What it does
In the Rhino VoLTE TAS, the purpose of the network application function (NAF) authentication filter is to verify a subscriber’s identity before allowing them to view or modify their subscriber configuration using XCAP.
The NAF filter is part of the 3GPP specified general authentication architecture (GAA).
Service information
The configuration for the NAF filter includes a number of settings that provide information about the service it’s providing.
- The service-type is a number that identifies the type of service the NAF filter is providing within the GAA. Recognized values for this setting are defined in Annex B of 3GPP TS 29.109. The default value for the NAF filter is 0, which indicates an "unspecific service".
- The service-id is a number that uniquely identifies the exact service the NAF filter is providing within an operator’s network. The value that should be used is operator specific, but must match the service ID in the subscriber’s Generic Bootstrapping Architecture User Security Settings (GUSS) in the HSS.
- The naf-group is a name that identifies the group that the NAF filter instance is a part of. The group name is decided by the operator, and use of this field is optional. The NAF group provides an additional layer of control, on top of the service type and ID, over which part of the GUSS the NAF filter instance uses.
Cassandra database
The Rhino VoLTE TAS’s implementation of the NAF filter differs from the 3GPP specification in the way that it communicates with the Bootstrap Security Function (BSF). Rather than communicating directly using the Diameter Zn interface, a Cassandra database is used as an intermediary. This allows the BSF and NAF nodes to be stateless, making it easy to scale out horizontally.
The NAF filter also uses a Cassandra database to track all nonce values that are currently in use; see Nonce values for details.
The Cassandra keyspace to use for nonce storage must be specified in the nonce-cassandra-keyspace field.
Nonce values
When generating an authentication challenge for the subscriber’s handset, the NAF filter must create a nonce value to include as part of it. This nonce value is one part of the mechanism used by the handset to verify its identity in subsequent messages. For this reason, the NAF filter must keep track of the values used for each subscriber for each authentication challenge.
Nonce values are tracked in a Cassandra database. This allows the NAF filter to operate statelessly, meaning that if there are multiple NAF filter nodes in use, messages from a given subscriber do not always need to go to the same node. The Cassandra keyspace to use must be specified in the nonce-cassandra-keyspace field.
Normally, a single nonce should never be used more than once, but to avert the need to send a new challenge every time the handset wants to send a message, a separate nonce count number is included in each message. This allows the same nonce to be reused up to a number of times determined by the reuse-count field. The count starts at 1 in the first message and is incremented in each subsequent message.
A nonce can become invalid under a number of circumstances; if this happens, the subscriber’s handset must restart the authentication procedure. The nonce becomes invalid when any of the following conditions are met:
- Too much time has passed since the nonce was generated. The time period can be configured in the lifetime-milliseconds field.
- The IP address of the subscriber’s handset changes.
- The nonce count exceeds the maximum count configured in the reuse-count field.
- A message with the same nonce and nonce-count as a previous message is received.
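The following is an added illustration, not code from the Rhino VoLTE TAS, of how the four invalidation rules above combine with the lifetime-milliseconds and reuse-count settings when a message arrives. The record layout, the in-memory store standing in for the Cassandra keyspace, and the function names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed config values, mirroring the nonce-options keys shown on this page.
LIFETIME_MS = 180000   # lifetime-milliseconds
REUSE_COUNT = 100      # reuse-count


@dataclass
class NonceRecord:
    """Per-nonce state the filter must remember (hypothetical layout, not the real Cassandra schema)."""
    nonce: str
    client_ip: str
    created_ms: int
    seen_counts: set = field(default_factory=set)


def issue_nonce(store, client_ip, now_ms):
    """Create a fresh, unpredictable nonce for a challenge and record it. `store` stands in for the keyspace."""
    nonce = secrets.token_hex(16)
    store[nonce] = NonceRecord(nonce, client_ip, now_ms)
    return nonce


def validate_nonce(store, nonce, nonce_count, client_ip, now_ms,
                   lifetime_ms=LIFETIME_MS, reuse_count=REUSE_COUNT):
    """Apply the invalidation rules listed above to one incoming message.

    Returns (accepted, reason). On any failure the record is dropped, so the
    handset has to restart authentication with a new challenge.
    """
    record = store.get(nonce)
    if record is None:
        return False, "unknown nonce"
    if now_ms - record.created_ms > lifetime_ms:
        reason = "nonce lifetime exceeded"
    elif client_ip != record.client_ip:
        reason = "client IP address changed"
    elif nonce_count < 1 or nonce_count > reuse_count:
        reason = "nonce count outside 1..reuse-count"
    elif nonce_count in record.seen_counts:
        reason = "nonce/nonce-count pair already used (replay)"
    else:
        record.seen_counts.add(nonce_count)
        return True, "ok"
    del store[nonce]
    return False, reason
```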
Configuration
What you need
- ❏ The service type for the NAF filter.
- ❏ The service ID for the NAF filter.
- ❏ Optionally, the name of the group that the NAF filter instance is a part of.
- ❏ The Cassandra keyspace to use for storing nonce values.
- ❏ The maximum amount of time a nonce should remain valid.
- ❏ The maximum number of times a nonce can be reused by incrementing the nonce count.
Setting up the NAF filter
I want to…
Set the service type
In the naf-filter section, set the service-type to the desired value:
service-type: 1
Related section: Service information
Set the service ID
In the naf-filter section, set the service-id to the desired value:
service-id: 2
Related section: Service information
Set the NAF group name
In the naf-filter section, set the naf-group to the desired value:
naf-group: "nafgroup1"
Related section: Service information
Change the number of times a single nonce can be reused by incrementing the nonce count
In the nonce-options section, set reuse-count to the required maximum:
reuse-count: 100
Related section: Nonce values
Change how long a single nonce will remain valid after it is created
In the nonce-options section, set lifetime-milliseconds to the required time period in milliseconds:
lifetime-milliseconds: 180000
Related section: Nonce values
Enable debug logging
Never enable debug logging on production systems.
In the naf-filter section, set debug-logging-enabled to true:
debug-logging-enabled: true
Disable debug logging
In the naf-filter section, set debug-logging-enabled to false:
debug-logging-enabled: false