@@ -1,93 +0,0 @@

----

-title: "v2.5.0 - SCP for Indirect Communication"

-date: 2022-10-25 22:54:00 +0900

-categories:

-  - Release

-tags:

-  - News

-  - Release

-head_inline: "<style> ul { padding-bottom: 1em; } .blue { color: blue; }</style>"

----

-

-#### New Feature

-

-SCP(Service Communication Proxy) is added to support Indirect Communication based on TS29.500. The default Open5GS configuration is provided as an indirect communication using SCP.

-

-- amf.yaml If NFs are configured to use Delegated Discovery through the SCP, you do not need to set up NRF.

-

-```

-amf:

-    sbi:

-      - addr: 127.0.0.5

-        port: 7777

-

-scp:

-    sbi:

-      - addr: 127.0.1.10

-        port: 7777

-

-#nrf:

-#    sbi:

-#      - addr:

-#          - 127.0.0.10

-#          - ::1

-#        port: 7777

-```

-

-- scp.yaml NRF is needed for Delegated Discovery in SCP configuration.

-

-```

-scp:

-    sbi:

-      - addr: 127.0.1.10

-        port: 7777

-

-#

-# next_scp:

-#    sbi:

-#      addr: 127.0.1.11

-#      port: 7777

-#

-

-nrf:

-    sbi:

-      - addr:

-          - 127.0.0.10

-          - ::1

-        port: 7777

-```

-

-- nrf.yaml If there is an SCP in the NRF configuration, a notification(nnrf-nfm/nf-status-notify) is sent through an indirect communication.

-

-```

-nrf:

-    sbi:

-      addr:

-        - 127.0.0.10

-        - ::1

-      port: 7777

-

-scp:

-    sbi:

-      - addr: 127.0.1.10

-        port: 7777

-```

-

-

-#### Enhancements

-- WebUI/DB Fixed the WebUI to Support MongoDB 6.0( (#1824(https://github.com/open5gs/open5gs/issues/1824)) -- bmeglicit(https://github.com/bmeglicit)

-- DBI Disable Changes Streams with mongo Version (#1833(https://github.com/open5gs/open5gs/pull/1833)) -- jmasterfunk84(https://github.com/jmasterfunk84)

-- SBI Added 3gpp-Sbi-Sender-Timestamp and 3gpp-Sbi-Max-Rsp-Time -- 7c8722d(https://github.com/open5gs/open5gs/commit/7c8722d9d4d2db13d889be1e5e37bc062f069396)

-- MME Cancel Location while Idle (#1797(https://github.com/open5gs/open5gs/pull/1797)) -- jmasterfunk84(https://github.com/jmasterfunk84)

-- MME Support for Insert Subscriber Data (#1794(https://github.com/open5gs/open5gs/pull/1794)) -- jmasterfunk84(https://github.com/jmasterfunk84)

-

-#### Bug Fixes

-- SGW-C Fixed the bug of SGW-C session deletion (#1825(https://github.com/open5gs/open5gs/pull/1825)) -- dai9000(https://github.com/dai9000), cmmacneill53(https://github.com/cmmacneill53)

-- AMF Reject registration requests when pool for UE context is empty (#1828(https://github.com/open5gs/open5gs/pull/1828)) -- bmeglicit(https://github.com/bmeglicit)

-- AMF Increase size of TMSI pool (#1827(https://github.com/open5gs/open5gs/pull/1827)) -- bmeglicit(https://github.com/bmeglicit)

-- AMF/UDM Added support to subscribe to SDM changes (#1820(https://github.com/open5gs/open5gs/pull/1820)) -- bmeglicit(https://github.com/bmeglicit)

-- PFCP Do not check qos_flow in PFCP Report message (#1819(https://github.com/open5gs/open5gs/pull/1819)) -- ssafaorhan(https://github.com/ssafaorhan)

-- PFCP Fixed invalid message of Dropped DL Traffic threshold (#1817(https://github.com/open5gs/open5gs/pull/1817)) -- ssafaorhan(https://github.com/ssafaorhan)

-

-Download -- v2.5.0.tar.gz(https://github.com/open5gs/open5gs/archive/v2.5.0.tar.gz)

-{: .notice--info}

​

@@ -2,7 +2,7 @@

 Source: open5gs

 Binary: open5gs-common, open5gs-mme, open5gs-sgwc, open5gs-smf, open5gs-amf, open5gs-sgwu, open5gs-upf, open5gs-hss, open5gs-pcrf, open5gs-nrf, open5gs-scp, open5gs-ausf, open5gs-udm, open5gs-pcf, open5gs-nssf, open5gs-bsf, open5gs-udr, open5gs, open5gs-dbg

