the peril of cellular network evolution · 2015-09-25 · recap:’mobile’network’evolu5on’...

The Peril of Cellular Network Evolution

Chunyi Peng Fall 2015

Recap: Mobile Network Evolu5on

MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 2

1G AMPS, NMT,

TACS

M1980s

analog voice

2G GSM/GPRS/EDGE

cdmaOne

1990s

Digital voice + Simple data

3G WCDMA/HSPA+ CDMA2000/EVDO

TD-‐SCDMA

2000s

Mobile broadband

APP

4G LTE

LTE-‐advanced

2010s

More and Faster

The Power of Evolu5on •  Larger capacity (support more online) •  Higher speed (up to 42Mbps for HSPA, 150Mbps for LTE)

•  Seamless mobility support •  Versa5le services (web-‐>mobile apps) •  New services (eg, HD conference calls) •  …


The Peril?


Double-‐Edged Evolu5on •  Q1: Will the exis5ng, well-‐established techniques s5ll well support emerging features?

•  Q2: Will new features bring new side-‐effects?


Network Architecture Evolu5on


Telecomm IP-‐based Internet

•  Circuit-‐switching for voice

•  Packet-‐switching for everything

•  IP-‐based


•  Packet-‐switching for data

2G 3G 4G

Emerging Problems in Network Evolu5on



•  Packet-‐switching for everything

•  IP-‐based


•  Packet-‐switching for data

2G 3G 4G

Q1: Will existing techniques fail to well support emerging requirements? YES!

Q2: Will new features raise new side-effects?

Double-‐Edged Evolu5on •  Q1: Will current and well-‐established technique well support new features? – From Voice to Data (2G -‐> 3G/4G)

• Mobile data charging: [mobicom’12, CCS’12, Mobisys’13, CCS’14]

•  Q2: Will new features bring new side-‐effects? – From CS+PS to PS only (3G-‐>4G)

•  Voice support: CSFB and VoLTE: [mobicom’13, CNS’15, CCS’15]

•  Control-‐plane interacRons: [SIGCOMM’14, TON’15]


The Peril of Mobile Data Charging

Q1: Will the exis5ng, well-‐established techniques fail to well support emerging requirements?

[Mobicom’12, CCS’12, Mobisys’13, CCS’14]

Volume-‐based Charging •  Essen5al to mobile operators and users

– $500B revenue – $10-‐80/month per line in USA

•  What is your data plan?

•  Key: data usage volume – How much? Who? Agree?


Are Our Data Bills Correct?

Three Technical Requirements on AAA •  Mobile data charging: collect how much data is actually used by whom at his/her consent


Authentication The user being billed

= Who transfers data.

Authorization The user agrees to use data and pay it.

Accounting Volume should be accurate.

Background on Current Data Charging


P-GW

4G Mobile Network

HSS

Accoun5ng: How many bytes through the core?

Internet

Seemingly Simple, Sound and Solid


What’s Wrong?

What if the wireless link fails?


UDP Server ✗ U P-GW

Accoun5ng

Packet lost, but accounRng conRnues! We pay for what we do not receive!

Mobicom’12

in Real World •  450MB observed in one run (no sign of limit)

•  Over-‐accoun5ng volume = rate x dura5on (no coverage)

•  Observed in all the test carriers (US, China, Japan, etc)

•  No coverage -‐> weak coverage (par5al loss)


WHAT’S WRONG? •  Root Cause: Open-‐loop Accoun5ng, Accoun5ng before delivery

•  Data: Volume = local view@core


Volume_OPERATOR ñ Volume_MOBILE = 0

U P-GW✗

WHY for Mobile Data? •  Data: Volume = local view@core

•  Voice: minute = local view@core – Open-‐loop accoun5ng for circuit-‐switching: OK


Volume_OPERATOR ñ Volume_MOBILE = 0

U P-GW✗

U MSC/GMSC✗

Inconsistent view due to PS

consistent

view due to CS

What if Mobility? •  Over-‐accoun5ng example in LA: 71.3%

•  Over-‐accoun5ng for mobility observed – @ 3 major US operators – @ 2 largest ci5es in US: New York and Los Angeles – @ freeway and local

•  Cause: Inter-‐system handoff ( e.g., 3G-‐>4G) – Accoun5ng gap: 0.5~ 1.5MB per handoff

