Wireless Data Communication

Transcript Wireless Data Communication

PhD Course: UMTS and IP based mobile networks
Werner Mohr, Ljupco Jorguseski, and Hans-Peter Schwefel
• Day 1: Architecture and Core Network Aspects (HPS)
• Day 2: Radio Resource Management and Radio Planning (LJ)
• Day 3: Radio Propagation (WM)
• Day 4: W-CDMA & TD-CDMA (WM)
• Day 5: Cell Structure & Outlook Beyond 3G (WM)
Organized by Ramjee Prasad
PHD Course: UMTS, Lecture 1, Fall03
Hans Peter Schwefel
Content
1. Introduction
• Cellular Concepts, GSM, GPRS
2. UMTS architecture & Components
• Standardisation
• Architecture
3. IP transmission in UMTS
• PDP contexts, APNs, TFTs
• Bearer and Parameters
• Mobility Support
4. Security in UMTS
• Basic requirements and threats
• UMTS-AKA
• Network Protection
• Example: Overbilling attack
Intro: Cellular systems
• Geographic region subdivided in radio cells
• Base Station provides radio connectivity to Mobile Station within cell
• Handover to neighbouring base station when necessary
• Base Stations connected by some networking infrastructure
GSM: Global System for Mobile Communication
History:
• 2nd Generation of Mobile Telephony Networks
• 1982: Groupe Spécial Mobile (GSM) founded
• 1987: First Standards defined
• 1991: Global System for Mobile Communication, Standardisation by ETSI (European Telecommunications Standardisation Institute) - First European Standard
• 1995: Fully in Operation
GSM – Architecture
Components:
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• HLR/VLR: Home/Visitor Location Register
• AuC: Authentication Center
• EIR: Equipment Identity Register
• OMC: Operation and Maintenance Center
Transmission:
• Circuit switched transfer
• Radio link capacity: 9.6 kb/s (FDMA/TDMA)
• Duration based charging
[Figure: GSM architecture with Radio Subsystem (RSS), Base Station Subsystem, Network and Switching Subsystem and Operation Subsystem; elements MS, BTS, BSC, MSC, VLR, HLR, AuC, EIR, OMC; interfaces Um (Radio Link), Abis, A, O; connection to ISDN, PDN, PSTN]
GPRS: General Packet Radio Service
• Packet Switched Extension of GSM
• 1996: new standard developed by ETSI
• Components integrated in GSM architecture
• Improvements:
– Packet-switched transmission
– Higher transmission rates on radio link (multiple time-slots)
– Volume based charging → 'Always ON' mode possible
• Operation started in 2001 (Germany)
GPRS - Architecture
Components:
• CCU: Channel Coding Unit
• PCU: Packet Control Unit
• SGSN: Serving GPRS Support Node
• GGSN: Gateway GPRS Support Node
• GR: GPRS Register
Transmission:
• Packet Based Transmission
• Radio link:
– Radio transmission identical to GSM
– Different coding schemes (CS1-4)
– Use of Multiple Time Slots
• Volume Based Charging
[Figure: GPRS architecture, GPRS components added to the GSM components; elements MS, BSS (BTS with CCU, BSC with PCU), SGSN, GGSN, MSC, HLR, GR, PDN, Other PLMN; interfaces Um, Abis, A, Gb, Gn, Gp, Gs, Gr, Gi]
Universal Mobile Telecommunication System (UMTS)
• Currently standardized by 3rd Generation Partnership Project (3GPP), see http://www.3GPP.org [North America: 3GPP2]
• So far, three releases: R'99, R4, R5
Modifications:
• New methods & protocols on radio link → increased access bandwidth
• Coexistence of two domains in the core network
– Packet Switched (PS)
– Circuit Switched (CS)
• New Services
• IP Service Infrastructure: IP Based Multimedia Subsystems (IMS) (R5)
UMTS Standardisation: 3GPP
• Collaboration Agreement, Partners: ARIB, CCSA, ETSI, T1, TTA, and TTC
• Technical Work Done in WGs
• Deliverables
– Technical Reports/Technical Specifications
– Approval by Consensus or Vote
– Change Control When Sufficiently Stable
• Inter-WG Coordination
– In TSGs
– Information Exchange through Liaison Statements
UMTS Releases
• Release 99 (12/99): v3.0.0, v3.1.0, v3.2.0, v3.3.0, v3.4.0, etc.
• Release 4 (03/01): v4.0.0, v4.1.0, v4.2.0, etc.
• Release 5 (06/02): v5.0.0, v5.1.0, etc.
• Release 6 (12/03 or 03/04): v6.0.0, etc.
[Figure legend: Corrections, New Functions]
Time line of a Release – Example of Rel 99
[Figure: Number of Change Requests against 3GPP Rel 99 specifications over time, 1999 to 2002 (vertical axis 0 to 450); annotations: "Feature content frozen", "Release functionally frozen", "Rel. stable?". Source: Siemens ICM]
• Subsequent Releases became stable more quickly (UTRAN newly introduced in Rel 99)
UMTS Domains
[Figure: UMTS architecture by domain. User Equipment Domain: MS with SIM-ME, SIM, ME, USIM. Access Network Domain: BSS (RAN/GERAN) with BTS and BSC; UTRAN with Node B and RNC. Core Network Domain: CS Domain (MSC-Serv./VLR, GMSC-Serv., CS MGW), PS Domain (SGSN, GGSN), HSS/AuC. Also shown: IMS Domain (Release 5), Infrastructure Domain. Interfaces: Um, Uu, Cu, Abis, Iu bis, Iur, A, Gb, Iu Cs, Iu PS, Gn, Gs, Gr, Gc, C, D, Cx, Mc, Nb, Nc, G/E/Nc, Mb/Gi]
UMTS Network Domains
• Radio Access Network
– Node B (Base station)
– Radio Network Controller (RNC)
• Mobile Core Network
– Serving GPRS Support Node (SGSN)
– Gateway GPRS Support Node (GGSN)
– Mobile Switching Center (MSC)
– Home/Visited Location Register (HLR/VLR)
– Routers/Switches, DNS Server, DHCP Server, Radius Server, NTP Server, Firewalls/VPN Gateways
• Application/Services
• IP-Based Multimedia Subsystem (IMS)
– [see Lecture 2]
• Operation, Administration & Maintenance (OAM)
• Charging Network
• [Legal Interception]
[Figure: Service and Application Domain, User Equipment Domain, Access Network Domain, Core Network Domain, Other Networks (IP/ISDN), Charging/Lawful Interception/OAM]
UMTS Radio Access Network (UTRAN): architecture
• W-CDMA (Wideband Code Division Multiple Access) on Radio Link
• transmission rate theoretically up to 2Mbit/s (realistic up to 300kb/s)
Transport of IP packets
IP packets are tunnelled through the UMTS network (GTP – GPRS tunneling protocol)
[Figure: user plane protocol stacks of Terminal, UTRAN, SGSN, GGSN and Application Server across the interfaces Uu, Iu-PS, Gn and Gi. User IP (v4 or v6) is carried between the Application layers of Terminal and Application Server; Terminal and UTRAN use PDCP, RLC, MAC and L1 on the Radio Bearer; UTRAN and SGSN relay into GTP-U over UDP/IP (v4 or v6), over AAL5/ATM on Iu-PS and over L2/L1 on Gn towards the GGSN. Source: 3GPP]
IP Transport: Concepts
• PDP context (Packet Data Protocol) activation
– done by UE before data transmission
– specification of APN and traffic parameters
– GGSN delivers IP address to UE
– set-up of bearers and mobility contexts in SGSN and GGSN
– activation of multiple PDP contexts possible
• Access Point Names (APN)
– APNs identify external networks (logical Gi interfaces of GGSN)
– At PDP context activation, the SGSN performs a DNS query to find out the GGSN(s) serving the APN requested by the terminal.
– The DNS response contains a list of GGSN addresses from which the SGSN selects one address in a round-robin fashion (for this APN).
• Traffic Flow Templates (TFTs)
– set of packet filters (source address, subnet mask, destination port range, source port range, SPI, TOS (IPv4), Traffic Class (v6), Flow Label (v6))
– used by GGSN to assign IP packets from external networks to proper PDP context
• GPRS tunneling protocol (GTP)
– For every UE, one GTP-C tunnel is established for signalling and a number of GTP-U tunnels, one per PDP context (i.e. session), are established for user traffic.
IP Transport: PDP Context & APNs
[Figure: Terminal, SGSN and GGSN with three APNs. PDP Context X1 (APN X, IP address X, QoS1) and PDP Context X2 (APN X, IP address X, QoS2) use the same PDP (IP) address and APN and lead to ISP X; PDP Context Y (APN Y, IP address Y, QoS) leads to ISP Y; PDP Context Z (APN Z, IP address Z, QoS) leads to ISP Z. PDP Context selection based on TFT (downstream). Source: 3GPP]
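The downstream PDP context selection by TFT described on the two slides above, as an added example that is not part of the original slides. It covers the case of two contexts sharing one PDP address (X1 with a TFT, X2 without); the class, the function, the addresses and the assumption that filters are evaluated in increasing precedence order with a context without TFT as fallback are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PacketFilter:
    """One TFT packet filter, restricted to attributes listed on the slide."""
    precedence: int                          # assumption: lowest value is tried first
    src_net: str = "0.0.0.0/0"               # source address + subnet mask
    dst_ports: Tuple[int, int] = (0, 65535)  # destination port range
    src_ports: Tuple[int, int] = (0, 65535)  # source port range
    tos: Optional[int] = None                # TOS (IPv4), None = any

    def matches(self, pkt):
        src = ipaddress.ip_address(pkt["src"])
        return (src in ipaddress.ip_network(self.src_net)
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1]
                and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1]
                and self.tos in (None, pkt["tos"]))


def select_pdp_context(contexts, pkt):
    """contexts maps a context name to its TFT (list of filters) or None,
    for all PDP contexts of ONE PDP address. Returns the chosen name."""
    filters = [(f.precedence, name, f) for name, tft in contexts.items()
               if tft for f in tft]
    for _, name, f in sorted(filters, key=lambda entry: entry[0]):
        if f.matches(pkt):
            return name
    for name, tft in contexts.items():       # fallback: the context without TFT
        if tft is None:
            return name
    return None                               # no context fits: packet is dropped


# Constructed sample: X1 carries a media stream from 192.0.2.0/24, X2 the rest.
CONTEXTS = {
    "X1 (QoS1)": [PacketFilter(1, src_net="192.0.2.0/24", src_ports=(5004, 5005))],
    "X2 (QoS2)": None,
}
PACKETS = [
    {"src": "192.0.2.10", "sport": 5004, "dport": 40000, "tos": 0},
    {"src": "192.0.2.10", "sport": 80, "dport": 40001, "tos": 0},
    {"src": "198.51.100.7", "sport": 5004, "dport": 40002, "tos": 0},
]


def classify_samples():
    return [select_pdp_context(CONTEXTS, p) for p in PACKETS]
```

Every field the filters match on is set by the external sender, so the choice of context (and of the QoS and charging attached to it) follows header values the operator does not control.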
UMTS Data Transport: Bearer Hierarchy
[Figure: UMTS bearer service hierarchy across TE, MT, UTRAN/GERAN, CN Iu EDGE NODE, CN Gateway and TE/AS. End-to-End Service (IP Bearer Service) is built from TE/MT Local Bearer Service, UMTS Bearer Service and External Bearer Service; UMTS Bearer Service from Radio Access Bearer Service and CN Bearer Service; Radio Access Bearer Service from Radio Bearer Service and Iu Bearer Service; below these, Physical Radio Service, Physical Bearer Service and Backbone Bearer Service. Labels: Air Interface, RAN, 3G SGSN, 3G GGSN, User Equipment]
UMTS Bearer: Traffic Classes (Source TS23.107, V5.2.0)
UMTS Bearer: Selected Traffic/QoS Parameters
• Maximum Bitrate (kb/s)
• Guaranteed Bitrate (kb/s)
• Source statistics descriptor ('speech', 'unknown')
• Transfer delay (ms)
• SDU error ratio
• Maximum SDU size (bytes)
UMTS Bearer: Parameters (Source TS23.107, V5.2.0)
Selected Traffic/QoS Parameters
• Maximum Bitrate (kb/s)
– Token bucket: bucket size = MaxSDUsize; token rate = Maximum Bitrate
• Guaranteed Bitrate (kb/s)
– Token bucket: bucket size = k*MaxSDUsize; token rate = guaranteed bitrate
– k=1 in Rel. 99
– Note: for speech traffic, maximum bitrate = guaranteed bitrate (25.413)
• Source statistics descriptor ('speech', 'unknown')
– Could be used to compute effective bandwidths (multiplex gain)
• Transfer delay (ms)
– limit on the 95th percentile of the delay distribution of all delivered SDUs
• SDU error ratio
– fraction of lost or detected erroneous SDUs
• Maximum SDU size (bytes)
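The token bucket named for Maximum Bitrate and Guaranteed Bitrate above, as an added example that is not part of the original slides or of TS 23.107. Assumptions: the bucket starts full, a non-conformant SDU consumes no tokens, and the class name and sample arrivals are constructed.

```python
from dataclasses import dataclass


@dataclass
class BearerPolicer:
    """Conformance check for one bitrate parameter; tokens are counted in bytes."""
    bitrate_kbps: float   # Maximum Bitrate or Guaranteed Bitrate (kb/s)
    max_sdu_bytes: int    # Maximum SDU size (bytes)
    k: int = 1            # bucket size = k * MaxSDUsize (k=1 in Rel. 99)

    def __post_init__(self):
        self.bucket_size = self.k * self.max_sdu_bytes
        self.tokens = float(self.bucket_size)   # assumption: bucket starts full
        self.last_ms = 0

    def conforms(self, arrival_ms, sdu_bytes):
        # 1 kb/s is 1 bit per ms, so kb/s * ms / 8 gives the bytes earned.
        earned = self.bitrate_kbps * (arrival_ms - self.last_ms) / 8.0
        self.tokens = min(self.bucket_size, self.tokens + earned)
        self.last_ms = arrival_ms
        if sdu_bytes <= self.tokens:
            self.tokens -= sdu_bytes
            return True
        return False        # non-conformant: tokens stay in the bucket


def police(policer, arrivals):
    """Return the conformance verdict for each (arrival_ms, sdu_bytes) pair."""
    return [policer.conforms(t, size) for t, size in arrivals]


# Constructed arrivals: a full-size SDU, two small SDUs in quick succession,
# then a full-size SDU and a 1-byte SDU at the same instant.
ARRIVALS = [(0, 1500), (50, 500), (100, 500), (1000, 1500), (1000, 1)]


def demo():
    return {
        "k=1": police(BearerPolicer(64, 1500), ARRIVALS),
        "k=2": police(BearerPolicer(64, 1500, k=2), ARRIVALS),
    }
```

With k=1 the bucket holds exactly one maximum-size SDU, so any back-to-back burst is non-conformant; a larger k tolerates the same burst at the same long-term rate.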
UMTS Bearer: Range of Traffic/QoS Parameters
(Source TS23.107, V5.2.0)
The ’full picture’ of the UMTS packet switched domain
Roaming Support:
• UE attaches with SGSN in visited network
• PDP context is set up to GGSN in home network (via Gp interface, GRX network)
Message Flow: PDP Context Setup
…
…
UMTS Security: Main Requirements
• Availability: Network and services shall be available whenever needed.
• Authentication: The user and the network want to be sure that the other party is indeed the one claimed.
• Confidentiality: Only sender and receiver shall be able to read the transferred data.
• Integrity: The user wants to be sure that the data haven't been changed on the way from the sender to the receiver.
• Non-repudiation: A user can't deny having used a certain service.
• Network Protection: The network shall be protected against intrusion, DoS attacks, etc.
• Legal requirements: Country specific legal security requirements shall be met.
Threats: Examples
• Eavesdropping user traffic or signalling traffic
• Modifying messages on their path from sender to receiver
• Using somebody else's identity
• Manipulate charging
– Use services without payment or with payment from third person's account
– 'overcharge' third person's account (without use of services)
• Block certain functionality (Denial of Service Attacks)
Possible Origin/Point of Attack
– Via external Interfaces: Gi interface, Gp interface
– While passing through untrusted intermediate networks (e.g. backbone connecting site networks)
– Air interface
– Mobile subscriber
– OAM Network
UMTS Network Architecture
[Figure: UMTS network architecture. User equipment domain: MS with SIM-ME, SIM, ME, USIM. Access network domain: BSS (RAN/GERAN) with BTS and BSC; RNS (UTRAN) with Node B and RNC. Core network domain: CS Domain (MSC server, VLR, G-MSC server, CS-MGW), PS Domain (SGSN, GGSN), HSS. Also shown: IMS Domain (Release 5). Interfaces: Uu, Cu, Abis, Iub, Iur, A, Gb, IuCS, IuPS, Gn, Gs, Gr, Gc, C, D, Cx, Mc, Nb, Nc, G/E/Nc, Mb/Gi]
UMTS Security Domains
User Domain Security
– Secure access to terminal
Network Access Security
– Mutual authentication of user and network
– Confidentiality and integrity on the radio access link
Network Domain Security
– Secure exchange of signaling traffic between network elements
– Protection against attacks on the wireline network
Application Security
– Secure exchange of messages between applications in the user and provider domain
Overview of UMTS Security Mechanisms (R5)
• Mutual Authentication (UE--SGSN): UMTS AKA
• Encryption on air interface (data and signalling, UE--RNC)
• Integrity protection of signalling data on the air-interface
• Network protection (secure topologies, firewalls, etc.) up to operator
• Integrity protection and encryption of signalling traffic on external interfaces (Gp, Gi) via IPsec tunnels (ESP)
Air interface: Integrity Protection
[Figure: SENDER (UE or RNC) feeds COUNT-I, MESSAGE, DIRECTION and FRESH together with the Integrity Key IK into the Integrity Function f9 to obtain MAC-I, and sends MESSAGE and MAC-I over the Air Interface. RECEIVER (UE or RNC) feeds COUNT-I, MESSAGE, DIRECTION and FRESH together with the Integrity Key IK into f9 to obtain XMAC-I and checks: MAC-I = XMAC-I ?]
Air interface: Encryption
[Figure: SENDER (UE or RNC) feeds COUNT-C, BEARER, DIRECTION and LENGTH together with the Cipher Key CK into the Ciphering function f8 to obtain a KEYSTREAM BLOCK, which is combined (XOR) with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK sent over the Air Interface. RECEIVER (UE or RNC) generates the same KEYSTREAM BLOCK from the same inputs and combines it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK]
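The integrity check and the keystream ciphering of the two air-interface slides above, as an added example that is not part of the original slides. The 3GPP f8 and f9 algorithms are replaced by HMAC-SHA256 stand-ins, and the keys, counter values, messages and the simplified COUNT-I bookkeeping in `Receiver` are constructed assumptions.

```python
import hashlib
import hmac
import struct


def f9_standin(ik, count_i, message, direction, fresh):
    """MAC-I over the slide's inputs (HMAC stand-in, not the 3GPP f9)."""
    header = struct.pack(">IIB", count_i, fresh, direction)
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]


def f8_standin(ck, count_c, bearer, direction, length):
    """KEYSTREAM BLOCK of `length` bytes (HMAC stand-in, not the 3GPP f8)."""
    stream, block = b"", 0
    while len(stream) < length:
        header = struct.pack(">IBBI", count_c, bearer, direction, block)
        stream += hmac.new(ck, header, hashlib.sha256).digest()
        block += 1
    return stream[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Receiver:
    """Receiving side (UE or RNC) of the integrity check."""
    def __init__(self, ik, fresh):
        self.ik, self.fresh, self.highest_count = ik, fresh, -1

    def accept(self, count_i, direction, message, mac_i):
        xmac_i = f9_standin(self.ik, count_i, message, direction, self.fresh)
        if not hmac.compare_digest(mac_i, xmac_i):
            return "reject: MAC-I != XMAC-I"
        if count_i <= self.highest_count:       # simplified counter bookkeeping
            return "reject: COUNT-I replayed"
        self.highest_count = count_i
        return "accept"


def demo():
    ik, ck = b"I" * 16, b"C" * 16               # constructed keys
    msg, fresh = b"SECURITY MODE COMPLETE", 0x1234
    mac = f9_standin(ik, 7, msg, 0, fresh)
    rx = Receiver(ik, fresh)
    results = {
        "genuine": rx.accept(7, 0, msg, mac),
        "replayed": rx.accept(7, 0, msg, mac),
        "modified": rx.accept(8, 0, msg + b"!", mac),
        # same message and MAC-I presented to a connection with another FRESH
        "old_session": Receiver(ik, 0x9999).accept(7, 0, msg, mac),
    }
    # Ciphering alone: one flipped ciphertext bit flips the same plaintext bit,
    # and decryption gives no indication of it.
    plain = b"amount=100"
    keystream = f8_standin(ck, 3, 1, 0, len(plain))
    cipher = bytearray(xor(plain, keystream))
    cipher[7] ^= ord("1") ^ ord("9")
    results["decrypted_after_bit_flip"] = xor(bytes(cipher), keystream)
    return results
```

COUNT-I and FRESH are what turn a valid MAC-I into a one-time value, and the last case shows why a keystream cipher needs the separate integrity function.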
UMTS Authentication and Key Agreement (AKA)
[Figure: message flow between MS, VLR/SGSN and HLR/AuC:
VLR/SGSN -> HLR/AuC: Authentication Data Request
HLR/AuC -> VLR/SGSN: Authentication Data Response (AV 1..n); VLR/SGSN: store AVs
VLR/SGSN -> MS: User Authentication Request (RAND, AUTN); MS: verify AUTN, compute RES
MS -> VLR/SGSN: User Authentication Response (RES); VLR/SGSN: RES = XRES?
MS: compute CK, IK; VLR/SGSN: select CK, IK]
• Based on long-term pre-shared key K on USIM and in HLR/AuC
• Authentication vector: Quintuplet (random number RAND, expected response XRES=f2(K,RAND), cipher key CK, integrity key IK, authentication token AUTN) generated in HLR/AuC using a sequence number SQN, RAND, and K
• VLR/SGSN downloads authentication vectors from HLR/AuC during Attach
UMTS AKA: Message flow during Attach
[Figure: message sequence between UE, Node B, RNC, SGSN/VLR and HLR/AuC, spread over two pages; the numbered steps are listed below]
RRC Connection Setup
1. RRC Connection Request
2. RRC Connection Setup
3. RRC Connection Setup Complete
Start of GPRS Attach Procedure
4. NAS: Attach Request
5. NAS: User Identity Request
6. NAS: User Identity Response
Distribution of Authentication Vectors
7. MAP: Authentication Data Request
8. MAP: Authentication Data Response
9. Storage of Authentication Vectors
Authentication and Key Establishment
10. Selection of the oldest AV
11. NAS: User Authentication Request
12. Verification of Authentication Token
13. Compute RES
14. Store KSI
15. NAS: User Authentication Response
16. RES = XRES?
17. Compute Cipher and Integrity Key
18. Select Cipher and Integrity Key
Security Mode Setup Procedure
19. Decide allowed Integrity & Encryption Algorithms
20. RANAP: Security Mode Command
21. Reset START value to zero
22. Select UIA and UEA
23. Generate FRESH value
24. Start Integrity Protection
25. RRC: Security Mode Command
26. Check UE Security Capabilities
27. Verify Message Integrity
28. Start Integrity Protection
29. RRC: Security Mode Complete
30. Verify Integrity of the Message
31. RANAP: Security Mode Complete
32. Start Ciphering
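The AKA exchange of the two slides above (quintuplet generation in the HLR/AuC, AUTN verification and RES computation on the USIM, RES = XRES? in the VLR/SGSN), as an added example that is not part of the original slides. Assumptions: f1 to f5 are HMAC-SHA256 stand-ins rather than an operator algorithm set, AUTN is laid out as (SQN xor AK) || AMF || MAC as in TS 33.102, the SQN check is reduced to "must increase", and keys, RAND and AMF values are constructed.

```python
import hashlib
import hmac
import os


def f(n, k, data, size):
    """Stand-in for f1..f5 (HMAC-SHA256); n selects the function."""
    return hmac.new(k, bytes([n]) + data, hashlib.sha256).digest()[:size]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


AMF = b"\x80\x00"    # constructed value


def auc_generate_av(k, sqn, rand=None):
    """HLR/AuC: build one quintuplet (RAND, XRES, CK, IK, AUTN)."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(1, k, sqn_b + rand + AMF, 8)
    ak = f(5, k, rand, 6)                      # anonymity key hides SQN
    return {"RAND": rand, "XRES": f(2, k, rand, 8), "CK": f(3, k, rand, 16),
            "IK": f(4, k, rand, 16), "AUTN": xor(sqn_b, ak) + AMF + mac}


class USIM:
    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand, autn):
        """Verify AUTN (network authentication), then compute RES, CK, IK."""
        ak = f(5, self.k, rand, 6)
        sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f(1, self.k, sqn_b + rand + amf, 8)):
            return ("reject", "MAC failure")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                 # simplified freshness check
            return ("reject", "synch failure")
        self.sqn_ms = sqn
        return ("ok", f(2, self.k, rand, 8),
                f(3, self.k, rand, 16), f(4, self.k, rand, 16))


def vlr_check(av, res):
    """VLR/SGSN: RES = XRES? (user authentication)."""
    return hmac.compare_digest(av["XRES"], res)


def demo():
    k = bytes(range(16))                       # constructed long-term key K
    usim = USIM(k)
    av = auc_generate_av(k, sqn=1, rand=b"\x11" * 16)
    first = usim.authenticate(av["RAND"], av["AUTN"])
    replay = usim.authenticate(av["RAND"], av["AUTN"])
    # a vector built without knowledge of K, e.g. by a network that is not the home AuC
    other = auc_generate_av(b"\x00" * 16, sqn=2, rand=b"\x22" * 16)
    unknown_net = usim.authenticate(other["RAND"], other["AUTN"])
    return {"network_ok": first[0] == "ok",
            "user_ok": vlr_check(av, first[1]),
            "keys_agree": (first[2], first[3]) == (av["CK"], av["IK"]),
            "replay": replay, "unknown_net": unknown_net}
```

The USIM releases RES, CK and IK only after AUTN has passed both checks, which is what makes the authentication mutual.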
Network Protection
Layered security architecture
• At domain boundaries
– State-less packet filters (first barrier)
– Demilitarized Zone (DMZ) and main firewall
– Logging and intrusion detection
• Network internal packet filters and monitoring devices
• Host-based security mechanisms, e.g.
– Access Control Lists (ACLs)
– Application specific configurations (e.g. disabling DNS aliases)
Network Protection II
• Firewall types
– State-less packet filters based on Layer 3 and 4 header fields (IP addresses, port numbers, etc.)
– State-full packet filters: e.g. allow TCP connections initiated from inside the network
– Application layer filtering: check payload of specific applications
– Application proxies: split end-2-end connection
• Demilitarized Zones
– Application Proxies
– External DNS servers
– VPN Gateways
[Figure: External Domain, Router + Packet Filter, DMZ, Main FW, Internal Domain]
Example Topology
Shown: DMZ, Main Firewall, internal packet filters, split-DNS, application proxies
Source: Siemens CT IC 3
Example: Overbilling Attack (1)
[Figure: Victim UE and Malicious UE (IP-Addr: 10.1.1.1) connected via SGSN, GGSN and FW to the Internet with the Malicious Server (IP-Addr: 139.1.2.3). Shown: Activate/Create PDP Context]
1. Malicious UE attaches to GPRS network and is assigned an IP-address
2. Malicious UE opens TCP session to cooperating malicious server
3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages
4. Eventually, some victim UE attaches and receives same IP-address
5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE
Source: Siemens CT IC 3
Overbilling Attack (2)
[Figure: same topology and steps. Shown: Create TCP Connection to malicious server; firewall is opened for TCP between 10.1.1.1 and 139.1.2.3]
Overbilling Attack (3)
[Figure: same topology and steps. Shown: Deactivate/Delete PDP Context; firewall open for TCP between 10.1.1.1 and 139.1.2.3; TCP/FIN]
Overbilling Attack (4)
[Figure: same topology and steps. Shown: Activate/Create PDP Context; Victim UE (IP-Addr: 10.1.1.1); firewall open for TCP between 10.1.1.1 and 139.1.2.3; TCP/FIN]
Overbilling Attack (5)
[Figure: same topology and steps. Shown: Victim UE (IP-Addr: 10.1.1.1); firewall open for TCP between 10.1.1.1 and 139.1.2.3; TCP/FIN]
Countermeasures: Overbilling attack
→ Exercise
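One countermeasure to the stale firewall state in steps 3 to 5, modelled as an added example; it is not part of the original slides and not the solution given in the lecture. It assumes the firewall can be told when a PDP context is deleted so that it drops all state for the released address; the classes, the address pool and the packet sizes are constructed, and the two addresses are the ones used on the slides.

```python
class Firewall:
    """Stateful filter on Gi: downlink passes only for flows opened from inside."""
    def __init__(self):
        self.states = set()                      # (ue_ip, server_ip)

    def uplink(self, ue_ip, server_ip):
        self.states.add((ue_ip, server_ip))

    def downlink_allowed(self, server_ip, ue_ip):
        # Idle timeouts are not modelled: in step 3 the state is kept refreshed.
        return (ue_ip, server_ip) in self.states

    def flush(self, ue_ip):
        self.states = {s for s in self.states if s[0] != ue_ip}


class GGSN:
    def __init__(self, firewall, pool, flush_on_delete):
        self.fw, self.pool = firewall, list(pool)
        self.flush_on_delete = flush_on_delete
        self.contexts = {}                       # ue_ip -> subscriber
        self.billed = {}                         # subscriber -> bytes (volume charging)

    def create_pdp_context(self, subscriber):
        ip = self.pool.pop(0)
        self.contexts[ip] = subscriber
        return ip

    def delete_pdp_context(self, ip):
        del self.contexts[ip]
        self.pool.insert(0, ip)                  # address goes back to the pool
        if self.flush_on_delete:
            self.fw.flush(ip)                    # countermeasure: drop stale state

    def downlink(self, server_ip, ue_ip, size):
        if not self.fw.downlink_allowed(server_ip, ue_ip):
            return False                         # stopped at the firewall
        subscriber = self.contexts.get(ue_ip)
        if subscriber is None:
            return False                         # no PDP context, nobody charged
        self.billed[subscriber] = self.billed.get(subscriber, 0) + size
        return True


def unsolicited_bytes_billed(flush_on_delete):
    """Replay steps 1 to 5 of the slides; return the volume charged to the victim."""
    fw = Firewall()
    ggsn = GGSN(fw, pool=["10.1.1.1"], flush_on_delete=flush_on_delete)
    server = "139.1.2.3"
    ip = ggsn.create_pdp_context("malicious UE")       # step 1
    fw.uplink(ip, server)                              # step 2
    ggsn.delete_pdp_context(ip)                        # step 3
    victim_ip = ggsn.create_pdp_context("victim UE")   # step 4
    for _ in range(10):                                # step 5
        ggsn.downlink(server, victim_ip, 40)
    return ggsn.billed.get("victim UE", 0)
```

Without the flush the victim is charged for 400 bytes it never requested; with it the charge is 0, while flows the victim opens itself still pass.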
Summary
1. Introduction
• Cellular Concepts, GSM, GPRS
2. UMTS architecture & Components
• Standardisation
• Architecture
3. IP transmission in UMTS
• PDP contexts, APNs, TFTs
• Bearer and Parameters
• Mobility Support
4. Security in UMTS
• Basic requirements and threats
• UMTS-AKA
• Network Protection
• Example: Overbilling attack