Allow network operators to omit the time zone in the 4G EMM Information
and 5G Configuration Update. This is useful for better compatibility
with some UEs.
The parameter is optional according to:
* 4G: 3GPP TS 24.301 Table 8.2.13.1
* 5G: 3GPP TS 24.501 Table 8.2.19.1.1
Bug:
In case that AMF does not have subscription data for the UE,
PDU session remains unreleased after implicit de-registeration.
The exact test case:
- UE registered (integrity protection applied)
- UE deregistered (Nudm_SDM_Unsubscribe, Nudm_UECM_Registration (purgeFlag))
- UE registered, PDU session activated
UE data are still stored in AMF. So if integrity protected applies,
the steps 4 - 14 [ETSI TS 123 502 V16.7.0](https://www.etsi.org/deliver/etsi_ts/123500_123599/123502/16.07.00_60/ts_123502v160700p.pdf) are skipped.
Only AM Policy Association Establishment is performed.
- UE is moved out of radio coverage, 2 x (4 min + Timer t3512) expires
Result: UE is implicitly de-registered, PDU session is not released
The steps of implicit de-registeration:
1. Implicit Timer Expiration
2. UDM_SDM_Unsubscribe
3. UDM_UECM_Deregistration
4. PDU session release request
5. PDUSessionResourceReleaseCommand + PDU session release command
6. PDUSessionResourceReleaseResponse
7. AM_Policy_Association_Termination
So PDU session release is performed after the confirmation of
UDM_UECM_Deregistration.
Since there is no UDM_SDM subscription, the UDM steps are skipped
and PDU session is not released.
Fix:
If the AMF does not have subscription data for the UE which registers,
the AMF registers with the UDM using Nudm_UECM_Registration and
retrieves subscription data with Nudm_SDM_Get.
[ETSI TS 123 502 V16.7.0](https://www.etsi.org/deliver/etsi_ts/123500_123599/123502/16.07.00_60/ts_123502v160700p.pdf), 4.2.2.2.2 General Registration, 14a-c:
> If the AMF does not have subscription data for the UE, the AMF retrieves the Access and Mobility Subscription data, SMF
> Selection Subscription data, UE context in SMF data and LCS mobile origination using Nudm_SDM_Get.
1. UE sends RegistrationRequest to AMF.
2. AMF sends Nudm_UECM_Registration to UDM.
3. UE sends RegistrationRequest to AMF.
4. GMM state is gmm_state_authentication
5. UDM sends Nudm_UECM_Registration response to AMF.
6. AMF crashs since no Handler in gmm_state_authentication state
According to 3GPP TS 29.510, the search parameter "tai" should be a
single item, not an array of items.
TS 29.510: Table 6.2.3.2.3.1-1:
URI query parameters supported by the GET method on this resource
Revert "[SBI] Change discovery option TAI from array to single item"
This reverts commit b4beff1ae16c64b3c6d84d8bdb47c36e19b705f2.
wip
This commit splits filling Requested-Service-Unit, Used-Service-Unit and
QoS-Information into their own helper functions for better readibility,
and then partially reverts 125740727e,
where lots of AVPs were left out of INITIAL_REQUEST messagesi during the
changes made.
After looking through 3GPP TS 32.299 and rfc4006, it seems expected to
send Requested-Service-Unit only during INITIAL_REQUEST, and
Used-Service-Unit during UPDATE_REQUEST, so that part is kept.
However, I am not able to find clear indications that AVPs such as QoS
Information and RAT-Type should not be sent during INITIAL_REQUEST.
So, since we have the info, better set it already during
INITIAL_REQUEST, since the OCS may want to grant different resources
based on that information if available too.
* [AUSF] Fix removing UE context on authentication removal request
AUSF crashed when trying to access ausf_ue->sm fields after they were
already deleted.
* [AMF] Delete UE authentication result after UE deregisters from 5G core
Based on TS 29.509 - 5.2.2.2.5 Authentication Result Removal with 5G AKA
method:
In the case that the Purge of subscriber data in AMF after the UE
deregisters from the network or the NAS SMC fails following the
successful authentication in the registration procedure, the NF Service
Consumer (AMF) requests the AUSF to inform the UDM to remove the
authentication result.
amf_ue->mac_failed flag to be cleared during security mode procedure but it was not.
At this point, the only way to cleare the amf_ue->mac_failed flag is by UE Context Release.
