-e fixed this issues in the mouse07410/asn1c pull request.
https://github.com/mouse07410/asn1c/pull/176https://github.com/mouse07410/asn1c/pull/177
When there is no MME-UE Context, going to cleanup without setting
s6a_message could cause a segmentation fault.
We fixed the problem by moving the location of setting s6a_message
to before cleanup.
The UPF is sending Session Report Request after the Session was Deleted,
when the Gy interface is active.
UPF is sending PFCP session report request after the session has been deleted
when the Gy interface is active. This is because some of the timers related to
the report are not deleted when the session is deleted.
We have fixed it to delete all the timers in the session
when the SESSION is deleted.
Problems with Purge-UE-Request/Answer can occur in the following situations
1. Attach Request
2. Authentication request
3. Authentication reject
4. UEContextReleaseCommand
5. UEContextReleaseComplete
6. Purge-UE-Request
7. Attach Request
8. Purge-UE-Answer
9. (UE Context Remove)
To resolve this issue, we have changed to delete the UE-Context
via mme_ue_remove() immediately upon receiving UEContextReleaseComplete()
without calling mme_s6a_send_pur().
1. Reachable assertion in ogs_nas_5gmm_decode
Location: lib/nas/5gs/decoder.c:4445
```c
int ogs_nas_5gmm_decode(ogs_nas_5gs_message_t *message, ogs_pkbuf_t *pkbuf)
{
int size = 0;
int decoded = 0;
ogs_assert(pkbuf);
ogs_assert(pkbuf->data);
ogs_assert(pkbuf->len);
```
When a NAS payload is received over `src/amf/context.c:1675`NGAP that has no data, the ogs_assert(pkbuf->len) assertion will be triggered.
2.Reachable assertion in ogs_nas_emm_decode
```
int ogs_nas_emm_decode(ogs_nas_eps_message_t *message, ogs_pkbuf_t *pkbuf)
{
int size = 0;
int decoded = 0;
ogs_assert(pkbuf);
ogs_assert(pkbuf->data);
ogs_assert(pkbuf->len);
```
Nearly identical to (1), but for LTE.
3. Reachable assertion in nas_eps_send_emm_to_esm
```
int nas_eps_send_emm_to_esm(mme_ue_t *mme_ue,
ogs_nas_esm_message_container_t *esm_message_container)
{
int rv;
ogs_pkbuf_t *esmbuf = NULL;
if (!mme_ue_cycle(mme_ue)) {
ogs_error("UE(mme-ue) context has already been removed");
return OGS_NOTFOUND;
}
ogs_assert(esm_message_container);
ogs_assert(esm_message_container->length);
```
The ESM message payload may be 0-length, as the length is determined by a field in the NAS payload (which can be chosen arbitrarily by an attacker). This leads to the length assertion above being triggered.
5. Reachable assertion and incorrect hash calculation in ogs_kdf_hash_mme
```
void ogs_kdf_hash_mme(const uint8_t *message, uint8_t message_len, uint8_t *hash_mme)
{
uint8_t key[32];
uint8_t output[OGS_SHA256_DIGEST_SIZE];
ogs_assert(message);
ogs_assert(message_len);
ogs_assert(hash_mme);
memset(key, 0, 32);
ogs_hmac_sha256(key, 32, message, message_len,
output, OGS_SHA256_DIGEST_SIZE);
memcpy(hash_mme, output+24, OGS_HASH_MME_LEN);
}
```
When handling NAS attach requests or TAU requests, the ogs_kdf_hash_mme function is passed the NAS payload. However, the length field is represented as an unsigned 8-bit integer, which the passed length of the packet may overflow. This leads to the passed value being truncated.
When the passed value is a multiple of 256, the above assertion (ogs_assert(message_len)) is triggered. Otherwise, the hash is computed on only the first n bits of the message (where n = actual_message_len % 256).
There is an issue with SESSION RELEASE not working properly
depending on the PDU session release complete order
in the PDUSessionResourceReleaseResponse.
If the AMF receives PDUSessionResourceReleaseResponse
followed by PDU session release complete, it works correctly.
However, if it receives PDU session release complete
followed by PDUSessionResourceReleaseResponse, it does not work correctly
and sends an Error Indication to the UE/gNB.
To fix this issue, we added pdu_session_release_complete_received and
pdu_session_resource_release_response_received to the content
so that CLEAR_SM_CONTEXT_REF() is executed when both are received.
Because a race condition can occur between S6A Diameter and S1AP message,
the following error handling code has been added.
1. InitialUEMessage + Attach Request + PDN Connectivity request
2. Authentication-Information-Request/Authentication-Information-Answer
3. Authentication Request/Response
4. Security-mode command/complete
5. Update-Location-Request/Update-Location-Answer
6. Detach request/accept
In the ULR/ULA process in step 6, the PDN Connectivity request is
pushed to the queue as an ESM_MESSAGE because the NAS-Type is still
an Attach Request.
See the code below in 'mme-s6a-handler.c' for where the queue is pushed.
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
rv = nas_eps_send_emm_to_esm(mme_ue,
&mme_ue->pdn_connectivity_request);
if (rv != OGS_OK) {
ogs_error("nas_eps_send_emm_to_esm() failed");
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
} else if (mme_ue->nas_eps.type == MME_EPS_TYPE_TAU_REQUEST) {
r = nas_eps_send_tau_accept(mme_ue,
S1AP_ProcedureCode_id_InitialContextSetup);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
} else {
ogs_error("Invalid Type[%d]", mme_ue->nas_eps.type);
return OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED;
}
If you perform step 7 Detach request/accept here,
the NAS-Type becomes Detach Request and the EMM state changes
to emm_state_de_registered().
Since the PDN, which is an ESM message that was previously queued,
should not be processed in de_registered, the message is ignored
through error handling below.
Otherwise, MME will crash because there is no active bearer
in the initial_context_setup_request build process.
See the code below in 's1ap-build.c' for where the crash occurs.
ogs_list_for_each(&mme_ue->sess_list, sess) {
ogs_list_for_each(&sess->bearer_list, bearer) {
...
if (mme_ue->nas_eps.type == MME_EPS_TYPE_ATTACH_REQUEST) {
} else if (OGS_FSM_CHECK(&bearer->sm, esm_state_inactive)) {
ogs_warn("No active EPS bearer [%d]", bearer->ebi);
ogs_warn(" IMSI[%s] NAS-EPS Type[%d] "
"ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d]",
mme_ue->imsi_bcd, mme_ue->nas_eps.type,
enb_ue->enb_ue_s1ap_id, enb_ue->mme_ue_s1ap_id);
continue;
}
...
}
}
As mentioned in the sgwu.yaml configuration file, it is possible to configure multiple addresses with different source_interface values for the gtpu interface.
Following the this section, I defined two addresses, one with source_interface set to 0 and another with source_interface set to 1. My expectation was to see different addresses for the two PDRs in the Session Establishment Response message during session establishment. However, both addresses were the same, and it was the address I had set for source_interface = 0.
When I looked into the code, I found the reason for the issue. In the lib/pfcp/context.c file, on line 1185, the function that determines the address is called as follows:
...
} else {
ogs_gtpu_resource_t *resource = NULL;
resource = ogs_pfcp_find_gtpu_resource(
&ogs_gtp_self()->gtpu_resource_list,
pdr->dnn, OGS_PFCP_INTERFACE_ACCESS);
if (resource) {
...
In the last parameter of this function, a constant value, OGS_PFCP_INTERFACE_ACCESS, is used. This causes every PDR with any source_interface to be considered as "access," and the value 0 is used for its interface.
I replaced the value with pdr->src_if, and the bug was resolved.
A race condition can occur in the following situations.
In conclusion, we can use this situation to determine
whether or not the UE Context has been removed and avoiding a crash.
For example, suppose a UE Context is removed in the followings.
1. Attach Request
2. Authentication-Information-Request
3. Authentication-Information-Answer
4. Authentication Request
5. Authentication Response(MAC Failed)
6. Authentication Reject
7. UEContextReleaseCommand
8. UEContextReleaseComplete
The MME then sends a Purge-UE-request to the HSS and deletes
the UE context as soon as it receives a Purge-UE-Answer.
Suppose an Attach Request is received from the same UE
between Purge-UE-Request/Answer, then the MME and HSS start
the Authentication-Information-Request/Answer process.
This can lead to the following situations.
1. Purge-UE-Request
2. Attach Request
3. Authentication-Information-Request
4. Purge-UE-Answer
5. [UE Context Removed]
6. Authentication-Information-Answer
Since the UE Context has already been deleted
when the Authentication-Information-Answer is received,
it cannot be processed properly.
Therefore, mme_ue_cycle() is used to check
whether the UE Context has been deleted and
decide whether to process or
ignore the Authentication-Information-Answer as shown below.
Instead of checking if caller memset'ted the structure to zero, memset
it inside the function regardless.
There is no added benefit of a memset() + memcmp() to check if caller
cleared the structure used for outputing data from the database.
In an Inter-RAT setup a UE could perform a TAU coming from a 2G/3G network.
In that case the UE/MS is unknown to the MME and it should request the
SGSN context (MM, PDP) from the old SGSN. This is done through the following
GTPv1C message exchange on the Gn interface of SGSN and MME:
SGSN <- MME: SGSN Context Request
SGSN -> MME: SGSN Context Response
SGSN <- MME: SGSN Context Acknowledge
Diagram with full set of steps can be found at 3GPP TS 23.401 D.3.6.
This commit doesn't aim to be a complete implementation of the mentioned
procedure, since it's quite a complex one, with lots of fields and logic
required. This so far only implements in general the minimally
successful case by filling as much as possible the required set of
fields.
This will allow for a base onto which do incremental improvements and
fixes while testing against UEs and SGSNs (such as osmo-sgsn, which
doesn't yet support this procedure but will potentially earn it soon).
The reverse direction, aka UE issuing cell reselection 4G->2G was
already implemented (same as here, initial non-complete implementation)
in open5gs-mmed in commit 3d693da73e.
Related: https://osmocom.org/issues/6294
Within the PathSwitchRequest packet,
the E-RABToBeSwitchedDLList has two bearers.
If the E-RAB-ID of both bearers is 5, the MME's list memory is destroyed
and the MME crashes. To fix this issue, we modified the code so that
the MME can work correctly with invalid S1AP messages.
This will be useful for other procedures where only the RAI is known,
but not the specific CI. This is the case of idle mobility from Gb or Iu
to EUTRAN, where MME needs to request contexts based on the RAI mapped
in the GUTI obtained from the UE during TAU.
This also makes the config more resilient in RIM scenario, where an SGSN
can be picked now even if CI doesn't match, instead of failing or faling
back to the default route SGSN.
While they were continuing their fuzzy testing and developing PacketRusher, an unusual issue with the AMF was observed. The problem arises when a single Ethernet frame containing three bundled SCTP chunks is sent. This behavior is reproduced with PacketRusher when attempting to concurrently register two UEs with the same MSIN.
The expected behavior is that the PDU Session Establishment Accept is sent inside a DownlinkNASTransport to RAN UE NGAP ID 1. However, it is actually sent inside an InitialContextSetupRequest to RAN UE NGAP ID 2. The MAC of this NAS message is invalid for the Security Context of RAN UE NGAP ID 2 (probably valid for RAN UE NGAP ID 1)
When the input string contains a number and a unit too large to be
represented by a 64-bit variable, AMF/SMF would crash due to conversion
resulting in a negative value and unable to be used in compiling NAS-PDU
container.
Now the value gets clipped at int64_t maximum value.
Failed to encode ASN-PDU [-1] (../lib/asn1c/util/message.c:42)
../lib/core/ogs-list.h:62:24: warning: invalid conversion from 'void*' to 'ogs_list_t*' {aka 'ogs_list_s*'} [-fpermissive]
../lib/core/ogs-rbtree.h:79:32: warning: invalid conversion from 'const void*' to 'const ogs_rbnode_t*' {aka 'const ogs_rbnode_s*'} [-fpermissive]
[SBI] Fix compiler error - possible uninitialized variable
[SCP] Fix compiler error - Error: this condition has identical branches
In case of additional compiler warnings turned on, the compiler warns
about potentially unused variables. Fix those issues.
Both types are defined under lib/proto/type.h, and the conversion
function is used in several different protocols, so let's better move it
to generic lib/proto/conv.h and remove the "gtp2" prefix.
The assert is checking for sess->session->name, but afterwards there's a
check to skip ses->session not being null, which means the assert can
crash while dereferencing sess->session.
I've resolved an issue where sending continuous
'PDU Session Release Request' message to the same session,
when more than two sessions were created, was causing an SMF crash.
For your reference, this problem did not occur
when only one session was created.
In an Inter-RAT setup a UE could perform a RAU coming from a 4G network.
In that case the UE/MS is unknown to the SGSN and it should request the
SGSN context (MM, PDP) from the MME. This is done through the following
GTPv1C message exchange on the Gn interface of SGSN and MME:
SGSN -> MME: SGSN Context Request
SGSN <- MME: SGSN Context Response
SGSN -> MME: SGSN Context Acknowledge
This commit doesn't aim to be a complete implementation of the mentioned
procedure, since it's quite a complex one, with lots of fields and logic
required. This so far only implements in general the minimally
successful case by filling as much as possible the required set of
fields.
This will allow for a base onto which do incremental improvements and
fixes while testing against UEs and SGSNs (such as osmo-sgsn, which
doesn't yet support this procedure but will potentially earn it soon).
This commit doesn't implement the reverse direction, aka UE issuing cell
reselection 2G->4G. Initial support for this scenario will hopefully be
added soon as a follow-up patch, similar to this one.
Related: https://osmocom.org/issues/6294
As per TS 29.060:
The Initial/request message is "SGSN Context Request", sent by peer A.
Peer B sends a response message "SGSN Context Response" with same SeqNr.
Peer A sends a response message "SGSN Context Acknowledge" with same
SeqNr.
If Peer B doesn't see a "SGSN Context Acknowlegde", it should keep
retransmitting "SGSN Context Response" as usual.
In an Inter-RAT setup a UE could perform a RAU coming from a 4G network.
