search

travelping / ergw

erGW - Erlang implementations of GGSN or P-GW
GNU General Public License v2.0
82 stars 33 forks source link

APN validation #10

Closed msupra closed 2 years ago

msupra commented 7 years ago

Hi

I configured ergw to only validate one APN: {apns, [{[<<"vservices">>], [{vrf, upstream}]} ]}

But during testing, I could use any APN and ergw would send radius authentication request to AAA servers. With correct APN and user configured on AAA, PDP context is created and logs show: 11:01:36.802 [info] AuthResult: success 11:01:36.803 [info] ActiveSessionOpts: #{'3GPP-Allocation-Retention-Priority' => 2,'3GPP-Charging-Characteristics' => <<8,0>>,'3GPP-GGSN-Address' => {10,0,0,154},'3GPP-GPRS-Negotiated-QoS-Profile' => <<11,146,31>>,'3GPP-IMSI' => <<"240010123456789">>,'3GPP-IMSI-MCC-MNC' => <<"24001">>,'3GPP-NSAPI' => 0,'3GPP-PDP-Type' => 'IPv6','3GPP-SGSN-Address' => <<10,0,0,152>>,'Acct-Authentic' => 'RADIUS','AuthProvider' => ergw_aaa_radius,'AuthProviderState' => {state,<<"ergw.conor.co.za">>,{{10,0,0,80},1812,<<"testing123">>},{{10,0,0,80},1813,<<"testing123">>},success,[],default},'Called-Station-Id' => <<"vservices">>,'Calling-Station-Id' => <<"27828099496">>,'Framed-IP-Address' => {172,25,0,1},'Framed-Protocol' => 'GPRS-PDP-Context','Interim-Accounting' => 10000,'MS-Primary-DNS-Server' => <<"\b\b\b\b">>,'MS-Primary-NBNS-Server' => <<127,0,0,1>>,'MS-Secondary-DNS-Server' => <<8,8,4,4>>,'MS-Secondary-NBNS-Server' => <<127,0,0,1>>,'Multi-Session-Id' => 66101610735641112384308940457214434475822284805,'Password' => <<"hemmelig">>,'Service-Type' => 'Framed-User','Session-Id' => 66101610735641112384308940457214434475822284806,'Username' => <<"mig">>} 11:01:36.803 [debug] handle_call: {allocate_pdp_ip,19,{172,25,0,1},undefined} 11:01:36.803 [debug] DP Call #gtp_port{name=grx,type='gtp-u',pid=<0.201.0>,restart_counter=16,ip={10,0,0,154}}: {create_pdp_context,{10,0,0,152},23,1,{172,25,0,1}} 11:01:36.803 [debug] DP Call <5226.181.0>: {create_pdp_context,{10,0,0,152},23,1,{172,25,0,1}} 11:01:36.804 [debug] DP Call Reply: {error,4026531839} 11:01:36.804 [debug] Event: Account 'Start'

With incorrect APN, AAA is still being called, but because the APN is not configured in AAA, the Auth request fails and no PDP context is created: 11:02:44.859 [info] AuthResult: fail 11:02:44.860 [error] Received DOWN information for <0.654.0> with info normal 11:02:44.860 [error] ctld Session terminating with state {state,0,<0.654.0>,#Ref<0.0.1.7738>,false,false,undefined,undefined,#{'3GPP-Allocation-Retention-Priority' => 2,'3GPP-Charging-Characteristics' => <<8,0>>,'3GPP-GGSN-Address' => {10,0,0,154},'3GPP-GPRS-Negotiated-QoS-Profile' => <<11,146,31>>,'3GPP-IMSI' => <<"240010123456789">>,'3GPP-IMSI-MCC-MNC' => <<"24001">>,'3GPP-NSAPI' => 0,'3GPP-PDP-Type' => 'IPv6','3GPP-SGSN-Address' => <<10,0,0,152>>,'AuthProvider' => ergw_aaa_radius,'AuthProviderState' => {state,<<"ergw.conor.co.za">>,{{10,0,0,80},1812,<<"testing123">>},{{10,0,0,80},1813,<<"testing123">>},fail,[],default},'Called-Station-Id' => <<"vservices1">>,'Calling-Station-Id' => <<"27828099496">>,'Framed-Protocol' => 'GPRS-PDP-Context','Interim-Accounting' => 10000,'Multi-Session-Id' => 66101610735641112384308940457214434475822284807,'Password' => <<"hemmelig">>,'Service-Type' => 'Framed-User','Session-Id' => 66101610735641112384308940457214434475822284808,'Username' => <<"mig">>}} with reason normal

I would have expected that ergw should have validated the APN and not tried to do an Auth.

Regards Morne

RoadRunnr commented 7 years ago

The APN is indeed not validated properly and the error return is not well defined.

The fix for this will require a partial rewrite of the error return logic. Currently, the plan is to use throws for deep error returns and catch them in the right places. However, implementing this will take some time and there is no quick fix for this.

msupra commented 7 years ago

Hi Andreas

Thanks for the feedback.

Regards Morne

On 20 Jan 2017, at 11:24, Andreas Schultz notifications@github.com wrote:

The APN is indeed not validated properly and the error return is not well defined.

The fix for this will require a partial rewrite of the error return logic. Currently, the plan is to use throws for deep error returns and catch them in the right places. However, implementing this will take some time and there is no quick fix for this.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/travelping/ergw/issues/10#issuecomment-274020979, or mute the thread https://github.com/notifications/unsubscribe-auth/AA8VWrRxIMxbsN4KbAifcTG7l9jf-k7Aks5rUH0_gaJpZM4LpFHo.

vkatsuba commented 2 years ago

The AVP validation was added and logic was extended in the latest versions. @RoadRunnr please reopen or create new one if I miss something.