 Architecture: any

-Version: 2.5.1

+Version: 2.5.3

 Maintainer: Harald Welte <laforge@gnumonks.org>

 Uploaders: Sukchan Lee <acetcom@gmail.com>

 Homepage: https://open5gs.org

@@ -31,8 +31,8 @@

  open5gs-udr deb net optional arch=any

  open5gs-upf deb net optional arch=any

 Checksums-Sha1:

- ce7282c6d728e0e24c12487198e02d80ff7db19d 11488092 open5gs_2.5.1.tar.xz

+ fe7094b8aa8cffcb542434f24e6e5b0512f73743 11489140 open5gs_2.5.3.tar.xz

 Checksums-Sha256:

- b0ce7529d667390338917126ad7075601b686138086dde6e4f6beb83797e05a5 11488092 open5gs_2.5.1.tar.xz

+ 9708b442e700b18e633a886fd350f80eab024c7726fcae56d0d56ca192dc7443 11489140 open5gs_2.5.3.tar.xz

 Files:

- 754d8509044142ce18f5c925f7885a64 11488092 open5gs_2.5.1.tar.xz

+ 454edc0994b134140320fd3dc41f0639 11489140 open5gs_2.5.3.tar.xz

​

@@ -1 +1 @@

-2.5.1

+2.5.3

​

@@ -7,7 +7,7 @@

     create 640 open5gs open5gs

     postrotate

-        for i in nrfd pcrfd hssd ausfd udmd udrd upfd sgwcd sgwud smfd mmed amfd; do

+        for i in nrfd scpd pcrfd hssd ausfd udmd udrd upfd sgwcd sgwud smfd mmed amfd; do

             systemctl reload open5gs-$i

         done

     endscript

​

@@ -2,6 +2,7 @@

 #

 # logfilename                         owner:group mode count size  when  flags /pid_file        sig_num

 @localstatedir@/log/open5gs/nrf.log               644  14    *     $D0   GZ    @localstatedir@/run/open5gs-nrfd/pid`

+@localstatedir@/log/open5gs/scp.log               644  14    *     $D0   GZ    @localstatedir@/run/open5gs-scpd/pid`

 @localstatedir@/log/open5gs/pcrf.log               644  14    *     $D0   GZ    @localstatedir@/run/open5gs-pcrfd/pid`

 @localstatedir@/log/open5gs/hss.log               644  14    *     $D0   GZ    @localstatedir@/run/open5gs-hssd/pid`

 @localstatedir@/log/open5gs/ausf.log               644  14    *     $D0   GZ    @localstatedir@/run/open5gs-ausfd/pid`

​

@@ -440,7 +440,20 @@

 #              mnc: 70

 #            tac: 99

 #

-

+#  <Security Indication - 5G Core only>

+#

+#   According to 3GPP TS38.413 Section 9.3.1.27,

+#   Security Indication IE may be instructed to 5G gNB.

+#

+#   If you set the security_indication in smf.yaml,

+#   this information is delivered using PDU Session Resource Request Transfer IE

+#

+#    security_indication:

+#      integrity_protection_indication: required|preferred|not-needed

+#      confidentiality_protection_indication: required|preferred|not-needed

+#      maximum_integrity_protected_data_rate_uplink: bitrate64kbs|maximum-UE-rate

+#      maximum_integrity_protected_data_rate_downlink: bitrate64kbs|maximum-UE-rate

+#

 smf:

     sbi:

       - addr: 127.0.0.4

​

@@ -9,7 +9,7 @@

 Group=open5gs

 Restart=always

-ExecStart=@bindir@/open5gs-nrfd -c @sysconfdir@/open5gs/nrf.yaml

+ExecStart=@bindir@/open5gs-scpd -c @sysconfdir@/open5gs/scp.yaml

 RestartSec=2

 RestartPreventExitStatus=1

 ExecReload=/bin/kill -HUP $MAINPID

​

@@ -1,8 +1,92 @@

+open5gs (2.5.3) unstable; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Mon, 31 Oct 2022 07:25:06 +0900

+

+open5gs (2.5.3~kinetic) kinetic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Mon, 31 Oct 2022 07:23:45 +0900

+

+open5gs (2.5.3~jammy) jammy; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Mon, 31 Oct 2022 07:22:25 +0900

+

+open5gs (2.5.3~focal) focal; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Mon, 31 Oct 2022 07:20:57 +0900

+

+open5gs (2.5.3~bionic) bionic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Mon, 31 Oct 2022 07:19:26 +0900

+

+open5gs (2.5.2) unstable; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sun, 30 Oct 2022 14:18:50 +0900

+

+open5gs (2.5.2~kinetic) kinetic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sun, 30 Oct 2022 14:15:19 +0900

+

+open5gs (2.5.2~jammy) jammy; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sun, 30 Oct 2022 14:13:53 +0900

+

+open5gs (2.5.2~focal) focal; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sun, 30 Oct 2022 14:12:34 +0900