In that case the UE/MS is unknown to the SGSN and it should request the
SGSN context (MM, PDP) from the MME. This is done through the following
GTPv1C message exchange on the Gn interface of SGSN and MME:
SGSN -> MME: SGSN Context Request
SGSN <- MME: SGSN Context Response
SGSN -> MME: SGSN Context Acknowledge
This commit doesn't aim to be a complete implementation of the mentioned
procedure, since it's quite a complex one, with lots of fields and logic
required. This so far only implements in general the minimally
successful case by filling as much as possible the required set of
fields.
This will allow for a base onto which do incremental improvements and
fixes while testing against UEs and SGSNs (such as osmo-sgsn, which
doesn't yet support this procedure but will potentially earn it soon).
This commit doesn't implement the reverse direction, aka UE issuing cell
reselection 2G->4G. Initial support for this scenario will hopefully be
added soon as a follow-up patch, similar to this one.
Related: https://osmocom.org/issues/6294
This information will be required by the Gn interface in MME when
answering an SGSN with an "SGSN Context Response" message during MS cell
reselection EUTRAN->GERAN.
* [AMF/MME] UEContextReleaseCommand in Integrity (#2786)
Modified not to send UEContextReleaseCommand in Integrity Unprotected
NAS message such like Registration or Service request.
* [AMF/MME] UEContextReleaseCommand after Interity Protected (#2786)
Modified not to send UEContextReleaseCommand in Integrity Unprotected
NAS message such like Registration or Service request.
* Update 03-VoLTE-dockerized.md
adding "-" in docker-compose commands and added filename t the docker-compose command
* Adding up command to docker-compose
Need to bring docker images up to run the Open5Gs system.
Allow network operators to omit the time zone in the 4G EMM Information
and 5G Configuration Update. This is useful for better compatibility
with some UEs.
The parameter is optional according to:
* 4G: 3GPP TS 24.301 Table 8.2.13.1
* 5G: 3GPP TS 24.501 Table 8.2.19.1.1
Bug:
In case that AMF does not have subscription data for the UE,
PDU session remains unreleased after implicit de-registeration.
The exact test case:
- UE registered (integrity protection applied)
- UE deregistered (Nudm_SDM_Unsubscribe, Nudm_UECM_Registration (purgeFlag))
- UE registered, PDU session activated
UE data are still stored in AMF. So if integrity protected applies,
the steps 4 - 14 [ETSI TS 123 502 V16.7.0](https://www.etsi.org/deliver/etsi_ts/123500_123599/123502/16.07.00_60/ts_123502v160700p.pdf) are skipped.
Only AM Policy Association Establishment is performed.
- UE is moved out of radio coverage, 2 x (4 min + Timer t3512) expires
Result: UE is implicitly de-registered, PDU session is not released
The steps of implicit de-registeration:
1. Implicit Timer Expiration
2. UDM_SDM_Unsubscribe
3. UDM_UECM_Deregistration
4. PDU session release request
5. PDUSessionResourceReleaseCommand + PDU session release command
6. PDUSessionResourceReleaseResponse
7. AM_Policy_Association_Termination
So PDU session release is performed after the confirmation of
UDM_UECM_Deregistration.
Since there is no UDM_SDM subscription, the UDM steps are skipped
and PDU session is not released.
Fix:
If the AMF does not have subscription data for the UE which registers,
the AMF registers with the UDM using Nudm_UECM_Registration and
retrieves subscription data with Nudm_SDM_Get.
[ETSI TS 123 502 V16.7.0](https://www.etsi.org/deliver/etsi_ts/123500_123599/123502/16.07.00_60/ts_123502v160700p.pdf), 4.2.2.2.2 General Registration, 14a-c:
> If the AMF does not have subscription data for the UE, the AMF retrieves the Access and Mobility Subscription data, SMF
> Selection Subscription data, UE context in SMF data and LCS mobile origination using Nudm_SDM_Get.
1. UE sends RegistrationRequest to AMF.
2. AMF sends Nudm_UECM_Registration to UDM.
3. UE sends RegistrationRequest to AMF.
4. GMM state is gmm_state_authentication
5. UDM sends Nudm_UECM_Registration response to AMF.
6. AMF crashs since no Handler in gmm_state_authentication state
According to 3GPP TS 29.510, the search parameter "tai" should be a
single item, not an array of items.
TS 29.510: Table 6.2.3.2.3.1-1:
URI query parameters supported by the GET method on this resource
Revert "[SBI] Change discovery option TAI from array to single item"
This reverts commit b4beff1ae16c64b3c6d84d8bdb47c36e19b705f2.
wip
This problem can be occurred in the following scenarios.
1. Run NFs(NRF/SCP/SMF/UPF/AUSF/UDM/PCF/BSF/NSSF/UDR) except AMF.
2. Run AMF
3. Run gNB/UE and try to register
4. STOP PCF
5. AMF Crashed
AMF discovered the PCF through SCP during the UE registration process.
At this time, ogs_sbi_nf_fsm_init() is not called,
so AMF does not have state information about PCF.
In other words, AMF state is NULL.
In such a situation, when PCF is terminated at this time,
a crash occurs as AMF attempts to change the PCF state.
So, I've fixed that state information is initialized to solve this problem.
This commit splits filling Requested-Service-Unit, Used-Service-Unit and
QoS-Information into their own helper functions for better readibility,
and then partially reverts 125740727e,
where lots of AVPs were left out of INITIAL_REQUEST messagesi during the
changes made.
After looking through 3GPP TS 32.299 and rfc4006, it seems expected to
send Requested-Service-Unit only during INITIAL_REQUEST, and
Used-Service-Unit during UPDATE_REQUEST, so that part is kept.
However, I am not able to find clear indications that AVPs such as QoS
Information and RAT-Type should not be sent during INITIAL_REQUEST.
So, since we have the info, better set it already during
INITIAL_REQUEST, since the OCS may want to grant different resources
based on that information if available too.
* [AUSF] Fix removing UE context on authentication removal request
AUSF crashed when trying to access ausf_ue->sm fields after they were
already deleted.
* [AMF] Delete UE authentication result after UE deregisters from 5G core
Based on TS 29.509 - 5.2.2.2.5 Authentication Result Removal with 5G AKA
method:
In the case that the Purge of subscriber data in AMF after the UE
deregisters from the network or the NAS SMC fails following the
successful authentication in the registration procedure, the NF Service
Consumer (AMF) requests the AUSF to inform the UDM to remove the
authentication result.
* [SBI] Ignore unknown enum values and continue parsing (#2622)
* [SBI] Reject empty enum lists (#2622)
Enum lists that are empty due to ignoring
unsupported enum values are also rejected.
* Revert changing `generator.sh`
amf_ue->mac_failed flag to be cleared during security mode procedure but it was not.
At this point, the only way to cleare the amf_ue->mac_failed flag is by UE Context Release.
But I'd like to connect UEs as fast as possible without UE Context Release.
* Add "subscriber_status" cmd to open5gs-dbctl to set values for
"subscriber_status" and "operator_determined_barring" DB fields.
* Add webui View+Edit for those same fields.
* open5gs-hssd now takes those values into account and submits
Operator-Determined-Barring AVP with DB-retrieved value if
subscriber_status is set to OPERATOR_DETERMINED_BARRING.
For more information, see TS 29.272 section 5.2.2.1.3 and 7.3.30.
Tests were crashing due to AF using the wrong OpenAPI structure, while
the SBI library tried to convert a different structure to JSON.
Before the added support for nullable fields in OpenAPI documents, both
structures were identical.
Depending on the OpenAPI yaml files, fields can be marked as "nullable".
Which means that the field can be either present, not present, or null.
This feature is important for example in SmContextUpdateData structure,
where many fields are described similar as the following:
This IE shall be included for the modification .... For deleting the
field, it shall contain the Null value.
currently if no IP address is available from the configured
subnets in the SMF when attempting to assign an IP to an UE
we assert and the SMF crashes. Handle the error more gracefully
by returning an error cause instead.
Open5GS documentation instructs to install into open5gs.git/install/
during build [1]:
"""
$ cd open5gs
$ meson build --prefix=`pwd`/install
$ ninja -C build
"""
As a result, this directory appears all the time when using git, since
it's not in the .gitignore file. Add it.
[1] https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/
> Using external babel configuration
> Location: "/tmp/open5gs-2.6.5/webui/.babelrc"
> Failed to build on /tmp/fdd1769d-9793-45ac-a613-b20e09756073
Error: commons.js from UglifyJs
Name expected [commons.js:8066,6]
at /tmp/open5gs-2.6.5/webui/node_modules/next/dist/server/build/index.js:182:21
at /tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:269:13
at Compiler.emitRecords (/tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:375:38)
at /tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:262:10
at /tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:368:12
at next (/tmp/open5gs-2.6.5/webui/node_modules/tapable/lib/Tapable.js:218:11)
at Compiler.<anonymous> (/tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/performance/SizeLimitsPlugin.js:99:4)
at Compiler.applyPluginsAsyncSeries1 (/tmp/open5gs-2.6.5/webui/node_modules/tapable/lib/Tapable.js:222:13)
at Compiler.afterEmit (/tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:365:9)
at /tmp/open5gs-2.6.5/webui/node_modules/webpack/lib/Compiler.js:360:15 {
errors: [ 'commons.js from UglifyJs\nName expected [commons.js:8066,6]' ],
warnings: []
}
Error executing command, exiting
After the page remains inactive for 10 minutes,
clicking on the edit page will result in a blank screen
when you click on edit after 10 minutes,
all user data is lost. After capturing the network packets,
it can be observed that the frontend sends a fresh request
to the backend for data, and the backend responds correctly,
but the page does not refresh correctly.
`function recent(fetchedAt) {
if (fetchedAt === null) return false;
const interval = 10 * 60 * 1000; // 10 minutes
return ((Date.now() - interval) < fetchedAt);
}`
j
The crash is caused by ogs_assert(data) in listEntry_create(void *data).
Reason for the failing assertion is that in
OpenAPI_subscription_data_t *OpenAPI_subscription_data_parseFromJSON(
cJSON *subscription_dataJSON)
in line 501 of file subscription_data.c the event string is transformed
into an integer/enum value, which in case of an unknown event is 0.
Steps to reproduce:
1. Deploy NRF
2. Run curl --http2-prior-knowledge --header "Content-Type: application/json" --data '{"nfStatusNotificationUri": "test@example.com", "reqNotifEvents": ["unknown"], "subscriptionId": "12345"}' "http://<NRF_IP>:<NRF_PORT>/nnrf-nfm/v1/subscriptions"
There was a memory problem in the encryption using snow_3g_f8,
so AMF/MME crashed.
To solve this problem, we used the snow-3g encryption library
created as below.
https://github.com/rcatolino/libressl-snow3g
However, it seems that this library cannot be used to create
integrity hash like snow_3g_f8.
So, we decided to keep both snow-3g libraries for the time being.
1. lib/crypt/snow3g* : for INTEGRITY (NIA1, EIA1)
2. lib/crypt/openssl/snow3g* : for ENCRYPTION (NEA1, EEA1)
Scenario is handover on S1AP, data forwarding is enabled, and
the Source ENB is forwarding DL PDCP packets to EPC(SGWU)
with PDCP SN included. SGWU is also forwarding these packets
to the Target ENB.
However the PDCP SN is not present in the forwarded packets
from SGWU to Target ENB.
I modified this part, and there was the same problem in 5GC, fixed it as well.
A lot of code in GTP-U has been modified,
so if you have any problems, please let us know right away.
curl --noproxy '*' --http2-prior-knowledge -X POST --header "Content-Type: multipart/related" --data-binary @pdu http:/192.168.29.231:7777/nsmf-pdusession/v1/sm-contexts
Attaching file 'pdu'
SMF crashes as not able to decode the message properly. SmContextCreateData is not accessible.
After examining the call stack and reading the source code, I found that
in /lib/core/ogs-pool.h line 152: (pool)->array[i] = i+1;
then in lib/pfcp/context.c line 78: pdr_random_to_index[ogs_pfcp_pdr_teid_pool.array[i]] = i;
ogs_pfcp_pdr_teid_pool.array[i] may exceed the size of pdr_random_to_index, leading to a heap-buffer-overflow.
Modifications were made to resolve the following assertion..
Invalid HNET PKI Value [0] (../lib/sbi/conv.c:135)
ogs_supi_from_supi_or_suci: Expectation `supi' failed. (../lib/sbi/conv.c:262)
udm_ue_add: Assertion `udm_ue->supi' failed. (../src/udm/context.c:144)
backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
A situation in which you establish two sessions and release both of them.
In the first SESSION, the UE normally sent PDUSessionResourceReleaseResponse
and PDU session release complete. However, these were not sent when releasing
the second SESSION.
At this point, when the UE tried to do a deregistration,
the SMF was not properly handling the exception.
I've just fixed this.
After the UE performs Registration/Attach, SQN field is created.
If we edit subscriber information when SQN value is present, WebUI crash occurs.
It is because the way to handle Long Type(SQN:Long) is different
when the mongoose version is 6 or higher.
To avoid this crash, we use the mongoose version down to 5.x first.
Whether or not to send a Setting ACK is determined by the nghttp2 library.
Therefore, when nghttp2 informs us that it want to send an SETTING frame
with ACK by nghttp2_session_want_write(), we need to call session_send()
directly to send it.
NAS, GTP, PFCP, SBI, all except S1AP/NGAP use x1000 multiplier for Kbps, Mbps, Gbps ... etc.
From now on in WebUI all units also use a multiplier of x1000.
Based on the standard document below, when the UE is in the IDLE state,
we checked the implicit timer and tried to send a message to the UE,
but it doesn't work properly.
So, first of all, I deleted the related code.
- TS 24.301 Ch 5.3.7
If ISR is not activated, the network behaviour upon expiry of
the mobile reachable timer is network dependent, but typically
the network stops sending paging messages to the UE on the
first expiry, and may take other appropriate actions
- TS 24.501 Ch 5.3.7
The network behaviour upon expiry of the mobile reachable timer is network dependent,
but typically the network stops sending paging messages to the UE on the first expiry,
and may take other appropriate actions.
