Page 1 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 PhD Course: UMTS and IP based mobile networks Werner Mohr, Ljupco Jorguseski, and Hans-Peter.

Slides:



Advertisements
Similar presentations
MIGRATION OF GSM TO GPRS
Advertisements

Mobile Switching Systems Unit, L M Ericsson in Finland
1 LTE / HSPA / EPC knowledge nuggets Red Banana Wireless Ltd – Copyright 2013 Connecting to the IMS Connecting to.
Rev A Antti Miettinen H.248 Gateway Control Protocol Signaling Traffic Related Protocol Analysis Antti Miettinen S Thesis Seminar on.
© Sunrise GSM Data evolution EDGE GSM HSCSD services upto 38.4 kbit/s (later up to 64 kbit/s) PDS services low bit rates GSM GPRS services upto.
1 General Packet Radio Service (GPRS) Adapted from a presentation by Miao Lu Nancy Samaan SITE, Ottawa.
Signaling Measurements on the Packet Domain of 3G-UMTS Core Network G. Stephanopoulos (National Technical University of Athens, Greece) G. Tselikis (4Plus.
General Packet Radio Services(GPRS). GPRS GSM GPRS GSM-Drawbacks Circuit switching is used. Complete traffic channel is allocated to user for complete.
All rights reserved © 2001, Alcatel, Paris. ITG-Fachgruppe „IP und Mobility“ Kamp-Lintfort, 20 June 2001 Multistandard Radio Access Network for Wireless.
UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM(UMTS). EVOLUATION OF MOBILE COMMUNICATION 1 st Generation : Analog Cellular 2 nd Generation : Multiple Digital.
Telefónica Móviles España GPRS (General Packet Radio Service)
Mobile Communication MMS / GPRS. What is GPRS ? General Packet Radio Service (GPRS) is a new bearer service for GSM that greatly improves and simplifies.
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
SIP and the application of SIP as used in 3GPP Keith Drage - Lucent Technologies.
Telefónica Móviles España UMTS (Universal Mobile Telecommunications System)
One-Pass GPRS and IMS Authentication Procedure for UMTS
SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate
Mobile Communication Division
Wireless Communication Protocols and Technologies
General Packet Radio System (GPRS) Overview. Introduction General Packet Radio Service (GRPS) today “Packet overlay” network on top of the existing GSM.
Supporting Packet-Data QoS in Next-Generation Cellular Networks R. Koodli and Mikko Puuskari Nokia Research Center IEEE Communication Magazine Feb, 2001.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
CSci5221: 3G/4G Cellular Network Architecture Overview 1 Cellular Voice/Data Architectures: A Primer Basics of Cellular Networks Survey of 2G/3G Cellular.
MOBILE PHONE ARCHITECTURE & TECHNOLOGY. HISTORY  The idea of the first cellular network was brainstormed in 1947  Disadvantages  All the analogue system.
 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.
General Packet Radio Service (GPRS) A new Dimension to Wireless Communication.
Mobile network evolution Introduction of IP in 3G WCDMA RAN
GSM: The European Standard for Mobile Telephony Presented by Rattan Muradia Requirement for course CSI 5171 Presented by Rattan Muradia Requirement for.
Security in GSM/GPRS and UMTS
Understanding 3GPP Bearers LTE / HSPA / EPC ‘knowledge nuggets’ Neil Wiffen - More free downloads at Public.
Lectured By: Vivek Dimri Assistant Professor, CSE Dept. SET, Sharda University, Gr. Noida.