But I'd like to connect UEs as fast as possible without UE Context Release.
* Add "subscriber_status" cmd to open5gs-dbctl to set values for
"subscriber_status" and "operator_determined_barring" DB fields.
* Add webui View+Edit for those same fields.
* open5gs-hssd now takes those values into account and submits
Operator-Determined-Barring AVP with DB-retrieved value if
subscriber_status is set to OPERATOR_DETERMINED_BARRING.
For more information, see TS 29.272 section 5.2.2.1.3 and 7.3.30.
currently if no IP address is available from the configured
subnets in the SMF when attempting to assign an IP to an UE
we assert and the SMF crashes. Handle the error more gracefully
by returning an error cause instead.
Scenario is handover on S1AP, data forwarding is enabled, and
the Source ENB is forwarding DL PDCP packets to EPC(SGWU)
with PDCP SN included. SGWU is also forwarding these packets
to the Target ENB.
However the PDCP SN is not present in the forwarded packets
from SGWU to Target ENB.
I modified this part, and there was the same problem in 5GC, fixed it as well.
A lot of code in GTP-U has been modified,
so if you have any problems, please let us know right away.
curl --noproxy '*' --http2-prior-knowledge -X POST --header "Content-Type: multipart/related" --data-binary @pdu http:/192.168.29.231:7777/nsmf-pdusession/v1/sm-contexts
Attaching file 'pdu'
SMF crashes as not able to decode the message properly. SmContextCreateData is not accessible.
Modifications were made to resolve the following assertion..
Invalid HNET PKI Value [0] (../lib/sbi/conv.c:135)
ogs_supi_from_supi_or_suci: Expectation `supi' failed. (../lib/sbi/conv.c:262)
udm_ue_add: Assertion `udm_ue->supi' failed. (../src/udm/context.c:144)
backtrace() returned 8 addresses (../lib/core/ogs-abort.c:37)
A situation in which you establish two sessions and release both of them.
In the first SESSION, the UE normally sent PDUSessionResourceReleaseResponse
and PDU session release complete. However, these were not sent when releasing
the second SESSION.
At this point, when the UE tried to do a deregistration,
the SMF was not properly handling the exception.
I've just fixed this.
NAS, GTP, PFCP, SBI, all except S1AP/NGAP use x1000 multiplier for Kbps, Mbps, Gbps ... etc.
From now on in WebUI all units also use a multiplier of x1000.
Based on the standard document below, when the UE is in the IDLE state,
we checked the implicit timer and tried to send a message to the UE,
but it doesn't work properly.
So, first of all, I deleted the related code.
- TS 24.301 Ch 5.3.7
If ISR is not activated, the network behaviour upon expiry of
the mobile reachable timer is network dependent, but typically
the network stops sending paging messages to the UE on the
first expiry, and may take other appropriate actions
- TS 24.501 Ch 5.3.7
The network behaviour upon expiry of the mobile reachable timer is network dependent,
but typically the network stops sending paging messages to the UE on the first expiry,
and may take other appropriate actions.
Move the config to the sgsn node instead of having a specific route with
specific format "default: route", since anyway internally it's already
applied to the sgsn object.
When AMF release the NAS signalling connection,
ran_ue context is removed by ran_ue_remove() and
amf_ue/ran_ue is de-associated by amf_ue_deassociate().
In this case, implicit deregistration is attempted
by the mobile reachable timer according to the standard document,
and amf_ue will be removed by amf_ue_remove().
TS 24.501
5.3.7 Handling of the periodic registration update timer and
Start AMF_TIMER_MOBILE_REACHABLE
mobile reachable timer
The network supervises the periodic registration update procedure
of the UE by means of the mobile reachable timer.
If the UE is not registered for emergency services,
the mobile reachable timer shall be longer than the value of timer
T3512. In this case, by default, the mobile reachable timer is
4 minutes greater than the value of timer T3512.
The mobile reachable timer shall be reset and started with the
value as indicated above, when the AMF releases the NAS signalling
connection for the UE.
The 'data' struct used to specify the diameter dispatch options for the
MME callbacks was not being initialized properly, which meant that the
App id could contain garbage. This was preventing the callbacks from
being invoked when receiving ISD/CLR requests.
Each SMF's NfProfile can contain multiple SmfInfo items. The issue was
that AMF checked only the first SmfInfo for correct S-NSSAI/NR-TAI
information.