Move the config to the sgsn node instead of having a specific route with
specific format "default: route", since anyway internally it's already
applied to the sgsn object.
When AMF release the NAS signalling connection,
ran_ue context is removed by ran_ue_remove() and
amf_ue/ran_ue is de-associated by amf_ue_deassociate().
In this case, implicit deregistration is attempted
by the mobile reachable timer according to the standard document,
and amf_ue will be removed by amf_ue_remove().
TS 24.501
5.3.7 Handling of the periodic registration update timer and
Start AMF_TIMER_MOBILE_REACHABLE
mobile reachable timer
The network supervises the periodic registration update procedure
of the UE by means of the mobile reachable timer.
If the UE is not registered for emergency services,
the mobile reachable timer shall be longer than the value of timer
T3512. In this case, by default, the mobile reachable timer is
4 minutes greater than the value of timer T3512.
The mobile reachable timer shall be reset and started with the
value as indicated above, when the AMF releases the NAS signalling
connection for the UE.
The 'data' struct used to specify the diameter dispatch options for the
MME callbacks was not being initialized properly, which meant that the
App id could contain garbage. This was preventing the callbacks from
being invoked when receiving ISD/CLR requests.
The RAN INFORMATION RELAY message has no associated response, and hence
it should not start T3-RESPONSE timer to retrigger retransmissions.
TS 29.060 11.1:
"The Error Indication, Version Not Supported, RAN Information Relay,
Supported Extension Headers Notification and the SGSN Context Acknowledge
messages shall be considered as Responses for the purpose of this clause"
TS 29.060 7.5.14.1:
"For handling of protocol errors the RAN Information Relay message is treated as a
Response message."
Add CIFuzz workflow action to have fuzzers build and run on each PR.
This service is offered by OSS-Fuzz where open5gs already runs. CIFuzz can help
catch regressions and fuzzing build issues early, and has a variety of features
(see the URL above). In the current PR the fuzzers gets build on a pull request
and will run for 300 seconds.
Signed-off-by: David Korczynski <david@adalogics.com>
Each SMF's NfProfile can contain multiple SmfInfo items. The issue was
that AMF checked only the first SmfInfo for correct S-NSSAI/NR-TAI
information.
In case of a 5G core setup with SMF handling 2 or more slices, and UE
trying to establish multiple PDU sessions, AMF would report an error
when trying to find the correct serving SMF.
[amf] ERROR: [1:0] (NF discover) No [nsmf-pdusession] (../src/amf/nnrf-handler.c:85)
Since [redesign](8553c77733)
of fivegs_smffunction_sm_sessionnbr gauge, the metric doesn't
expose some decrements. The decreasing of gauge had been
moved out of function stats_remove_smf_session.
It should be decreased every time stats_remove_smf_session
is called, but this particular case is easily reproducible
by killing UPF while the session is established.
The current code uses the cc request number as an index to the
transaction array (xact/xact_data). Since cc request number is a 32 bit
integer this is unfeasible for longer sessions and if more than a
handful of messages are exchanged per session.
The array size was already increased in #2038 which simply delays the
issue.
Furthermore, the current code asserts that cc_request_number is <=
MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if
cc_request_number == MAX_CC_REQUEST_NUMBER.
Instead use a smaller array and index into it using cc_request_number
% array size. More than 2 requests should never be in flight at any one
time (initial or update request together with a termination request) so
an array size of 4 should be fine.
- have a more consistent naming among the NF's
- always have the same prefix (amf_/smf_/pcf_) depending on the NF
- function name is always the same, how the function calculates the load
is NF specific and internal to the function itself (but not the function
name).
- the 'if' clause was comparing some value with an always '1' due to
wrong calculation. Consequently, this 'if' statement never executed.
- sizes for session pool and UE pools are directly linked between each
other. We need to count the number of items only in one of the pools to
correctly represent the NF load
- if anything, we should also check the load of the application pool to
determine correct load of the NF
When converting bitrates from bits per second to kilobits per second,
if the conversion results in fractions, the resulting value should be
rounded upwards
The improved algorithm better handles some odd bitrates.
With the current version, the bitrates 63 Kbps and 65 Kbps would get
converted into 48 Kbps (unit 16 Kbps x 3) and 64 Kbps (unit 64 Kbps x
1).
Especially in the first case, the conversion error is quite signicant.
Current version tries to find the biggest 'unit', while the 'value' is
still above 0.
With the updated version, the algorithm tries to find the 'unit' low
enough, that the resulting 'value' can still fit into the 16-bit space
without overflow.
From the OpenAPI document,TS29571_CommonData.yaml : BitRate
String representing a bit rate; the prefixes follow the standard symbols from The International
System of Units, and represent x1000 multipliers, with the exception that prefix "K" is
used to represent the standard symbol "k".
ogs_pool_init() shall be used in the initialization routine.
Otherwise, memory will be fragment since this function uses system malloc()
Compared with ogs_pool_init()
ogs_pool_create() could be called while the process is running,
so this function should use ogs_malloc() instead of system malloc()
Multimedia-Auth-Answer and Server-Assignment-Answer
defines the AVP User-Name as mandatory. It must also be
present on failure cases.
See 3GPP TS 29.273 Rel 17.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
[ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf):
Registration type label is not provided.
A nonstandard PLMNID label is added to achieve uniqueness.
- 5.3.1.3 Number of PDU sessions requested to be created by the SMF
PLMNID and SNSSAI are defined during PDU session creation processing.
Some requests can be rejected during processing before label values are known.
Those requests are not counted under particular labels.
To count also such requests, the basic metric with empty labels is exposed too.
```
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 1
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
```
- 5.3.1.4 Number of PDU sessions successfully created by the SMF
```
fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
```
- 5.3.1.5 Number of PDU sessions failed to be created by the SMF
```
fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
```
Example for one successful and one failed (during creation processing) PDU session creation:
```
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 2
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
```
The subscriptions to NRF should be tied to the number of NF's and number
of services per NF that we support, instead of number of UE's.
This decreases memory usage of each NF slightly, depending on the
configuration.
After N2 Handover (1 AMF, multiple gNB's) was successfully executed, the
PDU session was not properly released afterwards on PDU Session Release
Request from UE.
The reason was that after N2 Handover the new 'ran_ue' context did not
have any information about the active PDU sessions.
Copy the information about PDU sessions from old ran_ue context to the
new one.
TS23.007 17.4.1
19A PFCP based restart procedures
After a PFCP entity has restarted, it shall immediately update all local Recovery Time Stamps and shall clear all remote
Recovery Time Stamps. When peer PFCP entities information is available, i.e. when the PFCP Association is still alive,
the restarted PFCP entity shall send its updated Recovery Time Stamps in a Heartbeat Request message to the peer
PFCP entities before initiating any PFCP session signalling.
Follow-up on [#2048](https://github.com/open5gs/open5gs/pull/2048)
AMF crashes when 'skipInd' field is missing:
```
amf | 03/21 07:45:04.092: [amf] FATAL: [imsi-001010000000000] No skipInd (../src/amf/namf-handler.c:392)
amf | 03/21 07:45:04.092: [amf] FATAL: amf_namf_comm_handle_n1_n2_message_transfer: should not be reached. (../src/amf/namf-handler.c:393)
```
In case of CM_CONNECTED skipInd is not important.
In case of CM_IDLE the proper relase would contain skipInd.
SMF already handles the freeing in labels correctly.
In the same manner the memsets are moved to the beginning of the
problematic functions in AMF and PCF.
When UDM issues a SDM Data Change Notification with request to modify
RAT restrictions, AMF would crash when it tried to send a SDM
subscription delete as part of Network Initiated Deregistration.
Function amf_ue_sbi_discover_and_send() changed from returning boolean,
to returning integer (one of OGS_OK/OGS_ERROR/...).
When both IPv4 and IPv6 Frame Routes are set, IPv4 Frame Route list
was subsequently cleared.
When UE tried to deregister, PCF would crash when it tried to free the
Frame Routing list.
POST requests to {apiRoot}/nnrf-nfm/v1/subscriptions return
a HTTP Location header in 201 respose
in the form {apiRoot}/nnrf-nfm/v1/subscriptions/{subscriptionID}
In case that handling Service Request results in an error, AMF sends a
Service Reject and sets UE's context to exception state. Without the
'break', the code would set UE's context to registered state.
[ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf)
5.2.2 Registration procedure related measurements
SNSSAI labels are not provided.
- Number of registration requests received by the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitreq 1
fivegs_amffunction_rm_regmobreq 0
fivegs_amffunction_rm_regperiodreq 0
fivegs_amffunction_rm_regemergreq 0
```
- Number of successful initial registrations at the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitsucc 1
fivegs_amffunction_rm_regmobsucc 0
fivegs_amffunction_rm_regperiodsucc 0
fivegs_amffunction_rm_regemergsucc 0
```
- The existing counter of failed registrations at the AMF
is exposed separately for each registration type.
```
fivegs_amffunction_rm_reginitfail
fivegs_amffunction_rm_regmobfail
fivegs_amffunction_rm_regperiodfail
fivegs_amffunction_rm_regemergfail
```
5.2.5.2 Measurements for 5G paging
Number of 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5greq 1
```
Number of successful 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5gsucc 1
```
5.2.11 Authentication procedure related measurements
Number of authentication requests:
```
fivegs_amffunction_amf_authreq 2
```
Number of authentication rejections:
```
fivegs_amffunction_amf_authreject 1
```
Number of failed authentications due to parameter error:
```
fivegs_amffunction_amf_authfail{cause="21"} 1
```
5.2.8 UE Configuration Update procedure related measurements
Number of UE Configuration Update commands requested by the AMF:
```
fivegs_amffunction_mm_confupdate 2
```
Number of UE Configuration Update complete messages received by the AMF:
```
fivegs_amffunction_mm_confupdatesucc 1
```
* [pfcp] response_timeout should never call ogs_pfcp_xact_delete (#50)
* also remove ogs_pfcp_xact_delete since never called
* also had to catch one more ogs_pfcp_sendto()
---------
Co-authored-by: Spencer Sevilla <spencer@MacBook-Air.local>
TS33.401
7 Security procedures between UE and EPS access network elements
7.2 Handling of user-related keys in E-UTRAN
7.2.7 Key handling for the TAU procedure when registered in E-UTRAN
If the "active flag" is set in the TAU request message or
the MME chooses to establish radio bearers when there is pending downlink
UP data or pending downlink signalling, radio bearers will be established
as part of the TAU procedure and a KeNB derivation is necessary.
23.501 (5G NAS stage 2)
5.4.4.1:
"When the AMF receives Registration Request with the Registration type set
to Initial Registration or when it receives the first Registration Request
after E-UTRA/EPC Attach with Registration type set to Mobility Registration
Update, the AMF deletes the UE radio capability."
o TS24.301(4G/LTE)
5.5.1 Attach procedure
5.5.1.2 Attach procedure for EPS services
5.5.1.2.4 Attach accepted by the network
If the attach request is accepted by the network,
the MME shall delete the stored UE radio capability information
or the UE radio capability ID, if any.
o TS24.501(5G)
5.5.2 De-registration procedure
5.5.2.1 General
When the AMF enters the state 5GMM-DEREGISTERED for 3GPP access,
the AMF shall delete the stored UE radio capability information
or the UE radio capability ID, if any.
<nf>/init.c:<nf>_main() :
ogs_pollset_poll() receives the time of the expiration of next timer as
an argument. If this timeout is in very near future (1 millisecond),
and if there are multiple events that need to be processed by
ogs_pollset_poll(), these could take more than 1 millisecond for
processing, resulting in the timer already passed the expiration.
In case that another NF is under heavy load and responds to an SBI
request with some delay of a few seconds, it can happen that
ogs_pollset_poll() adds SBI responses to the event list for further
processing, then ogs_timer_mgr_expire() is called which will add an
additional event for timer expiration. When all events are processed
one-by-one, the SBI xact would get deleted twice in a row, resulting in
a crash.
0 __GI_abort () at ./stdlib/abort.c:107
1 0x00007f9de91693b1 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
2 0x00007f9de9a21745 in ogs_talloc_free (ptr=0x7f9d906c2c70, location=0x7f9de960bf41 "../lib/sbi/message.c:2423") at ../lib/core/ogs-memory.c:107
3 0x00007f9de95dbf31 in ogs_sbi_discovery_option_free (discovery_option=0x7f9d9090e670) at ../lib/sbi/message.c:2423
4 0x00007f9de95f7c47 in ogs_sbi_xact_remove (xact=0x7f9db630b630) at ../lib/sbi/context.c:1702
5 0x000055a482784846 in amf_state_operational (s=0x7f9d9488bbb0, e=0x7f9d90aecf20) at ../src/amf/amf-sm.c:604
6 0x00007f9de9a33cf0 in ogs_fsm_dispatch (fsm=0x7f9d9488bbb0, event=0x7f9d90aecf20) at ../lib/core/ogs-fsm.c:127
7 0x000055a48275b32e in amf_main (data=0x0) at ../src/amf/init.c:149
8 0x00007f9de9a249eb in thread_worker (arg=0x55a483d41d90) at ../lib/core/ogs-thread.c:67
9 0x00007f9de8fd2b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
10 0x00007f9de9063bb4 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100
These UTF-8 characters are causing issues with static code analysis
tools.
Error: encoding error in ./lib/crypt/zuc.c
'utf-8' codec can't decode byte 0x97 in position 3948: invalid start byte
Python3 requires input character data to be perfectly encoded;
it also requires perfectly correct system encoding settings.
Unfortunately, your data and/or system settings are not.
Other NF instances are obtained through NRF
or created directly through configuration files.
Other NFs created by the config file should not be passed
through NRF discovery or anything like that.
Since self-created NF Instances do not have an ID,
they are implemented to exclude them from NRF Discovery.
