Ybts auth authz

This document describes YBTS procedures for authentication and authorization.

About Authentication in YateBTS

YateBTS supports 2G and 3G authentication. It currently authenticates only registration requests. This limit is set in the nipc.js script; if the script is modified, other requests could be authenticated as well.

Authenticating a mobile terminated call

The diagram shows how OpenVoLTE, the JavaScript script located on YateBTS, the ybts module and the mobile station (MS) communicate when OpenVoLTE sends a call to the MS. JS refers to a NiPC-like JavaScript script.

Mobile terminated call authentication

First, OpenVoLTE sends an INVITE request. It will be handled by ybts directly.

Then ybts starts paging. When the paging response is received, it sends an Auth message that is handled by the JavaScript script.

The JavaScript script generates a REGISTER request and sends it to OpenVoLTE.

If OpenVoLTE doesn’t challenge this request (200 OK), the call starts. If any 401 and any 200 OK answers are received, the call stops.

If the 401 answer is received together with authentication vectors, the authentication vectors are sent to ybts, which sends an Authentication request to the MS.

When ybts receives the authentication response, it forwards it to the JavaScript script, which sends a new REGISTER request that also holds the authentication response.

If OpenVoLTE answers with 200 OK, the call is started. Otherwise, the authentication process is retried one more time.

Note 1: This behavior will be added in YateBTS 3 as soon as roaming is added.

Note 2: In the YateBTS LabKit only the registration request is authenticated. The nipc.js script generates the authentication vectors locally instead of sending a REGISTER request to an outside server.
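
The decision flow of the mobile terminated call authentication described above, modeled as an added example (not code from nipc.js or the ybts module). The names mtCallAuth, sendRegister, askMs and scripted are hypothetical. It assumes that any answer other than 200 OK or a 401 carrying vectors stops the call, and that the single retry is only possible when the failed answer is itself a 401 with fresh vectors.

```javascript
// Added example. mtCallAuth, sendRegister and askMs are hypothetical names,
// not YateBTS or nipc.js APIs.
const MAX_AUTH_ROUNDS = 2; // the first attempt plus the single retry

// sendRegister(authResponse) returns { code, vectors } (stand-in for OpenVoLTE).
// askMs(vectors) returns the MS authentication response, or null if none arrived
// (stand-in for ybts sending the Authentication request to the MS).
function mtCallAuth(sendRegister, askMs) {
  const trace = [];
  let answer = sendRegister(null); // REGISTER generated after the paging response
  trace.push("REGISTER -> " + answer.code);
  for (let round = 0; ; round++) {
    if (answer.code === 200)
      return { start: true, trace }; // unchallenged, or challenge satisfied
    // Assumption: anything but 200 OK or a 401 carrying vectors stops the call.
    if (answer.code !== 401 || !answer.vectors)
      return { start: false, reason: "unexpected answer", trace };
    if (round >= MAX_AUTH_ROUNDS)
      return { start: false, reason: "authentication failed", trace };
    const res = askMs(answer.vectors);
    trace.push("MS auth response " + (res === null ? "missing" : "received"));
    if (res === null)
      return { start: false, reason: "no MS response", trace };
    answer = sendRegister(res); // new REGISTER holding the authentication response
    trace.push("REGISTER+auth -> " + answer.code);
  }
}

// Constructed stand-in for OpenVoLTE: returns the scripted answers in order.
function scripted(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

// Constructed sample runs (vector contents are placeholders, not real values).
const challenge = { code: 401, vectors: { rand: "constructed-rand" } };
const ms = () => "constructed-res";
const runs = {
  unchallenged: mtCallAuth(scripted([{ code: 200 }]), ms),
  authenticated: mtCallAuth(scripted([challenge, { code: 200 }]), ms),
  retryThenOk: mtCallAuth(scripted([challenge, challenge, { code: 200 }]), ms),
  alwaysChallenged: mtCallAuth(scripted([challenge]), ms),
  rejected: mtCallAuth(scripted([{ code: 403 }]), ms),
  bare401: mtCallAuth(scripted([{ code: 401 }]), ms),
};
for (const [name, r] of Object.entries(runs))
  console.log(name, r.start ? "call starts" : "call stops: " + r.reason);
```

The call starts only on a 200 OK; every other path, including a missing MS response or a challenge that is still unanswered after the retry, ends with the call stopped.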

Update Location

When processing location update requests from the MS, the module dispatches a user.register message with the username parameter set to the IMSI.
The message also contains imei and tmsi if available.