-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication Failure - ngKSI already in use #307
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: AshithaCDAC <[email protected]>
c019095
to
fe5da79
Compare
gmm/handler.go
Outdated
@@ -1558,6 +1558,16 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
ue.AuthenticationCtx = response | |||
ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|||
if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
// As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | |||
if ue.NgKsi.Ksi < 6 { // ksi is range from 0 to 6 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ue.NgKsi.Ksi = (ue.NgKsi.Ksi +1) % 7
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incorporated the suggested changes.
fe5da79
to
c29b742
Compare
Signed-off-by: AshithaCDAC <[email protected]>
@@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
ue.AuthenticationCtx = response | |||
ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|||
if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |
if ue.NgKsi.Tsc == models.ScType_NATIVE { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ue.NgKsi.Ksi will never be 7.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with Ajay's comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would appreciate clarification on the statement regarding Key lifetimes in the specification 33.501 section 6.2.3.3 which states 'In case the UE does not have a valid KAMF, an ngKSI with value "111" shall be sent by the UE to the network, which can initiate (re)authentication procedure to get a new KAMF based on a successful primary authentication.'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would appreciate clarification on the statement regarding Key lifetimes in the specification 33.501 section 6.2.3.3 which states 'In case the UE does not have a valid KAMF, an ngKSI with value "111" shall be sent by the UE to the network, which can initiate (re)authentication procedure to get a new KAMF based on a successful primary authentication.'
@thakurajayL what are yout thoughts about this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read the section you mentioned. It just says that if UE sends 111 then it just means UE does not have Kamf and its requesting new keys. In my opinion its perfectly fine to remove the != 7 check in the above code and let the keys rotate from 0 to 6.
// As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | ||
ue.NgKsi.Ksi = (ue.NgKsi.Ksi + 1) % 7 | ||
} | ||
ue.GmmLog.Info("ngKSI after 5G-AKA: ", ue.NgKsi.Ksi) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ue.GmmLog.Info("ngKSI after 5G-AKA: ", ue.NgKsi.Ksi) | |
ue.GmmLog.Infoln("ngKSI after 5G-AKA:", ue.NgKsi.Ksi) |
@@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
ue.AuthenticationCtx = response | |||
ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|||
if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with Ajay's comment
@@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
ue.AuthenticationCtx = response | |||
ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|||
if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
// As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, should not it be 33.501 the correct document to reference?
// As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | |
// As per the Specification 33.501 - 6.2.3.2 Key identification |
Issue:
Authentication failure with cause ngKSI already in use
Troubleshoot:
Identified the root cause: the core includes the same ngKSI value from the Registration Request
in the Authentication request
Fix:
Updated the ngKSI value after the 5G AKA procedure
Supporting Data:
Authentication_fail_ngksi_already_in_use.zip