In case of a 5G core setup with SMF handling 2 or more slices, and UE
trying to establish multiple PDU sessions, AMF would report an error
when trying to find the correct serving SMF.
[amf] ERROR: [1:0] (NF discover) No [nsmf-pdusession] (../src/amf/nnrf-handler.c:85)
Since [redesign](8553c77733)
of fivegs_smffunction_sm_sessionnbr gauge, the metric doesn't
expose some decrements. The decreasing of gauge had been
moved out of function stats_remove_smf_session.
It should be decreased every time stats_remove_smf_session
is called, but this particular case is easily reproducible
by killing UPF while the session is established.
The current code uses the cc request number as an index to the
transaction array (xact/xact_data). Since cc request number is a 32 bit
integer this is unfeasible for longer sessions and if more than a
handful of messages are exchanged per session.
The array size was already increased in #2038 which simply delays the
issue.
Furthermore, the current code asserts that cc_request_number is <=
MAX_CC_REQUEST_NUMBER which leads to an out-of-bounds write if
cc_request_number == MAX_CC_REQUEST_NUMBER.
Instead use a smaller array and index into it using cc_request_number
% array size. More than 2 requests should never be in flight at any one
time (initial or update request together with a termination request) so
an array size of 4 should be fine.
- have a more consistent naming among the NF's
- always have the same prefix (amf_/smf_/pcf_) depending on the NF
- function name is always the same, how the function calculates the load
is NF specific and internal to the function itself (but not the function
name).
- the 'if' clause was comparing some value with an always '1' due to
wrong calculation. Consequently, this 'if' statement never executed.
- sizes for session pool and UE pools are directly linked between each
other. We need to count the number of items only in one of the pools to
correctly represent the NF load
- if anything, we should also check the load of the application pool to
determine correct load of the NF
ogs_pool_init() shall be used in the initialization routine.
Otherwise, memory will be fragment since this function uses system malloc()
Compared with ogs_pool_init()
ogs_pool_create() could be called while the process is running,
so this function should use ogs_malloc() instead of system malloc()
Multimedia-Auth-Answer and Server-Assignment-Answer
defines the AVP User-Name as mandatory. It must also be
present on failure cases.
See 3GPP TS 29.273 Rel 17.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
[ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf):
Registration type label is not provided.
A nonstandard PLMNID label is added to achieve uniqueness.
- 5.3.1.3 Number of PDU sessions requested to be created by the SMF
PLMNID and SNSSAI are defined during PDU session creation processing.
Some requests can be rejected during processing before label values are known.
Those requests are not counted under particular labels.
To count also such requests, the basic metric with empty labels is exposed too.
```
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 1
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
```
- 5.3.1.4 Number of PDU sessions successfully created by the SMF
```
fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
```
- 5.3.1.5 Number of PDU sessions failed to be created by the SMF
```
fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
```
Example for one successful and one failed (during creation processing) PDU session creation:
```
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="",snssai=""} 2
fivegs_smffunction_sm_pdusessioncreationreq{plmnid="00101",snssai="1000009"} 1
fivegs_smffunction_sm_pdusessioncreationsucc{plmnid="00101",snssai="1000009"} 1
fivegs_smffunction_sm_pdusessioncreationfail{cause="400"} 1
```
After N2 Handover (1 AMF, multiple gNB's) was successfully executed, the
PDU session was not properly released afterwards on PDU Session Release
Request from UE.
The reason was that after N2 Handover the new 'ran_ue' context did not
have any information about the active PDU sessions.
Copy the information about PDU sessions from old ran_ue context to the
new one.
TS23.007 17.4.1
19A PFCP based restart procedures
After a PFCP entity has restarted, it shall immediately update all local Recovery Time Stamps and shall clear all remote
Recovery Time Stamps. When peer PFCP entities information is available, i.e. when the PFCP Association is still alive,
the restarted PFCP entity shall send its updated Recovery Time Stamps in a Heartbeat Request message to the peer
PFCP entities before initiating any PFCP session signalling.
Follow-up on [#2048](https://github.com/open5gs/open5gs/pull/2048)
AMF crashes when 'skipInd' field is missing:
```
amf | 03/21 07:45:04.092: [amf] FATAL: [imsi-001010000000000] No skipInd (../src/amf/namf-handler.c:392)
amf | 03/21 07:45:04.092: [amf] FATAL: amf_namf_comm_handle_n1_n2_message_transfer: should not be reached. (../src/amf/namf-handler.c:393)
```
In case of CM_CONNECTED skipInd is not important.