+

+open5gs (2.5.2~bionic) bionic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sun, 30 Oct 2022 14:11:04 +0900

+

 open5gs (2.5.1) unstable; urgency=medium

-  * Automatically generated changelog entry for building the Osmocom latest feed

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sat, 29 Oct 2022 12:37:52 +0900

+

+open5gs (2.5.1~kinetic) kinetic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sat, 29 Oct 2022 12:36:17 +0900

+

+open5gs (2.5.1~jammy) jammy; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sat, 29 Oct 2022 12:34:51 +0900

+

+open5gs (2.5.1~focal) focal; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

+

+ -- Sukchan Lee <acetcom@gmail.com>  Sat, 29 Oct 2022 12:32:53 +0900

+

+open5gs (2.5.1~bionic) bionic; urgency=medium

+

+  * New NF - SCP(Service Communication Proxy)

- -- Osmocom OBS scripts <info@osmocom.org>  Fri, 28 Oct 2022 00:28:30 +0000

+ -- Sukchan Lee <acetcom@gmail.com>  Sat, 29 Oct 2022 12:31:01 +0900

 open5gs (2.5.0) unstable; urgency=medium

​

@@ -3,7 +3,7 @@

 MAINTAINER Sukchan Lee <acetcom@gmail.com>

 ARG PACKAGE=open5gs

-ARG VERSION=2.5.1

+ARG VERSION=2.5.3

 RUN set -e; \

     cd /usr/src; \

​

@@ -185,7 +185,7 @@

     ```bash

     $ sudo apt update

     $ sudo apt install curl

-    $ curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -

+    $ curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -

     $ sudo apt install nodejs

     ```

​

@@ -418,7 +418,7 @@

 ```bash

 $ sudo apt install curl

-$ curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -

+$ curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -

 $ sudo apt install nodejs

 ```

​

@@ -184,7 +184,7 @@

 The following shows how to install the Web UI of Open5GS.

 ```bash

-$ curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -

+$ curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -

 $ sudo apt install nodejs

 $ curl -fsSL https://open5gs.org/open5gs/assets/webui/install | sudo -E bash -

 ```

​

@@ -0,0 +1,96 @@

+---

+title: "v2.5.3 - SCP for Indirect Communication"

+date: 2022-10-31 07:17:00 +0900

+categories:

+  - Release

+tags:

+  - News

+  - Release

+head_inline: "<style> ul { padding-bottom: 1em; } .blue { color: blue; }</style>"

+---

+

+#### New Feature

+

+SCP(Service Communication Proxy) is added to support Indirect Communication based on TS29.500. The default Open5GS configuration is provided as an indirect communication using SCP.

+

+- amf.yaml If NFs are configured to use Delegated Discovery through the SCP, you do not need to set up NRF.

+

+```

+amf:

+    sbi:

+      - addr: 127.0.0.5

+        port: 7777

+

+scp:

+    sbi:

+      - addr: 127.0.1.10

+        port: 7777

+

+#nrf:

+#    sbi:

+#      - addr:

+#          - 127.0.0.10

+#          - ::1

+#        port: 7777

+```

+

+- scp.yaml NRF is needed for Delegated Discovery in SCP configuration.

+

+```

+scp:

+    sbi:

+      - addr: 127.0.1.10

+        port: 7777

+

+#

+# next_scp:

+#    sbi:

+#      addr: 127.0.1.11

+#      port: 7777

+#

+

+nrf:

+    sbi:

+      - addr:

+          - 127.0.0.10

+          - ::1

+        port: 7777

+```

+

+- nrf.yaml If there is an SCP in the NRF configuration, a notification(nnrf-nfm/nf-status-notify) is sent through an indirect communication.

+

+```

+nrf:

+    sbi:

+      addr:

+        - 127.0.0.10

+        - ::1

+      port: 7777

+

+scp:

+    sbi:

+      - addr: 127.0.1.10

+        port: 7777

+```

+

+

+#### Enhancements

+- WebUI/DB Fixed the WebUI to Support MongoDB 6.0 (#1824(https://github.com/open5gs/open5gs/issues/1824)) -- bmeglicit(https://github.com/bmeglicit)

+- NAS Discard NAS message if integrity is failed (#1848(https://github.com/open5gs/open5gs/pull/1848)) -- jmasterfunk84(https://github.com/jmasterfunk84)

+- AMF Support REREGISTRATION_REQUIRED in dereg notify (#1858(https://github.com/open5gs/open5gs/pull/1858)) -- mitmitmitm(https://github.com/mitmitmitm)

+- SMF Support Security Indication IE for 5G-SA UP integrity and confidentiality(#1851(https://github.com/open5gs/open5gs/discussions/1851)) -- irazairspan(https://github.com/irazairspan)

+- DBI Disable Changes Streams with mongo Version (#1833(https://github.com/open5gs/open5gs/pull/1833)) -- jmasterfunk84(https://github.com/jmasterfunk84)

