NAS: refactor Identity Request handler and enforce spec-compliant security checks#217

Merged on Jul 4, 2026: 3 commits merged into duranta-project:develop from GuidoCasati:issue-963

@GuidoCasati (Collaborator) commented Jun 22, 2026

Align UE Identity Request handling with TS 24.501 by checking the NAS security header and rejecting unprotected non-SUCI requests.

Also, refactor Identity Response identity selection based on the requested identity types, add to a helper and handle unavailable identities in the UE context.

Closes: #82

@GuidoCasati GuidoCasati added this to the REVIEW_CAN_START milestone Jun 22, 2026
@GuidoCasati GuidoCasati self-assigned this Jun 22, 2026
@GuidoCasati GuidoCasati added the 5G-NR Perform 5G Tests label Jun 22, 2026
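
The rule stated in the PR description (reject an Identity Request that arrives without NAS integrity protection unless it asks for SUCI), sketched as an added example that is not code from this PR or from the project. The function, enum names and sample PDUs are hypothetical, and rejecting a protected PDU whose MAC fails, whatever it requests, is this example's assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example: every name here is hypothetical, none is taken from the PR. */
enum { EPD_5GMM = 0x7e, MT_IDENTITY_REQUEST = 0x5b, ID_TYPE_SUCI = 1 };
enum { SHT_PLAIN = 0, SHT_INTEGRITY = 1, SHT_INTEGRITY_CIPHERED = 2 };
#define SEC_HDR_LEN 7 /* EPD, security header type, 4-byte MAC, sequence number */
typedef enum { IDREQ_ACCEPT, IDREQ_REJECT, IDREQ_MALFORMED, IDREQ_OTHER_MESSAGE } idreq_verdict_t;

/* buf: downlink NAS PDU, deciphered by the caller if it was ciphered.
 * mac_ok: the caller's NAS-MAC verification result (unused for plain PDUs). */
idreq_verdict_t check_identity_request(const uint8_t *buf, size_t len, bool mac_ok)
{
  if (buf == NULL || len < 4 || buf[0] != EPD_5GMM)
    return IDREQ_MALFORMED;
  uint8_t sht = buf[1] & 0x0f;
  bool is_protected = (sht == SHT_INTEGRITY || sht == SHT_INTEGRITY_CIPHERED);
  if (!is_protected && sht != SHT_PLAIN)
    return IDREQ_MALFORMED; /* assumption: other header types never carry this message */
  if (is_protected) {
    if (len < SEC_HDR_LEN + 4)
      return IDREQ_MALFORMED;
    if (!mac_ok)
      return IDREQ_REJECT; /* example's choice: failed protection is never trusted */
    buf += SEC_HDR_LEN; /* skip to the inner plain message */
  }
  /* What remains must be a plain 5GMM message. */
  if (buf[0] != EPD_5GMM || (buf[1] & 0x0f) != SHT_PLAIN)
    return IDREQ_MALFORMED;
  if (buf[2] != MT_IDENTITY_REQUEST)
    return IDREQ_OTHER_MESSAGE;
  if ((buf[3] & 0x07) == ID_TYPE_SUCI)
    return IDREQ_ACCEPT; /* SUCI may be requested before security is set up */
  return is_protected ? IDREQ_ACCEPT : IDREQ_REJECT; /* any other identity needs verified integrity */
}

/* Constructed PDUs (MAC and sequence number bytes are dummies). */
static const uint8_t plain_suci[] = {0x7e, 0x00, 0x5b, 0x01};
static const uint8_t plain_imei[] = {0x7e, 0x00, 0x5b, 0x03};
static const uint8_t prot_imeisv[] = {0x7e, 0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0x01, 0x7e, 0x00, 0x5b, 0x05};

int main(void)
{
  printf("plain SUCI=%d plain IMEI=%d protected IMEISV=%d\n",
         (int)check_identity_request(plain_suci, sizeof plain_suci, false),
         (int)check_identity_request(plain_imei, sizeof plain_imei, false),
         (int)check_identity_request(prot_imeisv, sizeof prot_imeisv, true));
}
```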

@rorsc rorsc self-requested a review June 25, 2026 10:23

@rorsc (Member) left a comment:

the code looks ok, but I don't know how to test this. There is no Identity Request when running OAI UE in RFsim, because the UE directly sends its IMSI. how to test?

@GuidoCasati (Collaborator, Author) commented:

> the code looks ok, but I don't know how to test this. There is no Identity Request when running OAI UE in RFsim, because the UE directly sends its IMSI. how to test?

First attach won’t hit this change: the UE sends SUCI in the Registration Request, so the AMF skips Identity Request. I can adapt nr-ue-nas-simulator-test to fill an unknown GUTI in the initial UE message, so the AMF sends Identity Request (SUCI) 4.2.2.2.2 TS 23.502 step 6:

> If the SUCI is not provided by the UE nor retrieved from the old AMF the Identity Request procedure is initiated by AMF sending an Identity Request message to the UE requesting the SUCI.

I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G.

Would that be ok?

@rorsc (Member) commented Jun 30, 2026:

> I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G.
>
> Would that be ok?

that would be perfect! if you have an idea how to make this scriptable, please let us know.

@rakeshmundlamuri FYI

@GuidoCasati (Collaborator, Author) commented:

> > I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G.
> > Would that be ok?
>
> that would be perfect! if you have an idea how to make this scriptable, please let us know.
>
> @rakeshmundlamuri FYI

I can add a command line flag to the simulator, @rakeshmundlamuri would that work for you ?

@rakeshmundlamuri (Collaborator) commented:

> > > I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G.
> > > Would that be ok?
> >
> > that would be perfect! if you have an idea how to make this scriptable, please let us know.
> > @rakeshmundlamuri FYI
>
> I can add a command line flag to the simulator, @rakeshmundlamuri would that work for you ?

Yes please go ahead. That's good for me.

@GuidoCasati (Collaborator, Author) commented:

> > the code looks ok, but I don't know how to test this. There is no Identity Request when running OAI UE in RFsim, because the UE directly sends its IMSI. how to test?
>
> First attach won’t hit this change: the UE sends SUCI in the Registration Request, so the AMF skips Identity Request. I can adapt nr-ue-nas-simulator-test to fill an unknown GUTI in the initial UE message, so the AMF sends Identity Request (SUCI) 4.2.2.2.2 TS 23.502 step 6:
>
> > If the SUCI is not provided by the UE nor retrieved from the old AMF the Identity Request procedure is initiated by AMF sending an Identity Request message to the UE requesting the SUCI.
>
> I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G.
>
> Would that be ok?

Done. To test, compile the simulator and run:

```
./tests/nr-ue-nas-simulator/nr-ue-nas-simulator-test -O ../tests/nr-ue-nas-simulator/test.conf --identity-request
```

…urity checks

Align UE Identity Request handling with TS 24.501 by checking the NAS
security header and rejecting unprotected non-SUCI requests.

Also, refactor Identity Response identity selection based on the
requested identity types, add to a helper and handle unavailable
identities in the UE context.

Closes duranta-project#82

Signed-off-by: Guido Casati <guido.casati@openairinterface.org>
Comment thread tests/nr-ue-nas-simulator/README.md Outdated
Comment thread tests/nr-ue-nas-simulator/README.md Outdated
@rorsc rorsc requested a review from rakeshmundlamuri July 2, 2026 08:16
Add an optional Identity Request test to the NAS/NGAP simulator.
With --identity-guti, the Initial UE Message carries a random 5G-GUTI
plus matching NGAP 5G-S-TMSI and GUAMI so the AMF requests SUCI per TS 23.502
registration step 6. The simulator then continues the usual attach, PDU
session, and deregistration flow.

Changes:
- nr-ue-nas-simulator: seed_unknown_guti(), identity_request BOOLPARAM,
  NGAP ue_identity fill in send_initial_ue_message()
- Update README

Signed-off-by: Guido Casati <guido.casati@openairinterface.org>
Signed-off-by: Guido Casati <guido.casati@openairinterface.org>

@rorsc (Member) left a comment:

Ok for me. @rakeshmundlamuri can you please test the simulator for both cases (with/without the --identity-guti option)? if ok, we could merge.

@rorsc rorsc mentioned this pull request Jul 2, 2026
@rakeshmundlamuri (Collaborator) commented:

> Ok for me. @rakeshmundlamuri can you please test the simulator for both cases (with/without the --identity-guti option)? if ok, we could merge.

I tested with and without --identity-guti option, looks good to me. I see the logs of identity request in the simulator and identity response in the amf. I also see the identity request/response messages in the wireshark.

rorsc added a commit that referenced this pull request Jul 2, 2026
…_2026_w27

NAS: refactor Identity Request handler and enforce spec-compliant security checks (#217)

Align UE Identity Request handling with TS 24.501 by checking the NAS
security header and rejecting unprotected non-SUCI requests.

Also, refactor Identity Response identity selection based on the
requested identity types, add to a helper and handle unavailable
identities in the UE context.

Closes: #82
Reviewed-by: Robert Schmidt <robert.schmidt@openairinterface.org>
Reviewed-By: Rakesh Mundlamuri <rakesh.mundlamuri@openairinterface.org
@rorsc rorsc closed this pull request by merging all changes into duranta-project:develop in 0dab3bb Jul 4, 2026
Development

Successfully merging this pull request may close these issues.

NAS 5G MM: Reject Identity Request without Authentication [Migrated Issue #963]