In case of CM_IDLE the proper relase would contain skipInd.
SMF already handles the freeing in labels correctly.
In the same manner the memsets are moved to the beginning of the
problematic functions in AMF and PCF.
When UDM issues a SDM Data Change Notification with request to modify
RAT restrictions, AMF would crash when it tried to send a SDM
subscription delete as part of Network Initiated Deregistration.
Function amf_ue_sbi_discover_and_send() changed from returning boolean,
to returning integer (one of OGS_OK/OGS_ERROR/...).
When both IPv4 and IPv6 Frame Routes are set, IPv4 Frame Route list
was subsequently cleared.
When UE tried to deregister, PCF would crash when it tried to free the
Frame Routing list.
POST requests to {apiRoot}/nnrf-nfm/v1/subscriptions return
a HTTP Location header in 201 respose
in the form {apiRoot}/nnrf-nfm/v1/subscriptions/{subscriptionID}
In case that handling Service Request results in an error, AMF sends a
Service Reject and sets UE's context to exception state. Without the
'break', the code would set UE's context to registered state.
[ETSI TS 128 552 V16.9.0](https://www.etsi.org/deliver/etsi_ts/128500_128599/128552/16.09.00_60/ts_128552v160900p.pdf)
5.2.2 Registration procedure related measurements
SNSSAI labels are not provided.
- Number of registration requests received by the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitreq 1
fivegs_amffunction_rm_regmobreq 0
fivegs_amffunction_rm_regperiodreq 0
fivegs_amffunction_rm_regemergreq 0
```
- Number of successful initial registrations at the AMF is
exposed for each registration type.
```
fivegs_amffunction_rm_reginitsucc 1
fivegs_amffunction_rm_regmobsucc 0
fivegs_amffunction_rm_regperiodsucc 0
fivegs_amffunction_rm_regemergsucc 0
```
- The existing counter of failed registrations at the AMF
is exposed separately for each registration type.
```
fivegs_amffunction_rm_reginitfail
fivegs_amffunction_rm_regmobfail
fivegs_amffunction_rm_regperiodfail
fivegs_amffunction_rm_regemergfail
```
5.2.5.2 Measurements for 5G paging
Number of 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5greq 1
```
Number of successful 5G paging procedures initiated at the AMF:
```
fivegs_amffunction_mm_paging5gsucc 1
```
5.2.11 Authentication procedure related measurements
Number of authentication requests:
```
fivegs_amffunction_amf_authreq 2
```
Number of authentication rejections:
```
fivegs_amffunction_amf_authreject 1
```
Number of failed authentications due to parameter error:
```
fivegs_amffunction_amf_authfail{cause="21"} 1
```
5.2.8 UE Configuration Update procedure related measurements
Number of UE Configuration Update commands requested by the AMF:
```
fivegs_amffunction_mm_confupdate 2
```
Number of UE Configuration Update complete messages received by the AMF:
```
fivegs_amffunction_mm_confupdatesucc 1
```
TS33.401
7 Security procedures between UE and EPS access network elements
7.2 Handling of user-related keys in E-UTRAN
7.2.7 Key handling for the TAU procedure when registered in E-UTRAN
If the "active flag" is set in the TAU request message or
the MME chooses to establish radio bearers when there is pending downlink
UP data or pending downlink signalling, radio bearers will be established
as part of the TAU procedure and a KeNB derivation is necessary.
23.501 (5G NAS stage 2)
5.4.4.1:
"When the AMF receives Registration Request with the Registration type set
to Initial Registration or when it receives the first Registration Request
after E-UTRA/EPC Attach with Registration type set to Mobility Registration
Update, the AMF deletes the UE radio capability."
Sukchan Lee
Oliver Smith
gstaa
Bostjan Meglic
Pau Espin
Šimon Lukašík
Emanuele Di Pascale
theodorsm
Robert Dash
mitmitmitm
Matthias Bräuer
Bostjan Meglic
Gaber Stare
Daniel Willmann
EugeneBogush
Alexander Couzens
Shigeru Ishida
Abdelmuhaimen Seaudi
Spencer Sevilla