This commit adds support for processing network-initiated PDU Session
Modification in a home-routed roaming context, following section 4.3.3.3
of the specification.
Previously, policies were configured via YAML files without MongoDB.
This update enhances the YAML approach by adding the 'supi_range' key to
filter policies based on UE SUPI ranges. When both 'supi_range' and
'plmn_id' are provided, both conditions must be met.
Note that PLMN-ID filtering will be deprecated in a future release.
Introduce client_delegated_config to manage delegation settings for NRF and SCP
separately. This ensures that in Model C, all NRF-related procedures
(registration, heartbeat, deregistration, etc.) communicate directly with the
NRF without routing through the SCP. This change aligns Open5GS behavior with
3GPP standards, providing consistent direct communication for both discovery
and management in Model C, and maintaining indirect communication in Model D.
- Direct Communication with NRF
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
```
- Indirect Communication by Delegating to SCP
```
sbi:
client:
scp:
- uri: http://127.0.0.200:7777
```
- Indirect Communication without Delegation
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: no # Directly communicate NRF discovery
scp:
next: no # Do not delegate to SCP for next-hop
```
- Indirect Communication with Delegated Discovery
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
delegated:
nrf:
nfm: no # Directly communicate NRF management functions
disc: yes # Delegate discovery to SCP
scp:
next: yes # Delegate to SCP for next-hop communications
```
- Default delegation: all communications are delegated to the SCP
```
sbi:
client:
nrf:
- uri: http://127.0.0.10:7777
scp:
- uri: http://127.0.0.200:7777
# No 'delegated' section; defaults to AUTO delegation
```
This update allows the parsing and handling of user-defined port numbers
in the `advertise` field or explicitly in the `server` configuration for
SBI. Users can now specify non-default ports for both binding and
advertising while maintaining compatibility with existing configurations.
The feature includes logic to handle FQDNs with embedded port numbers
(e.g., `example.com:8080`) and ensures proper memory management during
parsing. Updated the client association logic to utilize custom ports
when specified.
Examples:
- Bind to the address on the eth0 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- dev:eth0
advertise: open5gs-amf.svc.local
```
- Specify a custom port number 7777 while binding to the given address
```
sbi:
server:
- address: amf.localdomain
port: 7777
```
- Bind to 127.0.0.5 and advertise as open5gs-amf.svc.local
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local
```
- Bind to port 7777 but advertise with a different port number 8888
```
sbi:
server:
- address: 127.0.0.5
port: 7777
advertise: open5gs-amf.svc.local:8888
```
- Add `sslkeylogfile` configuration options to `*.yaml.in` in NFs.
- Update `open5gs-common.dirs` to include `var/log/open5gs/tls` directory
- Extend `ogs_sbi_context_s` structure in `context.h` to include `sslkeylog`
- Modify `context.c` to parse and handle `sslkeylogfile` settings
- Update `server.c` and `server.h` to manage the `sslkeylog` field
in server structures
- Update `ogs_sbi_client_add` and `ogs_sbi_client_remove` functions to handle
`sslkeylog` field.
- Adjust `meson.build` to create the TLS log directory during installation
This commit introduces SSL key logging functionality to Open5GS,
enabling the capture of SSL/TLS keys. This feature is essential
for debugging encrypted traffic and allows integration with tools
like Wireshark for decrypting TLS sessions.
Added support for binding to local IP addresses in ogs_sctp_client and
ogs_sctp_server, and correct SGsAP configuration
Implemented the ability to bind to one or multiple local IP addresses using
`sctp_bindx()` in both the `ogs_sctp_client()` and `ogs_sctp_server()` APIs.
Users can now specify local addresses in the configuration files under the new
`local_addresses` field, reducing unnecessary complexity and signaling caused
by binding to `ANY_ADDR`.
This update addresses issue https://osmocom.org/issues/6509 by ensuring
correct operation in multi-interface and complex networking setups.
Additionally, corrected the `sgsap` configuration by changing it
from `server` to `client`, and added support for specifying `local_addresses`
for local binding as follows:
```
sgsap:
client:
- address: msc.open5gs.org # SCTP server address configured on the MSC/VL
local_address: 127.0.0.2 # SCTP local IP addresses to be bound in the M
```
SMF selection according to 4.3.2.2.3 of TS23.502.
V-SMF makes discovery in the V-NRF according to V-NSSF.
H-SMF makes discovery in the H-NRF according to H-NSSF.
(The AMF goes through the V-NSSF and forwards the message seeking the NRF to the H-NSSF.)
When running the open5gs package with systemd network config, the 1st IP address
of the UE pool configured in open5gs-upfd config file for ogstun is
being assigned to the interface through this file.
That was discussed as being a desirable default setup.
However, in the event a user wants a setup where no IP address is
assigned to the tundev, then it's not enough removing the IP address,
because then the implicit routing rules regarding the subnet of the IP
address added automatically by the kernel are also removed.
This patch adds config sections to set up the routing explicitly, with
the aim to get the routing still applied if the user decides to comment
out the IP address, so that packets are still forwarded properly in that
case.
Related: https://osmocom.org/issues/6361
The way subnet is set up has changed as shown below.
```
<OLD Format>
smf:
session:
- subnet: 10.45.0.1/16
<NEW Format>
smf:
session:
- subnet: 10.45.0.0/16
gateway: 10.45.0.1
```
For more information, please refer to Pull Request #2975.
Do not attempt to run "systemctl reload" on the open5gs services, unless
they are running. This fixes the logrotate service failing on this
postrotate script, if units are not running or not installed.