+- SBI Added 3gpp-Sbi-Sender-Timestamp and 3gpp-Sbi-Max-Rsp-Time -- 7c8722d(https://github.com/open5gs/open5gs/commit/7c8722d9d4d2db13d889be1e5e37bc062f069396)

+- MME Cancel Location while Idle (#1797(https://github.com/open5gs/open5gs/pull/1797)) -- jmasterfunk84(https://github.com/jmasterfunk84)

+- MME Support for Insert Subscriber Data (#1794(https://github.com/open5gs/open5gs/pull/1794)) -- jmasterfunk84(https://github.com/jmasterfunk84)

+

+#### Bug Fixes

+- SGW-C Fixed the bug of SGW-C session deletion (#1825(https://github.com/open5gs/open5gs/pull/1825)) -- dai9000(https://github.com/dai9000), cmmacneill53(https://github.com/cmmacneill53)

+- AMF Reject registration requests when pool for UE context is empty (#1828(https://github.com/open5gs/open5gs/pull/1828)) -- bmeglicit(https://github.com/bmeglicit)

+- AMF Increase size of TMSI pool (#1827(https://github.com/open5gs/open5gs/pull/1827)) -- bmeglicit(https://github.com/bmeglicit)

+- AMF/UDM Added support to subscribe to SDM changes (#1820(https://github.com/open5gs/open5gs/pull/1820)) -- bmeglicit(https://github.com/bmeglicit)

+- PFCP Do not check qos_flow in PFCP Report message (#1819(https://github.com/open5gs/open5gs/pull/1819)) -- ssafaorhan(https://github.com/ssafaorhan)

+- PFCP Fixed invalid message of Dropped DL Traffic threshold (#1817(https://github.com/open5gs/open5gs/pull/1817)) -- ssafaorhan(https://github.com/ssafaorhan)

+

+Download -- v2.5.2.tar.gz(https://github.com/open5gs/open5gs/archive/v2.5.2.tar.gz)

+{: .notice--info}

​

@@ -10,7 +10,7 @@

 #

 PACKAGE="open5gs"

-VERSION="2.5.1"

+VERSION="2.5.3"

 print_status() {

     echo

​

@@ -301,8 +301,10 @@

             break;

         case OGS_TIMER_NF_INSTANCE_NO_HEARTBEAT:

-            ogs_error("%s No heartbeat",

-                    NF_INSTANCE_ID(ogs_sbi_self()->nf_instance));

+            ogs_error("%s:%s No heartbeat",

+                    NF_INSTANCE_ID(ogs_sbi_self()->nf_instance),

+                    OpenAPI_nf_type_ToString(

+                        NF_INSTANCE_TYPE(ogs_sbi_self()->nf_instance)));

             OGS_FSM_TRAN(s, &ogs_sbi_nf_state_will_register);

             break;

​

@@ -16,7 +16,7 @@

 # along with this program.  If not, see <https://www.gnu.org/licenses/>.

 project('open5gs', 'c', 'cpp',

-    version : '2.5.0',

+    version : '2.5.3',

     license : 'AGPL-3.0-or-later',

     meson_version : '>= 0.43.0',

     default_options : 

@@ -24,7 +24,7 @@

     ,

 )

-libogslib_version = '2.5.0'

+libogslib_version = '2.5.3'

 prefix = get_option('prefix')

 bindir = join_paths(prefix, get_option('bindir'))

​

@@ -797,29 +797,35 @@

         case OGS_NAS_5GS_SECURITY_MODE_COMPLETE:

             ogs_debug("%s Security mode complete", amf_ue->supi);

-            CLEAR_AMF_UE_TIMER(amf_ue->t3560);

-

-            /* Now, We will check the MAC in the NAS message*/

+        /*

+         * TS24.501

+         * Section 4.4.4.3

+         * Integrity checking of NAS signalling messages in the AMF

+         *

+         * Once the secure exchange of NAS messages has been established

+         * for the NAS signalling connection, the receiving 5GMM entity

+         * in the AMF shall not process any NAS signalling messages

+         * unless they have been successfully integrity checked by the NAS.

+         * If any NAS signalling message, having not successfully passed

+         * the integrity check, is received, then the NAS in the AMF shall

+         * discard that message. If any NAS signalling message is received,

+         * as not integrity protected even though the secure exchange

+         * of NAS messages has been established, then the NAS shall discard

+         * this message.

