Authentication Failure - ngKSI already in use #307
Conversation
Signed-off-by: AshithaCDAC <[email protected]>
gab-arrobo
force-pushed
the
ngksi-already-in-use
branch
2 times, most recently
from
c019095
to
fe5da79
Compare
gmm/handler.go
Outdated
| @@ -1558,6 +1558,16 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
| ue.AuthenticationCtx = response | |||
| ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|
|||
| if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
| // As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | |||
| if ue.NgKsi.Ksi < 6 { // ksi is range from 0 to 6 | |||
There was a problem hiding this comment.
ue.NgKsi.Ksi = (ue.NgKsi.Ksi +1) % 7
There was a problem hiding this comment.
Incorporated the suggested changes.
ashithacdac
force-pushed
the
ngksi-already-in-use
branch
from
fe5da79
to
c29b742
Compare
Signed-off-by: AshithaCDAC <[email protected]>
| @@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
| ue.AuthenticationCtx = response | |||
| ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|
|||
| if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
There was a problem hiding this comment.
| if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |
| if ue.NgKsi.Tsc == models.ScType_NATIVE { |
There was a problem hiding this comment.
ue.NgKsi.Ksi will never be 7.
There was a problem hiding this comment.
Agree with Ajay's comment
There was a problem hiding this comment.
I would appreciate clarification on the statement regarding Key lifetimes in the specification 33.501 section 6.2.3.3 which states 'In case the UE does not have a valid KAMF, an ngKSI with value "111" shall be sent by the UE to the network, which can initiate (re)authentication procedure to get a new KAMF based on a successful primary authentication.'
There was a problem hiding this comment.
I would appreciate clarification on the statement regarding Key lifetimes in the specification 33.501 section 6.2.3.3 which states 'In case the UE does not have a valid KAMF, an ngKSI with value "111" shall be sent by the UE to the network, which can initiate (re)authentication procedure to get a new KAMF based on a successful primary authentication.'
@thakurajayL what are yout thoughts about this?
There was a problem hiding this comment.
I read the section you mentioned. It just says that if UE sends 111 then it just means UE does not have Kamf and its requesting new keys. In my opinion its perfectly fine to remove the != 7 check in the above code and let the keys rotate from 0 to 6.
| // As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | ||
| ue.NgKsi.Ksi = (ue.NgKsi.Ksi + 1) % 7 | ||
| } | ||
| ue.GmmLog.Info("ngKSI after 5G-AKA: ", ue.NgKsi.Ksi) |
There was a problem hiding this comment.
| ue.GmmLog.Info("ngKSI after 5G-AKA: ", ue.NgKsi.Ksi) | |
| ue.GmmLog.Infoln("ngKSI after 5G-AKA:", ue.NgKsi.Ksi) |
| @@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
| ue.AuthenticationCtx = response | |||
| ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|
|||
| if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
There was a problem hiding this comment.
Agree with Ajay's comment
| @@ -1558,6 +1558,12 @@ func AuthenticationProcedure(ue *context.AmfUe, accessType models.AccessType) (b | |||
| ue.AuthenticationCtx = response | |||
| ue.ABBA = []uint8{0x00, 0x00} // set ABBA value as described at TS 33.501 Annex A.7.1 | |||
|
|
|||
| if ue.NgKsi.Tsc == models.ScType_NATIVE && ue.NgKsi.Ksi != 7 { | |||
| // As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | |||
There was a problem hiding this comment.
BTW, should not it be 33.501 the correct document to reference?
| // As per the Specification 24.501 - 5.4.1.3.2 Authentication initiation by the network | |
| // As per the Specification 33.501 - 6.2.3.2 Key identification |
Issue:
Authentication failure with cause ngKSI already in use
Troubleshoot:
Identified the root cause: the core includes the same ngKSI value from the Registration Request
in the Authentication request
Fix:
Updated the ngKSI value after the 5G AKA procedure
Supporting Data:
Authentication_fail_ngksi_already_in_use.zip