* [MME] Introduce aging timers
* Creating three new timers
* mirroring work done by gstaa on the AMF
* Implicit detach procedures added
* Fix for detach from unknown UE
* no Purge Timer, no config, expanded code
A buffer overflow occurred in ALPINE
because the size of the pfcp message structure increased by
ogs_pfcp_tlv_framed_route_t framed_route[8];
ogs_pfcp_tlv_framed_ipv6_route_t framed_ipv6_route[8];
[AMF] Implicit Network-initiated Deregistration
Two timers are introduced (both with duration of T3512 + 4 min):
-MOBILE_REACHABLE
-IMPLICIT_DEREGISTRATION
MOBILE_REACHABLE is set when NAS connection for the UE is released.
IMPLICIT_DEREGISTRATION is set when MOBILE_REACHABLE expires.
On MOBILE_REACHABLE expiry Paging is ignored.
On IMPLICIT_DEREGISTRATION expiry:
-UE's RM_State is set to DEREGISTERED
-UE is Nudm_SDM_Unsubscribed
-UE is Nudm_UECM_Deregistered
-PDU sessions are released
-AM policies are deleted
Existing flag amf_ue->network_initiated_de_reg is used.
Two timers are introduced (both with duration of T3512 + 4 min):
-MOBILE_REACHABLE
-IMPLICIT_DEREGISTRATION
MOBILE_REACHABLE is set when NAS connection for the UE is released.
IMPLICIT_DEREGISTRATION is set when MOBILE_REACHABLE expires.
On MOBILE_REACHABLE expiry Paging is ignored.
On IMPLICIT_DEREGISTRATION expiry:
-UE's RM_State is set to DEREGISTERED
-UE is Nudm_SDM_Unsubscribed
-UE is Nudm_UECM_Deregistered
-PDU sessions are released
-AM policies are deleted
Existing flag amf_ue->network_initiated_de_reg is used.
o Generate the private key as below.
$ openssl genpkey -algorithm X25519 -out /etc/open5gs/hnet/curve25519-1.key
$ openssl ecparam -name prime256v1 -genkey -conv_form compressed -out /etc/open5gs/hnet/secp256r1-2.key
o The private and public keys can be viewed with the command.
The public key is used when creating the SIM.
$ openssl pkey -in /etc/open5gs/hnet/curve25519-1.key -text
$ openssl ec -in /etc/open5gs/hnet/secp256r1-2.key -conv_form compressed -text
In ausf/udm.yaml
hnet:
o Home network public key identifier(PKI) value : 1
Protection scheme identifier : ECIES scheme profile A
- id: 1
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 2
Protection scheme identifier : ECIES scheme profile B
- id: 2
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
o Home network public key identifier(PKI) value : 3
Protection scheme identifier : ECIES scheme profile A
- id: 3
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 4
Protection scheme identifier : ECIES scheme profile B
- id: 4
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
Related to #1779
Metric 'bearers_active' was incremented in only one code path
(smf_bearer_add() for 4G only), while it was decremented from two paths
(smf_bearer_remove() for both 4G and 5G).
Increment metric also for 5G path (smf_qos_flow_add()), so it won't get
decremented into negative values.
The current load percentage of the NF Service Consumer is provided
in the payload body of the PATCH request when periodically
contacting the NRF (heart-beat).
AMF: ratio between currently connected ran_ue and maximum number of them
SMF: ratio between current PDU sessions and maximum available
PCF: ratio between current AM+SM policy associations and maximum available
or ratio between currently connected UEs and maximum number of them
(the load which is higher)
AUSF, UDM: ratio between currently connected UE and maximum number of them
BSF: ratio between current sessions and maximum available
NSSF: ratio between currently used NSIs and maximum number of them
NRF currently doesn't determine that the NF Profile has changed.
Expose SM metrics with labels according to ETSI TS 128 552 V16.13.0 in
SMF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
Existing gauge sessions_active is renamed!
Since slice itself is not unique, the plmnid label is exposed in
addition to snssai.
Exposed metrics example:
-standard gauges:
fivegs_smffunction_sm_sessionnbr{plmnid="00101",snssai="1000009"} 0
fivegs_smffunction_sm_qos_flow_nbr{plmnid="00101",snssai="1000009",fiveqi="9"} 0
-nonstandard counters:
fivegs_smffunction_sm_n4sessionestabfail{cause="71"} 68
fivegs_smffunction_sm_n4sessionreport 1
fivegs_smffunction_sm_n4sessionreportsucc 1
fivegs_smffunction_sm_n4sessionestabreq 1
Expose RM metrics with labels according to ETSI TS 128 552 V16.13.0 in
AMF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
Since slice itself is not unique, the plmnid label is exposed in
addition to snssai.
RegInitFail is exposed as an alternative to RegInitReq and RegInitSucc
counters so cause label can be provided. It counts rejected registrations
and rejected authentications.
Rejected authentications are counted under label cause="0".
Exposed metrics example:
-standard gauge:
fivegs_amffunction_rm_registeredsubnbr{plmnid="00101",snssai="1000009"} 1
-nonstandard counter:
fivegs_amffunction_rm_reginitfail{cause="3"} 4
In case that database is (manually) corrupted for a specific UE, SSC
mode and ARP preemption vulnerability fields are not set correctly,
SMF will crash when trying to build a request to create PCF association.
Function smf_npcf_smpolicycontrol_build_create() will end prematurely,
and when cleaning up resources it will try to free() up invalid pointer,
which was not set to 0 at beginning of the function.
[smf] ERROR: SSCMode is not allowed (../src/smf/nudm-handler.c:165)
[sbi] DEBUG: STATUS [201] (../lib/sbi/nghttp2-server.c:443)
[sbi] DEBUG: SENDING...: 3 (../lib/sbi/nghttp2-server.c:451)
[sbi] DEBUG: {
} (../lib/sbi/nghttp2-server.c:452)
[sbi] DEBUG: STREAM closed [1] (../lib/sbi/nghttp2-server.c:962)
[smf] ERROR: No Arp.preempt_cap (../src/smf/npcf-build.c:132)
<crash>
0 __GI_abort () at ./stdlib/abort.c:107
1 0x00007f9348fe43b1 in ?? () from /lib/x86_64-linux-gnu/libtalloc.so.2
2 0x00007f9349aef745 in ogs_talloc_free (ptr=0x7f9348e38dab <_int_free+1675>,
location=0x5591b8675d27 "../src/smf/npcf-build.c:181") at ../lib/core/ogs-memory.c:107
3 0x00005591b8653c45 in smf_npcf_smpolicycontrol_build_create (sess=0x7f9343070010, data=0x0)
at ../src/smf/npcf-build.c:181
4 0x00007f9349abc2b4 in ogs_sbi_xact_add (sbi_object=0x7f9343070010,
service_type=OGS_SBI_SERVICE_TYPE_NPCF_SMPOLICYCONTROL, discovery_option=0x7f9338006d90,
build=0x5591b86531d0 <smf_npcf_smpolicycontrol_build_create>, context=0x7f9343070010, data=0x0)
at ../lib/sbi/context.c:1699
5 0x00005591b86580be in smf_sbi_discover_and_send (service_type=OGS_SBI_SERVICE_TYPE_NPCF_SMPOLICYCONTROL,
discovery_option=0x0, build=0x5591b86531d0 <smf_npcf_smpolicycontrol_build_create>, sess=0x7f9343070010,
stream=0x7f9344fce0a0, state=0, data=0x0) at ../src/smf/sbi-path.c:110
6 0x00005591b864e9da in smf_nudm_sdm_handle_get (sess=0x7f9343070010, stream=0x7f9344fce0a0,
recvmsg=0x7f933f52d5a0) at ../src/smf/nudm-handler.c:290
7 0x00005591b8600c96 in smf_gsm_state_wait_5gc_sm_policy_association (s=0x7f9343070610, e=0x7f9338076730)
at ../src/smf/gsm-sm.c:523
...
Expose metrics with labels according to ETSI TS 128 552 V16.13.0 in
PCF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
Since slice itself is not unique, the plmnid label is exposed in
addition to snssai.
AM policy:
fivegs_pcffunction_pa_policyamassoreq and
fivegs_pcffunction_pa_policyamassosucc do not expose snssai label
since it is not available at the time of exposure.
plmnid is defined during AM policy processing, so not to lose the
difference to ...succ, the basic metric
fivegs_pcffunction_pa_policyamassoreq is preserved.
SM policy:
snssai is defined during SM policy processing, so not to lose the
difference to ...succ, the basic metric
fivegs_pcffunction_pa_policysmassoreq is preserved.
Those 2 basic metrics retain their position but are exposed with empty
labels.
Metrics with labels are called later, when the label values are known.
Exposed metrics example:
-standard counters:
fivegs_pcffunction_pa_policyamassoreq{plmnid=""} 3
fivegs_pcffunction_pa_policyamassoreq{plmnid="99970"} 3
fivegs_pcffunction_pa_policyamassosucc{plmnid="99970"} 3
fivegs_pcffunction_pa_policysmassoreq{plmnid="",snssai=""} 3
fivegs_pcffunction_pa_policysmassoreq{plmnid="99970",snssai="1000009"} 3
fivegs_pcffunction_pa_policysmassosucc{plmnid="99970",snssai="1000009"} 3
-nonstandard gauge (added for controlling purposes -
same metric as existing metric on AMF and SMF):
fivegs_pcffunction_pa_sessionnbr{plmnid="99970",snssai="1000009"} 0
Expose metrics with labels according to ETSI TS 128 552 V16.13.0 in
UPF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
5qi is not available in UPF.
To present 5qi to the user, MN will have to maintain a table qfi->5qi
for each QoS flow (will have to get information from SMF).
So UPF has to expose qfi. qfi itself is not useful. When used, UPF will
have to expose additional label to define the session (e.g. source
interface).
Label dnn is set to value of APN/DNN received in Establishment.
Since SMF does not add APN/DNN to Establishment, the label is empty.
When APN/DNN will be set by SMF, it should be added to sess in UPF
and used in metrics on Modification and Deletion.
Both datavolumeqosleveln3upf are exposed in bytes.
MN is providing the transformation to kbits.
fivegs_upffunction_upf_qosflows should expose the number of QFIs used in
sessions, but exposes number of QER rules, which is currently equal to
QFIs.
The label snsssai is not provided since the slice is not available on UPF.
Exposed metrics example:
Standard counters:
fivegs_ep_n3_gtp_indatapktn3upf 28637
fivegs_ep_n3_gtp_outdatapktn3upf 14729
fivegs_upffunction_sm_n4sessionestabreq 4
fivegs_upffunction_sm_n4sessionestabfail{cause="66"} 1
fivegs_upffunction_sm_n4sessionestabfail{cause="71"} 68
fivegs_upffunction_sm_n4sessionestabfail{cause="68"} 4
fivegs_upffunction_sm_n4sessionestabfail{cause="72"} 15
fivegs_upffunction_sm_n4sessionestabfail{cause="75"} 3
fivegs_upffunction_sm_n4sessionestabfail{cause="65"} 4
fivegs_upffunction_sm_n4sessionreport 0
fivegs_upffunction_sm_n4sessionreportsucc 0
fivegs_ep_n3_gtp_indatavolumeqosleveln3upf{qfi="1"} 39792997
fivegs_ep_n3_gtp_outdatavolumeqosleveln3upf{qfi="1"} 737548
Nonstandard gauge (added for controlling purposes -
same metric as existing metric on AMF and SMF):
fivegs_upffunction_upf_sessionnbr 1
Standard gauge:
fivegs_upffunction_upf_qosflows{dnn=""} 1
Even if the configured log level for the application was set to "error",
the first "info" message of the metrics library was output to the log.
Reorder the initialization of the metrics library.
commit 5070c19a5469269d036bf243ebdb2740aefc7b8d
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 15:46:35 2022 +0900
updte it
commit e49107f46152ff6dce5658b48cfb2c31df61724a
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 11:03:37 2022 +0900
update it
commit a55b977e044b1d74ccc8a19f1dbf8194c3cd7daa
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 10:50:41 2022 +0900
update it
commit 0ff0930d99bfeb91134271dae0941b4c454d1a3d
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 10:09:35 2022 +0900
update it
commit 8cb5038b66d4a605446c6fc200b77f645f7ad328
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 09:39:08 2022 +0900
update it
commit 0a6829dfb6470f3d9b786363d49387fdc688e33b
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri Nov 4 09:06:22 2022 +0900
update it
commit ea85035300d9a42cc5f8f7ee300d28cd055f0f1c
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Nov 3 21:36:17 2022 +0900
update it
commit e86ba621de332d3f712569cf0580fc8a5321adbd
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Nov 3 17:39:27 2022 +0900
update it
commit 2c05df84eabeba7c277c622e5d810768b2895961
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Nov 3 16:20:47 2022 +0900
update it
commit 43c88aed3f2001fdbc28ce0f11cc21dfcdc5906f
Author: Sukchan Lee <acetcom@gmail.com>
Date: Wed Nov 2 22:17:37 2022 +0900
update it
commit b374db4e02e7dd153944f5a6fdc2a50c434dfa09
Author: Sukchan Lee <acetcom@gmail.com>
Date: Wed Nov 2 22:05:53 2022 +0900
update it
OpenAPI dictates that certain arrays should have at least one item,
otherwise they should not be present.
This includes lists for IPv4/v6 addresses, TAI/TAC lists, ...
Add a check if there is at least 1 item, before creating an array.
Also move variable declarations to inner blocks, to prevent some
accidental usage out of wanted scope.
Support for change stream is only available in mongoc >=1.9.0
- Disabled related functions in dbi.
Support for bson to json used in debug statement only in libbson >=1.7.0
- Simple debug message in lower versions
AMF does not crash anymore when a new UE registration request arrives,
and there is no available space left in UE context pool. Now it just
rejects the request with an error.
Each UE context has 'current' and 'next' TMSI values. AMF first
allocates the 'next' value, before confirming it and releasing the
'previous'. This means that we potentially need pool size of 2x the
amount of maximum configured UE.
Without this change, AMF would crash in case that there are 'x'
configured maximum amount of UE, and there are already 'x' registered
UE.