[Public]—For everyone ©2003–2008 Check Point Software Technologies Ltd. All rights reserved. GPRS/UMTS Security Requirements Guto Motta
Wireless Networks Chris Lord (cil103) An Overview of General Packet Radio Service (GPRS) Based on information from
GSM,GPRS & CDMA Technology
Chapter 6 Wireless and Mobile Networks Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on.
Network: Location Management Y. Richard Yang 3/21/2011.
Ronald D. (Ron) Ryan Chair T1P1.SAH Slide 1 Copyright Nortel Networks T1P1/ Overview 3G UMTS LI Capabilities T1P1.SAH April 2001.
T Multimedia Seminar Carlos Herrero55828H Osmo Tolvanen46958L.
Chapter 4 Application Level Security in Cellular Networks.
Rev A Mikko Suominen Enhancing System Capacity and Robustness by Optimizing Software Architecture in a Real-time Multiprocessor Environment.
UMTS and IPv6.
UMTS: Universal Mobile Telecommunications System
1 © NOKIA Functionality and Testing of Policy Control in IP Multimedia Subsystem Skander Chaichee HUT/Nokia Networks Supervisor: Professor Raimo.
GSM Network Architecture
General Packet Radio Service (GPRS)
Ασύρματα Δίκτυα και Κινητές Επικοινωνίες Ενότητα # 8: Σύστημα 2.5 Γενιάς GPRS Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.
S Postgraduate Course in Radio Communications. Interoperability between 3G and WLAN using IMS Antti Keurulainen,
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.
SEMINAR RADIO NETWORK CONTROLLER FOR 3G MOBILE AND WIRELESS NETWORK DEVICES BY ARDRA . S7 IT SHMEC KADAKKAL ROLL.
Cellular Networks 1. Overview 1G Analog Cellular 2G TDMA - GSM 2G CDMA - IS G 3G 4G and Beyond Cellular Engineering Issues 2.
1 Special Topics in Computer Engineering Supervised by Dr. Walid Abu-Sufah Jordan University Department of Computer Engineering.
1 Wireless Networks Lecture 21 WCDMA (Part I) Dr. Ghalib A. Shah.
Overview Of 3G Mobile. 3G AWARENESS 3G is the next generation mobile communications systems. 3G is basically an ITU defined set of standards, which along.
1 Lecture 19 EEE 441 Wireless And Mobile Communications.
Cellular Network Base stations transmit to and receive from mobiles at the assigned spectrum Multiple base stations use the same spectrum The service area.
Mobile IP THE 12 TH MEETING. Mobile IP  Incorporation of mobile users in the network.  Cellular system (e.g., GSM) started with mobility in mind. 
1 Wireless Networks Lecture 17 GPRS: General Packet Radio Service (Part I) Dr. Ghalib A. Shah.
MULTIMEDIA ENGINEERING ISE (International School of Engineering, CU) Information and Communication Engineering 4 2.5G Mobile Phone and Network.
3G architecture and protocols
Third Generation (3G) Cellular Network 3G System
CS1: Wireless Communication and Mobile Programming
GSM,GPRS & CDMA Technology
GSM.
Universal Mobile Telecommunication System (UMTS)
GPRS GPRS stands for General Packet Radio System. GPRS provides packet radio access for mobile Global System for Mobile Communications (GSM) and time-division.
GPRS/EDGE Implementation
Master in progettista di servizi radiomobili Web Based Overview
Network Architecture How does it all work?
Master in progettista di servizi radiomobili Web Based Overview
GPRS Architecture Ayan Ganguly Bishakha Roy Akash Dutta.
Presentation transcript:

