Demonstration of Untrusted Access of 5GCN using N3IWF
DOCUMENTATION OF N3IWF
Software Requirements:
OS Ubuntu 20.04.
kernel version 5.4.0-84-generic
my5G-core.
non3GPP-access.
gtp5g v0.5.4.
Libgtp5gnl v0.5.0.
Wireshark
Minimum Hardware Requirements:
CPU: Intel i5 processor.
RAM: 4GB.
Hard drive: 30GB.
NIC: Any 1Gbps nl80211-compatible wireless device that supports the AP operating mode.
Note: The project was recreated on Linux kernel 5.15 without any errors. Skip the part on switching to the 5.4 kernel if required.
Setting up kernel:
Go to the BIOS, change Storage > SATA/NVMe Operation to AHCI/NVMe, and turn off Secure Boot.
Download & Install the kernel file 5.4.0-84-generic
sudo apt-get install --install-recommends linux-generic-hwe-20.04
sudo apt install fwupd
sudo service fwupd start
sudo fwupdmgr refresh
fwupdmgr get-devices
fwupdmgr get-updates
sudo fwupdmgr update
Install the linux-headers and linux-extra packages using the commands
sudo apt update
sudo apt install linux-headers-5.4.0-84-generic
sudo apt install linux-modules-extra-5.4.0-84-generic
sudo update-grub
reboot
Now switch to 5.4.0 kernel
(If you are facing network issues then install the network drivers)
- After booting into the Linux 5.4.0 kernel, use the command
lspci
- Get the info of the LAN port and search for the appropriate drivers.
- Boot into another kernel (with network connectivity) and download the drivers (here are the required drivers for our case).
- Switch to Linux kernel 5.4.0-84 and install the drivers.
Note: BIOS settings may need to be re-verified/changed after upgrading the BIOS.
Installation of my5g-core:
Install the necessary packages available in Ubuntu repositories:
sudo apt update && sudo apt -y install gcc cmake autoconf \
build-essential libtool pkg-config libmnl-dev libyaml-dev \
wget git net-tools mongodb
Make sure that MongoDB is running:
sudo systemctl start mongodb
Install Go (assuming there is no previous version installed):
wget https://dl.google.com/go/go1.14.4.linux-amd64.tar.gz
sudo tar -C /usr/local -zxvf go1.14.4.linux-amd64.tar.gz
mkdir -p ~/go/{bin,pkg,src}
echo 'export GOPATH=$HOME/go' >> ~/.bashrc
echo 'export GOROOT=/usr/local/go' >> ~/.bashrc
echo 'export PATH=$PATH:$GOPATH/bin:$GOROOT/bin' >> ~/.bashrc
source ~/.bashrc
Install the proper version of Logrus and fatal:
go get -u github.com/sirupsen/logrus
go get -u github.com/calee0219/fatal
Install the proper version of the Linux kernel module 5G GTP-U:
Install GTP5G:
git clone https://github.com/free5gc/gtp5g.git
cd gtp5g
make clean && make && sudo make install
Install libgtp5gnl:
cd ~
git clone https://github.com/free5gc/libgtp5gnl.git
cd libgtp5gnl
autoreconf -iv
./configure --prefix=`pwd`
make
Configure the Linux host to offer routing and NAT services. In the following, <DN_INT> must be substituted by the name of the interface used for Internet access, e.g., eth0 or enp0s3. The firewall service (i.e., ufw) is disabled so that the 5G core can communicate with outside networks.
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o <DN_INT> -j MASQUERADE
sudo systemctl stop ufw
5G Core
Download the source code:
git clone https://github.com/my5G/my5G-core.git
cd my5G-core
git checkout master
git submodule sync
git submodule update --init --jobs `nproc`
git submodule foreach git checkout master
git submodule foreach git pull --jobs `nproc`
Install the dependencies:
go mod download
Compile the network functions:
make all
Installation of my5G-non3GPP-access and UE:
git clone https://github.com/my5G/my5G-non3GPP-access.git ~/my5G-core/src/ue
cd ~/my5G-core
go build -o bin/ue -x src/ue/ue.go
Setting up experimental environment
sudo apt-get update && sudo apt-get install dnsmasq hostapd wget -y
Y1 Interface - Connection between UE & Wi-Fi AP (Access Point)
Create two virtual interfaces:
sudo modprobe mac80211_hwsim radios=2
Now open a terminal and go to the ue folder:
cd ~/my5G-core/src/ue/
To create network namespaces for UE, Wi-Fi AP, and UPF:
sudo ip netns add APns
sudo ip netns add UEns
sudo ip netns add UPFns
To isolate the IEEE 802.11 radio of the Wi-Fi AP, e.g., wlan0, open a new terminal and run these commands:
cd ~
sudo ip netns exec APns bash
echo $BASHPID
Go back to the first terminal and run the command below, replacing APns_BASHPID with the process ID printed in the APns shell, to allocate the wlan0 interface to APns:
sudo iw phy phy0 set netns APns_BASHPID
To isolate the IEEE 802.11 radio of the UE, e.g., wlan1, open another new terminal and run these commands:
cd ~
sudo ip netns exec UEns bash
echo $BASHPID
Go back to the first terminal and run the command below, replacing UEns_BASHPID with the process ID printed in the UEns shell, to allocate the wlan1 interface to UEns:
sudo iw phy phy1 set netns UEns_BASHPID
Open a new terminal.
To assign an IP address to the Wi-Fi AP wireless interface:
sudo ip netns exec APns ip addr add 192.168.1.10/24 dev wlan0
The dnsmasq tool is used as a Dynamic Host Configuration Protocol (DHCP) server for automatically assigning IP addresses to the UE. First, create the dnsmasq.conf file:
sudo killall dnsmasq
sudo touch ~/dnsmasq.conf && sudo chmod 666 ~/dnsmasq.conf
echo -e "interface=wlan0\ndhcp-range=192.168.1.2,192.168.1.254,255.255.255.0,12h\nserver=8.8.8.8\nlog-queries\nlog-dhcp\nlisten-address=127.0.0.1\ndhcp-host=02:00:00:00:01:00,192.168.1.1" > ~/dnsmasq.conf
Initializing the dnsmasq service:
sudo ip netns exec APns dnsmasq -C ~/dnsmasq.conf -D
We use the hostapd tool to enable a mac80211_hwsim (virtual) interface to act as a Wi-Fi AP. First, create the hostapd.conf file:
sudo touch ~/hostapd.conf && sudo chmod 666 ~/hostapd.conf
echo -e "interface=wlan0\ndriver=nl80211\nssid=my5gcore\nchannel=0\nhw_mode=g\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\nwpa_passphrase=my5gcore\nauth_algs=3\nbeacon_int=100" > ~/hostapd.conf
Initializing the hostapd service. At the end of this process, wlan0 will become a Wi-Fi AP:
sudo ip netns exec APns hostapd ~/hostapd.conf -B
Now wlan0 is set as the master node. You can check this by opening a second terminal and typing the command:
iwconfig
wpa_supplicant is used to implement key negotiation and IEEE 802.11 authentication and association between the UE and the Wi-Fi AP. First, create the wpa_supplicant.conf file:
sudo touch ~/wpa_supplicant.conf && sudo chmod 666 ~/wpa_supplicant.conf
echo -e 'network={\nssid="my5gcore"\nkey_mgmt=WPA-PSK\npsk="my5gcore"\n}' > ~/wpa_supplicant.conf
Initializing the wpa_supplicant service for the UE:
sudo killall wpa_supplicant
sudo ip netns exec UEns wpa_supplicant -i wlan1 -c ~/wpa_supplicant.conf -B
sudo ip netns exec UEns dhclient wlan1
Now go to the first terminal and do the following:
Remove the default route from the UE:
sudo ip netns exec UEns route del -net 0.0.0.0 gw 192.168.1.10 netmask 0.0.0.0 dev wlan1
Check connection between UE and AP
At this point, the virtual interface wlan1 (IP address 192.168.1.1/24) is connected to wlan0 (IP address 192.168.1.10/24), which acts as a Wi-Fi access point.
sudo ip netns exec UEns iwconfig
You can also check the IP address configuration of the wlan1 interface.
sudo ip netns exec UEns ip addr show wlan1
The IP address of the wlan1 interface must be 192.168.1.1/24.
Check for a successful ping:
From the APns bash: ping 192.168.1.1
From the UEns bash: ping 192.168.1.10
Y2 Interface - Connection between Wi-Fi AP and N3IWF
Virtual ethernet is the connection between Wi-Fi AP and N3IWF. The ip addressing for the Y2 interface and the virtual interfaces are shown in the figure below:
Setting up the architecture:
Setting up the ethernet devices, bridges and routes of our PoC:
cd ~/my5G-core/src/ue/sample/my5g_wifi_config/utils/
./env_manager.sh up $(ip route | grep default | cut -d' ' -f5)
Setting up the 5G core:
Open a new terminal window:
While following these instructions you may see some errors or info messages on screen from the build and backup commands. This is because we built the 5G core earlier. To make sure no dependencies are left out, we will still run each command.
# Enable forwarding, stop ufw, install module gtp5g and add rule on iptables
cd ~/my5G-core/src/ue/
sudo ./sample/my5g_wifi_config/utils/fix_core.sh
# If an error appears, it is because a required installation step was already done earlier.
# Backup of the config folder
cd ~/my5G-core
mv -f config config.orig
# Using my5g_wifi_config folder for configuration
cp -R src/ue/sample/my5g_wifi_config/ config
# Backup of upf config
mv -f src/upf/build/config/upfcfg.yaml src/upf/build/config/upfcfg.yaml.orig
# New configuration for upf
cp src/upf/config/upfcfg.sample1.yaml src/upf/build/config/upfcfg.yaml
# set UE http bind address
sudo sed -i 's/HttpIPv4Address: .*/HttpIPv4Address: 192.168.1.1/' config/uecfg.conf
# Remove database due to previous tests
mongo free5gc --eval "db.dropDatabase()"
# Compile webconsole
go build -o bin/webconsole -x webconsole/server.go
# Run webconsole
./bin/webconsole &
Now open your favorite web browser and go to localhost:5000 (127.0.0.1:5000). It will open the free5gc login page; log in with these credentials:
username : admin
password : free5gc
Now press Ctrl+C in the terminal and run the command given below to add a user equipment:
#Add the UE that will be used in the test
~/my5G-core/src/ue/sample/my5g_wifi_config/utils/add_test_ue.sh
Now open the web browser again, go to 127.0.0.1:5000, and you will see in the subscribers list that a user equipment has been added.
RUNNING THE EXPERIMENT
Starting monitoring tools
# Wireshark for global namespace
wireshark -kni any --display-filter "isakmp or nas-5gs or ngap or pfcp or gtp or esp or gre" &
Starting UPF
# Use a new terminal so we can easily see the logs
cd ~/my5G-core/sample/sample1/utils
./run_upf.sh
Running the other NFs in my5G-core network
Run the components of core in this order: NRF->AMF->SMF->UDR->PCF->UDM->NSSF->AUSF->N3IWF.
Run NRF:
cd ~/my5G-core
./bin/nrf &
Run AMF:
cd ~/my5G-core
./bin/amf &
Run SMF:
cd ~/my5G-core
./bin/smf &
Run UDR:
cd ~/my5G-core
./bin/udr &
Run PCF:
cd ~/my5G-core
./bin/pcf &
Run UDM:
cd ~/my5G-core
./bin/udm &
Run NSSF:
cd ~/my5G-core
./bin/nssf &
Run AUSF:
cd ~/my5G-core
./bin/ausf &
Finally, to run N3IWF:
cd ~/my5G-core
sudo ./bin/n3iwf
Starting UE
# Use a new terminal or split
cd ~/my5G-core/
# Starting UE
sudo ip netns exec UEns ./bin/ue
Triggering initial registration procedure
# New ike_bind_addr
sed -i 's/ike_bind_addr=.*/ike_bind_addr=${ike_bind_addr:-"192.168.1.1"}/' ~/my5G-core/src/ue/trigger_initial_registration.sh
# Starting the initial registration procedure
sudo ip netns exec UEns ~/my5G-core/src/ue/trigger_initial_registration.sh --ue_addr 192.168.1.1 --ue_port 10000 --scheme http
CHECKING THE EXPERIMENT
Check creation of the rules in UPF
You can also check the creation of the rules in UPF. The SMF component instructs the UPF to create rules for packet detection (PDR) and forwarding (FAR).
PDR
To view the PDR:
sudo ip netns exec UPFns ~/libgtp5gnl/tools/gtp5g-tunnel list pdr
Note that you can see PDI info such as the IP address of the UE and the action in the FAR ID. This information is necessary to allow the UPF to identify the packets.
FAR
To view the FAR:
sudo ip netns exec UPFns ~/libgtp5gnl/tools/gtp5g-tunnel list far
The FAR with action 2 means forward the packet. Other possible actions could be drop, duplicate or buffer.
Check associations between UE and N3IWF
XFRM policy
sudo ip netns exec UEns ip xfrm policy
XFRM state
To view XFRM state between UE and N3IWF:
sudo ip netns exec UEns ip xfrm state
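The XFRM state check can be scripted. The following is an added example, not part of the original post or of the my5G-core project: it parses `ip xfrm state` output and confirms that ESP SAs exist in both directions between the UE (192.168.1.1) and the N3IWF (192.168.127.1), each with encryption and integrity. The function names and the sample SAs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page); function names are illustrative.
# Constructed sample in the layout `ip xfrm state` prints; keys are dummy zeros.
sample_xfrm_state() {
cat <<'EOF'
src 192.168.1.1 dst 192.168.127.1
    proto esp spi 0x00000001 reqid 1 mode tunnel
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000
src 192.168.127.1 dst 192.168.1.1
    proto esp spi 0x00000002 reqid 1 mode tunnel
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000
EOF
}

# audit_xfrm_state UE_IP N3IWF_IP   (reads `ip xfrm state` output on stdin)
# Prints one line per SA between the two peers, without key material, and
# returns non-zero if a direction is missing or an SA is not ESP, has null
# encryption, or has no integrity algorithm.
audit_xfrm_state() {
  awk -v ue="$1" -v gw="$2" '
    function emit(   v) {
      if (src == "") return
      if (!((src == ue && dst == gw) || (src == gw && dst == ue))) return
      v = "ok"
      if (proto != "esp") v = "FAIL:not-esp"
      else if (enc == "" || enc ~ /cipher_null/) v = "FAIL:null-encryption"
      else if (auth == "" || auth ~ /digest_null/) v = "FAIL:no-integrity"
      if (v != "ok") bad++
      seen[(src == ue) ? "out" : "in"] = 1
      printf "%s -> %s spi=%s mode=%s enc=%s auth=%s %s\n", src, dst, spi, mode, enc, auth, v
    }
    $1 == "src"   { emit(); src = $2; dst = $4; proto = spi = mode = enc = auth = "" }
    $1 == "proto" { proto = $2
                    for (i = 3; i < NF; i += 2) {
                      if ($i == "spi")  spi  = $(i + 1)
                      if ($i == "mode") mode = $(i + 1)
                    } }
    $1 == "enc"   { enc = $2 }
    $1 ~ /^auth/  { auth = $2 }
    $1 == "aead"  { enc = auth = $2 }    # AEAD gives encryption and integrity
    END { emit()
          if (!seen["out"] || !seen["in"]) { print "FAIL:missing-direction"; bad++ }
          exit (bad > 0) }
  '
}

sample_xfrm_state | audit_xfrm_state 192.168.1.1 192.168.127.1
```

On the testbed, pipe the live output into it: `sudo ip netns exec UEns ip xfrm state | audit_xfrm_state 192.168.1.1 192.168.127.1`. Because `ip xfrm state` prints the SA keys, the function reports algorithm names only, so its output can be kept in notes without exposing key material.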
Check connectivity between UE and UPF
Ping to 60.60.0.101
# Starting monitoring tools for each interface at path between UE and UPF
sudo ip netns exec UEns wireshark -kni ipsec0 &
sudo ip netns exec UEns wireshark -kni gretun0 &
sudo ip netns exec UEns wireshark -kni wlan1 &
sudo ip netns exec APns wireshark -kni wlan0 &
sudo ip netns exec APns wireshark -kni veth3 &
sudo wireshark -kni veth2 &
sudo wireshark -kni veth0 &
sudo ip netns exec UPFns wireshark -kni any &
Then, to do a ping test:
sudo ip netns exec UEns ping -c 1 60.60.0.101
The output of ping test:
You can observe the ICMP packets at all interfaces between UE and UPF. We provided the pcapng files for in-depth analysis.
Traceroute analysis
To do a traceroute between UE and UPF:
sudo ip netns exec UEns traceroute 60.60.0.101
UE and UPF are one hop of distance due to the GRE (Generic Routing Encapsulation) tunnel.
Check connectivity between UE and Internet
Ping to 8.8.8.8
You can also ping the Internet (8.8.8.8):
sudo ip netns exec UEns ping -c 1 8.8.8.8
The output of ping test:
Traceroute analysis
To do a traceroute between UE and Internet:
sudo ip netns exec UEns traceroute 8.8.8.8
From this, you can see that the traffic from the UE to the Internet goes through the UPF.
Wireshark output:
- The UE's IP is 60.60.0.1. When it pings 8.8.8.8, the GTP protocol is translated to the ICMP protocol and sent via the UPF (10.1.2.2) towards 8.8.8.8, and the acknowledgement is re-translated to the GTP protocol towards the UE.
- Connection between UE WLAN1 (192.168.1.1) and N3IWF VETH2 (192.168.127.1).
- Here we can see the output after applying the following filters (isakmp or nas-5gs or ngap or pfcp or gtp or esp or gre).
Architecture & Network addressing scheme
1. https://github.com/LABORA-INF-UFG/paper-MCAK-2021/wiki/Running-the-experiment
2. https://github.com/LABORA-INF-UFG/paper-MCAK-2021/wiki/Checking
3. https://vabhishekraj.blogspot.com/2022/12/initial-procedure-for-kernel-switching.html
Combined effort by :
V Abhishek Raj (vabhishekraj@idrbt.ac.in)
Beeranna Dude (dbeeranna@idrbt.ac.in)
Project supported by 5G Use case lab - IDRBT