[gmm] INFO: Registration request (../src/amf/gmm-sm.c:135)
[gmm] INFO: [suci-0-001-01-1234-0-1-1000000000] SUCI (../src/amf/gmm-handler.c:149)
[gmm] DEBUG: OLD TSC[UE:0,AMF:0] KSI[UE:7,AMF:0] (../src/amf/gmm-handler.c:179)
[gmm] DEBUG: NEW TSC[UE:0,AMF:0] KSI[UE:7,AMF:0] (../src/amf/gmm-handler.c:186)
[amf] FATAL: amf_m_tmsi_alloc: Assertion `m_tmsi' failed. (../src/amf/context.c:2160)
[core] FATAL: backtrace() returned 13 addresses (../lib/core/ogs-abort.c:37)
AMF subscribes to UDM for each registered UE.
At the moment, UDM does not send callback to AMF when any of the UE's
properties in the database changes.
At the moment, AMF does properly parse the ModificationNotification, but
does not do anything useful.
* Cancel Location while Idle Fix
* Forgot about SGSAP on MME Change.
Added "action" to sgsap_send_detach..
* Make handle_clr uniform with other handlers
* Added Robustness for Any Detach Type
* Memory wasn't freed upon CLR for unknown IMSIs
* Moving MME Detach to new PR
TS29.500
Ch 6.11 Detection and handling of late arriving requests
In Open5GS, this part was hard-corded.
HTTP2 Client sends a request and waits for 10 seconds.
If no response is received from the HTTP2 Server,
HTTP2 Client performs the exception handling.
In this commit, HTTP2 client sends Header with setting Max-Rsp-Time to 10 seconds.
However, HTTP2 server has not yet been implemented to process this value.
The server is still processing using hard-corded values (10 seconds).
* [MME] Support for Insert Subscriber Data
* Supported AVPs in IDR will overwrite existing subscription information
* Provide error on partial APN updates
* IDR and ULA use same function to process AVPs
* Move subdatamask values into s6a, so both HSS and MME can use them
* Updates are not actioned at this time. A Re-attach is required for
most changes to take effect
* Memory issue on IDR exceptions
* Remove of handling MSIDSN change until DSR is used
Without this change, using metrics with core setup configurations
(configs/vonr.yaml for example) would not be possible. Having one
metrics section for whole config file causes every NF to start metrics
server on same port causing an abort.
* [HSS] Enable Change Streams
* Enable Events and Timers in HSS
* Integrate change streams in dbi
* mongodb should be configured with replica sets enabled to use feature
* Change streams are optional in HSS
* Timer will poll change stream for changes in the database
* As changes are detected, event is created to perform the correct
action
* Changes made as suggested
When UE would send a request to release PDU session, AMF would
eventually send "PDU Session Resource Release Command" downlink to both
UE (N1) and gNB (N2). Each UE and gNB would then reply with "PDU Session
Resource Release Response" indicating they released their own resources.
Usually the first one to respond would be gNB. SMF made an assumption
that this would always be the case. And it would wait for signal that UE
resources were freed, before releasing session resources. But
occasionally the situation is that UE responds first, and SMF releases
resources prematurely.
This situation does not normally occur. But under high stress (100's of
UE PDU releases at the same time) this happens occasionally.
According to the standard, this situation is perfectly normal.
3GPP TS 23.502 Rel. 16
4.3.4.2 UE or network requested PDU Session Release for Non-Roaming and
Roaming with Local Breakout
...
Steps 8-10 may happen before steps 6-7.
...
* Introduce Cancel Location and Insert Subscriber Data features to HSS.
* HSS database will keep track of last known MME and Update Time
* Purged UE flag is established in HSS for future PUR handling
* HSS Thread will connect to database and watch change stream
mongoDB must be configured with a Replica Set to use this
* HSS will send IDR if subscription data changes
* HSS will send CLR to old MME if MME host or realm changes
* Function created to allow ULA and IDR to generate Subscription-Data AVP
* MME Hostname and Realm shown in WebUI
* Resolve freeDiameter errors
During a ULR, if database does not contain a last known MME, a CLR is being sent to a Null destination. This will ensure that a destination is available in the database before sending the CLR.
* Removed change streams. Added PUR handling.
* newline needed at end of file.
* Removed temp variable.
* * Change WebUI to 2x2 display
* Including UE Purged indicator
* Using pointers in ogs_subscription_data_t
* better memory mangement with pointers
* Tweak to Destination used by hss_s6a_send_idr to use last known MME
* Check for null mme_host and mme_realms
Do this before trying to compare the strings.
In case that APN name sent from UE does not case-match with the one
configured in the database, AMF would reject the registration with the
message:
[gmm] WARNING: [imsi-xxx] DNN Not Supported OR Not Subscribed in the
Slice (../src/amf/gmm-handler.c:1051)
Add additional check when receiving Deregistration Notification from
UDM. UE should already be in registered state before accepting the
request and deregistering the UE.
Also add additional check that PCF association policy exists before
sending a delete request to PCF.
* npcf-smpolicycontrol - enabled or disabled
* npcf-policyauthorization - enabled or disabled
Only one of npcf-smpolicycontrol and npcf-policyauthorization cannot be enabled. (../src/pcf/sbi-path.c:151)
They can be enabled or disabled together.
OpenAPI specification for sending NF discovery query with
"service-names" parameter is defined as folowing:
- name: service-names
...
style: form
explode: false
According to OpenAPI specification, this means array items
should be delimited with a comma character (example: /users?id=3,4,5).
== Known limitation ==
Placing npcf-smpolicycontrol and pcf-policyauthorization
in different NFs is not supported. Both npcf-smpolicycontrol
and pcf-policyauthorization should be placed in the same NF.
- Gy instead of Gx AVP was used.
- Use correct avp position and avp variables.
Fixes: 657eef9169 ("[SMF] send 3GPP-Charging-Characteristics on Gx if received on S5/8c")
The 3GPP-Charging-Characteristics is an operator specific AVP
(optional). The 3GPP-Charging-Characteristics can be filled by the HSS
and forwarded by the MME towards the SMF.
The 3GPP-Charging-Characteristics is an operator specific AVP
(optional). The 3GPP-Charging-Characteristics can be filled by the HSS
and pass through to the Gx interface.
See ETSI 29.212 5.4.0.1 for further details.
* Add Diameter Dictionary Elements
* Initial IDR Framework
* Resolve Compile Issues
* Moving Closer
* Compile error
* Somewhat Working stuffing Code
* Add Timestamp Changes
* Cleanup some of this code. mme_s6a_handle_idr in s6a-handler.c removed for now, since it will only come in handy when IDR flag is set to request current location, which would involve breaking out into paging. I think there's a few other things we can do just within fd-path first.
* further removal of mme_s6a_handle_idr
In case that SMF was configured to run without Diameter, it would crash
on application exit due to uninitialized variables/pointers.
ERROR pid:unnamed in fd_sess_handler_destroy@sessions.c:324: ERROR: Invalid parameter '(handler && ( ((*handler) != ((void *)0)) && ( ((struct session_handler *)(*handler))->eyec == 0x53554AD1) ))', 22
[smf] FATAL: smf_gx_final: Assertion `ret == 0' failed. (../src/smf/gx-path.c:1353)
The problem occurred in the following scenario:
1. VLR sent PAGING-REQUEST to the MME
2. MME sent S1-Paging to the UE
3. Paging failed
4. MME responded SERVICE-REQUEST to the VLR
5. VLR sent DOWNLINK-UNITDATA to the MME
6. Even though there is no S1 Context,
MME try to sent DownlinkNASTransport message to the UE.
7. So, the problem occurred.
I've changed the number 4 PAGING-REJECT instead of SERVICE-REQUEST.
* CLR while idle is broken after 7031856cd7
Cancel Location Request arriving while UE is idle will not proceed to paging due to this check for S1 connection. Using new flag "isAnswer" to bypass this check to allow paging to occur when we are not doing a AIA/ULA related procedure.
* No Context Setup is required when sending the detach request. If the paging was due to wanting to send a Detach Request to the UE, then we fast track to sending the detach request.
* emm-sm.c:
In the case of MME initiated detach while UE is idle, there is no initial conext setup. We go right from the service request after paging into sending the detach request. TS23.401
mme-path.c:
Using nas_eps.type in the case of MME Initiated Detach while UE is idle does not work. nas_eps.type would represent the service request.
mme-s11-handler.c:
After S11 action, no action should be taken. We want to wait for the detach accept from the UE before proceeding with the S1 release (detach).
* InitialContextSetup should occur for detach.
As per 3GPP TS 29.060 version 15.3.0, section 7.3.3, 7.3.4, 7.3.5 and 7.3.6
Only if PCO IE is included in Update/Delete PDP Context Request then it
must be present in Update/Delete PDP Context Response.
In order to reflect on whether the request contained PCO IE or not
the SMF context containing the GTP request needs to be updated
i.e. update if present else clear the contents
As per 3GPP TS 29.274 version 10.5.0, section 7.2.9 and 7.2.10,
Only if PCO IE is included in Delete Session Request then it
must be present in Delete Session Response.
In order to reflect on whether the request contained PCO IE or not
the SMF context containing the GTP request needs to be updated
i.e. update if present else clear the contents
Do not Set Origin-Hosts with fd_msg_rescode_set before potential use of ogs_diam_message_experimental_rescode_set. This results in multiple Origin-Host/Realm AVPs.
- Added diameter dictionary definitions for Cancel Location
- Cancel Location will completely remove UE from MME, allow for a fresh IMSI attach to occur on next attempt.
- T3422 is used for detach request.
- Added new handling for s6a events in mme-sm, as not all s6a messages are at attach now. Maybe there's something in a state machine I should've been using here instead of a new flag?
- Testing was completed with UE in idle and connected. With CLR flags indicating re-attach required and without. Also sending CLR after UE detach. And then sending again when mme_ue is empty.
Found no support for HSS provided charging characteristics. Following TS32.251 A.4:
- Use PDN level CC, if one wasn't provided then use subscription level CC
- Don't send CC in S11 if it wasn't included
For HSS's which do not include the NAM, the MME should not treat this as a fatal error. MME should just assume PACKET_AND_CIRCUIT (0), as was decided in a previous PR.
In case there are multiple AMF registered to NRF, SMF would pick only
the first AMF from the list.
In the case of sending PDU Session Establishment Accept from SMF to
AMF, this would mean a high chance of failure since the AMF might
be different than the original requester, and would not know about a
particular UE.
Modify SMF to use ServingNfId field from original request
SmContextCreateData from AMF to determine to which AMF should it send
PDU Session Establishment Accept message.
The issue was introduced with the commit, which builds Open5GS from
local sources instead of downloading them each time from Github.
Fixes: d2cbcf711 ("[build] Use local sources to build applications (#1583)")
When a UE that requests slices tries to connect and there are no slices configured, the reject message is:
5GMM cause = 0x7 (5GS Services not allowed)
however it should be:
5GMM cause = 0x3e (No network slices available)
All 5GMM cause value in reject message is reviewed in this commit
UDM may send a Deregistration Notification to AMF, to deregister
specific UE from the network - Network-Initiated Deregistration.
Deregistration procedure includes sending Deregistration Request to UE,
starting a timer T3522, releasing PDU sessions from SMF, releasing PCF
policies from PCF, and waiting for Deregistration Accept from UE.
Not yet implemented is:
- to prevent deregistration of UE in case it has any emergency sessions,
- page UE when UE is in IDLE mode.
According to TS 23.502, 4.2.2.2.2, AMF sends Registration event to UDM
in the following cases:
- If the AMF has changed since the last Registration procedure, or
- if the UE provides a SUPI which doesn't refer to a valid context in
the AMF,
- or if the UE registers to the same AMF it has already registered
to a non- 3GPP access (i.e. the UE is registered over a non-3GPP access
and initiates this Registration procedure to add a 3GPP access).
In case that UE re-registers to the network with a GUTI, it bypasses
authentication check to the AUSF. In this case, AMF does not send
Registration event to UDM.
Consequently, when UE deregisters again, AMF would send a Deregistration
Event to a UDM, which does not have a context for it.
3GPP standard does not say when AMF sends Deregistration Event to UDM,
only that it is optional.
These (De-)Registration events are for (de-)registering AMF to the UDM
for serving the UE. And not for (de-)registering UE itself for purpose
of tracking when UE is registered on the network.
This partially reverts commit 7be7029ac4
Don't attempt to restart systemd-networkd if systemd is not running
(e.g. installing open5gs inside a chroot).
Fix for:
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
dpkg: error processing package open5gs-upf:amd64 (--configure):
installed open5gs-upf:amd64 package post-installation script subprocess returned error exit status 1
Static code analysis can be executed with following commands:
meson build
ninja -C build analyze-cppcheck
ninja -C build analyze-clang-tidy
These commands are available only if additional tools are installed:
- cppcheck
- clang-tidy
- clang-tools is optional if you want to paralelize the clang-tidy
In case of cppcheck analysis, a file called build/cppchecklog.log is
created with the analysis results.
In case of clang-tidy analysis, some checks are disabled. See file
.clang-tidy, and reenable them if you see fit.
Also it does not scan all the files in the project, since some of them
are imported from other sources. It does not scan any sources under:
- subprojects/
- lib/asn1c/
- lib/ipfw/
3GPP TS 29.244 7.2.2.4.2 documents that the peer will set SEID=0 in the
response when we request something for a session not existing at the peer.
If that's the case, we still want to locate the local session which
originated the request, so let's store the local SEID in the xact when
submitting the message, so that we can retrieve the related SEID and
find the session if we receive SEID=0.
It was spotted that if DeleteSessionReq sent by SMF is answered by UPF
with cause="Session context not found", then it contains SEID=0 (this is
correct as per specs). Hence, since SEID=0 session is not looked up, so
sess=NULL.
A follow up commit improves the situation by looking up the SEID in the
originating request message in that case.
In that case, ogs_pfcp_ue_ip_alloc() will fail with the error message
"CHECK CONFIGURATION: Cannot find subnet [...]" and the assert will make
upf crash.
That's not desirable, let's keep it running and simply reject the
request. The error log is big enoguh to find out.
* [SMF] Avoid abort() if gtp_node mempool becomes full
Related: https://github.com/open5gs/open5gs/issues/1621
* [SMF] metrics: Add new ctr tracking gtp_node allocation failures
This metrics is useful to track whether at some point the mempool went
full, so that config needs to be updated to increase the mempool size.