19

3G 4G

Handoff

Mobisys’13

12-mile in west LA

OP: 44.3MB Mobile: 12.7MB

71.3%

During Inter-‐system Handoff •  #1: Data transmission suspends on radio link

•  #2: Buffer discarded aser handoff

20

SGSN/GGSN 3G

4G S-‐GW/P-‐GW

5 to 100+ seconds

Results: 0.5-1.5MB per HO

✗ 100 - 300 KB

Handoff

THIS IS NOT THE END






Benign (normal) -‐ Accoun5ng inaccuracy

Malicious atacks(exploits) -‐ AAA vulnerable

CCS’14, CCS’12




User authentication via AKA

U.IP 10.0.0.1

IP allocation Bearer (GTP) established

P-GW

U.IP10.0.0.1

U

U.IP U’s bill

X

U.IP U’s bill

In charging: AuthenRcaRon bypass (IP spoofing)

WHAT’S WRONG? •  IP Spoofing allowed in data packets (smart-‐end) •  IP as the charging ID without secure binding (operator) –  Bypass exis5ng authen5ca5on

•  Free-‐uplink access using other’s IP –  Real threats: two US carriers allowed IP spoofing but one via IP-‐based charging

–  Status: fixed aser our report and work with both US carriers (Nov 2014)




PGW

U.GTP U.IPþ

þ Filtering

Outbound via authen5ca5on

Filter setup

þ  FilteringInbound via implicit mapping

U


Filter: still valid (stateful)Close the app(TCP: half-open, UDP: still open)

X

U.IP

þ þ

MMS Server X

Network-‐based; 1st-‐5me only (user can’t say no)

MMS

þ þ

U

More attacks: Skype, web/video phishing [CCS12]

PGW



UX

P-GW

TTL = n TTL >=0 TTL =0 (dropped)

Atack idea: Make packet lost aser accoun5ng but

before end-‐to-‐end delivery

Fundamental Conflicts in PS and MDC


Packet: source and des5na5on Charging: who is authen5cated en5ty? (control plane vs. data plane)

Packet: connec5onless, no state Charging: what is the state of connec5on packets belong to (@phone vs. @network)

Packet: independent over hops Charging: Is it delivered? (at the end vs. in the middle)

PGW

U

PS Supports Data Beter


But, PS may not well support data charging that somehow follows a conven5onal CS design

Disccussion


BACKUP: MOBILE DATA CHARGING


Undercharging: “Free” Data Access •  Free DNS (before Aug 2012)

– @ three US major operators – Flow-‐based charging policy, but not enforced carefully

•  OP-‐I: free if via Port 53 •  OP-‐II: free if UDP via Port 53

31

Core Router e.g. SGSN/GGSN

Policy: Free DNS Service

Accoun5ng

Undercharging: “Free” Data Access •  Free DNS Free data access (fixed now)

– @ three US major operators – DNS tunneling

32

Core Router e.g. SGSN/GGSN

Pseudo-DNS Server Results: 200MB+ free of charge No sign of limit

Policy: Free DNS Service

Accoun5ng

Beyond DNS •  Root-‐cause: differen5al policy & careless enforcement

•  Solu5on: stop it or use prudent enforcement

33

Differen5al charging policy e.g., free access to one website/ via some APN, or cheaper VoIP than Web, MMS

Gap btw policy and its enforcement Bullet-‐proof design & prac5ce

Incen5ve to pay less (A\ackers or even normal users)

Bill

How Bad the Gap Can Be? •  Gap ≈ Source-‐rate x dura5on

–  In propor5on to UDP source rate: 50Kbps ~ 8Mbps

–  In propor5on to 5me: 1min ~ 6 hour (< 3 hours)

34

0

20

40

60

0 1 2 3 4 5 6 7 8 9

Sent-‐by-‐Server Overaccoun5ng

Source-rate (Mbps), OP-I, 1min

Volu

me

(MB

)

0

20

40

60

0 1 2 3 4 5 6

OP-‐I OP-‐II

Duration (hr), source = 50Kbps

Gap Exists With Signals

35 Source Rate (Kbps)

RSSI (dBm)

-113

-105

-90 Strong-Signal (SS)

Weak-Signal (W)

Weaker-Signal (WR) No-Signal (NS)

ñ S ñ, Gapñ RSSI , Gapñ Cause: Packet drops over radio link.

Common Behaviors •  Gap for TCP without signals: 2.9 ~ 50KB •  Test with 5 applica5ons:

– Web, Skype, YouTube, PPS streaming, VLC streaming

•  User study: gap ≤ 2% (mostly, 5-‐7% observed)

36

Web Skype YouTube PPS VLC

Med (MB) -0.03 0.88 0.23 3.30 2.97 Min (MB) 0.00 0.40 0.20 0.72 1.45 Max (MB) -0.04 0.99 0.34 4.3 29.9

Data accounting is largely successful in practice. Users may occasionally be overcharged.

the peril of cellular network evolution · 2015-09-25 · recap:’mobile’network’evolu5on’...

Documents