+         */

             if (h.integrity_protected == 0) {

                 ogs_error("%s Security-mode : No Integrity Protected",

                         amf_ue->supi);

-

-                ogs_assert(OGS_OK ==

-                    nas_5gs_send_gmm_reject(amf_ue,

-                        OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &gmm_state_exception);

                 break;

             }

             if (!SECURITY_CONTEXT_IS_VALID(amf_ue)) {

                 ogs_warn("%s No Security Context", amf_ue->supi);

-                ogs_assert(OGS_OK ==

-                    nas_5gs_send_gmm_reject(amf_ue,

-                        OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &gmm_state_exception);

                 break;

             }

+            CLEAR_AMF_UE_TIMER(amf_ue->t3560);

+

             gmm_cause = gmm_handle_security_mode_complete(

                     amf_ue, &nas_message->gmm.security_mode_complete);

             if (gmm_cause != OGS_5GMM_CAUSE_REQUEST_ACCEPTED) {

​

@@ -870,26 +870,30 @@

             CLEAR_MME_UE_TIMER(mme_ue->t3460);

-            /* Now, We will check the MAC in the NAS message*/

+        /*

+         * TS24.301

+         * Section 4.4.4.3

+         * Integrity checking of NAS signalling messages in the MME:

+         *

+         * Once the secure exchange of NAS messages has been established

+         * for the NAS signalling connection, the receiving EMM or ESM entity

+         * in the MME shall not process any NAS signalling messages

+         * unless they have been successfully integrity checked by the NAS.

+         * If any NAS signalling message, having not successfully passed

+         * the integrity check, is received, then the NAS in the MME shall

+         * discard that message. If any NAS signalling message is received,

+         * as not integrity protected even though the secure exchange

+         * of NAS messages has been established, then the NAS shall discard

+         * this message.

+         */

             h.type = e->nas_type;

             if (h.integrity_protected == 0) {

                 ogs_error("%s No Integrity Protected", mme_ue->imsi_bcd);

-

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

             if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {

                 ogs_warn("%s No Security Context", mme_ue->imsi_bcd);

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

@@ -1038,30 +1042,35 @@

         case OGS_NAS_EPS_ATTACH_COMPLETE:

             ogs_info("%s Attach complete", mme_ue->imsi_bcd);

-            CLEAR_MME_UE_TIMER(mme_ue->t3450);

-

+        /*

+         * TS24.301

+         * Section 4.4.4.3

+         * Integrity checking of NAS signalling messages in the MME:

+         *

+         * Once the secure exchange of NAS messages has been established

+         * for the NAS signalling connection, the receiving EMM or ESM entity

+         * in the MME shall not process any NAS signalling messages

+         * unless they have been successfully integrity checked by the NAS.

+         * If any NAS signalling message, having not successfully passed

+         * the integrity check, is received, then the NAS in the MME shall

+         * discard that message. If any NAS signalling message is received,

+         * as not integrity protected even though the secure exchange

+         * of NAS messages has been established, then the NAS shall discard

+         * this message.

+         */

             h.type = e->nas_type;

             if (h.integrity_protected == 0) {

                 ogs_error("%s No Integrity Protected", mme_ue->imsi_bcd);

-

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

             if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {

                 ogs_warn("%s No Security Context", mme_ue->imsi_bcd);

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

+            CLEAR_MME_UE_TIMER(mme_ue->t3450);

+

             rv = emm_handle_attach_complete(

                     mme_ue, &message->emm.attach_complete);

             if (rv != OGS_OK) {

@@ -1085,30 +1094,35 @@

         case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE:

             ogs_debug("%s Tracking area update complete", mme_ue->imsi_bcd);

-            CLEAR_MME_UE_TIMER(mme_ue->t3450);

-

+        /*

+         * TS24.301

+         * Section 4.4.4.3

+         * Integrity checking of NAS signalling messages in the MME:

+         *

+         * Once the secure exchange of NAS messages has been established

+         * for the NAS signalling connection, the receiving EMM or ESM entity

+         * in the MME shall not process any NAS signalling messages

+         * unless they have been successfully integrity checked by the NAS.

+         * If any NAS signalling message, having not successfully passed

+         * the integrity check, is received, then the NAS in the MME shall

+         * discard that message. If any NAS signalling message is received,

+         * as not integrity protected even though the secure exchange

+         * of NAS messages has been established, then the NAS shall discard

+         * this message.

+         */

             h.type = e->nas_type;

             if (h.integrity_protected == 0) {

                 ogs_error("%s No Integrity Protected", mme_ue->imsi_bcd);

-

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

             if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {

                 ogs_warn("%s No Security Context", mme_ue->imsi_bcd);

-                ogs_assert(OGS_OK ==

-                    nas_eps_send_attach_reject(mme_ue,

-                        OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,

-                        OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));

-                OGS_FSM_TRAN(s, &emm_state_exception);

                 break;

             }

+            CLEAR_MME_UE_TIMER(mme_ue->t3450);

+

             /* Confirm GUTI */

             if (mme_ue->next.m_tmsi)

                 mme_ue_confirm_guti(mme_ue);

​

@@ -379,7 +379,7 @@

                 v_start = v_end = NULL;