Gy (3GPP TS 32.299 ) refers to AVP in DCCA (RFC4006).
RFC4006 5.1.2:
"[...] by including the Multiple-Services-Indicator AVP in the first
interrogation."
Nokia's infocenter documentation also states it's sent during Initial CCR
only: "(CCR-I only)".
"build" Docker image previously downloaded latest version of Open5GS
from github, and built the project from that.
Use local source files for building instead.
Valgrind memcheck tool reports an error, of invalid read beyond the
allocated memory.
Function "write_cb()" already allocates (realloc) +1 byte and
null-terminates the data. But the length "conn->size" does not contain
this extra null-terminated byte.
When a copy of the received data is made in "check_multi_info()", it
does not include the null character, resulting in potentially a
non-null terminated string.
Later on when parsing the data, "strlen()" will read beyond the
allocated memory to search for the null character, resulting in an
invalid read.
==1994== Invalid read of size 1
==1994== at 0x484ED24: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1994== by 0x4D3F401: cJSON_ParseWithOpts (cJSON.c:1109)
==1994== by 0x4D3F65C: cJSON_Parse (cJSON.c:1197)
==1994== by 0x4C927DE: parse_json (message.c:913)
==1994== by 0x4C972D8: parse_content (message.c:1790)
==1994== by 0x4C90096: ogs_sbi_parse_response (message.c:589)
==1994== by 0x136431: amf_state_operational (amf-sm.c:248)
...
==1994== Address 0x668371d is 0 bytes after a block of size 253 alloc'd
==1994== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1994== by 0x5107D7F: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.3.3)
==1994== by 0x510814B: _talloc_memdup (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.3.3)
==1994== by 0x4871568: ogs_talloc_memdup (ogs-strings.c:184)
==1994== by 0x4CA7755: check_multi_info (client.c:475)
...
* [SBI] Fix converting PatchItem to JSON
* [UDR] Add support for endpoint for patching subscription data
Add support for PATCH HTTP method for the following endpoint:
/subscription-data/{ueId}/context-data/amf-3gpp-access
Currently does not change any data in the database.
* [UDM] Add support for endpoint for patching subscription data
Add support for the following endpoint, HTTP PATCH method:
/nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access
The endpoint is used when UE deregisters from the core, and AMF
sends a subscription modification request with "purgeFlag" set.
* [UDM] Add check for same GUAMI when patching subscription data
* [AMF] Send deregistration event to UDM
When UE sends deregistration request, AMF needs to send a
Nudm_UECM_Deregistration request to UDM.
The order of requests is now the following:
- send PDU session release to SMF
- send deregistration event to UDM
- send AM policy control release to PCF
* configs: use proper default IP address for metrics server
Let's use the IP address assigned to each process by default when
configuring the HTTP Prometheus server. Otherwise having several
processes listening on 0.0.0.0 cause collisions.
* configs: mme.yaml: Fix trailing whitespace
smf_gtp_node_pool were properly freed.
However, the seqence was wrong, so we got a warning message.
To solve this problem, I've moved smf_gtp_node_alloc/free
from gtp_path.[ch] to context.[ch]
Recent commit re-enabling SBI HTTP/1.1 support
(10bdf39505cf525b95886c140b3c2e82e7427d29) started using libmicrohttpd's
API MHD_create_response_from_buffer_with_free_callback(), which is only
available starting from v0.9.61.
As a result, compilation in xUbuntu 18.04 started failing with errors
about the function not being found, since it ships with libmicrohttpd
v0.9.59.
Depending on 0.9.61 is fine since it's quite old (november 2018) and all
major current distros should for sure have an >= one. Let's simply bump
the version check so that it fails in an informative manner.
For null protection scheme the SUCI needs to be BCD encoded. Whereas for
protection scheme profiles A and B the SUCI needs to be converted from
hexadecimal to ASCII.
This still needs the support for protection schemes A and B in UDM to
work.
* Initial metrics support based on Prometheus
This commit introduces initial support for metrics in open5gs.
The metrics code is added as libogsmetrics (lib/metrics/), with a well
defined opaque API to manage different types of metrics, allowing for
different implementations for different technologies to scrap the
metrics (placed as lib/metrics/<impl>/. The implementation is right now
selected at build time, in order to be able to opt-out the related dependencies
for users not interested in the features. 2 implementations are already
provided in this commit to start with:
* void: Default implementation. Empty stubs, acts as a NOOP.
* prometheus: open5gs processes become Prometheus servers, offering
states through an http server to the Prometheus scrappers. Relies on
libprom (prometheus-client-ci [1] project) to track the metrics and format
them during export, and libmicrohttpd to make the export possible through
HTTP.
[1] https://github.com/digitalocean/prometheus-client-c
The prometheus-client-c is not well maintained nowadays in upstream, and
furthermore it uses a quite peculiar mixture of build systems (autolib
on the main dir, cmake for libprom in a subdir). This makes it difficult
to have it widely available in distros, and difficult to find it if it
is installed in the system. Hence, the best is to include it as a
meson subproject like we already do for freeDiameter. An open5gs fork is
requried in order to have an extra patch adding a top-level
CMakeList.txt in order to be able to includ eit from open5gs's meson
build. Furthermore, this allows adding bugfixes to the subproject if any
are found in the future.
* [SMF] Initial metrics support
* [SMF] Add metrics at gtp_node level
* docs: Add tutorial documenting metrics with Prometheus
* [SMF] Gn: Drop unreachable return line
* [SMF] Avoid crash if Create{Session,PdpContext}Resp fails to be sent
Crash spotted in a running open5gs-smfd process, triggered by:
ERROR: ogs_gtp_sendto() failed (1:Operation not permitted) (../lib/gtp/path.c:119)
ERROR: ogs_gtp_xact_commit: Expectation `rv == OGS_OK' failed. (../lib/gtp/xact.c:730)
ERROR: smf_gtp2_send_create_session_response: Expectation `rv == OGS_OK' failed. (../src/smf/gtp-path.c:451)
FATAL: smf_gsm_state_wait_pfcp_establishment: Assertion `OGS_OK == smf_gtp2_send_create_session_response( sess, gtp_xact)' failed. (../src/smf/gsm-sm.c:676)
* [SMF] Avoid crash if Delete{Sesson,PdpContext}Resp fails to be sent
Let's simply continuing with release of the session, there's not much we
can do about it. Peer will eventually realize the conn is no longer
there.
I added four additional commands which are useful in case not using the GUI (add UE using a specific APN, add UE using a specific slice and APN, modify a slice adding an APN, modify an UE adding a new slice + APN)
According to the following standards the response to the endpoint
/nudm-sdm/${supi}/sm-data should be an array of
SessionManagementSubscriptionData objects, instead of only one object.
TS 29.503 version 16.6.0
TS 29.505 version 16.4.0
UDR now responds to the request with only item in the array.
UDM copies all items as is.
SMF uses only the first item in the array, even if there are more
present.
AN-Trusted AVP is only relevant for non-3GPP access networks e.g. WLAN.
This commit adds a check for non-3GPP access network in order to include
AN-Trusted AVP in CCR or not.
Also, clears the M bit for AN-trusted AVP as per TS 29.212 version 16.4.0, Table 5.4.0.1
A problem occurred when there was one SGWU/UPF and multiple SGWC/SMF.
When SGWU and UPF create a session, if the SEID is the same,
the existing session information is used without creating an additional session.
These problems were solved by using the F-SEID including IP information
in the process of checking the existing session.
For video in VoNR, multiple QosFlow is required in one session.
In the past, since only one Session Modification Message was supported,
QoS-Flow was put into several Session Messages one by one and processed.
Now that multiple QoS-Flows can be supported,
it is optimized to process one session modification message.
* [SMF] rename function s/gtp/gtp2/
* [SMF] Store GTPC version in session
So far we always depended on an xact being present in the code path in
order to know which kind of session it is (GTPv1C vs GTPv2C). Let's
instead store that information in smf_sess_t so that we have it always
available in an easy way.
* [SMF] Move smf_sess_t GTPv1C specifics into gtp substruct
* [SMF] Gy CCR: append 3GPP-NSAPI AVP
* [SMF] Append PDP-Address AVP to Gy CCR msg
* [SMF] Gy CCR: Move some AVPs under Service-Information/PS-Information
They belong there. Nokia infocenter documentation seems to be document
the possibility to configure its software to have it in top level, but
that's not what 3GPP TS 32.299 states, so let's stick to it.
* [SMF] Gy CCR: append 3GPP-PDP-Type AVP
* [SMF] Gy CCR: append 3GPP-Charging-Id AVP
* [SMF] Gy CCR: append SGSN-Address AVP
* [SMF] Gy CCR: append GGSN-Address AVP
Issue:
When the ULA - Subscription Data does not contain MSISDN, the Create Session Request
from MME to SGW does not contain MSISDN IE resulting in SMF throwing following log
smf | 05/09 15:20:53.683: [smf] ERROR: No MSISDN (../src/smf/s5c-handler.c:82)
sgwc | 05/09 15:20:53.683: [sgwc] ERROR: No Context in TEID (../src/sgwc/s5c-handler.c:104)
mme | 05/09 15:20:53.683: [mme] ERROR: No Context in TEID (../src/mme/mme-s11-handler.c:122)
As per 3GPP TS 29.274 version 16.5.0, table 7.2.1-1: MSISDN IE shall only be included
in Create Session Request if its provided in subscription data from the HSS. This commit
fixes this by removing the mandatory MSISDN IE check in SMF.
It allows for much better control on the lifecycle of the session, and
already shows some missing tear down paths in case of errors.
It also clarifies the existence of "sess" pointer in several paths.
The code also becomes clearer overall, since all the transitions and
logic to send next messages are put together.
Tear down of the session will be integrated into gsm-sm in a follow-up
patch.
The 5gc session setup is only partially moved to gsm-sm, and left as an
exercise for users wishin to improve 5gc support.
In the past only GTPv2C was supported, and had the "gtp" generic prefix.
Later on, GTPv1C support was added, and "gtp1" prefix was used.
Let's move GTPv2C specific bits to have "gtp2" prefix too, and leave
"gtp" prefix for generic stuff among different GTP versions.
This commit adds EMM Cause to Attach accept message when
Attach Request has COMBINED EPS IMSI ATTACH but the HSS
Network-Access-Mode is configure for EPS ONLY.
The use of the Gy interface (SMF acting as CTF towards an OCS node) is
mandated through configuration file. Default value "enable: auto" will
only make use of it in case a Diameter peer announcing support for the
Credit-Control Application is found.
Upon subscriber session creation, and after auth check over Gx, the SMF
will create a Gy session with the OCS and only after that step the SMF
will accept the session back to the subscriber.
The OCS may then grant some traffic volumes/time and ask to be notified
back with updated measurements.
In order to get the measurements, the SMF relies on PFCP URR configured
to the UPF through Session Repoort Request messages.
When closing the subscriber session, the SMF will also terminate the Gy
session at the OCS.
So far only some specifics parts of the Gy interface as well as the PFCP
side are implemented. Those should be enough to at least have
volume/time thresholds granted by the OCS, which then will be able to
track subsriber resource use.
This patch doesn't implement the OCS side of the Gy interface, that's
left as a future exercise. The interface was tested using an OCS
emulator implemented in TTCN-3 [1]
[1] https://cgit.osmocom.org/osmo-ttcn3-hacks/
TODO:
* Use an event for the report, like SMF_EVT_N4_TIMER?
* Properly set Service identifier in Gy CCR
* SMF: Properly set pkt/octet volumes in Gy CCR
** Update when receiving PFCP Modify Response.
* Figure out best way to require Gy through config file in open5gs-smfd.
* Create a new sess-sm.c which handles smf_sess_t state through
Gx+Gy+PFCP creation, modification and tear down. This way we can do
stuff in parallel, for instance Gx+Gy. It will alsoavoid duplicating
some code paths due to Gy being optional.
This commit adds required blocks in lib/diameter to be able to handle Gy
messages later in open5gs apps.
The Gy interface is mainly decribed in 3GPP TS 32.299 and 3GPP TS
32.251, which in turn refers to Diameter protcols defined in RFC4006.
This interface allows charging managment through an external OCS node.
The "Report Triggers" is sent SMF->UPF to tell in which situations a
report should be sent.
The "Usage Report Trigger" is sent UPF->SMF to indicate which situation
triggered the report.
Catch Origin-Host during CCA and set it as Destination-Host during
subsequent CCRs. This way we ensure UPDATE/TERMINATION Requests are sent
back explicitly to the same Diameter peer. Moreover, it seems
freediameter relies on this AVP to properly send the message over the
correct SCTP association when several diameter peers are available.
* [PFCP] Fix trailing whitespace in message generation files
* [PFCP] message gen: Support multiple URR ID IEs in Create PDR group
* [PFCP] Support associating multiple URRs to a PDR
According to 3GPP TS 29.244:
"""
A PDR shall contain:
- zero, one or more URRs, which contains instructions related to traffic measurement and reporting.
"""
These will be further needed in PFCP in the future, as well as in other
Diameter based interfaces (such as Gy).
Let's put all implementation details in APIs so that devs don't need to
care about those details every time.
* [PFCP] Fix trailing whitespace
* [PFCP] Fix wrong endianess enc of some URR values
u32 tlvs are already converted to big endian automatically. Manually
doing so ends up in double conversion and hence in wrong endianness
being sent over the wire.
Similar issue was also fixed recently in the PFCP decoding path.
Related: https://github.com/open5gs/open5gs/issues/1349
1. UE registered and PDU established.
2. PCF does not receive Heartbeat.
- PCF De-registered state.
- Since PDU is established, SMF should not remove NF instance
3. PCF re-registered.
- HERE, WE NEED TO INCREASE NF REFERENCE COUNT.
Otherwise, NF instance will be removed if PCF is de-registered state
4. UE sends PDU release request.
5. Because SMF knows PCF NF instance, SMF can send PCF delete
mouse07410/asn1c#89
Found when tried to encode NGAP_CauseRadioNetwork_release_due_to_pre_emption
mouse07410/asn1c#90
Found when tried to decode messages encoded with newer schema
As per 3GPP TS 23.401 version 15.12.0, section 5.3.1.2.2
The PDN GW allocates a globally unique /64
IPv6 prefix via Router Advertisement to a given UE.