Page 1 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 PhD Course: UMTS and IP based mobile networks Werner Mohr, Ljupco Jorguseski, and Hans-Peter Schwefel Day 1 Architecture and Core Network Aspects (HPS) Day 2 Radio Resource Management and Radio Planning (LJ) Day 3 Radio Propagation (WM) Day 4W-CDMA & TD-CDMA (WM) Day 5Cell Structure & Outlook Beyond 3G (WM) Organized by Ramjee Prasad

Page 2 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Content 1.Introduction Cellular Concepts, GSM, GPRS 2.UMTS architecture & Components Standardisation Architecture 3.IP transmission in UMTS PDP contexts, APNs, TFTs Bearer and Parameters Mobility Support 4.Security in UMTS Basic requirements and threats UMTS-AKA Network Protection Example: Overbilling attack

Page 3 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Intro: Cellular systems Geographic region subdivided in radio cells Base Station provides radio connectivity to Mobile Station within cell Handover to neighbouring base station when necessary Base Stations connected by some networking infrastructure

Page 4 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 GSM: Global System for Mobile Communication 2nd Generation of Mobile Telephony Networks 1982: Groupe Spèciale Mobile (GSM) founded 1987: First Standards defined 1991: Global System for Mobile Communication, Standardisation by ETSI (European Telecommunications Standardisation Institute) - First European Standard 1995: Fully in Operation History:

Page 5 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 GSM – Architecture Components: BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center HLR/VLR: Home/Visitor Location Register AuC: Authentication Center EIR: Equipment Identity Register OMC: Operation and Maintenance Center Transmission: Circuit switched transfer Radio link capacity: 9.6 kb/s (FDMA/TDMA) Duration based charging

Page 6 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 GPRS: General Packet Radio Service Packet Switched Extension of GSM 1996: new standard developed by ETSI Components integrated in GSM architecture Improvements: –Packet-switched transmission –Higher transmission rates on radio link (multiple time-slots) –Volume based charging  ‚Always ON‘ mode possible Operation started in 2001 (Germany)

Page 7 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 GPRS - Architecture Components: CCU: Channel Coding Unit PCU: Packet Control Unit SGSN: Serving GPRS Support Node GGSN: Gateway GPRS Support Node GR: GPRS Register Transmission: Packet Based Transmission Radio link: – Radio transmission identical to GSM – Different coding schemes (CS1-4) – Use of Multiple Time Slots Volume Based Charging

Page 8 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Universal Mobile Telecommunication System (UMTS) Currently standardized by 3rd Generation Partnership Project (3GPP), see [North America: 3GPP2] So far, three releases: R’99, R4, R5 Modifications: New methods & protocols on radio link  increased access bandwidth Coexistence of two domains in the core network –Packets Switched (PS) –Circuit Switched (CS) New Services IP Service Infrastructure: IP Based Multimedia Subsystems (IMS) (R5)

Page 9 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Standardisation: 3GPP Collaboration Agreement, Partners: ARIB, CCSA, ETSI, T1, TTA, and TTC Technical Work Done in WGs Deliverables –Technical Reports/Technical Specifications –Approval by Consensus or Vote –Change Control When Sufficiently Stable Inter-WG Coordination –In TSGs –Information Exchange through Liaison Statements

Page 10 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Releases

Page 11 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Time line of a Release – Example of Rel 99 Subsequent Releases became stable more quickly (UTRAN newly introduced in Rel 99) Feature content frozen Release functionally frozen Rel. stable? Number of Change Requests against 3GPP Rel 99 specifications Source: Siemens ICM

Page 12 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Domains

Page 13 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Radio Access Network –Node B (Base station) –Radio Network Controller (RNC) Mobile Core Network –Serving GPRS Support Node (SGSN) –Gateway GPRS Support Node (GGSN) –Mobile Switching Center (MSC) –Home/Visited Location Register (HLR/VLR) –Routers/Switches, DNS Server, DHCP Server, Radius Server, NTP Server, Firewalls/VPN Gateways Application/Services IP-Based Multimedia Subsystem (IMS) –[see Lecture 2] Operation, Administration & Maintenance (OAM) Charging Network [Legal Interception] UMTS Network Domains

Page 14 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Radio Access Network (UTRAN): architecture W-CDMA (Wideband Code Division Multiple Access) on Radio Link transmission rate theoretically up to 2Mbit/s (realistic up to  300kb/s)