-                while (*p++) {

+                while (*p) {

                     if (*p == ';') {

                         if ((v_start && v_end) || !v_start) {

                             p++;

@@ -389,6 +389,7 @@

                         if (!v_start) v_start = p+1;

                         else if (!v_end) v_end = p;

                     }

+                    p++;

                 }

                 if (v_start && v_end) {

​

@@ -202,6 +202,83 @@

         }

     }

+    if (self.security_indication.integrity_protection_indication ||

+        self.security_indication.confidentiality_protection_indication) {

+        if (!self.security_indication.integrity_protection_indication ||

+            !self.security_indication.confidentiality_protection_indication) {

+            ogs_error("Invalid security_indication %s,%s",

+                self.security_indication.integrity_protection_indication ?

+                self.security_indication.integrity_protection_indication :

+                "No integrity_protection_indication",

+                self.security_indication.confidentiality_protection_indication ?

+                self.security_indication.confidentiality_protection_indication :

+                "No confidentiality_protection_indication");

+            return OGS_ERROR;

+        }

+        if (smf_integrity_protection_indication_value2enum(

+            self.security_indication.integrity_protection_indication) < 0) {

+            ogs_error("Invalid integrity_protection_indication %s",

+                self.security_indication.integrity_protection_indication);

+            return OGS_ERROR;

+        }

+        if (smf_confidentiality_protection_indication_value2enum(

+            self.security_indication.

+            confidentiality_protection_indication) < 0) {

+            ogs_error("Invalid confidentiality_protection_indication %s",

+                self.security_indication.confidentiality_protection_indication);

+            return OGS_ERROR;

+        }

+    }

+

+    if (self.security_indication.maximum_integrity_protected_data_rate_uplink) {

+        NGAP_IntegrityProtectionIndication_t integrityProtectionIndication;

+        if (smf_maximum_integrity_protected_data_rate_uplink_value2enum(

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_uplink) < 0) {

+            ogs_error("Invalid "

+                "maximum_integrity_protected_data_rate_uplink %s",

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_uplink);

+            return OGS_ERROR;

+        }

+        integrityProtectionIndication =

+            smf_integrity_protection_indication_value2enum(

+                self.security_indication.integrity_protection_indication);

+        if (integrityProtectionIndication ==

+                NGAP_IntegrityProtectionIndication_required ||

+            integrityProtectionIndication ==

+                NGAP_IntegrityProtectionIndication_preferred) {

+        } else {

+            ogs_error("Invalid security_indication %s:UL-%s",

+                self.security_indication.integrity_protection_indication ?

+                self.security_indication.integrity_protection_indication :

+                "No integrity_protection_indication",

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_uplink ?

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_uplink :

+                "No integrity_protection_indication");

+            return OGS_ERROR;

+        }

+    }

+

+    if (self.security_indication.maximum_integrity_protected_data_rate_downlink) {

+        if (smf_maximum_integrity_protected_data_rate_downlink_value2enum(

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_downlink) < 0) {

+            ogs_error("Invalid "

+                "maximum_integrity_protected_data_rate_downlink %s",

+                self.security_indication.

+                    maximum_integrity_protected_data_rate_downlink);

+            return OGS_ERROR;

+        }

+        if (!self.security_indication.

+                maximum_integrity_protected_data_rate_uplink) {

+            ogs_error("No maximum_integrity_protected_data_rate_uplink");

+            return OGS_ERROR;

+        }

+    }

+

     return OGS_OK;

 }

@@ -825,6 +902,40 @@

                     } while (ogs_yaml_iter_type(&info_array) ==

                             YAML_SEQUENCE_NODE);

+                } else if (!strcmp(smf_key, "security_indication")) {

+                    ogs_yaml_iter_t security_indication_iter;

+                    ogs_yaml_iter_recurse(

+                            &smf_iter, &security_indication_iter);

+                    while (ogs_yaml_iter_next(&security_indication_iter)) {

+                        const char *security_indication_key =

+                            ogs_yaml_iter_key(&security_indication_iter);

+                        ogs_assert(security_indication_key);

+                        if (!strcmp(security_indication_key,

+                            "integrity_protection_indication")) {

+                            self.security_indication.

+                                integrity_protection_indication =

+                                    ogs_yaml_iter_value(

+                                        &security_indication_iter);

+                        } else if (!strcmp(security_indication_key,

+                            "confidentiality_protection_indication")) {

+                            self.security_indication.

+                                confidentiality_protection_indication =

+                                    ogs_yaml_iter_value(

+                                            &security_indication_iter);

+                        } else if (!strcmp(security_indication_key,

+                            "maximum_integrity_protected_data_rate_uplink")) {

+                            self.security_indication.

+                                maximum_integrity_protected_data_rate_uplink =

+                                    ogs_yaml_iter_value(

+                                            &security_indication_iter);

+                        } else if (!strcmp(security_indication_key,

+                            "maximum_integrity_protected_data_rate_downlink")) {

+                            self.security_indication.