After the UE has received the Router Advertisement message, it
constructs a full IPv6 address via IPv6 Stateless Address
autoconfiguration in accordance with RFC 4862 using the interface
identifier assigned by PDN GW.
For stateless address autoconfiguration however, the UE can
choose any interface identifier to generate IPv6 addresses, other
than link-local, without involving the network.
And, from section 5.3.1.1, Both EPS network elements and UE shall
support the following mechanisms:
/64 IPv6 prefix allocation via IPv6 Stateless Address
autoconfiguration according to RFC 4862, if IPv6 is
supported.
* [SMF] Gn: Avoid assert crash if no PDP resources available
* [SMF] Gn: Rearrange IE handling order in CreatePDPContextRequest
Let's handle the GTPC remote addr + TEID first, since those should be
used in the CreatePDPContextResponse ideally if available.
Let's then handle parsing of all IEs not related to bearers/UserPlane,
then those missing, and finally do all the IP resource allocation.
* Fix conversion from IPFilterRule to packet filter
As per 3GPP TS 24.008, following Packet filter component type identifier
are not supported on the LTE pre release-11 UEs:
IPv4 local address type
IPv6 remote address/prefix length type
IPv6 local address/prefix length type
And,
IPv6 remote address/prefix length type and
IPv6 local address/prefix length type shall be used when both MS and
Network support Local Address in TFTs.
This commit add logic to omit adding local address in packet filters
for compatibility with pre-release LTE 11 devices. The following parameter
could be used to toggle omit/no to omit behavior.
parameter:
no_ipv4v6_local_addr_in_packet_filter: <true/false>
* Remove logic of supporting pre-release LTE 11 devices in PCRF
According to TS 29.060 they should be added.
section 7.6:
"if it is a request for which a response has been defined, shall be sent
with a Sequence Number"
section 8.2:
"""
Sequence number flag (S) shall be set to "1"
...
For GTP-C messages not having a defined response message for a request
message, i.e. for messages Version Not Supported, RAN Information Relay
and Supported Extension Headers Notification, the Sequence Number shall
be ignored by the receiver.
"
* [SMF] typo fixes in commented code
* [SMF] Fix early err return handling UpdatePDPContextRequest
* [SMF] UpdatePDPContext: forward update of remote TEID+IPaddr to UPF
Updating the remote GTP-U IP address and/or TEID on the GGSN is a common
practice, used for instance by an SGSN in a UTRAN network to connect an
HNB(GW) to exchange GTP-U directly with the GGSN. It is also used in
general when doing handovers.
When receiving a UpdatePDPContext with the new address, we need to
forward the update to the UPF so that it takes it into account when
forwarding packets.
This patch only implements updating the information towards the UPF when
GTPv1C is used. Similar approach for GTPv2C (upon receival of Modify
Bearer Request) is still unimplemented.
Related: https://github.com/open5gs/open5gs/issues/1367
In the event we have 2 local IP addresses available for use, put the one
having same IP version in "GGSN Address *" IE, and the one with the
other IP version in "Alternative GGSN Address *" IE.
Same fix was applied recently to CreatePDPContextResponse.
TS 29.060 sections 7.3.4 and 7.3.6 specify the possible cause values for
UpdatePdpContextResponse and DeletePdpContextResponse.
Together with section 8.2, it becomes clear that 'Non-existent' cause
should be sent instead of 'Context not found' one in those cases.
It seems to be actually mandatory in GGSN->SGN directon, though it is
ignored in Release99 upwards. Let's hardcode it to 0 for now, should be
fine in the majority of cases.
In the event we have 2 local IP addresses available for use, put the one
having same IP version in "GGSN Address *" IE, and the one with the
other IP version in "Alternative GGSN Address *" IE.
* [CORE] tlv: Store mode in ogs_tlv_t
This allows specifying the format of the IE for each individual IE,
hence allowing messages containing IEs formatted in different ways.
This is needed in order to support parsing GTPv1-C, since messages
contain IEs with different structure (TLV vs TV). Hence, this is a
preparation patch to add support for parsing TVs in ogs-tlv.c/.h.
* [CORE] tlv: Support parsing msg with both TLV and TV in it
IEs of type TV are sometimes used in GTPv1-C. Current tlv parser/builder
doesn't provide with ways to parse messages which contain TV formatted
IEs. This patch adds the relevant types and ways to encode/decode them.
Furthermore, the current parser/builder allows parsing/building messages
containing the exact same format in all its IEs. A new parser function
is added which allows parsing messages of different types (TV, TLV)
mixed in the same message. In order to be able to do so, it uses the
general msg_mode passed to it in order to know the general TLV format
(in essence, the length of the Tag field, and also the length of the
Length field if applicable each IE).
Looking up the instance in the TLV description is left undone and
hadcoded to 0, since the only user so far requiring this API is GTPv1-C,
which has no instances.
* [CORE] tlv: Support repeated tag+instance parsing TLV message
In GTPv2C, repeated IEs (same tag) are easily differentiated by the
Instance byte, which provides info to match different decoded
structures. In GTPv1C though, there's no Instance byte, and we still
encounter repeated IEs (like GSN Address in Create PDP Context Request).
Hence, the TLV decoder needs to be updated to track count of IEs found
(identified by tag+instance, where instance is always 0 in GTPv1C) and
get the proper description index + offset into the decoded structure.
* [GTP]: Move GTPv2-C specifics to its own libgtp subdir
This will allow adding GTPv1-C code by the side. Most GTPv2 code is left
in this patch as "gtp" instead of renaming it to "gtp2" in order to
avoid massive changes. It can be done at a later stage if wanted.
* [GTP] Support generating GTPv1-C messages
* [SMF] Add Gn interface support
This patch introduces GTPv1C support to open5gs-smfd. With it,
open5gs-becomes a GGSN too, where SGSN can connect to, hence supporting
GERAN and UTRAN networks.
* [configs] Remove requires systemd-networkd dep from smfd service
The smf no longer has (never had?) a dependency on systemd-networkd,
and can start and remain operational without systemd-networkd
specifically running.
* [configs] Relax upf dependency on systemd-networkd
The upf relies on systemd-networkd to create the ogstun interface, but
does not communicate with it at runtime. It currently has a "Requires"
dependency specified, which means that the upf will be stopped if
systemd-networkd is ever stopped. Since the upf doesn't actually care
if systemd-networkd is later stopped after ogstun is created, it can
use the weaker "Wants" dependency type, which allows it to keep
running even if systemd-networkd were to be stopped.
Regardless, since it does rely on systemd-networkd specifically to
create the ogstun interface, it should sequence itself "After"
systemd-networkd has been started.
Since the true dependency is ogstun, not systemd-networkd, a cleaner
approach would depend on the specific tunnel device being
available. Systemd exposes this information via device units, but I'm
not sure if they are always consistently named across platforms.
* [configs] Do not require ogstun for system online
Systemd-networkd will wait for all managed interfaces to be configured
before determining the system is online. Since the ogstun and upf are
more logically an application rather than a system networking service,
don't wait for them to be configured by default.
This breaks the circular dependency between the userspace cellular
core network services and the system's network, which will allow the
cellular core network services to sequence themselves cleanly after
the system's network is up and configured.
* [configs] Sequence network-dependent units after network-online
Since open5gs targets platforms with both ifupdown (debian) and
systemd-networkd (Ubuntu) as core networking providers, this commit
sequences network-dependent core network components after the generic
network-online.target instead of one of the specific provider
targets. This allows the core network to operate correctly with both
systemd-networkd and ifupdown (networking), and fixes the issue
observed in https://github.com/open5gs/open5gs/issues/826 where some
platforms may fail to start cleanly.
* [GTP] xact: Fix trailing whitespace
* [GTP] xact: Avoid exporting internally used functions
This simplifies the API header hiding unneeded APIs from external
components, and lets the compiler further optimize by
marking the functions as static.
* [GTP] xact: Drop unused API ogs_gtp_xact_find
After making it static, it became clear to the compiler that this
function is not used anywhere, warning about it. Let's drop it.
* [SMF] Fix potential null pointer dereference
Pointer "sess" was first dereferenced and later on checked for nullness.
This is clearly wrong. Rearrange the code path to make sure the check is
done first, then dereferenced.
* gitignore: Add subprojects/libtins
* cosmetic: Fix whitespace
The network access mode of HSS has been changed to 0 (Packet and Circuit).
Versions of MME prior to v2.4.2 did not use this value. Open5GS set
the attach result of Attach Complete message as it is by looking
at the attach type of the Attach Request message.
Now, if the network access mode of HSS is set to 2 (Only Packet),
this value is affected by MME from v2.4.3. Regardless of the attach type
of the Attach Request, the MME will set EPS Only to the attach result
of Attach Complete.
3GPP TS 24.501 version 16.6.0 Release 16
4.4 NAS security
4.4.6 Protection of initial NAS signalling messages
1) the UE needs to send non-cleartext IEs in a REGISTRATION REQUEST
or SERVICE REQUEST message, the UE includes the entire REGISTRATION
REQUEST or SERVICE REQUEST message (i.e. containing both cleartext IEs
and non-cleartext IEs) in the NAS message container IE and shall cipher
the value part of the NAS message container IE. The UE shall then send
a REGISTRATION REQUEST or SERVICE REQUEST message containing
the cleartext IEs and the NAS message container IE;
As per RFC 4861 Router advertisement message
format, Source Address MUST be the link-local address
assigned to the interface from which this message is sent.
Since SMF was not sending it as per RFC, certain
phones were not completing the procedure of stateless
IPv6 address autoconfiguration mentioned in
3GPP TS 23.401 version 15.12.0 Release 15, section 5.3.1.2.2
During PDU Session Establishment,
if gNB sends PDUSessionResourceReleaseResponse,
AMF was crashed.
In this case, AMF/SMF remove Session Context and sends ErrorIndication.
An assert occurs when a NAS message retransmission occurs.
Because there is no `enb_ue` context.
Therefore, before removing enb_ue, all Timers must be stopped
to prevent retransmission of NAS messages.
1. rollback ogs_error() to ogs_warn()
To remove the print-out in the test code,
8/13 open5gs:epc / attach OK 10.60 s
bearer-test : SUCCESS
session-test : /11/30 15:59:34.556: [esm] ERROR: Invalid APN[ims2] (../src/mme/esm-handler.c:71)
SUCCESS
2. if( to if (
Coding standard in open5gs
This bug occurs when SGW-C restarts and the next signal occurs
between MME and SGW-C
- Create Session Request/Response
- Modify Bearer Request/Response
When connecting to the UPF port for the PFCP protocol (8805) and sending
an association setup request followed by a session establishment request
with a PDI Network Instance set to ‘internet’, it causes a stack corruption
to occur.
So, ogs_fqdn_parse() fixed.
nas-common library includes libcrypt. However, SGW-C don't have to use
crypt library. As such, ogs_nas_plmn_id function was moved to
3gpp-core-types.[ch]
For more information,
$ ./install/bin/open5gs-sgwcd
./install/bin/open5gs-sgwcd: error while loading shared libraries: libogscrypt.so.2: cannot open shared object file: No such file or directory
$ ldd ./install/bin/open5gs-sgwcd
linux-vdso.so.1 (0x00007ffc749ad000)
libogsapp.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogsapp.so.2 (0x00007f1f92277000)
libogscore.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogscore.so.2 (0x00007f1f92240000)
libogsgtp.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogsgtp.so.2 (0x00007f1f921eb000)
libogsnas-common.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogsnas-common.so.2 (0x00007f1f921e5000)
libogspfcp.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogspfcp.so.2 (0x00007f1f92177000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1f92134000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1f91f42000)
libyaml-0.so.2 => /usr/lib/x86_64-linux-gnu/libyaml-0.so.2 (0x00007f1f91f20000)
libogscrypt.so.2 => not found
libogsipfw.so.2 => /home/acetcom/Documents/git/open5gs/install/lib/x86_64-linux-gnu/libogsipfw.so.2 (0x00007f1f91ef5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1f922b1000)
TS24.501
8.2.11 DL NAS transport
8.2.11.4 5GMM cause
The AMF shall include this IE when the Payload container IE
contains an uplink payload which was not forwarded and
the Payload container type IE is not set to "Multiple payloads".
-0-
As such, this function 'nas_5gs_send_gsm_reject()' must be used
only when an N1 SM message has been forwarded to the SMF.
- Nokia FRGY Flexi BTS BBU with Nokia FRCG RRU Band 5 850Mhz FDD 40W. Version 16.1A to 19.0
- Huawei BBU5900 with RRU5304W Band 7 FDD 2600Mhz 40W Version V100R016C10
commit 183d8b8344122f25f77be79b1b698c71f48c1656
Author: Sukchan Lee <acetcom@gmail.com>
Date: Fri May 28 23:44:26 2021 +0900
[SMF] introduce new list API [#1019]
Sometimes we may need two lists for same node.
To do this, I created a new list API, and applied it this pull request.
This commit address the issue where a bearer with particular
PCC rule name exists with TFTs and addtional TFTs needs to be added
to same bearer and DRB lost is reported by UE.
This is achieved by creating EPS Bearer Level Traffic Flow Template
with TFT operation code as 'OGS_GTP_TFT_CODE_ADD_PACKET_FILTERS_TO_EXISTING_TFT' in
above scenario rather than use 'OGS_GTP_TFT_CODE_CREATE_NEW_TFT' at all times.
And, not remove existing packet filters for the bearer.
Confirmation for non-cleartext IE should only be applied
to the initial NAS message. Registration requests and Service requests
with UplinkNASTransport do not have to.
All process will be forcely exited if it failed to encode the S1AP/NGAP/GTP/PFCP message. It is to make sure there was no problem with the encoding of open5gs.
* Preserve local port in Rx flow-description
In contnuation to support for calling in pre-rel. LTE 11 devices
, rather than removing the local IP addr field and local port remove
only the IP addr field
* tft: Set precedence considering exisiting TFTs in all bearers of a DNN
- In developement mode, if there is no default admin account,
Node.js server WILL create admin/1423 account.
