NAS: refactor Identity Request handler and enforce spec-compliant security checks #217
CI Build: #413 | Failed on the following stages: |
rorsc
left a comment
The code looks ok, but I don't know how to test this. There is no Identity Request when running OAI UE in RFsim, because the UE directly sends its IMSI. How to test?
First attach won’t hit this change: the UE sends SUCI in the Registration Request, so the AMF skips Identity Request. I can adapt nr-ue-nas-simulator-test to fill an unknown GUTI in the initial UE message, so the AMF sends Identity Request (SUCI) 4.2.2.2.2 TS 23.502 step 6:
I believe this is a good way to test the PR because the simulator runs the actual TASK_NAS_NRUE path against OAI CN5G. Would that be ok?
That would be perfect! If you have an idea how to make this scriptable, please let us know.
I can add a command line flag to the simulator, @rakeshmundlamuri would that work for you?
Yes please go ahead. That's good for me.
Done. To test, compile the simulator and run:
…urity checks

Align UE Identity Request handling with TS 24.501 by checking the NAS security header and rejecting unprotected non-SUCI requests. Also, refactor Identity Response identity selection based on the requested identity types, add to a helper and handle unavailable identities in the UE context.

Closes duranta-project#82

Signed-off-by: Guido Casati <guido.casati@openairinterface.org>
CI Build: #600 | Failed on the following stages: |
CI Build: #601 | Failed on the following stages: |
CI Build: #602 | Failed on the following stages: |
Add an optional Identity Request test to the NAS/NGAP simulator. With --identity-guti, the Initial UE Message carries a random 5G-GUTI plus matching NGAP 5G-S-TMSI and GUAMI so the AMF requests SUCI per TS 23.502 registration step 6. The simulator then continues the usual attach, PDU session, and deregistration flow.

Changes:
- nr-ue-nas-simulator: seed_unknown_guti(), identity_request BOOLPARAM, NGAP ue_identity fill in send_initial_ue_message()
- Update README

Signed-off-by: Guido Casati <guido.casati@openairinterface.org>
Signed-off-by: Guido Casati <guido.casati@openairinterface.org>
rorsc
left a comment
Ok for me. @rakeshmundlamuri can you please test the simulator for both cases (with/without the --identity-guti option)? If ok, we could merge.
I tested with and without
CI Build: #614 | Failed on the following stages: |
…_2026_w27 NAS: refactor Identity Request handler and enforce spec-compliant security checks (#217)

Align UE Identity Request handling with TS 24.501 by checking the NAS security header and rejecting unprotected non-SUCI requests. Also, refactor Identity Response identity selection based on the requested identity types, add to a helper and handle unavailable identities in the UE context.

Closes: #82
Reviewed-by: Robert Schmidt <robert.schmidt@openairinterface.org>
Reviewed-By: Rakesh Mundlamuri <rakesh.mundlamuri@openairinterface.org
0dab3bb
Align UE Identity Request handling with TS 24.501 by checking the NAS security header and rejecting unprotected non-SUCI requests.
Also, refactor Identity Response identity selection based on the requested identity types, add to a helper and handle unavailable identities in the UE context.
Closes: #82
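The acceptance rule named in the description above (answer an unprotected Identity Request only when it asks for SUCI), as an added example that is not the code from this PR. The function, enum and sample PDUs are hypothetical; MAC verification and deciphering are assumed to be done by the caller, and rejecting a protected request whose MAC failed is this example's own assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EPD_5GMM 0x7e         /* extended protocol discriminator: 5GS mobility management */
#define MSG_IDENTITY_REQ 0x5b /* 5GMM message type: Identity Request */
#define ID_TYPE_SUCI 0x01     /* 5GS identity type: SUCI */
#define SEC_HDR_LEN 7         /* EPD + security header type + MAC (4) + sequence number */

typedef enum { ID_REQ_ACCEPT, ID_REQ_REJECT, ID_REQ_MALFORMED } id_req_verdict_t;

/* Constructed sample PDUs (MAC and sequence number bytes are dummies). */
static const uint8_t plain_suci[] = {0x7e, 0x00, 0x5b, 0x01};
static const uint8_t plain_imei[] = {0x7e, 0x00, 0x5b, 0x03};
static const uint8_t prot_imei[] = {0x7e, 0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0x05, 0x7e, 0x00, 0x5b, 0x03};

/* Hypothetical helper. mac_ok is the caller's integrity verification result
 * for a protected PDU; deciphering is assumed to have been done already. */
id_req_verdict_t check_identity_request(const uint8_t *pdu, size_t len, bool mac_ok, uint8_t *id_type)
{
  if (pdu == NULL || id_type == NULL || len < 4 || pdu[0] != EPD_5GMM)
    return ID_REQ_MALFORMED;
  bool is_protected = (pdu[1] & 0x0f) != 0; /* security header type 0 = plain NAS */
  const uint8_t *inner = pdu;
  if (is_protected) {
    if (len < SEC_HDR_LEN + 4)
      return ID_REQ_MALFORMED;
    inner = pdu + SEC_HDR_LEN; /* skip the security header to reach the inner message */
  }
  if (inner[0] != EPD_5GMM || (inner[1] & 0x0f) != 0 || inner[2] != MSG_IDENTITY_REQ)
    return ID_REQ_MALFORMED;
  *id_type = inner[3] & 0x07; /* low three bits carry the requested identity type */
  if (is_protected)
    return mac_ok ? ID_REQ_ACCEPT : ID_REQ_REJECT; /* failed MAC: rejected here by assumption */
  /* Unprotected: only a request for SUCI may be answered. */
  return *id_type == ID_TYPE_SUCI ? ID_REQ_ACCEPT : ID_REQ_REJECT;
}

int main(void)
{
  uint8_t t;
  bool ok = check_identity_request(plain_suci, sizeof plain_suci, false, &t) == ID_REQ_ACCEPT
            && check_identity_request(plain_imei, sizeof plain_imei, false, &t) == ID_REQ_REJECT
            && check_identity_request(prot_imei, sizeof prot_imei, true, &t) == ID_REQ_ACCEPT;
  return ok ? 0 : 1;
}
```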