Sorry, I only just saw your question. I used to check the bbs every day or two, but when I saw nobody was posting, I came by less often.
My understanding of this question is as follows: you need to look at 23.501, 23.502 and 33.501, since it is security-related. The intent is to protect sensitive information from being captured over the air before the security context is established (the security context is established after the SMC, security mode command, procedure). The original text of 23.501 reads: "The NAS message container shall be included if the UE is sending a Registration Request message as an Initial NAS message and the UE has a valid 5G NAS security context and the UE needs to send non-cleartext IEs, see clause 4.4.6 in TS 24.501 [25]. If the UE does not need to send non-cleartext IEs, the UE shall send a Registration Request message without including the NAS message container."
- Roughly, this means that once the security context is established, if the UE needs to send non-cleartext parameters (i.e. sensitive parameters), it must put them in the NAS message container of the Registration Request message. Of course, if the UE has no sensitive parameters that need protecting, it does not have to carry the NAS message container. This is why some NAS messages have this container and some do not.
The second passage of the spec is:
If the UE does not have a valid 5G NAS security context, the UE shall send the Registration Request message without including the NAS message container. The UE shall include the entire Registration Request message (i.e. containing cleartext IEs and non-cleartext IEs) in the NAS message container that is sent as part of the Security Mode Complete message in step 9b.
-- That is, if the UE has no security context, it must not carry the NAS message container at all, because it would be meaningless. After the security context is established, the UE puts the entire Registration Request message (including both the cleartext and the non-cleartext sensitive parameters) into this NAS message container and sends it up. Only after the AMF side has unwrapped it with the security context can it see the contents of the NAS message container.
In addition, clause 4.4.6 of 24.501, Protection of initial NAS signalling messages, also covers this; the original text is as follows, for reference:
If the UE does not have a valid 5G NAS security context, the UE sends a REGISTRATION REQUEST message including cleartext IEs only. After activating a 5G NAS security context resulting from a security mode control procedure:
1) if the UE needs to send non-cleartext IEs, the UE shall include the entire REGISTRATION REQUEST message (i.e. containing both cleartext IEs and non-cleartext IEs) in the NAS message container IE and shall include the NAS message container IE in the SECURITY MODE COMPLETE message; or
2) if the UE does not need to send non-cleartext IEs, the UE shall include the entire REGISTRATION REQUEST message (i.e. containing cleartext IEs only) in the NAS message container IE and shall include the NAS message container IE in the SECURITY MODE COMPLETE message.
b) If the UE has a valid 5G NAS security context and:
1) the UE needs to send non-cleartext IEs in a REGISTRATION REQUEST or SERVICE REQUEST message, the UE includes the entire REGISTRATION REQUEST or SERVICE REQUEST message (i.e. containing both cleartext IEs and non-cleartext IEs) in the NAS message container IE and shall cipher the value part of the NAS message container IE. The UE shall then send a REGISTRATION REQUEST or SERVICE REQUEST message containing the cleartext IEs and the NAS message container IE;
Finally, which IEs count as cleartext IEs? Clause 6.4.6 of 33.501, Protection of initial NAS message, gives some examples:
-- If the UE has no NAS security context, the initial NAS message shall only contain the cleartext IEs, i.e. subscription identifiers (e.g. SUCI or GUTIs), UE security capabilities, ngKSI, indication that the UE is moving from EPC, Additional GUTI, and IE containing the TAU Request in the case idle mobility from LTE.
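The three cases quoted above (no security context, valid context with cleartext IEs only, valid context with non-cleartext IEs), modelled as an added Python example that is not from the poster or from any 3GPP specification: the IE names, the flat IE encoding and the XOR "cipher" are constructed stand-ins, not the real NAS codec or NEA algorithms.

```python
import hashlib

# Cleartext IE labels following the TS 33.501 6.4.6 list quoted above (constructed names)
CLEARTEXT_IES = {"suci_or_guti", "ue_security_capabilities", "ngksi",
                 "moving_from_epc", "additional_guti", "tau_request"}

def encode_ies(ies):
    """Constructed flat encoding of an IE dict; not the real NAS message codec."""
    return ";".join(f"{k}={v}" for k, v in sorted(ies.items())).encode()

def decode_ies(raw):
    return dict(item.split("=", 1) for item in raw.decode().split(";") if item)

def cipher(key, data):
    """Toy XOR keystream derived from the key: a stand-in for NAS ciphering (NEA)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_initial_registration_request(ies, has_valid_ctx, key=None):
    """UE side: cleartext IEs are always sent in the clear; the NAS message
    container is added only with a valid 5G NAS security context and only
    when non-cleartext IEs are needed. The container carries the entire
    message (cleartext + non-cleartext IEs) with its value part ciphered."""
    cleartext = {k: v for k, v in ies.items() if k in CLEARTEXT_IES}
    needs_non_cleartext = any(k not in CLEARTEXT_IES for k in ies)
    msg = {"type": "REGISTRATION REQUEST", "ies": cleartext,
           "nas_message_container": None}
    if has_valid_ctx and needs_non_cleartext:
        msg["nas_message_container"] = cipher(key, encode_ies(ies))
    return msg

def build_security_mode_complete(ies, key):
    """UE had no context: after SMC the entire REGISTRATION REQUEST goes in
    the container of SECURITY MODE COMPLETE, with or without non-cleartext IEs."""
    return {"type": "SECURITY MODE COMPLETE",
            "nas_message_container": cipher(key, encode_ies(ies))}

def amf_read_container(msg, key):
    """AMF side: the container is only readable once the security context is known."""
    return decode_ies(cipher(key, msg["nas_message_container"]))
```

Non-cleartext IEs never appear in the `ies` field of the initial message; they reach the AMF only inside a ciphered container.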