- In production mode, even though there is no default admin account,
Node.js server WILL NOT create admin/1423 account.
1. WebUI installation script will create default admin account
if there is no account.
$ curl -fsSL https://open5gs.org/open5gs/assets/webui/install | sudo -E bash -
2. Installation script will automatically uninstall WebUI
if WebUI has already been installed.
1. DownlinkNASTransport
If AMF has not sent it previously, UE-AMBR is included in Registration
accept.
2. InitialContextSetupRequest
If PDUSessionResourceSetup is available, UE-AMBR is included
3. PDUSessionResourceSetupRequest
If AMF has not sent it previously, UE-AMBR is included
4. HandoverRequest
If PDUSessionResourceSetup is available, UE-AMBR is included
1. If UE does not use a NAS container for Non-cleartext IEs,
Open5GS AMF will send Registration reject message.
2. If UE sends Non-cleartext IEs without Integrity-protected,
Open5GS AMF will send Registration reject message.
3. If UE does not send NAS container in Security mode complete message,
Open5GS AMF will send Registration reject message.
* [misc] Set slice session type when upgrading
* [misc] Use correct units when upgrading
The old UI specified units in kbps, which corresponds to enum 1, not
enum 0, in the new schema and UI.
Change the order of IMPUs sent in XML as follows and also have only the
following IMPUs
i.e.
1. sip:<MSISDN>@ims.mnc<MNC>.mcc<MCC>.3ggpnetwork.org
2. tel:<MSISDN>
The configuration has changed. PFCP node rr=0 is removed as shown below.
sgwc:
pfcp
rr: 0 <-- Removed
Introduced a new configuration method for SMF/SGW-C
parameter:
no_pfcp_rr_select: true
By default, PFCP round robin selection is allowed.
The above parameters prohibit selecting PFCP in a round robin manner.
The AMF shall assign a new 5G-GUTI for a particular UE:
a) during a successful initial registration procedure;
b) during a successful registration procedure
for mobility registration update; and
c) after a successful service request procedure invoked as a response
to a paging request from the network and before the release
of the N1 NAS signalling connection as specified in subclause 5.4.4.1.
The AMF should assign a new 5G-GUTI for a particular UE
during a successful registration procedure
for periodic registration update. The AMF may assign a new 5G-GUTI
at any time for a particular UE by performing
the generic UE configuration update procedure.
1. UE sends PDU session establishment request to the AMF.
2. AMF initiates Release Due to Duplicate Session ID.
3. SMF cannot find the session by SM-Context-Ref.
For the above condition, AMF sends NGAP ErrorIndication to the UE.
If parameter.ignore_requsted_nssai is true,
AMF will ignore the UE Requested NSSAI and create an allowed-NSSAI
based on the Default S-NSSAI in the Subscription DB.
AMF checks whether it can serve all the S-NSSAI(s) from
the Requested NSSAI present in the Subscribed S-NSSAIs
(potentially using configuration for mapping S-NSSAI values
between HPLMN and Serving PLMN), or all the S-NSSAI(s) marked
as default in the Subscribed S-NSSAIs in the case that
no Requested NSSAI was provided or none of the S-NSSAIs
in the Requested NSSAI are permitted,
i.e. do not match any of the Subscribed S-NSSAIs or not available
at the current UE's Tracking Area (see clause 5.15.3).
* protects db endpoints with auth data, but will require ui updates to function properly
* adds an Authorization header with bearer token to all api/db/* request endpoints
* force login if token doesn't exist
* remove debug code
If both Delete-Session-Request/Response and
UEContextReleaseCommand/UEContextReleaseComplete are failed at the same time,
UE cannot attach to the EPC infinitely.
So, I've add the protection code
if timer expires when MME does not receive Delete-Session-Response.
DataForwardingNotPossible should only be included
if Data Path is not available during N2-Handover.
However, there is a bug that always includes
DataFowardingNotPossible regardless of Handover.
So, I've fixed it!
Previously, AMF would sends PDUSessionResourceSetupRequest
when the following conditions were met:
- gNB didn't send UE Context Request IE of InitialUEMessage
- AMF should send SMF generated TRANSFER message(PDU_RES_SETUP_REQ)
to the gNB
However, in issues #771, the gNB did not accept
PDUSessionResourceSetupRequest. Perhaps the gNB engineer thought
that if gNB needs to send data traffic to the UE, AMF should send
an InitialContextSetupRequest regardless of UE Context Request IE.
This is because gNB requires the kgNB security context
for data connection.
So, in this case, Open5GS-AMF decided to send
an InitialContexSetupRequest regardless of
whether it received UE Context Request IE of InitialUEMessage.
* AAR Media-Sub-Component modification for more UEs support
* Introduce parameter for legacy support for pre-release LTE 11 devices to do calling
IE (IPV4-local-addr field ) is not supported on
the LTE pre release-11 UEs. In order for the call
to work the local address in packet filter must
be replaced by any.
Parameter: no_ipv4v6_local_addr_in_packet_filter
* Flow-Description use 'to assigned' in Gx Interface
* Support SDF Filter ID
* Support F-TEID's Choose
* BAR(Buffering) is added in PFCP session
* Default Apply Action uses NOCP|BUFF
* Remove invalid link in debian docker file.
Remove self-referential link from debian docker setup.
Fixes bug introduced in commit 8c4a50785
* Add Vagrantfile to create CentOS 8 system for deploying open5GS.
This Vagrantfile is identical to the base CentOS 8 box from Vagrant
Cloud, but was modified to increase the amount of virtual memory to
1GB from 512MB.
* Update installation instructions for CentOS 8.
Update the installation instructions for CentOS 8 to describe
step-by-step the commands necessary to install the necessary
prerequesites for building and running Open5GS, installing and building
the source code, and running the base tests to confirm that Open5GS
was built correctly.
Most of the time, an application wants to perform some amount of data buffering
in addition to just responding to events. When we want to write data,
for example, the usual pattern runs something like:
1. Decide that we want to write some data to a connection;
put that data in a buffer.
2. Wait for the connection to become writable
3. Write as much of the data as we can
4. Remember how much we wrote, and if we still have more data to write,
wait for the connection to become writable again.
Now, Open5GS implements the above method by default when transmitting data
in a stream type socket.
1. SCTP event size workaround - stolen code from libosmo-netif
2. Remove PFCP User Plane IP resource information
3. Fix the bug when building Initial Context Setup Request with EMM NAS message.
So far, no operation was performed when Error Indication was received
from eNodeB. For that reason, I solved #568 issues by controlling
the MME to prevent this from happening.
Now, when GTP-U Error Indication is received, MME and SGW are implemented
to do what they have to do. I hope that the network can be restored
by responding appropriately even if Error Indication occurs.
* Add Vendor-Specific-Application-Id in CER of PCRF
Not advertising a Vendor-Specific-Application-Id in CER may result in
Diameter Peer rejecting the CER with a DIAMETER_NO_COMMON_APPLICATION error
* Add Vendor-Specific-Application-Id in CER of HSS and MME
Not advertising a Vendor-Specific-Application-Id in CER may result in
Diameter Peer rejecting the CER with a DIAMETER_NO_COMMON_APPLICATION error
In TS24.501 Ch 5.5.1.3.8 Abnormal cases on the network side
d) REGISTRATION REQUEST with 5GS registration type IE set to
"mobility registration updating" or "periodic registration updating"
received after the REGISTRATION ACCEPT message has been sent and
before the REGISTRATION COMPLETE message is received.
Since, we have to do this special case, it is desirable
to handle it directly inside the state(gmm-sm.c).
<DOWNLINK>
RX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> Destination <UE_IP> <UE_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
<UPLINK>
RX : permit in from <UE_IP> <UE_PORT> to <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
GX : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
PFCP : permit out from <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT> to <UE_IP> <UE_PORT>
RULE : Source <UE_IP> <UE_PORT> Destination <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
TFT : Local <UE_IP> <UE_PORT> REMOTE <P-CSCF_RTP_IP> <P-CSCF_RTP_PORT>
o Tester
1. UE registered to 5GS and can connect to internet.
2. Turn off the UE and turn on the UE immediately
3. UE send PDU session request message
without sending registration complete
o Analysis Result
1. UE sends registration request with unknown GUTI
2. AMF send registration accept without GUTI
3. UE skips the registration complete
So, we need the handler UL NAS Transport in this state.
After the PDN disconnect failed, there was a problem
that the PDN connectivity was not possible again.
PDN connectivity has been modified to work properly
even in the same situation as 401x2 pcap.
- Set the number of UEs in units of AMF/MME instead of gNB/eNB.
- See default value as shown below
Number of UEs per AMF/MME : 4,096
Number of gNB/eNB per AMF/MME : 32
commit 58d790f4916319b274c2c8a82b6226dc3f79258e
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 22:05:38 2020 +0000
udpate it
commit 5c06b8fa9114dc7391208d523cf850a3ca3f78d5
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 16:01:02 2020 +0000
update it
commit 19909f9d9e20f429bd06300e9ba2cfaef855c9b2
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 15:52:13 2020 +0000
update it
commit b7f2bb3681aa512dcb621e4662c90d7277863707
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 15:48:18 2020 +0000
update it
commit 53f3004467a81a0702d9c1ee3e29f4d4d29ff22c
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 15:32:30 2020 +0000
update it
commit e295ec4537c443cd6253592a9e31e151fc0bb827
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 14:50:23 2020 +0000
update it
commit 435edd22ba8118b31855b88d6974d9f757758da2
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 14:39:43 2020 +0000
update it
commit 49872a99f13476bd73a44150d18c66ad713ef699
Author: Sukchan Lee <acetcom@gmail.com>
Date: Thu Aug 13 14:36:30 2020 +0000
update it
Unfortunately upstream microhttpd has changed their callback function
prototypes in an API-incompatible way. At least if you build with
-Werror, gcc will fail due to non-matching prototypes.
Work around this by using a typedef which uses the proper return type
depending on the microhttpd version used.
Closes: #497
Co-authored-by: Harald Welte <laforge@osmocom.org>
* MME: select SGW by RR,TAC,ENB_ID
and enable round robin inside each option
* SMF: select PFCP associated UPF by RR,TAC,APN,ENB_ID
and enable round robin inside each option
1. Dont run the P-CSCF, I-CSCF and S-CSCF as systemctl process
2. Run all the IMS process in foreground for better debugging
3. Run all the IMS process (or atleast P-CSCF) in foreground as ROOT user and NOT SUDO - Handles non-creation of IPSec tunnel issue
The fix introduced in commit 768e4d9eb3 is wrong, which resulting in UE
replying with bad Semantic error for Activate Dedicated EPS Bearer Context Request. Hence, reverting back
to original implementation as its correctly doing the conversion as per 3GPP Spec. ETSI ETSI TS 129 214 V14.3.0
Section 5.3.8.
* Remove mme_enb_t pool and use enb_list instead
* Refactor S1 Setup request handler
* Implement S1 Setup Failure response when maximum number of eNBs reached
Few minor corrections;
* Meson installed via apt
* Directory corrections in regards to where to go on the system
* Added copying the binaries to /usr/bin
* Adopt tutorial format to dockerized VoLTE lab
* Fixed several lines according to Supreeth's feedback
* add PCAP analysis to successful calls
* set APN type to IPv4
* remove redundant APN screenshots
- Added more info to disable VoIP calling so that it doesnt intefere with VoLTE call test
- Checkout 5.3 branch of kamailio (better for IPSec requiring phones)
If you don't understand something about Open5GS, the [https://open5gs.org/open5gs/docs/](https://open5gs.org/open5gs/docs/) is a great place to look for answers.
## Getting Started
## Support
Please follow the [documentation](https://open5gs.org/open5gs/docs/) at [open5gs.org](https://open5gs.org/)!
Problem with Open5GS can be filed as [issues](https://github.com/open5gs/open5gs/issues) in this repository.
## Sponsors
Discussions related to this project are happening on the [nextepc@lists.osmocom.org](mailto:nextepc@lists.osmocom.org) mailing list, please see <https://lists.osmocom.org/mailman/listinfo/nextepc> for subscription options and the list archive.
If you find Open5GS useful for work, please consider supporting this Open Source project by [Becoming a sponsor](https://github.com/sponsors/acetcom). To manage the funding transactions transparently, you can donate through [OpenCollective](https://opencollective.com/open5gs).
Voice and text chat available in Open5GS's [Discord](https://discordapp.com/) workspace. Use [this link](https://discord.gg/GreNkuc) to get started.
- Problem with Open5GS can be filed as [issues](https://github.com/open5gs/open5gs/issues) in this repository.
- Other topics related to this project are happening on the [discussions](https://github.com/open5gs/open5gs/discussions).
- Voice and text chat are available in Open5GS's [Discord](https://discordapp.com/) workspace. Use [this link](https://discord.gg/GreNkuc) to get started.
## Contributing
Open5GS is a pure/classic FOSS project, open to contributions from anyone.
[Pull requests](https://github.com/open5gs/open5gs/pulls) are always welcome, and I appreciates any help the community can give to help make Open5GS better.
Do you want to be a committer? Please [send me an email](mailto:acetcom@gmail.com). You will be added as a committer to this project. However, if someone consistently causes difficulties with these source repositories due to poor behavior or other serious problems then commit access may be revoked.
If you're contributing through a pull request to Open5GS project on GitHub, please read the [Contributor License Agreement](https://open5gs.org/open5gs/cla/) in advance.
## License
Open5GS source files are made available under the terms of the GNU Affero General Public License (GNU AGPLv3).
-Open5GS Open Source files are made available under the terms of the GNU Affero General Public License ([GNU AGPLv3.0](https://www.gnu.org/licenses/agpl-3.0.html)).
- [Commercial licenses](https://open5gs.org/open5gs/support/) are also available from [NewPlane](https://newplane.io/) at [sales@newplane.io](mailto:sales@newplane.io).
When you contribute code for Open5GS, the same license applies.
## Support
Technical support and customized services for Open5GS are provided by [NewPlane](https://newplane.io/) at [support@newplane.io](mailto:support@newplane.io).
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.