[re-post] NAS messages format

Posted: August 8, 2012 in technical

It’s been a long time since the last time I wrote anything, but lately I feel the need to write down what I’ve been reading (just to have some reference for the future). Today’s post will be about how the NAS messages are constructed. As I was used to working with GTPv2, the NAS protocol looked like a big mess to me. Here’s what I’ve figured out so far.

The spec governing the NAS protocol in 4G is 24.301. It describes both the procedures and the message format. Each time I need to figure out what messages should appear for a certain event I first have to read the procedure and find the names of the messages. The description of the procedure usually contains some directions for the content of the messages too. The next phase is analyzing each message. For each message there is a table with the Information Elements (IEs) that are to be included. Note that the IEs are marked as mandatory, conditional or optional. Each IE has a dedicated chapter where the structure of the IE is described. Note that there are multiple types of IEs (V – value, LV – length-value, TV – type-value, TLV – type-length-value, etc.). The mandatory IEs are included in the packets without the type (24.301 8.1), and that is why for the NAS messages the IEs need to be put in the packet in the exact same order as in the table describing the message. In that table it can be noticed that these mandatory IEs have no IEI (IE Identifier) associated with them.
As the communication between the UE and the MME needs to be secure, usually the NAS messages are integrity protected and sometimes ciphered. Depending on whether the NAS message is security protected or not, the format changes. If the message is security protected, a security header appears (24.301 9.1). This security header contains the security type, the protocol discriminator (always “EPS mobility management messages” for security protected messages, 24.301 9.2), a MAC (message authentication code – a hash that allows the other end of the communication to see if the message was tampered with) and a sequence number. After this header the NAS message actually begins, with its own header. This header of the plain NAS message consists of the protocol discriminator (this time it can be different from “EPS mobility management messages”), the EPS bearer identity or security header type (this time “Plain NAS message, not security protected”), a procedure transaction identifier and a message type. After this mandatory header the other information elements appear.

Note: When setting the security type the negotiated encryption and ciphering algorithms play no part at all (24.301 4.4.5 Ciphering of NAS signalling messages). This means that a message that was encrypted with the NULL algorithm (not encrypted at all) can still be encoded as a security protected message that is ciphered.
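
The layout described above and the point of the note, as an added example that is not part of the original post: a Python parser that splits a NAS PDU into its security header and plain NAS header, then checks whether a message marked as ciphered is in fact readable. The field widths and numeric values are taken from 24.301, the function names are hypothetical, and the sample bytes are constructed.

```python
# Security header type values, high nibble of octet 1 (24.301 section 9)
SEC_HDR = {
    0: "Plain NAS message, not security protected",
    1: "Integrity protected",
    2: "Integrity protected and ciphered",
    3: "Integrity protected with new EPS security context",
    4: "Integrity protected and ciphered with new EPS security context",
}
PD_ESM, PD_EMM = 0x2, 0x7  # protocol discriminator, low nibble of octet 1
# Constructed sample: type 2 header, MAC, sequence number 5, plain EMM message
SAMPLE = bytes.fromhex("27" "deadbeef" "05" "0743" "0000")


def parse_plain(buf):
    """Parse the header of a plain NAS message; the rest is the IEs."""
    if len(buf) < 2:
        raise ValueError("plain NAS message too short")
    hi, pd = buf[0] >> 4, buf[0] & 0x0F
    if pd == PD_EMM:  # EMM: security header type, then message type
        return {"pd": pd, "sec_type": hi, "msg_type": buf[1], "ies": buf[2:]}
    if pd == PD_ESM:  # ESM: EPS bearer identity, PTI, then message type
        if len(buf) < 3:
            raise ValueError("ESM message too short")
        return {"pd": pd, "ebi": hi, "pti": buf[1], "msg_type": buf[2], "ies": buf[3:]}
    raise ValueError(f"unsupported protocol discriminator {pd:#x}")


def parse_nas(buf):
    """Split a NAS PDU into its security header (if any) and inner message."""
    if len(buf) < 2:
        raise ValueError("NAS PDU too short")
    sec_type, pd = buf[0] >> 4, buf[0] & 0x0F
    if sec_type == 0 or pd != PD_EMM:
        return {"protected": False, "inner": parse_plain(buf)}
    if sec_type not in SEC_HDR:
        raise ValueError(f"security header type {sec_type} not handled here")
    if len(buf) < 6:
        raise ValueError("truncated security header")
    out = {"protected": True, "sec_type": SEC_HDR[sec_type], "seq": buf[5],
           "marked_ciphered": sec_type in (2, 4), "mac": buf[1:5].hex()}
    # The header type does not name the algorithm: under the NULL cipher the
    # payload still parses as a plain NAS message. This is a heuristic only.
    try:
        inner = parse_plain(buf[6:])
        out["inner"] = inner if inner.get("sec_type", 0) == 0 else None
    except ValueError:
        out["inner"] = None
    return out
```

A result with `marked_ciphered` set and a non-empty `inner` is what a capture looks like when the NULL algorithm is in use, although real ciphertext can occasionally pass this check by chance.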

Comments
  1. Anonymous says:

    Good Information!!!