Page 15 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Content 1.Introduction Cellular Concepts, GSM, GPRS 2.UMTS architecture & Components Standardisation Architecture 3.IP transmission in UMTS PDP contexts, APNs, TFTs Bearer and Parameters Mobility Support 4.Security in UMTS Basic requirements and threats UMTS-AKA Network Protection Example: Overbilling attack

Page 16 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Transport of IP packets Application Server GGSN Terminal SGSNUTRAN GTP-U User IP (v4 or v6) Radio Bearer IP tackets are tunnelled through the UMTS network (GTP – GPRS tunneling protocol) L1 RLC PDCP MAC IP v4 or v6 Application L1 RLC PDCP MAC ATM UDP/IP v4 or v6 GTP ‑ U AAL5 Relay L1 UDP/IP v4 or v6 L2 GTP ‑ U IP v4 or v6 Iu-PSUuGn Gi ATM UDP/IP v4 or v6 GTP ‑ U AAL5 L1 UDP/IP v4 or v6 GTP ‑ U L2 Relay L1 L2 IP v4 or v6 [Source: 3GPP]

Page 17 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 IP Transport: Concepts PDP contexts (Packet Data Protocol) activation done by UE before data transmission specification of APN and traffic parameters GGSN delivers IP address to UE set-up of bearers and mobility contexts in SGSN and GGSN activation of multiple PDP contexts possible Access Point Names (APN) APNs identify external networks (logical Gi interfaces of GGSN) At PDP context activation, the SGSN performs a DNS query to find out the GGSN(s) serving the APN requested by the terminal. The DNS response contains a list of GGSN addresses from which the SGSN selects one address in a round-robin fashion (for this APN). Traffic Flow Templates (TFTs) set of packet filters (source address, subnet mask, destination port range, source port range, SPI, TOS (IPv4), Traffic Class (v6), Flow Label (v6) used by GGSN to assign IP packets from external networks to proper PDP context GPRS tunneling protocol (GTP) For every UE, one GTP-C tunnel is established for signalling and a number of GTP-U tunnels, one per PDP context (i.e. session), are established for user traffic.

Page 18 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 GGSN IP Transport: PDP Context & APNs Terminal SGSN GGSN PDP Context X 2 (APN X, IP address X, QoS 2 ) PDP Context X 1 (APN X, IP address X, QoS 1 ) ISP X ISP Z ISP Y PDP Context Z (APN Z, IP address Z, QoS) PDP Context Y (APN Y, IP address Y, QoS) APN Y APN Z APN X Same PDP (IP) address and APN PDP Context selection based on TFT (downstream) [Source: 3GPP]

Page 19 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Data Transport: Bearer Hierarchy TEMTUTRAN/ GERAN CNIu EDGE NODE CN Gateway TE/AS End-to-End Service (IP Bearer Service) TE/MT Local Bearer Service UMTS Bearer Service External Bearer Service UMTS Bearer Service Radio Access Bearer Service CN Bearer Service Backbone Bearer Service Iu Bearer Service Radio Bearer Service Physical Radio Service Physical Bearer Service Air Interface 3G GGSN 3G SGSN RAN User Equipment

Page 20 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Bearer: Traffic Classes (Source TS23.107, V5.2.0) UMTS Bearer: Selected Traffic/QoS Parameters Maximum Bitrate (kb/s) Guaranteed Bitrate (kb/s) Source statistics descriptor (`speech´, `unknown´) Transfer delay (ms) SDU error ratio Maximum SDU size (bytes)

Page 21 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Bearer: Parameters (Source TS23.107, V5.2.0) Selected Traffic/QoS Parameters Maximum Bitrate (kb/s) Token bucket: bucket size = MaxSDUsize; token rate=Maximum Bitrate Guaranteed Bitrate (kb/s) Token bucket: bucket size = k*MaxSDUsize; token rate=guaranteed bitrate k=1 in Rel. 99; Note: for speech traffic, maximum bitrate = guaranteed bitrate (25.413) Source statistics descriptor (`speech´, `unknown´) Could be used to compute effective bandwidths (multiplex gain) Transfer delay (ms) limit 95percentile of delay distribution of all delivered SDUs SDU error ratio fraction of lost or detected erroneous SDUs Maximum SDU size (bytes)