+                                maximum_integrity_protected_data_rate_downlink =

+                                    ogs_yaml_iter_value(

+                                            &security_indication_iter);

+                        }

+                    }

                 } else if (!strcmp(smf_key, "pfcp")) {

                     /* handle config in pfcp library */

                 } else if (!strcmp(smf_key, "subnet")) {

@@ -2981,3 +3092,42 @@

     num_of_smf_sess = num_of_smf_sess - 1;

     ogs_info("Removed Number of SMF-Sessions is now %d", num_of_smf_sess);

 }

+

+int smf_integrity_protection_indication_value2enum(const char *value)

+{

+    ogs_assert(value);

+    if (!strcmp(value, "required"))

+        return NGAP_IntegrityProtectionIndication_required;

+    else if (!strcmp(value, "preferred"))

+        return NGAP_IntegrityProtectionIndication_preferred;

+    else if (!strcmp(value, "not-needed"))

+        return NGAP_IntegrityProtectionIndication_not_needed;

+    else {

+        ogs_error("Invalid value%s", value);

+        return -1;

+    }

+}

+int smf_confidentiality_protection_indication_value2enum(const char *value)

+{

+    ogs_assert(value);

+    return smf_integrity_protection_indication_value2enum(value);

+}

+int smf_maximum_integrity_protected_data_rate_uplink_value2enum(

+        const char *value)

+{

+    ogs_assert(value);

+    if (!strcmp(value, "bitrate64kbs"))

+        return NGAP_MaximumIntegrityProtectedDataRate_bitrate64kbs;

+    else if (!strcmp(value, "maximum-UE-rate"))

+        return NGAP_MaximumIntegrityProtectedDataRate_maximum_UE_rate;

+    else {

+        ogs_error("Invalid value%s", value);

+        return -1;

+    }

+}

+int smf_maximum_integrity_protected_data_rate_downlink_value2enum(

+        const char *value)

+{

+    ogs_assert(value);

+    return smf_maximum_integrity_protected_data_rate_uplink_value2enum(value);

+}

​

@@ -92,6 +92,13 @@

     uint16_t        mtu;            /* MTU to advertise in PCO */

+    struct  {

+        const char *integrity_protection_indication;

+        const char *confidentiality_protection_indication;

+        const char *maximum_integrity_protected_data_rate_uplink;

+        const char *maximum_integrity_protected_data_rate_downlink;

+    } security_indication;

+

 #define SMF_UE_IS_LAST_SESSION(__sMF) \

      ((__sMF) && (ogs_list_count(&(__sMF)->sess_list)) == 1)

     ogs_list_t      smf_ue_list;

@@ -512,6 +519,13 @@

 void smf_pf_precedence_pool_init(smf_sess_t *sess);

 void smf_pf_precedence_pool_final(smf_sess_t *sess);

+int smf_integrity_protection_indication_value2enum(const char *value);

+int smf_confidentiality_protection_indication_value2enum(const char *value);

+int smf_maximum_integrity_protected_data_rate_uplink_value2enum(

+        const char *value);

+int smf_maximum_integrity_protected_data_rate_downlink_value2enum(

+        const char *value);

+

 #ifdef __cplusplus

 }

 #endif

​

@@ -33,6 +33,7 @@

     NGAP_GTPTunnel_t *gTPTunnel = NULL;

     NGAP_DataForwardingNotPossible_t *DataForwardingNotPossible = NULL;

     NGAP_PDUSessionType_t *PDUSessionType = NULL;

+    NGAP_SecurityIndication_t *SecurityIndication = NULL;

     NGAP_QosFlowSetupRequestList_t *QosFlowSetupRequestList = NULL;

     NGAP_QosFlowSetupRequestItem_t *QosFlowSetupRequestItem = NULL;

     NGAP_QosFlowIdentifier_t *qosFlowIdentifier = NULL;

@@ -129,6 +130,89 @@

         ogs_assert_if_reached();

     }

+    if (smf_self()->security_indication.integrity_protection_indication &&

+        smf_self()->security_indication.confidentiality_protection_indication) {

+

+        ie = CALLOC(1,

+                sizeof(NGAP_PDUSessionResourceSetupRequestTransferIEs_t));

+        ogs_assert(ie);

+        ASN_SEQUENCE_ADD(&message.protocolIEs, ie);

+

+        ie->id = NGAP_ProtocolIE_ID_id_SecurityIndication;

+        ie->criticality = NGAP_Criticality_reject;

+        ie->value.present = NGAP_PDUSessionResourceSetupRequestTransferIEs__value_PR_SecurityIndication;

+

+        SecurityIndication = &ie->value.choice.SecurityIndication;

+

+        SecurityIndication->integrityProtectionIndication =

+                smf_integrity_protection_indication_value2enum(

+                    smf_self()->security_indication.