Move the config to the sgsn node instead of having a specific route with
specific format "default: route", since anyway internally it's already
applied to the sgsn object.
* [MME] Introduce aging timers
* Creating three new timers
* mirroring work done by gstaa on the AMF
* Implicit detach procedures added
* Fix for detach from unknown UE
* no Purge Timer, no config, expanded code
o Generate the private key as below.
$ openssl genpkey -algorithm X25519 -out /etc/open5gs/hnet/curve25519-1.key
$ openssl ecparam -name prime256v1 -genkey -conv_form compressed -out /etc/open5gs/hnet/secp256r1-2.key
o The private and public keys can be viewed with the command.
The public key is used when creating the SIM.
$ openssl pkey -in /etc/open5gs/hnet/curve25519-1.key -text
$ openssl ec -in /etc/open5gs/hnet/secp256r1-2.key -conv_form compressed -text
In ausf/udm.yaml
hnet:
o Home network public key identifier(PKI) value : 1
Protection scheme identifier : ECIES scheme profile A
- id: 1
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 2
Protection scheme identifier : ECIES scheme profile B
- id: 2
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
o Home network public key identifier(PKI) value : 3
Protection scheme identifier : ECIES scheme profile A
- id: 3
scheme: 1
key: /etc/open5gs/hnet/curve25519-1.key
o Home network public key identifier(PKI) value : 4
Protection scheme identifier : ECIES scheme profile B
- id: 4
scheme: 2
key: /etc/open5gs/hnet/secp256r1-2.key
Related to #1779
Expose metrics with labels according to ETSI TS 128 552 V16.13.0 in
PCF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
Since slice itself is not unique, the plmnid label is exposed in
addition to snssai.
AM policy:
fivegs_pcffunction_pa_policyamassoreq and
fivegs_pcffunction_pa_policyamassosucc do not expose snssai label
since it is not available at the time of exposure.
plmnid is defined during AM policy processing, so not to lose the
difference to ...succ, the basic metric
fivegs_pcffunction_pa_policyamassoreq is preserved.
SM policy:
snssai is defined during SM policy processing, so not to lose the
difference to ...succ, the basic metric
fivegs_pcffunction_pa_policysmassoreq is preserved.
Those 2 basic metrics retain their position but are exposed with empty
labels.
Metrics with labels are called later, when the label values are known.
Exposed metrics example:
-standard counters:
fivegs_pcffunction_pa_policyamassoreq{plmnid=""} 3
fivegs_pcffunction_pa_policyamassoreq{plmnid="99970"} 3
fivegs_pcffunction_pa_policyamassosucc{plmnid="99970"} 3
fivegs_pcffunction_pa_policysmassoreq{plmnid="",snssai=""} 3
fivegs_pcffunction_pa_policysmassoreq{plmnid="99970",snssai="1000009"} 3
fivegs_pcffunction_pa_policysmassosucc{plmnid="99970",snssai="1000009"} 3
-nonstandard gauge (added for controlling purposes -
same metric as existing metric on AMF and SMF):
fivegs_pcffunction_pa_sessionnbr{plmnid="99970",snssai="1000009"} 0
Expose metrics with labels according to ETSI TS 128 552 V16.13.0 in
UPF by using hash.
The metrics are named respecting the rule:
<generation>_<measurement_object_class>_<measurement_family_name>_<metric_name_as_in_TS_128_552>
5qi is not available in UPF.
To present 5qi to the user, MN will have to maintain a table qfi->5qi
for each QoS flow (will have to get information from SMF).
So UPF has to expose qfi. qfi itself is not useful. When used, UPF will
have to expose additional label to define the session (e.g. source
interface).
Label dnn is set to value of APN/DNN received in Establishment.
Since SMF does not add APN/DNN to Establishment, the label is empty.
When APN/DNN will be set by SMF, it should be added to sess in UPF
and used in metrics on Modification and Deletion.
Both datavolumeqosleveln3upf are exposed in bytes.
MN is providing the transformation to kbits.
fivegs_upffunction_upf_qosflows should expose the number of QFIs used in
sessions, but exposes number of QER rules, which is currently equal to
QFIs.
The label snsssai is not provided since the slice is not available on UPF.
Exposed metrics example:
Standard counters:
fivegs_ep_n3_gtp_indatapktn3upf 28637
fivegs_ep_n3_gtp_outdatapktn3upf 14729
fivegs_upffunction_sm_n4sessionestabreq 4
fivegs_upffunction_sm_n4sessionestabfail{cause="66"} 1
fivegs_upffunction_sm_n4sessionestabfail{cause="71"} 68
fivegs_upffunction_sm_n4sessionestabfail{cause="68"} 4
fivegs_upffunction_sm_n4sessionestabfail{cause="72"} 15
fivegs_upffunction_sm_n4sessionestabfail{cause="75"} 3
fivegs_upffunction_sm_n4sessionestabfail{cause="65"} 4
fivegs_upffunction_sm_n4sessionreport 0
fivegs_upffunction_sm_n4sessionreportsucc 0
fivegs_ep_n3_gtp_indatavolumeqosleveln3upf{qfi="1"} 39792997
fivegs_ep_n3_gtp_outdatavolumeqosleveln3upf{qfi="1"} 737548
Nonstandard gauge (added for controlling purposes -
same metric as existing metric on AMF and SMF):
fivegs_upffunction_upf_sessionnbr 1
Standard gauge:
fivegs_upffunction_upf_qosflows{dnn=""} 1
