TP-01 — Registration & Mobility Tests

Domain: Subscriber Registration and Mobility
Standards: 3GPP TS 33.501 v18.9.0 · 3GPP TS 33.401 · NIST SP 800-187
Prerequisites: TP-00 Steps 1–8 complete; both 4G and 5G labs running


TC-REG-01: Normal 5G Registration (5G-AKA)

Threat Model

sequenceDiagram
    participant UE as UE (UERANSIM)
    participant GNB as gNB (UERANSIM)
    participant AMF as AMF (Open5GS)
    participant AUSF as AUSF
    participant UDM as UDM

    Note over UE,UDM: THREAT: Attacker observes registration to harvest identifiers
    UE->>GNB: RRC Setup + Registration Request (SUCI)
    Note right of UE: ✅ SUCI hides SUPI<br/>Attacker sees only SUCI
    GNB->>AMF: NGAP InitialUEMessage
    AMF->>AUSF: Nausf_UEAuthentication_Authenticate (SUCI)
    AUSF->>UDM: Nudm_UEAuthentication_Get (SUCI)
    UDM-->>AUSF: AV (RAND, AUTN, HXRES*, KAUSF)
    AUSF-->>AMF: 5G-AKA Challenge (RAND, AUTN)
    AMF->>UE: NAS Authentication Request (RAND, AUTN)
    Note over UE: UE verifies AUTN<br/>derives RES*
    UE-->>AMF: NAS Authentication Response (RES*)
    AMF->>AUSF: Confirm (RES*)
    Note over AUSF: Compares HXRES* vs RES*<br/>⚠️ THREAT: Replay attack here
    AUSF-->>AMF: Auth Success + KAMF
    AMF->>UE: Security Mode Command
    UE-->>AMF: Security Mode Complete
    AMF->>UE: Registration Accept
    Note over UE,UDM: ✅ MITIGATED: SUCI prevents IMSI catch<br/>5G-AKA prevents replay via SQN

Objective

Verify a UE can complete full 5G registration with 5G-AKA authentication end-to-end.

Steps

# 1. Start capture on SBI and N2 interfaces
SBIBRIDGE=$(docker network ls --filter name=5g_sbi -q | head -1)
sudo tshark -i br-$SBIBRIDGE -w ~/open5gs-lab/captures/tc-reg-01.pcap &
CAPTUREPID=$!

# 2. Start gNB
docker compose -f ~/open5gs-lab/5g/docker-compose.yml up -d gnb
sleep 5
docker logs open5gs-gnb 2>&1 | grep "NG Setup"

# 3. Start UE
docker compose -f ~/open5gs-lab/5g/docker-compose.yml up -d ue
sleep 5

# 4. Check registration
docker logs open5gs-amf 2>&1 | grep -E "Registered|SUPI"
docker exec ueransim-ue ip addr show uesimtun0

# 5. Test data plane
docker exec ueransim-ue ping -c 5 -I uesimtun0 8.8.8.8

# 6. Stop capture (tshark was started through sudo, so signal it through sudo as well)
sudo kill "$CAPTUREPID"

Expected Results

Pass Criteria

UE registers, IP assigned, ping succeeds. SUCI confirmed in pcap (not plaintext IMSI).


TC-REG-02: 4G Attach Procedure (EPS-AKA)

Threat Model

sequenceDiagram
    participant UE as srsUE (4G UE)
    participant ENB as srsENB (eNB)
    participant MME as MME (Open5GS)
    participant HSS as HSS
    participant ATTACKER as Attacker (passive)

    Note over UE,ATTACKER: THREAT: 4G exposes IMSI before security setup
    UE->>ENB: RRC Connection Setup + Attach Request
    ENB->>MME: S1AP InitialUEMessage (IMSI or GUTI)

    alt First attach — no GUTI stored
        MME->>UE: Identity Request (IMSI)
        Note over ATTACKER: ⚠️ IMSI sent in cleartext<br/>Rogue eNB can intercept here
        UE-->>MME: Identity Response (plaintext IMSI)
    end
    MME->>HSS: Diameter AIR (IMSI)
    HSS-->>MME: AIA (authentication vectors)
    MME->>UE: NAS Authentication Request (RAND, AUTN)
    UE-->>MME: NAS Authentication Response (RES)
    MME->>UE: Security Mode Command (EEA, EIA algo)
    Note over ATTACKER: ⚠️ If EEA0/EIA0 negotiated<br/>traffic is unprotected
    UE-->>MME: Security Mode Complete
    MME->>ENB: S1AP InitialContextSetupRequest
    UE-->>MME: Attach Complete
    Note over UE,ATTACKER: 4G IMSI exposure mitigated in 5G by SUCI

Objective

Verify 4G attach with EPS-AKA and default bearer establishment.

Steps

# 1. Start Open5GS 4G EPC
docker compose -f ~/open5gs-lab/4g/docker-compose.yml up -d
sleep 10

# 2. Verify MME is up
docker logs open5gs-epc 2>&1 | grep "MME started"

# 3. Start srsENB (in separate terminal)
sudo srsenb --enb.enb_id=0x19B --enb.mcc=001 --enb.mnc=01 \
  --enb.mme_addr=172.22.0.4 --log.all_level=info

# 4. Start srsUE (in separate terminal)
sudo srsue --usim.imsi=001010000000001 \
  --usim.k=465B5CE8B199B49FAA5F0A2EE238A6BC \
  --usim.opc=E8ED289DEBA952E4283B54E88E6183CA \
  --log.all_level=info

# 5. Check attach
# Look for: "Network attach successful. IP: 10.45.0.x"

# 6. Test data plane
ping -c 5 -I srsue_tun 8.8.8.8

Expected Results

Pass Criteria

UE attaches; ping succeeds. Document IMSI exposure in Identity Response (expected 4G behavior, mitigated in 5G by TC-REG-03).


TC-REG-03: SUCI Privacy Verification (5G)

Threat Model

flowchart TD
    A[UE sends Registration Request] --> B{Mobile Identity Type?}
    B -->|SUCI type=0x01| C[✅ ECIES Encrypted MSIN]
    B -->|IMSI type=0x02| D[❌ CRITICAL: Plaintext IMSI]
    B -->|Null-scheme type=0x00| E[⚠️ WARN: Null SUCI — lab default]

    C --> F[Attacker sees only SUCI\nCannot derive SUPI without Home Network Private Key]
    D --> G[IMSI Catcher can harvest SUPI\nStingray attack succeeds]
    E --> H[IMSI derivable — acceptable in lab\nMUST use ECIES in production]

    F --> I{SIDF at UDM de-conceals SUCI}
    I --> J[SUPI revealed only to UDM/AUSF\nNever on radio interface]

    style D fill:#c0392b,color:#fff
    style E fill:#e67e22,color:#fff
    style C fill:#27ae60,color:#fff
    style F fill:#27ae60,color:#fff
    style G fill:#c0392b,color:#fff

Objective

Confirm SUPI is concealed as SUCI in Registration Request; no IMSI on the air interface.

Steps

# 1. Capture on N2 interface during registration
#    (tshark rejects -Y display filters when capturing live and saving with -w,
#    so write the full capture here; the NAS-5GS filters are applied in steps 3 and 4)
sudo tshark -i br-$(docker network ls --filter name=sbi -q) \
  -w ~/open5gs-lab/captures/tc-reg-03.pcap 2>/dev/null &

# 2. Register UE (restart if already running)
docker compose -f ~/open5gs-lab/5g/docker-compose.yml restart ue
sleep 8

# 3. Check Mobile Identity type in pcap
tshark -r ~/open5gs-lab/captures/tc-reg-03.pcap \
  -Y "nas-5gs.mm.message_type == 0x41" \
  -T fields -e nas-5gs.mm.mobile_identity_type -e nas-5gs.mm.suci.protection_scheme_id

# Expected output: mobile_identity_type=1 (SUCI), protection_scheme_id=0 (lab null) or 1/2 (ECIES)

# 4. Verify NO IMSI type=2 appears
tshark -r ~/open5gs-lab/captures/tc-reg-03.pcap \
  -Y "nas-5gs.mm.mobile_identity_type == 2"
# Must return ZERO packets

Expected Results

Pass Criteria

No plaintext IMSI on N2. SUCI type confirmed. Flag null-scheme as lab limitation.
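
The pass/warn decision of this test case, as an added example that is not part of the original test plan: a decoder for the 5GS mobile identity IE value (layout per 3GPP TS 24.501, SUCI with IMSI SUPI format only) that reports the protection scheme and shows that a null-scheme SUCI still yields the IMSI. The function and constant names are hypothetical, and the sample bytes are constructed for PLMN 001/01, not taken from a capture.

```python
"""Classify a 5GS mobile identity IE value (SUCI, IMSI SUPI format) by protection scheme."""

# Protection scheme identifiers defined for SUCI
SCHEMES = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}


def tbcd(data: bytes) -> str:
    """Decode BCD digits, low nibble first; 0xF nibbles are filler."""
    nibbles = [n for b in data for n in (b & 0x0F, b >> 4)]
    return "".join(str(n) for n in nibbles if n != 0xF)


def classify_identity(value: bytes) -> dict:
    """value = IE contents after the length field; octet 0 carries the identity type."""
    if not value:
        raise ValueError("empty mobile identity")
    type_id = value[0] & 0x07
    if type_id != 1:                          # 1 = SUCI
        return {"verdict": "NOT_SUCI", "type_id": type_id}
    if (value[0] >> 4) & 0x07 != 0:           # SUPI format 0 = IMSI
        return {"verdict": "UNSUPPORTED_SUPI_FORMAT", "type_id": type_id}
    if len(value) < 8:
        raise ValueError("truncated SUCI")
    n = [value[1] & 0xF, value[1] >> 4, value[2] & 0xF,   # MCC digits 1-3
         value[3] & 0xF, value[3] >> 4, value[2] >> 4]    # MNC digits 1-3 (digit 3 may be filler)
    mcc = "".join(map(str, n[:3]))
    mnc = "".join(str(d) for d in n[3:] if d != 0xF)
    scheme = value[6] & 0x0F
    result = {
        "type_id": type_id, "plmn": mcc + mnc, "routing_indicator": tbcd(value[4:6]),
        "scheme": SCHEMES.get(scheme, f"other ({scheme})"), "hn_key_id": value[7],
        "supi": None,
    }
    if scheme == 0:
        # Null-scheme: the scheme output is the MSIN in plain BCD, so the IMSI is recoverable
        result.update(verdict="WARN", supi=mcc + mnc + tbcd(value[8:]))
    elif scheme in (1, 2):
        result["verdict"] = "PASS"            # MSIN is ECIES-encrypted
    else:
        result["verdict"] = "REVIEW"          # reserved or operator-specific scheme
    return result


# Constructed samples (not from a capture): PLMN 001/01, routing indicator 0
NULL_SUCI = bytes.fromhex("0100f110f0ff00000000000010")
ECIES_SUCI = bytes.fromhex("0100f110f0ff0101") + bytes(45)  # placeholder key, ciphertext, MAC

if __name__ == "__main__":
    for name, sample in (("null", NULL_SUCI), ("ecies", ECIES_SUCI)):
        print(name, classify_identity(sample))
```

For the null-scheme sample the recovered SUPI is the lab IMSI used in TC-REG-02, which is why the pass criteria flag that scheme as a lab limitation.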


TC-REG-04: Tracking Area Update (4G TAU)

Threat Model

sequenceDiagram
    participant UE as srsUE
    participant ENB1 as eNB-1 (TAC=1)
    participant ENB2 as eNB-2 (TAC=2)
    participant MME as MME
    participant ATTACKER as Attacker

    Note over UE,ATTACKER: THREAT: TAU leaks GUTI and location to attacker
    UE->>ENB1: Served by eNB-1 (TAC=1)

    Note over UE: UE moves to eNB-2 area
    UE->>ENB2: RRC Connection + TAU Request (GUTI, old TAI)
    Note over ATTACKER: ⚠️ TAU Request reveals GUTI<br/>Tracks UE movement between TAs
    ENB2->>MME: S1AP InitialUEMessage (TAU Request)
    MME->>MME: Validate GUTI, check old TAI
    MME-->>UE: TAU Accept (new TAI list)
    Note over ATTACKER: ⚠️ Passive observer can map<br/>UE to geographic TA over time
    Note over UE,MME: ✅ GUTI re-allocation on TAU<br/>limits persistent tracking

Objective

Verify TAU procedure completes without full re-authentication when UE moves between Tracking Areas.

Steps

# 1. Attach UE in TA-1 (default lab config, TAC=1)
# (Assumes srsUE attached from TC-REG-02)

# 2. Check current TA in MME
docker logs open5gs-epc 2>&1 | grep "TAI" | tail -5

# 3. Simulate TA change by modifying eNB TAC and restarting
# Edit srsenb config: enb.tac=2
sudo srsenb --enb.tac=2 --enb.mme_addr=172.22.0.4 &

# 4. UE detects TA change and sends TAU Request
# Monitor MME logs
docker logs -f open5gs-epc 2>&1 | grep -E "TAU|Tracking Area"

# 5. Capture TAU exchange
sudo tshark -i lo -f "sctp port 36412" -w ~/open5gs-lab/captures/tc-reg-04.pcap &

Expected Results

Pass Criteria

TAU completes; IP retained; no service interruption. GUTI re-allocated in TAU Accept.


TC-REG-05: Multiple UE Registration — Scalability

Threat Model

graph TD
    subgraph LEGIT["Legitimate UEs (x10)"]
        U1["UE-1 IMSI ...001"]
        U2["UE-2 IMSI ...002"]
        U3["UE-3 IMSI ...003"]
        UN["UE-N IMSI ...010"]
    end

    subgraph ATTACK["Attack Scenario: Registration Storm"]
        A1["Attacker UE-A1 (invalid IMSI)"]
        A2["Attacker UE-A2 (invalid IMSI)"]
        A3["Attacker UE-AN (1000x invalid)"]
    end

    U1 & U2 & U3 & UN -->|Concurrent Reg Requests| AMF["AMF\n(Open5GS)"]
    A1 & A2 & A3 -->|Storm: 1000 req/s| AMF

    AMF -->|Valid IMSI| UDM["UDM\n(subscriber lookup)"]
    AMF -->|Invalid IMSI| REJECT["Registration Reject\n5GMM #11"]

    AMF -->|All 10 legit| REGISTERED["✅ All 10 Registered\nPDU Sessions Up"]
    AMF -->|Flood| DEFENDED["⚠️ Test: Does AMF crash?\nLegit UEs still served?"]

    style ATTACK fill:#7b2d00,color:#fff
    style DEFENDED fill:#e67e22,color:#fff
    style REGISTERED fill:#27ae60,color:#fff

Objective

Verify AMF handles 10 concurrent registrations without drop or misrouting; validate scalability under load.

Steps

# 1. Ensure 10 subscribers registered in MongoDB (TP-00 Step 7)

# 2. Launch 10 UE containers with staggered 100ms start
for i in $(seq 1 10); do
  docker run -d --name ueransim-ue-${i} \
    --cap-add=NET_ADMIN \
    --network open5gs-lab_ran \
    -v ~/open5gs-lab/5g/config/ue-${i}.yaml:/etc/ueransim/ue.yaml \
    louisroyer/ueransim-ue:latest
  sleep 0.1
done

# 3. Wait for registrations
sleep 15

# 4. Check all 10 registered
docker logs open5gs-amf 2>&1 | grep "is registered" | wc -l
# Expected: 10

# 5. Check AMF metric (URL quoted so the shell does not treat "?" as a glob character)
curl -s 'http://localhost:9090/api/v1/query?query=amf_registered_ue_count' | jq .

# 6. Verify each UE has an IP
for i in $(seq 1 10); do
  docker exec ueransim-ue-${i} ip addr show uesimtun0 2>/dev/null | grep "inet " | awk '{print "UE-'$i': "$2}'
done

# 7. Cleanup
for i in $(seq 1 10); do docker rm -f ueransim-ue-${i}; done

Expected Results

Pass Criteria

All 10 UEs registered and have active PDU sessions. AMF metric accurate.