+                        integrity_protection_indication);

+        ogs_assert(SecurityIndication->integrityProtectionIndication >= 0);

+

+        SecurityIndication->confidentialityProtectionIndication =

+                smf_confidentiality_protection_indication_value2enum(

+                    smf_self()->security_indication.

+                        confidentiality_protection_indication);

+        ogs_assert(SecurityIndication->

+                confidentialityProtectionIndication >= 0);

+

+        if (smf_self()->security_indication.

+                maximum_integrity_protected_data_rate_uplink) {

+

+            ogs_assert(

+                SecurityIndication->integrityProtectionIndication ==

+                    NGAP_IntegrityProtectionIndication_required ||

+                SecurityIndication->integrityProtectionIndication ==

+                    NGAP_IntegrityProtectionIndication_preferred);

+

+            SecurityIndication->maximumIntegrityProtectedDataRate_UL =

+                CALLOC(1, sizeof(NGAP_MaximumIntegrityProtectedDataRate_t));

+            ogs_assert(SecurityIndication->

+                    maximumIntegrityProtectedDataRate_UL);

+            *(SecurityIndication->maximumIntegrityProtectedDataRate_UL) =

+                smf_maximum_integrity_protected_data_rate_uplink_value2enum(

+                    smf_self()->security_indication.

+                        maximum_integrity_protected_data_rate_uplink);

+            ogs_assert(

+                *(SecurityIndication->

+                    maximumIntegrityProtectedDataRate_UL) >= 0);

+

+            if (smf_self()->security_indication.

+                    maximum_integrity_protected_data_rate_downlink) {

+                NGAP_ProtocolExtensionContainer_9625P229_t *extContainer = NULL;

+                NGAP_SecurityIndication_ExtIEs_t *extIe = NULL;

+                NGAP_MaximumIntegrityProtectedDataRate_t

+                    *MaximumIntegrityProtectedDataRate = NULL;

+

+                extContainer = CALLOC(1,

+                        sizeof(NGAP_ProtocolExtensionContainer_9625P229_t));

+                ogs_assert(extContainer);

+                SecurityIndication->iE_Extensions =

+                    (struct NGAP_ProtocolExtensionContainer *)extContainer;

+

+                extIe = CALLOC(1, sizeof(NGAP_SecurityIndication_ExtIEs_t));

+                ogs_assert(extIe);

+                ASN_SEQUENCE_ADD(&extContainer->list, extIe);

+

+                extIe->id =

+                    NGAP_ProtocolIE_ID_id_MaximumIntegrityProtectedDataRate_DL;

+                extIe->criticality = NGAP_Criticality_ignore;

+                extIe->extensionValue.present = NGAP_SecurityIndication_ExtIEs__extensionValue_PR_MaximumIntegrityProtectedDataRate;

+

+                MaximumIntegrityProtectedDataRate =

+                    &extIe->extensionValue.choice.

+                        MaximumIntegrityProtectedDataRate;

+

+                *MaximumIntegrityProtectedDataRate =

+                smf_maximum_integrity_protected_data_rate_downlink_value2enum(

+                        smf_self()->security_indication.

+                            maximum_integrity_protected_data_rate_downlink);

+                ogs_assert(*MaximumIntegrityProtectedDataRate >= 0);

+            }

+        }

+    }

+

     ie = CALLOC(1, sizeof(NGAP_PDUSessionResourceSetupRequestTransferIEs_t));

     ogs_assert(ie);

     ASN_SEQUENCE_ADD(&message.protocolIEs, ie);

​

@@ -22,7 +22,7 @@

 #define DATASTR "This is a test"

 #define STRLEN 8092

-#define PORT 7777

+#define PORT 47777

 #define NUM 100

 #ifndef AI_PASSIVE

​

@@ -22,8 +22,8 @@

 #define DATASTR "This is a test"

 #define STRLEN 8092

-#define PORT 7777

-#define PORT2 7778

+#define PORT 47777

+#define PORT2 47778

 #ifndef AI_PASSIVE

 #define AI_PASSIVE 1

​

@@ -1,12 +1,12 @@

 {

   "name": "open5gs",

-  "version": "2.5.1",

+  "version": "2.5.3",

   "lockfileVersion": 2,

   "requires": true,

   "packages": {

     "": {

       "name": "open5gs",

-      "version": "2.5.1",

+      "version": "2.5.3",

       "license": "AGPL-3.0",

       "dependencies": {

         "axios": "^0.27.2",

​

@@ -1,6 +1,6 @@

 {

   "name": "open5gs",

-  "version": "2.5.1",

+  "version": "2.5.3",

   "description": "Open5gs",

   "main": "index.js",

   "repository": "https://github.com/open5gs/open5gs/webui",

​