What it does
In the Rhino VoLTE TAS, the purpose of the network application function (NAF) authentication filter is to verify a subscriber’s identity before allowing them to view or modify their subscriber configuration using XCAP.
The NAF filter is part of the 3GPP specified general authentication architecture (GAA).
Service information
The configuration for the NAF filter includes a number of settings that provide information about the service it’s providing.
- The service-type is a number that identifies the type of service the NAF filter is providing within the GAA. Recognized values for this setting are defined in Annex B of 3GPP TS 29.109. The default value for the NAF filter is 0, which indicates an "unspecific service".
- The service-id is a number that uniquely identifies the exact service the NAF filter is providing within an operator’s network. The value that should be used is operator specific, but must match the service ID in the subscriber’s Generic Bootstrapping Architecture User Security Settings (GUSS) in the HSS.
- The naf-group is a name that identifies the group that the NAF filter instance is a part of. The group name is decided by the operator, and use of this field is optional. The NAF group provides an additional layer of control, on top of the service type and ID, over which part of the GUSS is used by the NAF filter instance.
Cassandra database
The Rhino VoLTE TAS’s implementation of the NAF filter differs from the 3GPP specification in the way that it communicates with the Bootstrap Security Function (BSF). Rather than communicating directly using the Diameter Zn interface, a Cassandra database is used as an intermediary. This allows the BSF and NAF nodes to be stateless, making it easy to scale out horizontally.
Optionally, the NAF filter can also use a Cassandra database to track all nonce values that are currently in use; see Nonce values for details.
There are many settings available for controlling the behavior of the connection with the Cassandra database. This includes settings for:
- load balancing
- network sockets
- reconnection behavior
- SSL usage
For a comprehensive list of options, see the cassandra-connectivity section in the declarative configuration reference.
Nonce values
When generating an authentication challenge for the subscriber’s handset, the NAF filter must create a nonce value to include as part of it. This nonce value is one part of the mechanism used by the handset to verify its identity in subsequent messages. For this reason, the NAF filter must keep track of the values used for each subscriber for each authentication challenge.
Nonce values can either be tracked locally by the NAF filter or in a Cassandra database, which can be selected using the storage-mechanism field. Using a Cassandra database allows the NAF filter to operate statelessly, meaning that if there are multiple NAF filter nodes in use, messages from a given subscriber do not always need to go to the same node. If a Cassandra database is to be used, the Cassandra keyspace to use must also be specified in the nonce-cassandra-keyspace field. The maximum number of nonce values that can be cached locally is determined by the cache-capacity field.
Normally, a single nonce should never be used more than once, but to avert the need to send a new challenge every time the handset wants to send a message, a separate nonce count number is included in each message. This allows the same nonce to be reused up to a number of times determined by the reuse-count field. The count starts at 1 in the first message and is incremented in each subsequent message.
A nonce can become invalid under a number of circumstances; if this happens, the subscriber’s handset must restart the authentication procedure. The nonce becomes invalid when any of the following conditions is met:
- Too much time has passed since the nonce was generated. The time period can be configured in the lifetime-milliseconds field.
- The IP address of the subscriber’s handset changes.
- The nonce count exceeds the maximum count configured in the reuse-count field.
- A message with the same nonce and nonce-count as a previous message is received.
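The following Python sketch is an added illustration, not code from the Rhino VoLTE TAS or its NAF filter, of how a local nonce store (storage-mechanism: local) can apply the four invalidation rules above. The field names in NonceOptions mirror the nonce-options settings described on this page; the class and method names, the "evict the oldest entry" policy when cache-capacity is reached, forgetting a nonce as soon as it is rejected, and the injectable millisecond clock are assumptions made for the example. A Cassandra-backed store would hold the same records in the configured keyspace so that any NAF filter node could validate a nonce issued by another node; the validation rules would be unchanged.

```python
"""Illustrative local nonce tracking for a NAF-style authentication filter."""
import secrets
import time
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class NonceOptions:
    # Names mirror the nonce-options fields; defaults are the page's sample values.
    lifetime_milliseconds: int = 180000
    reuse_count: int = 100
    cache_capacity: int = 100000


@dataclass
class NonceRecord:
    created_ms: int
    client_ip: str
    # nonce-count values already accepted for this nonce (replay detection)
    seen_counts: set = field(default_factory=set)


class LocalNonceStore:
    """In-memory nonce store, i.e. storage-mechanism: local (hypothetical class)."""

    def __init__(self, options: NonceOptions, clock=None):
        self.options = options
        # Injectable millisecond clock so the lifetime rule can be exercised in tests.
        self.clock = clock or (lambda: int(time.time() * 1000))
        self._records = OrderedDict()  # insertion order = creation order

    def issue(self, client_ip: str) -> str:
        """Create a fresh nonce for a challenge sent to client_ip."""
        # Assumed policy: evict the oldest nonce once cache-capacity is reached.
        while len(self._records) >= self.options.cache_capacity:
            self._records.popitem(last=False)
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._records[nonce] = NonceRecord(created_ms=self.clock(), client_ip=client_ip)
        return nonce

    def validate(self, nonce: str, nonce_count: int, client_ip: str):
        """Check a (nonce, nonce-count) pair presented from client_ip.

        Returns (accepted, reason). On any failure the nonce is forgotten, so the
        handset must restart authentication with a new challenge.
        """
        rec = self._records.get(nonce)
        if rec is None:
            return False, "unknown-nonce"
        # Rule 1: too much time has passed since the nonce was generated.
        if self.clock() - rec.created_ms > self.options.lifetime_milliseconds:
            return self._reject(nonce, "expired")
        # Rule 2: the handset's IP address changed.
        if client_ip != rec.client_ip:
            return self._reject(nonce, "ip-changed")
        # Rule 3: the nonce count exceeds reuse-count (counts start at 1).
        if nonce_count < 1 or nonce_count > self.options.reuse_count:
            return self._reject(nonce, "reuse-count-exceeded")
        # Rule 4: same nonce and nonce-count as an earlier message (replay).
        if nonce_count in rec.seen_counts:
            return self._reject(nonce, "replayed-count")
        rec.seen_counts.add(nonce_count)
        return True, "ok"

    def _reject(self, nonce: str, reason: str):
        self._records.pop(nonce, None)
        return False, reason


if __name__ == "__main__":
    store = LocalNonceStore(NonceOptions(reuse_count=3))
    n = store.issue("10.0.0.1")  # constructed sample client address
    for count in (1, 2, 3, 4):
        print(count, store.validate(n, count, "10.0.0.1"))
```

Every rejection path drops the record, which is what forces the handset back through a new challenge; a store that merely returned False but kept the record would let a replayed count keep probing the same nonce until its lifetime ran out.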
Configuration
What you need
- ❏ The service type for the NAF filter.
- ❏ The service ID for the NAF filter.
- ❏ Optionally, the name of the group that the NAF filter instance is a part of.
- ❏ Whether to use SSL when communicating with the Cassandra database.
- ❏ Any required changes to load balancing behavior for the Cassandra database.
- ❏ Any required changes to reconnection behavior for the Cassandra database.
- ❏ Any required changes to socket settings for the connection to the Cassandra database.
- ❏ Whether nonce values should be tracked locally or in a Cassandra database.
- ❏ If tracking nonce values in a Cassandra database, the Cassandra keyspace to use.
- ❏ The maximum amount of time a nonce should remain valid.
- ❏ The maximum number of times a nonce can be reused by incrementing the nonce count.
- ❏ The maximum number of nonce values that can be cached locally on the NAF filter node.
Setting up the NAF filter
I want to…
Set the service type
In the naf-filter section, set the service-type to the desired value:
service-type: 1
Related section: Service information
Set the service ID
In the naf-filter section, set the service-id to the desired value:
service-id: 2
Related section: Service information
Set the NAF group name
In the naf-filter section, set the naf-group to the desired value:
naf-group: "nafgroup1"
Related section: Service information
Adjust the reconnection behavior for communication with the Cassandra database
In the cassandra-connectivity section, set (or omit) any of the following fields with values as required:
reconnection-policy: constant
reconnection-interval-seconds: 10
reconnection-initial-delay-seconds: 1
reconnection-max-delay-seconds: 32
For additional information about these fields, see their respective entries in the declarative configuration reference.
Related section: Cassandra database
Adjust the network socket settings for communication with the Cassandra database
In the cassandra-connectivity section, set (or omit) any of the following fields with values as required:
socket-connect-timeout-milliseconds: 4000
socket-read-timeout-milliseconds: 4000
socket-keepalive: true
socket-reuse-address: true
socket-linger-seconds: 0
socket-tcp-nodelay: true
socket-receive-buffer-size-bytes: -1
socket-send-buffer-size-bytes: -1
For additional information about these fields, see their respective entries in the declarative configuration reference.
Related section: Cassandra database
Adjust the load balancing settings for communication with the Cassandra database
In the cassandra-connectivity section, set (or omit) any of the following fields with values as required:
lb-recipe: use-default
lb-latency-aware-exclusion-threshold: 0.0
lb-latency-aware-scale: 0.0
For additional information about these fields, see their respective entries in the declarative configuration reference.
Related section: Cassandra database
Use SSL when communicating with the Cassandra database
There are two implementations of SSL available for use. One is provided by the JDK, and the other by the Netty library.
To use the JDK SSL implementation, in the cassandra-connectivity section, set use-ssl to jdk:
use-ssl: jdk
To use the Netty SSL implementation, in the cassandra-connectivity section, set use-ssl to netty:
use-ssl: netty
Related section: Cassandra database
Disable SSL when communicating with the Cassandra database
In the cassandra-connectivity section, set use-ssl to none:
use-ssl: none
Related section: Cassandra database
Change the number of times a single nonce can be reused by incrementing the nonce count
In the nonce-options section, set reuse-count to the required maximum:
reuse-count: 100
Related section: Nonce values
Change how long a single nonce will remain valid after it is created
In the nonce-options section, set lifetime-milliseconds to the required time period in milliseconds:
lifetime-milliseconds: 180000
Related section: Nonce values
Track nonce values currently in use locally on the NAF filter
In the nonce-options section, set storage-mechanism to local:
storage-mechanism: local
Related section: Nonce values
Track nonce values currently in use in a Cassandra database
In the nonce-options section:
storage-mechanism: cassandra
nonce-cassandra-keyspace: "nonce_info"
- set storage-mechanism to cassandra
- set nonce-cassandra-keyspace to the Cassandra keyspace that should be used
Related section: Nonce values
Change how many nonce values can be cached locally by a NAF filter node
In the nonce-options section, set cache-capacity to the required maximum:
cache-capacity: 100000
Related section: Nonce values
Enable debug logging
Never enable debug logging on production systems.
In the naf-filter section, set debug-logging-enabled to true:
debug-logging-enabled: true
Disable debug logging
In the naf-filter section, set debug-logging-enabled to false:
debug-logging-enabled: false