an active measurements approach to discover 3g networks parameter settings antonio barbuzzi...
TRANSCRIPT
An active measurements An active measurements approach to discover 3G approach to discover 3G
networks parameter settingsnetworks parameter settings
Antonio Barbuzzi
Telematics LAB – DEE, Politecnico di Bari, Italy
(in cooperation with FTW, Austria)
COST-TMA
Samos, Greece, 22 Sep. 2008
1. Motivation Resource Management and Mobility Management Motivation
2. Our work Testbed CCH to DCH transition DCH release CCH release and Paging Tool
3. Work In Progress
OutlineOutline
COST-TMA, Samos, Greece22 Sep. 2008
OutlineOutline
1. Motivation Resource Management and Mobility Management Motivation
2. Our work Testbed CCH to DCH transition DCH release CCH release and Paging Tool
3. Work In Progress
COST-TMA, Samos, Greece22 Sep. 2008
Resource Management and Mobility ManagementResource Management and Mobility Management
Resource Management and Mobility Management involve simple algorithms with only a few parameters
Usually only one parameter involved (timeout or threshold), tunable by the network operator.
Algorithms react to the traffic generated by the users (both in active and passive way).
We are trying to generate traffic patterns to discover these values.
Example of RR and MM proceduresAssignment/Releases of Dedicated CHannelAssignement/Release of Common CHannel Paging Procedures...
COST-TMA, Samos, Greece22 Sep. 2008
MotivationsMotivations
Set up more realistic 3G simulations scenarios
3G operator willing to discover their competitor's settings
Check compliance between planned values and equipment behaviour
Fine tuning of DoS attack
...
COST-TMA, Samos, Greece22 Sep. 2008
OutlineOutline
1. Motivation Resource Management and Mobility Management Motivation
2. Our work Testbed CCH to DCH transition DCH release CCH release and Paging Tool
3. Work In Progress
COST-TMA, Samos, Greece22 Sep. 2008
TestbedTestbed
Packets from the Wired Host to Mobile Station under test
Post-Process elaboration on dumped traffic
Synchronization issues Mobile Station and Wired Host coincide
Independence of wired part delay from sending pattern
Almost only downlink-only ICMP Echo-Request packets
3G core network
Internet
MobileStation
WiredHost
M H W
COST-TMA, Samos, Greece22 Sep. 2008
CCH to DCH TransitionCCH to DCH TransitionBasic idea: DCH Channel is
assigned when we need more bandwidth
Aim: controlling CCH to DCH switch
Execution: start from CCH, send fixed-IDT packets
Findings:DCH switch time
CCH and DCH bandwidth
Empirical DCH switch on procedure
Detailed DCH assignment algorithms is leaved for further study
More parameters can be extracted from figureS
W(t) = count process
of bytes sent from W
SM(t) = count process of
bytes received from M
COST-TMA, Samos, Greece22 Sep. 2008
DCH ReleaseDCH Release
Basic Idea: DCH release is based on a timeout that is reset upon each sent or received packet.
Aim: we want to verify this hypothesis and find the DCH release timeout
Execution: send ICMP Echo-Request with slowly increasing interdeparture time (IDT), until the switch to CCH
Findings:
DCH Release timeout
DCH to CCH completion time
Sending packets with IDT slightly lower than the timeout forces the DCH to remain assigned indefinitely to the MS (DCH starvation attacks)
• τk = τ
k−1 + ∆τ + ω
• ∆τ, a fixed incrementω, a random value
Detecting the switch using:Increase of one-way delayChannel status as reported from some 3G cards
COST-TMA, Samos, Greece22 Sep. 2008
DCH ReleaseDCH Release
Net.1 Net.2
•DCH Release timeout ~ 2.7 s•Switching time ~ 1.5 s
•DCH Release timeout ~ 5 s•Switching time ~ 2 s
COST-TMA, Samos, Greece22 Sep. 2008
CCH Release and PagingCCH Release and Paging
Basic Idea: If the MS is silent for more than a timeout, the RNC force the MS to switch to the Paging Channel (PCH).
Aim: Determine the timer governing the paging
Execution: experiment similar to the previous one used for the DCH, sending packets with increasing IDT.
Findings:
Paging procedure length
Paging timeout
timeout is restarted every DCH release
After a paging procedure, MS switch to DCH
Note:
Possibility to fine tune a paging attack
COST-TMA, Samos, Greece22 Sep. 2008
CCH Release and PagingCCH Release and Paging
Net.1 Net.2
Paging timer: 28.6÷29.1 sPaging delay:
Paging timer: 105÷106 sPaging delay:
overlapoverlap
COST-TMA, Samos, Greece22 Sep. 2008
CCH Relase and PagingCCH Relase and Paging
We send a packet in CCHWe wait x secondskth packet triggers pagingWe wait x s
In this x seconds we have:Paging procedure + DCH switch on + DCH_timeout + DCH_switch offPaging timer is reset
(k+1) th paging is x s far from previous one, but less than x s from paging timer reset,so it doesn't trigger the paging procedure
COST-TMA, Samos, Greece22 Sep. 2008
Estimated Value of Most Relevant ValuesEstimated Value of Most Relevant Values
COST-TMA, Samos, Greece22 Sep. 2008
ToolTool
We have developed a tool to automatize data collection and extraction of parameters•Need another name! “Tool” doesn't sound good!
Python
Linux, but potentially platform indipendent
Simple pre-process of datas
Preliminary visualization of datas
Minimal configuration from operator
It's a preliminary version
COST-TMA, Samos, Greece22 Sep. 2008
OutlineOutline
1. Motivation Resource Management and Mobility Management Motivation
2. Our work Testbed CCH to DCH transition DCH release CCH release and Paging Tool
3. Work In Progress
COST-TMA, Samos, Greece22 Sep. 2008
Work In ProgressWork In Progress
More complex characterisation of involved algorithms
Automatic extraction of all parameters with change-point detection techniques
Of course, enhancement of the tool
Analyse of other 3G networks
We would like to share this tool and cooperate with everybody is interested in it!
Is there anybody interested in?
COST-TMA, Samos, Greece22 Sep. 2008
Any questions?(please speak slowly)
COST-TMA, Samos, Greece22 Sep. 2008