Page 22 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Bearer: Range of Traffic/QoS Parameters (Source TS23.107, V5.2.0)

Page 23 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 The ’full picture’ of the UMTS packet switched domain Roaming Support: UE attaches with SGSN in visited network PDP context is set-up to GGSN in home network (via Gp interface, GRX network)

Page 24 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Message Flow: PDP Context Setup … …

Page 25 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Content 1.Introduction Cellular Concepts, GSM, GPRS 2.UMTS architecture & Components Standardisation Architecture 3.IP transmission in UMTS PDP contexts, APNs, TFTs Bearer and Parameters Mobility Support 4.Security in UMTS Basic requirements and threats UMTS-AKA Network Protection Example: Overbilling attack

Page 26 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Security: Main Requirements Availability: Network and services shall be available whenever needed. Authentication: The user and the network want to be sure that the other party is indeed the one claimed. Confidentiality: Only sender and receiver shall be able to read the transferred data. Integrity: The user wants to be sure that the data haven‘t been changed on the way from the sender to the receiver. Non-repudiation: A user can‘t deny having used a certain service. Network Protection: The network shall be protected against intrusion, DoS attacks, etc. Legal requirements: Country specific legal security requirements shall be met.

Page 27 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Threats: Examples Eavesdropping user traffic or signalling traffic Modifying messages on their path from sender to receiver Using somebody else’ identity Manipulate charging –Use services without payment or with payment from third person’s account –‘overcharge’ third persons account (without use of services) Block certain functionality (Denial of Service Attacks) Possible Origin/Point of Attack –Via external Interfaces: Gi interface, Gp interface –While passing through untrusted intermediate networks (e.g. bacbone connecting site networks) –Air interface –Mobile subscriber –OAM Network

Page 28 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Network Architecture HSS BTS BSC Abis BSS (RAN/GERAN) Node B RNC Iub Iur RNS (UTRAN) SIM USIM ME Cu SIM-ME MS Uu IMS Domain Release 5 IuPS IuCS A Gb Gs user equipment domainaccess network domaincore network domain SGSN GGSN PS Domain Gn Cx Mb/GiGc Gr CS-MGW MSC server VLR Nb G/E/Nc Mc G-MSC server CS-MGW MSC server VLR Nc Mc CS Domain CD Nb

Page 29 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Security Domains Network Domain Security –Secure exchange of signaling traffic between network elements –Protection against attacks on the wireline network Application Security – Secure exchange of messages between applications in the user and provider domain Network Access Security –Mutual authentication of user and network –Confidentiality and integrity on the radio access link User Domain Security –Secure access to terminal

Page 30 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Overview of UMTS Security Mechanisms (R5) Mutual Authentication (UE--SGSN): UMTS AKA Encryption on air interface (data and signalling, UE--RNC) Integrity protection of signalling data on the air-interface Network protection (secure topologies, firewalls, etc.) up to operator Integrity protection and encryption of signalling traffic on external interfaces (Gp, Gi) via IPsec tunnels (ESP)

Page 31 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Air interface: Integrity Protection

Page 32 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Air interface: Encryption

Page 33 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS Authentication and Key Agreement (AKA) Based on long-term pre-shared key K on USIM and in HLR/AuC Authentication vector: Quintuplet (random number RAND, expected response XRES=f2(K,RAND), cipher key CK, integrity key IK, authentication token AUTN) generated in HLR/AuC using a sequence number SQN, RAND, and K VLR/SGSN downloads authentication vectors from HLR/AuC during Attach VLR / SGSN Authentication Data Request Authentication Data Response (AV 1..n) store AV‘s HLR/AuC

Page 34 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 UMTS AKA: Message flow during Attach

Page 35 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Network Protection Layered security architecture At domain boundaries –State-less packet filters (first barrier) –Demilitarized Zone (DMZ) and main firewall –Logging and intrusion detection Network internal packet filters and monitoring devices Host-based security mechanisms, e.g. –Access Control Lists (ACLs) –Application specific configurations (e.g. disabling DNS aliases)

Page 36 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Network Protection II Firewall types –State-less packet filters based on Layer 3 and 4 header fields (IP addresses, port numbers, etc.) –State-full packet filters: e.g. allow TCP connections initiated from inside the network –Application layer filtering: check payload of specific applications –Application proxies: split end-2-end connection Demilitarized Zones –Application Proxies –External DNS servers –VPN Gateways

Page 37 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Example Topology Shown: DMZ, Main Firewall, internal packet filters, split-DNS, application proxies

Page 38 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Internet (IP-Addr: ) Activate/Create PDP Context Example: Overbilling Attack (1) SGSN FW GGSN 2. Malicious UE opens TCP session to cooperating malicious server 3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages 4. Eventually, some victim UE attaches and receives same IP-address 5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE Malicious UE Victim UE Malicious Server 1. Malicious UE attaches to GPRS network and is assigned an IP-address (IP-Addr: ) Source: Siemens CT IC 3

Page 39 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Internet (IP-Addr: ) Overbilling Attack (2) SGSN FW GGSN 2. Malicious UE opens TCP session to cooperating malicious server 3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages 4. Eventually, some victim UE attaches and receives same IP-address 5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE Malicious UE Victim UE Malicious Server (IP-Addr: ) Create TCP Connection to malicious server Firewall is opened for TCP between and Malicious UE attaches to GPRS network and is assigned an IP-address Source: Siemens CT IC 3

Page 40 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Internet Deactivate/Delete PDP Context Overbilling Attack (3) SGSN FW GGSN 2. Malicious UE opens TCP session to cooperating malicious server 3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages 4. Eventually, some victim UE attaches and receives same IP-address 5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE Malicious UE Victim UE Malicious Server 1. Malicious UE attaches to GPRS network and is assigned an IP-address (IP-Addr: ) TCP/FIN Open for TCP between and Source: Siemens CT IC 3

Page 41 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Internet (IP-Addr: ) Activate/Create PDP Context Overbilling Attack (4) SGSN FW GGSN 2. Malicious UE opens TCP session to cooperating malicious server 3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages 4. Eventually, some victim UE attaches and receives same IP-address 5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE Malicious UE Victim UE Malicious Server 1. Malicious UE attaches to GPRS network and is assigned an IP-address (IP-Addr: ) TCP/FIN Open for TCP between and Source: Siemens CT IC 3

Page 42 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Internet (IP-Addr: ) Overbilling Attack (5) SGSN FW GGSN 4. Eventually, some victim UE attaches and receives same IP-address 5. Mal. server keeps sending TCP/FIN (or other) messages to victim UE Malicious UE Victim UE Malicious Server (IP-Addr: ) TCP/FIN Open for TCP between and Malicious UE opens TCP session to cooperating malicious server 3. Malicious UE detaches. Malicious Server keeps firewall open by sending TCP/FIN messages 1. Malicious UE attaches to GPRS network and is assigned an IP-address Source: Siemens CT IC 3

Page 43 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Contermeasures: Overbilling attack  Exercise

Page 44 Hans Peter Schwefel PHD Course: UMTS, Lecture 1, Fall03 Summary 1.Introduction Cellular Concepts, GSM, GPRS 2.UMTS architecture & Components Standardisation Architecture 3.IP transmission in UMTS PDP contexts, APNs, TFTs Bearer and Parameters Mobility Support 4.Security in UMTS Basic requirements and threats UMTS-AKA Network Protection Example: Overbilling attack