7 Security management object model

3GPP TS 12.03: Security Management

This clause of the present document contains the full definition of the management information model. To aid understanding this model, a containment tree is presented below. This containment tree contains a graphical representation of the naming hierarchy of the managed objects defined in this model.

Figure 1

7.1 Security object classes

7.1.1 vlr1203AuthenticationFunction

vlr1203AuthenticationFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

vlr1203authenticationPackage PACKAGE

BEHAVIOUR

vlr1203authenticationBehaviour

BEHAVIOUR DEFINED AS "Refer to subclause 6.2. The securityServiceOrMechanismViolation notification is sent on an authentication failure in the VLR; the reported security alarm cause is authenticationFailureInVLR. Refer to subclause 6.6.1.1 for further details" ;

;

ATTRIBUTES

vlr1203AuthenticationFunctionId GET,

authenticationNecessaryWhen GET-REPLACE ADD-REMOVE,

authenticationRetriedAllowed GET-REPLACE,

numberOfAuthenticationVectorsKept GET-REPLACE,

authenticationVectorReuseAllowed GET-REPLACE;

NOTIFICATIONS

"Rec.X.721:1992".securityServiceOrMechanismViolation

authenticationFailureInVLRParameter ;;;

REGISTERED AS {gsm1203managedObjectClass 1};

7.1.2 vlr1203SubscriberIdFunction

vlr1203SubscriberIdFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

vlr1203subscriberIdPackage PACKAGE

BEHAVIOUR

vlr1203subscriberIdBehaviour

BEHAVIOUR DEFINED AS "Refer to subclause 6.1.2. The securityServiceOrMechanismViolation notification is sent on an IMSI request failure in the VLR; the reported security alarm cause is imsiRequestFailureInVLR. The integrityViolation notification is sent on the unknownSubscriberInVLR event; unknownSubscriberInVLR will be reported as the security alarm cause. Refer to subclauses 6.6.1.4 and 6.6.1.5 for further details" ;

;

ATTRIBUTES

vlr1203SubscriberIdFunctionId GET,

allocateNewTMSIWhen GET-REPLACE ADD-REMOVE;

NOTIFICATIONS

"Rec.X.721:1992".securityServiceOrMechanismViolation

imsiRequestFailureInVLRParameter ,

"Rec.X.721:1992".integrityViolation

unknownSubscriberInVLRParameter ;;;

REGISTERED AS {gsm1203managedObjectClass 2};

7.1.3 vlr1203EquipmentIdFunction

vlr1203EquipmentIdFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

vlr1203equipmentIdPackage PACKAGE

BEHAVIOUR

vlr1203equipmentIdBehaviour

BEHAVIOUR DEFINED AS "Refer to subclause 6.4.1. The securityServiceOrMechanismViolation notification is sent on an IMEI check violation in the VLR or an IMEI request failure in the VLR; imeiCheckViolationInVLR and imeiRequestFailureInVLR respectively will be reported as the security alarm cause. Refer to subclauses 6.6.1.2 and 6.6.1.3 for further details" ;

;

ATTRIBUTES

vlr1203EquipmentIdFunctionId GET,

checkIMEIWhen GET-REPLACE ADD-REMOVE;

NOTIFICATIONS

"Rec.X.721:1992".securityServiceOrMechanismViolation

imeiCheckViolationInVLRParameter ,

"Rec.X.721:1992".securityServiceOrMechanismViolation

imeiRequestFailureInVLRParameter ;;;

REGISTERED AS {gsm1203managedObjectClass 3};

7.1.4 msc1203EncryptionFunction

msc1203EncryptionFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

msc1203EncryptionPackage PACKAGE

BEHAVIOUR

msc1203EncryptionBehaviour

BEHAVIOUR DEFINED AS "Refer to subclause 6.3";

;

ATTRIBUTES

msc1203EncryptionFunctionId GET,

encryptionControl GET-REPLACE,

algorithmListMSC GET-REPLACE;;;

REGISTERED AS {gsm1203managedObjectClass 4};

7.1.5 msc1203IMSIConfidentialityFunction

msc1203IMSIConfidentialityFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

msc1203IMSIConfidentialityPackage PACKAGE

BEHAVIOUR

msc1203IMSIConfidentialityBehaviour

BEHAVIOUR DEFINED AS "The securityServiceOrMechanismViolation notification is sent on an IMSI confidentiality failure in the MSC; imsiConfidentialityFailureInMSC will be reported as the security alarm cause. Refer to subclause 6.6.1.8 for further details";

;

ATTRIBUTES

msc1203IMSIConfidentialityFunctionId GET,

threshold GET-REPLACE;

NOTIFICATIONS

"Rec.X.721:1992".securityServiceOrMechanismViolation

imsiConfidentialityFailureInMSCParameter ;;;

REGISTERED AS {gsm1203managedObjectClass 5};

7.1.6 hlr1203SubscriberIdFunction

hlr1203SubscriberIdFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

hlr1203subscriberIdPackage PACKAGE

BEHAVIOUR

hlr1203subscriberIdBehaviour

BEHAVIOUR DEFINED AS "The integrityViolation notification is sent on an unknown subscriber in HLR event; unknownSubscriberInHLR will be reported as the security alarm cause. Refer to subclause 6.6.1.6 for further details";

;

ATTRIBUTES

hlr1203SubscriberIdFunctionId GET;

NOTIFICATIONS

"Rec.X.721:1992".integrityViolation

unknownSubscriberInHLRParameter ;;;

REGISTERED AS {gsm1203managedObjectClass 6};

7.1.7 bts1203EncryptionFunction

bts1203EncryptionFunction MANAGED OBJECT CLASS

DERIVED FROM

"Rec.X.721:1992":top;

CHARACTERIZED BY

"Rec. M.3100:1992":createDeleteNotificationsPackage,

bts1203EncryptionPackage PACKAGE

BEHAVIOUR

bts1203EncryptionBehaviour

BEHAVIOUR DEFINED AS "Refer to subclause 6.3.2";

;

ATTRIBUTES

bts1203EncryptionFunctionId GET,

algorithmListBTS GET-REPLACE;;;

REGISTERED AS {gsm1203managedObjectClass 7};

7.2 Security attributes definitions

7.2.1 authenticationNecessaryWhen

authenticationNecessaryWhen ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.SecurityTriggers;

BEHAVIOUR authenticationNecessaryWhenBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines which MAP procedures shall include authentication. Refer to subclause 6.2.1";;

REGISTERED AS {gsm1203attribute 1};

7.2.2 authenticationRetriedAllowed

authenticationRetriedAllowed ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.AuthenticationRetriedAllowed;

BEHAVIOUR authenticationRetriedAllowedWhenBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines whether the network can retry authentication in case of a TMSI authentication failure. Refer to subclause 6.2.2";;

REGISTERED AS {gsm1203attribute 2};

7.2.3 numberOfAuthenticationVectorsKept

numberOfAuthenticationVectorsKept ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.NumberOfAuthenticationVectorsKept;

BEHAVIOUR numberOfAuthenticationVectorsKeptBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines the number of authentication vectors to be kept in the VLR. Refer to subclause 6.2.3";;

REGISTERED AS {gsm1203attribute 3};

7.2.4 authenticationVectorReuseAllowed

authenticationVectorReuseAllowed ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.AuthenticationVectorReuseAllowed;

BEHAVIOUR authenticationVectorReuseAllowedBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines whether the VLR can reuse authentication vectors. Refer to subclause 6.2.3";;

REGISTERED AS {gsm1203attribute 4};

7.2.5 allocateNewTMSIWhen

allocateNewTMSIWhen ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.SecurityTriggers;

BEHAVIOUR allocateNewTMSIWhenBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines which MAP procedures should include TMSI reallocation. Refer to subclause 6.1.2";;

REGISTERED AS {gsm1203attribute 5};

7.2.6 checkIMEIWhen

checkIMEIWhen ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.SecurityTriggers;

BEHAVIOUR checkIMEIWhenBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines which MAP procedures should include the request of the IMEI. Refer to subclause 6.4.1";;

REGISTERED AS {gsm1203attribute 6};
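The three trigger attributes above (authenticationNecessaryWhen, allocateNewTMSIWhen and checkIMEIWhen) share the SecurityTriggers syntax of subclause 7.6: per subscriber type, a set of TriggerEvents with a Frequency, each TriggerEvent occurring at most once per subscriber type, and the attribute itself is set-valued (GET-REPLACE ADD-REMOVE). The Python below is an added illustration, not text or code from GSM 12.03, of how a VLR would hold such a value and consult it before a MAP procedure. Assumed, because this page does not define them: that a frequency of n means the procedure runs on the first occurrence of the event for a subscriber and then on every n-th occurrence after that; the constructed policy and IMSIs; and the subscriber-type codes 1 (home PLMN) and 2 (visiting) taken from the module's comments.

```python
from dataclasses import dataclass
from enum import IntEnum


class TriggerEvent(IntEnum):
    """TriggerEvent ::= INTEGER { ... } of GSM1203TypeModule (subclause 7.6)."""
    LOCATION_UPDATE_NEW_VLR = 1
    LOCATION_UPDATE_SAME_VLR = 2
    PERIODIC_LOCATION_UPDATE = 3
    MOBILE_ORIGINATING_CALL = 4
    MOBILE_ORIGINATING_CALL_REESTABLISHMENT = 5
    MOBILE_TERMINATING_CALL = 6
    SUPPLEMENTARY_SERVICE_USAGE = 7
    SMS_MOBILE_ORIGINATING = 8
    SMS_MOBILE_TERMINATING = 9
    ACCESS_VIA_IMSI = 10
    IMSI_ATTACH = 11
    EMERGENCY_CALL = 12


HOME_PLMN_SUBSCRIBER = 1   # SubscriberType codes named in the module's comments
VISITING_SUBSCRIBER = 2


@dataclass(frozen=True)
class TriggerCondition:
    """TriggerCondition ::= SEQUENCE { triggerEvents TriggerEvents, frequency Frequency }"""
    trigger_events: frozenset
    frequency: int               # Frequency ::= INTEGER(1..255)

    def __post_init__(self):
        if not 1 <= self.frequency <= 255:
            raise ValueError("Frequency is INTEGER(1..255)")


@dataclass(frozen=True)
class SubscriberTypeSecurityTriggers:
    """SubscriberTypeSecurityTriggers ::= SEQUENCE { subscriberType, triggerCondition }"""
    subscriber_type: int         # SubscriberType ::= INTEGER(1..16)
    trigger_condition: TriggerCondition


class SecurityTriggers:
    """Value of a *When attribute: a set of SubscriberTypeSecurityTriggers entries,
    enforcing the module's rule that each TriggerEvent occurs at most once per
    subscriber type.  add()/remove() mirror the ADD-REMOVE property of the attribute."""

    def __init__(self, *entries):
        self._entries = []
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        if not 1 <= entry.subscriber_type <= 16:
            raise ValueError("SubscriberType is INTEGER(1..16)")
        configured = set()
        for existing in self._entries:
            if existing.subscriber_type == entry.subscriber_type:
                configured |= existing.trigger_condition.trigger_events
        clash = configured & entry.trigger_condition.trigger_events
        if clash:
            raise ValueError(f"events {sorted(clash)} already configured for "
                             f"subscriber type {entry.subscriber_type}")
        self._entries.append(entry)

    def remove(self, entry):
        self._entries.remove(entry)

    def condition_for(self, subscriber_type, event):
        """TriggerCondition covering this event, or None when the trigger is not
        present for this subscriber type (the procedure is then 'off', cf. Annex A)."""
        for entry in self._entries:
            if (entry.subscriber_type == subscriber_type
                    and event in entry.trigger_condition.trigger_events):
                return entry.trigger_condition
        return None


class TriggerEvaluator:
    """Per-subscriber event counters.  ASSUMED meaning of 'frequency' (not defined on
    this page): run on the first occurrence, then on every frequency-th occurrence."""

    def __init__(self, triggers):
        self.triggers = triggers
        self._occurrences = {}

    def should_trigger(self, imsi, subscriber_type, event):
        condition = self.triggers.condition_for(subscriber_type, event)
        if condition is None:
            return False
        key = (imsi, event)
        n = self._occurrences.get(key, 0)
        self._occurrences[key] = n + 1
        return n % condition.frequency == 0


def example_policy():
    """Constructed authenticationNecessaryWhen value: home subscribers are authenticated
    on every location update to a new VLR and on IMSI attach, on every third mobile
    originating call, and roamers on every event."""
    return SecurityTriggers(
        SubscriberTypeSecurityTriggers(HOME_PLMN_SUBSCRIBER, TriggerCondition(
            frozenset({TriggerEvent.LOCATION_UPDATE_NEW_VLR, TriggerEvent.IMSI_ATTACH}), 1)),
        SubscriberTypeSecurityTriggers(HOME_PLMN_SUBSCRIBER, TriggerCondition(
            frozenset({TriggerEvent.MOBILE_ORIGINATING_CALL}), 3)),
        SubscriberTypeSecurityTriggers(VISITING_SUBSCRIBER, TriggerCondition(
            frozenset(TriggerEvent), 1)),
    )


if __name__ == "__main__":
    vlr = TriggerEvaluator(example_policy())
    for i in range(4):   # constructed IMSI; third call onwards repeats the pattern
        print("home MO call", i + 1, "->", vlr.should_trigger(
            "262011234567890", HOME_PLMN_SUBSCRIBER, TriggerEvent.MOBILE_ORIGINATING_CALL))
```

The same evaluator serves allocateNewTMSIWhen and checkIMEIWhen; only the action taken when should_trigger() returns True differs. Note that a trigger which is absent for a subscriber type means the procedure is never run for that type, which is the "authentication off" case of Annex A.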

7.2.7 encryptionControl

encryptionControl ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.EncryptionControl;

BEHAVIOUR encryptionControlBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines whether encryption is not necessary (noEncryption), desirable (encryptionSupported) or mandatory (encryptionNecessary). Refer to subclause 6.3.1";;

REGISTERED AS {gsm1203attribute 7};

7.2.8 algorithmListMSC

algorithmListMSC ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.CipheringAlgorithmList;

BEHAVIOUR algorithmListMSCBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines the list of ciphering algorithms supported by the MSC. Refer to subclause 6.3.2";;

REGISTERED AS {gsm1203attribute 8};

7.2.9 algorithmListBTS

algorithmListBTS ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.CipheringAlgorithmList;

BEHAVIOUR algorithmListBTSBehaviour

BEHAVIOUR DEFINED AS

"This attribute defines the list of ciphering algorithms supported by the BTS. Refer to subclause 6.3.2";;

REGISTERED AS {gsm1203attribute 9};

7.2.10 threshold

threshold ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Threshold;

BEHAVIOUR thresholdBehaviour

BEHAVIOUR DEFINED AS

"This attribute controls the generation of alarms. Refer to subclause 6.6.1.8";;

REGISTERED AS {gsm1203attribute 10};

7.2.11 vlr1203AuthenticationFunctionId

vlr1203AuthenticationFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR vlr1203AuthenticationFunctionBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class vlr1203AuthenticationFunction";;

REGISTERED AS {gsm1203attribute 11};

7.2.12 vlr1203SubscriberIdFunctionId

vlr1203SubscriberIdFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR vlr1203SubscriberIdFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class vlr1203SubscriberIdFunction";;

REGISTERED AS {gsm1203attribute 12};

7.2.13 vlr1203EquipmentIdFunctionId

vlr1203EquipmentIdFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR vlr1203EquipmentFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class vlr1203EquipmentIdFunction";;

REGISTERED AS {gsm1203attribute 13};

7.2.14 msc1203EncryptionFunctionId

msc1203EncryptionFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR msc1203EncryptionFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class msc1203EncryptionFunction";;

REGISTERED AS {gsm1203attribute 14};

7.2.15 msc1203IMSIConfidentialityFunctionId

msc1203IMSIConfidentialityFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR msc1203IMSIConfidentialityFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class msc1203IMSIConfidentialityFunction";;

REGISTERED AS {gsm1203attribute 15};

7.2.16 hlr1203SubscriberIdFunctionId

hlr1203SubscriberIdFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR hlr1203SubscriberFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class hlr1203SubscriberIdFunction";;

REGISTERED AS {gsm1203attribute 16};

7.2.17 bts1203EncryptionFunctionId

bts1203EncryptionFunctionId ATTRIBUTE

WITH ATTRIBUTE SYNTAX GSM1203TypeModule.Identifier;

BEHAVIOUR bts1203EncryptionFunctionIdBehaviour

BEHAVIOUR DEFINED AS

"This ATTRIBUTE is the unique identifier for an instance of the object class bts1203EncryptionFunction";;

REGISTERED AS {gsm1203attribute 17};

7.3 Notifications

The notifications identified for security management are specified by CCITT. They are listed below:

"Recommendation X.721:1992".securityServiceOrMechanismViolation

"Recommendation X.721:1992".integrityViolation

"Recommendation X.721:1992".objectCreation

"Recommendation X.721:1992".objectDeletion

The latter two notifications are contained in the createDeleteNotificationsPackage package defined in CCITT Recommendation M.3100 [24].

7.4 Name bindings

7.4.1 vlr1203AuthenticationFunction

vlr1203AuthenticationFunction-vlrFunction NAME BINDING

SUBORDINATE OBJECT CLASS vlr1203AuthenticationFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":vlrFunction;

WITH ATTRIBUTE vlr1203AuthenticationFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 1};

7.4.2 vlr1203SubscriberIdFunction

vlr1203SubscriberIdFunction-vlrFunction NAME BINDING

SUBORDINATE OBJECT CLASS vlr1203SubscriberIdFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":vlrFunction;

WITH ATTRIBUTE vlr1203SubscriberIdFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 2};

7.4.3 vlr1203EquipmentIdFunction

vlr1203EquipmentIdFunction-vlrFunction NAME BINDING

SUBORDINATE OBJECT CLASS vlr1203EquipmentIdFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":vlrFunction;

WITH ATTRIBUTE vlr1203EquipmentIdFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 3};

7.4.4 msc1203EncryptionFunction

msc1203EncryptionFunction-mscFunction NAME BINDING

SUBORDINATE OBJECT CLASS msc1203EncryptionFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":mscFunction;

WITH ATTRIBUTE msc1203EncryptionFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 4};

7.4.5 msc1203IMSIConfidentialityFunction

msc1203IMSIConfidentialityFunction-mscFunction NAME BINDING

SUBORDINATE OBJECT CLASS msc1203IMSIConfidentialityFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":mscFunction;

WITH ATTRIBUTE msc1203IMSIConfidentialityFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 5};

7.4.6 hlr1203SubscriberIdFunction

hlr1203SubscriberIdFunction-hlrFunction NAME BINDING

SUBORDINATE OBJECT CLASS hlr1203SubscriberIdFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.00 : 1994":hlrFunction;

WITH ATTRIBUTE hlr1203SubscriberIdFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 6};

7.4.7 bts1203EncryptionFunction

bts1203EncryptionFunction-bts NAME BINDING

SUBORDINATE OBJECT CLASS bts1203EncryptionFunction;

NAMED BY SUPERIOR OBJECT CLASS "GSM 12.20 : 1994":bts;

WITH ATTRIBUTE bts1203EncryptionFunctionId;

CREATE;

DELETE;

REGISTERED AS {gsm1203nameBinding 7};

7.5 Parameters

7.5.1 authenticationFailureInVLRParameter

authenticationFailureInVLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.AuthenticationFailureInVLRSecurityAlarmInfo ;;

7.5.2 imsiRequestFailureInVLRParameter

imsiRequestFailureInVLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.ImsiRequestFailureInVLRSecurityAlarmInfo ;;

7.5.3 unknownSubscriberInVLRParameter

unknownSubscriberInVLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.UnknownSubscriberInVLRSecurityAlarmInfo ;;

7.5.4 imeiCheckViolationInVLRParameter

imeiCheckViolationInVLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.ImeiCheckViolationInVLRSecurityAlarmInfo ;;

7.5.5 imeiRequestFailureInVLRParameter

imeiRequestFailureInVLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.ImeiRequestFailureInVLRSecurityAlarmInfo ;;

7.5.6 imsiConfidentialityFailureInMSCParameter

imsiConfidentialityFailureInMSCParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.ImsiConfidentialityFailureInMSCSecurityAlarmInfo ;;

7.5.7 imsiConfidentialityFailureInHLRParameter

imsiConfidentialityFailureInHLRParameter PARAMETER

CONTEXT Attribute-ASN1Module.SecurityAlarmInfo

WITH SYNTAX GSM1203TypeModule.ImsiConfidentialityFailureInHLRSecurityAlarmInfo ;;

7.6 Abstract syntax definitions

This subclause contains the ASN.1 module defining the attributes syntax referenced by the managed object classes in subclause 7.1.

GSM1203TypeModule

{ccitt (0) identified-organisation (4) etsi (0)

mobileDomain(0) gsm-Operation-Maintenance(3)

gsm-12-03(3) informationModel(0) asn1Module(2)

asn1TypeModule(0) version1(1)}

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

IMPORTS

IMSI,TMSI,IMEI FROM MAP-CommonDataTypes

{ccitt (0) identified-organisation (4) etsi (0)

mobileDomainId(0) gsm-NetworkId(1) moduleId(3)

map-CommonDataTypes(18) version2(2)}

VlrId FROM GSM1200ATypeModule

{ccitt (0) identified-organisation (4) etsi (0)

mobileDomain(0) gsm-Operation-Maintenance(3)

gsm-12-00(0) annexA(0)informationModel(0) asn1Module(2)

version1(1)}

gsm-12-03 FROM GSM-DomainDefinitions

{ccitt(0) identified-organisation (4) etsi(0)

mobileDomain(0) gsm-Operation-Maintenance(3)

gsm-12-30(30) informationModel(0) asn1Module(2)

gsm-OM-DomainDefinitions(0) version1(1)}

SecurityAlarmCause, ManagementExtension, SecurityAlarmInfo FROM Attribute-ASN1Module

{joint-iso-ccitt ms(9) smi(3) part2(2) asn1Module(2) 1}

-- Object Identifiers

-- Information Model Related Object Identifiers

gsm1203informationModel OBJECT IDENTIFIER ::=

{ gsm-12-03 informationModel(0) }

gsm1203managedObjectClass OBJECT IDENTIFIER ::=

{ gsm1203informationModel managedObjectClass(3) }

gsm1203package OBJECT IDENTIFIER ::=

{ gsm1203informationModel package(4) }

gsm1203nameBinding OBJECT IDENTIFIER ::=

{ gsm1203informationModel nameBinding(6) }

gsm1203attribute OBJECT IDENTIFIER ::=

{ gsm1203informationModel attribute(7) }

gsm1203notification OBJECT IDENTIFIER ::=

{ gsm1203informationModel notification(10) }

-- Application Context Related Object Identifiers

gsm1203applicationContext OBJECT IDENTIFIER ::=

{gsm-12-03 protocolSupport(1) applicationContext(0) gsm-Management(0)}

-- 12.03 Specific Alarm-related Object Identifiers

gsm1203standardSpecificExtension OBJECT IDENTIFIER ::=

{gsm1203informationModel standardSpecificExtension(0)}

gsm1203securityAlarmCause OBJECT IDENTIFIER ::=

{gsm1203standardSpecificExtension gsm1203securityAlarmCause(1) }

gsm1203extendedInformation OBJECT IDENTIFIER ::=

{gsm1203standardSpecificExtension gsm1203extendedInformation(2)}

authenticationFailureInVLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 1}

imeiCheckViolationInVLRsecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 2}

imeiRequestFailureInVLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 3}

imsiRequestFailureInVLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 4}

unknownSubscriberInVLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 5}

unknownSubscriberInHLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 6}

unknownSubscriberInAuCHLRSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 7}

imsiConfidentialityFailureInMSCSecurityAlarmInformation OBJECT IDENTIFIER::=

{gsm1203extendedInformation 8}

-- 12.03 Specific alarm cause related object identifiers

authenticationFailureInVLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 1}

imeiCheckViolationInVLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 2}

imeiRequestFailureInVLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 3}

imsiRequestFailureInVLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 4}

unknownSubscriberInVLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 5}

unknownSubscriberInHLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 6}

unknownSubscriberInAuCHLR SecurityAlarmCause ::= { gsm1203securityAlarmCause 7}

imsiConfidentialityFailureInMSC SecurityAlarmCause ::= { gsm1203securityAlarmCause 8}

-- 12.03 Specific Type Definitions

-- Authentication failure in VLR group begin

AuthenticationFailureInVLRAdditionalInformation ::=

SET OF AuthenticationFailureInVLRManagementExtension

AuthenticationFailureInVLRInformation ::= SEQUENCE {

iMSI IMSI,

iMEI IMEI OPTIONAL,

authenticationFailureType AuthenticationFailureType,

locationInfo LocationInfo }

AuthenticationFailureInVLRManagementExtension ::= ManagementExtension

( WITH COMPONENTS

{ identifier (authenticationFailureInVLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES AuthenticationFailureInVLRInformation)

}

)

AuthenticationFailureInVLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (authenticationFailureInVLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES AuthenticationFailureInVLRAdditionalInformation)

}

)

-- Authentication failure in VLR group end

AuthenticationRetriedAllowed ::= ENUMERATED {

disallow (0),

allow (1) }

AuthenticationFailureType ::= ENUMERATED {

mismatchedSRES (1),

missingSRES (2) }

AuthenticationVectorReuseAllowed ::= ENUMERATED {

disallow (0),

allow (1) }

CounterTrigger ::= INTEGER

CipheringAlgorithm ::= ENUMERATED {

a5_1(1),

a5_2(2),

a5_3(3),

a5_4(4),

a5_5(5),

a5_6(6),

a5_7(7) }

CipheringAlgorithmList ::= SEQUENCE OF CipheringAlgorithm

-- SEQUENCE OF rather than SET OF: at the BTS an ordered list of algorithms is needed

EncryptionControl ::= ENUMERATED {

noEncryption (1),

encryptionSupported (2),

encryptionNecessary (3) }

Frequency ::= INTEGER(1..255)

-- 1..255 reduced

HlrId ::= GraphicString

Identifier ::= INTEGER

IMEICheckFailureType ::= ENUMERATED {

black-listed (1),

grey-listed (2),

unknown (3),

noResponseFromVLR (4) }

-- Imei check violation in VLR group begin

ImeiCheckViolationInVLRAdditionalInformation ::=

SET OF ImeiCheckViolationInVLRManagementExtension

ImeiCheckViolationInVLRInformation ::= SEQUENCE {

iMSI IMSI,

iMEI IMEI OPTIONAL,

iMEICheckFailureType IMEICheckFailureType,

locationInfo LocationInfo }

ImeiCheckViolationInVLRManagementExtension ::= ManagementExtension

(WITH COMPONENTS

{ identifier (imeiCheckViolationInVLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES ImeiCheckViolationInVLRInformation)

}

)

ImeiCheckViolationInVLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (imeiCheckViolationInVLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES ImeiCheckViolationInVLRAdditionalInformation)

}

)

-- Imei check violation in VLR group end

-- Imei request failure in VLR group begin

ImeiRequestFailureInVLRAdditionalInformation ::=

SET OF ImeiRequestFailureInVLRManagementExtension

ImeiRequestFailureInVLRInformation ::= SEQUENCE {

iMSI IMSI,

tMSI TMSI OPTIONAL,

locationInfo LocationInfo }

ImeiRequestFailureInVLRManagementExtension ::= ManagementExtension

(WITH COMPONENTS

{ identifier (imeiRequestFailureInVLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES ImeiRequestFailureInVLRInformation)

}

)

ImeiRequestFailureInVLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (imeiRequestFailureInVLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES ImeiRequestFailureInVLRAdditionalInformation)

}

)

-- Imei request failure in VLR group end

-- Imsi confidentiality failure in MSC group begin

ImsiConfidentialityFailureInMSCAdditionalInformation ::=

SET OF ImsiConfidentialityFailureInMSCManagementExtension

ImsiConfidentialityFailureInMSCInformation ::= SEQUENCE { }

-- If no useful information can be supplied, this attribute will be deleted

ImsiConfidentialityFailureInMSCManagementExtension ::= ManagementExtension

( WITH COMPONENTS

{ identifier (imsiConfidentialityFailureInMSCSecurityAlarmInformation),

significance (FALSE),

information ABSENT

}

)

ImsiConfidentialityFailureInMSCSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (imsiConfidentialityFailureInMSC),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES ImsiConfidentialityFailureInMSCAdditionalInformation)

}

)

-- Imsi confidentiality failure in MSC group end

-- Imsi request failure in VLR group begin

ImsiRequestFailureInVLRAdditionalInformation ::=

SET OF ImsiRequestFailureInVLRManagementExtension

ImsiRequestFailureInVLRInformation ::= SEQUENCE {

tMSI TMSI OPTIONAL,

locationInfo LocationInfo }

ImsiRequestFailureInVLRManagementExtension ::= ManagementExtension

(WITH COMPONENTS

{ identifier (imsiRequestFailureInVLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES ImsiRequestFailureInVLRInformation)

}

)

ImsiRequestFailureInVLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (imsiRequestFailureInVLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES ImsiRequestFailureInVLRAdditionalInformation)

}

)

-- Imsi request failure in VLR group end

LocationInfo ::= OCTET STRING (SIZE(2..5))

NumberOfAuthenticationVectorsKept ::= INTEGER(0..65535)

ResetInterval ::= INTEGER(0..65535)

-- time interval in minutes

-- 0 means "infinite"

SecurityTriggers ::= SET OF SubscriberTypeSecurityTriggers

SubscriberType ::= INTEGER(1..16)

-- homePlmnSubscriber ::= 1

-- visitingSubscriber ::= 2

SubscriberTypeSecurityTriggers ::= SEQUENCE {

subscriberType SubscriberType,

triggerCondition TriggerCondition }

-- each TriggerEvent occurs, per subscriber type, at most once in the triggerCondition

Threshold ::= SEQUENCE {

thresholdFrequency Frequency,

thresholdCounter CounterTrigger,

resetInterval ResetInterval }

TriggerCondition ::= SEQUENCE {

triggerEvents TriggerEvents,

frequency Frequency }

TriggerEvent ::= INTEGER {

locationUpdateNewVlr (1),

locationUpdateSameVlr (2),

periodicLocationUpdate (3),

mobileOriginatingCall (4),

mobileOriginatingCallReestablishment (5),

mobileTerminatingCall (6),

supplementaryServiceUsage (7),

shortMessageServiceMobileOriginating (8),

shortMessageServiceMobileTerminating (9),

accessViaIMSI (10),

imsiAttach (11),

emergencyCall (12) }

TriggerEvents ::= SET OF TriggerEvent

-- Unknown subscriber in AuC(HLR) group begin

UnknownSubscriberInAuCHLRAdditionalInformation ::=

SET OF UnknownSubscriberInAuCHLRManagementExtension

UnknownSubscriberInAuCHLRInformation ::= SEQUENCE {

iMSI IMSI }

UnknownSubscriberInAuCHLRManagementExtension ::= ManagementExtension

(WITH COMPONENTS

{ identifier (unknownSubscriberInAuCHLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES UnknownSubscriberInAuCHLRInformation)

}

)

UnknownSubscriberInAuCHLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (unknownSubscriberInAuCHLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES UnknownSubscriberInAuCHLRAdditionalInformation)

}

)

-- Unknown subscriber in AuC(HLR) group end

-- Unknown subscriber in HLR group begin

UnknownSubscriberInHLRAdditionalInformation ::=

SET OF UnknownSubscriberInHLRManagementExtension

UnknownSubscriberInHLRInformation ::= SEQUENCE {

iMSI IMSI,

vLRIdentity VlrId }

UnknownSubscriberInHLRManagementExtension ::= ManagementExtension

( WITH COMPONENTS

{ identifier (unknownSubscriberInHLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES UnknownSubscriberInHLRInformation)

}

)

UnknownSubscriberInHLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (unknownSubscriberInHLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES UnknownSubscriberInHLRAdditionalInformation)

}

)

-- Unknown subscriber in HLR group end

-- Unknown subscriber in VLR group begin

UnknownSubscriberInVLRAdditionalInformation ::=

SET OF UnknownSubscriberInVLRManagementExtension

UnknownSubscriberInVLRInformation ::= SEQUENCE {

iMSI IMSI,

hLRIdentity HlrId,

locationInfo LocationInfo }

UnknownSubscriberInVLRManagementExtension ::= ManagementExtension

(WITH COMPONENTS

{ identifier (unknownSubscriberInVLRSecurityAlarmInformation),

significance (TRUE),

information (INCLUDES UnknownSubscriberInVLRInformation)

}

)

UnknownSubscriberInVLRSecurityAlarmInfo ::= SecurityAlarmInfo

( WITH COMPONENTS

{ securityAlarmCause (unknownSubscriberInVLR),

securityAlarmSeverity,

securityAlarmDetector,

serviceUser,

serviceProvider,

notificationIdentifier ABSENT,

correlatedNotifications ABSENT,

additionalText ABSENT,

additionalInformation (INCLUDES UnknownSubscriberInVLRAdditionalInformation)

}

)

-- Unknown subscriber in VLR group end

-- Security measurement related types

GSMSecurityMeasurementFunctionId ::= INTEGER

GSMMeasurementType1 ::= INTEGER

END -- End of GSM1203TypeModule module
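The object identifiers registered in the module above and the WITH COMPONENTS constraints on the *SecurityAlarmInfo types determine what a management system receiving a securityServiceOrMechanismViolation or integrityViolation notification from a 12.03 object should accept. The Python below is an added illustration, not part of GSM 12.03: it resolves 12.03 object identifiers to their labels, reports which X.721 notification type carries each security alarm cause, and checks a constructed alarm against the constraints of subclauses 7.5 and 7.6. The gsm-12-03 prefix 0.4.0.0.3.3 is read off the module's own object identifier; the representation of an alarm as a dict keyed by SecurityAlarmInfo component names (ABSENT components simply missing), the sample IMSI and the location octets are assumptions.

```python
GSM_12_03 = (0, 4, 0, 0, 3, 3)   # ccitt identified-organisation etsi mobileDomain gsm-O&M gsm-12-03
INFORMATION_MODEL = GSM_12_03 + (0,)                        # gsm1203informationModel
MANAGED_OBJECT_CLASS = INFORMATION_MODEL + (3,)             # gsm1203managedObjectClass
STANDARD_SPECIFIC_EXTENSION = INFORMATION_MODEL + (0,)      # gsm1203standardSpecificExtension
SECURITY_ALARM_CAUSE = STANDARD_SPECIFIC_EXTENSION + (1,)   # gsm1203securityAlarmCause
EXTENDED_INFORMATION = STANDARD_SPECIFIC_EXTENSION + (2,)   # gsm1203extendedInformation

# Arc n under gsm1203securityAlarmCause and under gsm1203extendedInformation name the same event.
CAUSE_NAMES = {1: "authenticationFailureInVLR", 2: "imeiCheckViolationInVLR",
               3: "imeiRequestFailureInVLR", 4: "imsiRequestFailureInVLR",
               5: "unknownSubscriberInVLR", 6: "unknownSubscriberInHLR",
               7: "unknownSubscriberInAuCHLR", 8: "imsiConfidentialityFailureInMSC"}
CLASS_NAMES = {1: "vlr1203AuthenticationFunction", 2: "vlr1203SubscriberIdFunction",
               3: "vlr1203EquipmentIdFunction", 4: "msc1203EncryptionFunction",
               5: "msc1203IMSIConfidentialityFunction", 6: "hlr1203SubscriberIdFunction",
               7: "bts1203EncryptionFunction"}
# X.721 notification carrying each cause (NOTIFICATIONS clauses of subclause 7.1);
# unknownSubscriberInAuCHLR is registered but bound to no object class on this page.
NOTIFICATION_OF = {"authenticationFailureInVLR": "securityServiceOrMechanismViolation",
                   "imeiCheckViolationInVLR": "securityServiceOrMechanismViolation",
                   "imeiRequestFailureInVLR": "securityServiceOrMechanismViolation",
                   "imsiRequestFailureInVLR": "securityServiceOrMechanismViolation",
                   "imsiConfidentialityFailureInMSC": "securityServiceOrMechanismViolation",
                   "unknownSubscriberInVLR": "integrityViolation",
                   "unknownSubscriberInHLR": "integrityViolation"}
# (mandatory, optional) components of each *Information SEQUENCE; None = information ABSENT
INFORMATION_FIELDS = {
    "authenticationFailureInVLR": ({"iMSI", "authenticationFailureType", "locationInfo"}, {"iMEI"}),
    "imeiCheckViolationInVLR": ({"iMSI", "iMEICheckFailureType", "locationInfo"}, {"iMEI"}),
    "imeiRequestFailureInVLR": ({"iMSI", "locationInfo"}, {"tMSI"}),
    "imsiRequestFailureInVLR": ({"locationInfo"}, {"tMSI"}),
    "unknownSubscriberInVLR": ({"iMSI", "hLRIdentity", "locationInfo"}, set()),
    "unknownSubscriberInHLR": ({"iMSI", "vLRIdentity"}, set()),
    "unknownSubscriberInAuCHLR": ({"iMSI"}, set()),
    "imsiConfidentialityFailureInMSC": None,
}
ENUM_RANGES = {"authenticationFailureType": (1, 2), "iMEICheckFailureType": (1, 4)}


def oid_name(oid):
    """Resolve a GSM 12.03 object identifier (tuple of arcs) to its label, or None."""
    oid = tuple(oid)
    if len(oid) < 2:
        return None
    for prefix, table, kind in ((SECURITY_ALARM_CAUSE, CAUSE_NAMES, "cause"),
                                (EXTENDED_INFORMATION, CAUSE_NAMES, "extendedInformation"),
                                (MANAGED_OBJECT_CLASS, CLASS_NAMES, "class")):
        if oid[:-1] == prefix and oid[-1] in table:
            return f"{kind}:{table[oid[-1]]}"
    return None


def cause_name(alarm):
    cause = tuple(alarm.get("securityAlarmCause", ()))
    if len(cause) < 2 or cause[:-1] != SECURITY_ALARM_CAUSE:
        return None
    return CAUSE_NAMES.get(cause[-1])


def notification_for(alarm):
    """X.721 notification type a well-formed alarm with this cause arrives in, or None."""
    return NOTIFICATION_OF.get(cause_name(alarm))


def check_security_alarm(alarm):
    """List the WITH COMPONENTS violations of an alarm; an empty list means well-formed."""
    name = cause_name(alarm)
    if name is None:
        return [f"unknown securityAlarmCause {alarm.get('securityAlarmCause')}"]
    arc = tuple(alarm["securityAlarmCause"])[-1]
    problems = [f"{c} missing" for c in ("securityAlarmSeverity", "securityAlarmDetector",
                                         "serviceUser", "serviceProvider") if c not in alarm]
    problems += [f"{c} must be ABSENT" for c in ("notificationIdentifier",
                                                "correlatedNotifications", "additionalText") if c in alarm]
    exts = [e for e in alarm.get("additionalInformation", [])
            if tuple(e.get("identifier", ())) == EXTENDED_INFORMATION + (arc,)]
    if not exts:
        return problems + [f"additionalInformation lacks the {name} ManagementExtension"]
    ext, spec = exts[0], INFORMATION_FIELDS[name]
    if spec is None:                       # imsiConfidentialityFailureInMSC carries no information
        if ext.get("significance") is not False or "information" in ext:
            problems.append(f"{name}: significance must be FALSE and information ABSENT")
        return problems
    if ext.get("significance") is not True:
        problems.append(f"{name}: significance must be TRUE")
    mandatory, optional = spec
    info = ext.get("information", {})
    present = set(info)
    problems += [f"{name}: {f} missing" for f in sorted(mandatory - present)]
    problems += [f"{name}: unexpected field {f}" for f in sorted(present - mandatory - optional)]
    if "locationInfo" in info and not 2 <= len(info["locationInfo"]) <= 5:
        problems.append("locationInfo must be OCTET STRING (SIZE(2..5))")
    for f, (lo, hi) in ENUM_RANGES.items():
        if f in info and not lo <= info[f] <= hi:
            problems.append(f"{f} out of range {lo}..{hi}")
    return problems


# Constructed alarm: a VLR reports an authentication failure with mismatched SRES.
SAMPLE_ALARM = {
    "securityAlarmCause": SECURITY_ALARM_CAUSE + (1,),
    "securityAlarmSeverity": "major",
    "securityAlarmDetector": "vlr1203AuthenticationFunctionId=1",
    "serviceUser": "IMSI 262011234567890",
    "serviceProvider": "VLR-1",
    "additionalInformation": [{
        "identifier": EXTENDED_INFORMATION + (1,),
        "significance": True,
        "information": {"iMSI": "262011234567890", "authenticationFailureType": 1,
                        "locationInfo": bytes.fromhex("62f2100001")},
    }],
}
```

A receiver that applies check_security_alarm() before correlating alarms rejects, for instance, a record whose extension identifier does not match its cause arc, or one that smuggles a notificationIdentifier or additionalText the constraint declares ABSENT; both are cheap ways for a misbehaving agent to confuse correlation in the manager.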

7.7 Application contexts

The application context name of the GSM 12.03 application context shall have the following object identifier value:

{gsm-OM-DomainId gsm-12-03(3) protocolSupport(1) applicationContext(0) gsm-Management(0) }

and the following object descriptor value:

"gsm 12.03 management application context"

The object identifier gsm-OM-DomainId is defined in ETR GSM 12.30 [25].

Annex A (normative):
Relation between the authentication and encryption attributes

Due to the fact that authentication and encryption are correlated, and that several caching and reuse mechanisms (CKSN, authentication set reuse) exist, care should be taken when setting the attributes used in the management of authentication and encryption.

This annex describes the relation between the attributes encryptionControl and authenticationNecessaryWhen, used in the management of authentication and encryption respectively.

The management of authentication comprises for every CM service type and LU type the following options:

– off (i.e authentication not necessary);

– on (i.e authentication mandatory).

If abstracted from the differentiation according to CM service/LU type and user classes, the following options exist for the management of authentication and encryption:

encryption:

– off (encryptionControl = noEncryption(1))

– on where possible (encryptionControl = encryptionSupported(2))

– necessary (encryptionControl = encryptionNecessary(3))

authentication:

– off: the security trigger for the procedure is not present in the attribute authenticationNecessaryWhen, so no authentication is performed;

– on: the security trigger for the procedure is present in the attribute authenticationNecessaryWhen.

These parameters allow six combinations, the effects of which are discussed in table A.1.

Table A.1

                             | authentication on                        | authentication off
-----------------------------+------------------------------------------+--------------------------------------------
encryption off               | authentication set reuse is not          | no protection mechanism is active
                             | recommended (security breach by          |
                             | masquerade)                              |
-----------------------------+------------------------------------------+--------------------------------------------
encryption on where possible | if possible (note 2): maximum security   | if possible: same as encryption necessary;
                             | level; else: same as encryption off      | else: same as encryption off
-----------------------------+------------------------------------------+--------------------------------------------
encryption necessary         | maximum security level; however calls,   | (nearly (note 4)) maximum security level;
                             | including emergency calls, will be       | however the call will fail in case of
                             | rejected in case of incompatible         | problems with the CKSN (notes 5, 6 and 7)
                             | encryption algorithms (note 3)           |

NOTE 1: (omitted in the table above) a change in the value of encryptionControl affects all MAP procedures and has to be checked against all the (possibly different) settings of the authenticationNecessaryWhen attribute for all CM service/LU type procedures. The interaction between the various attributes is illustrated in the flowchart of figure A.1 (omitting the distinction between service type, subscriber class and type).

NOTE 2: "Not possible" means:

– incompatible encryption algorithms, or

– HANDOVER FAILURE with error cause "Ciphering Algorithm not supported" from BSS to MSC (in this case, the MSC may decide, depending on other considerations to continue in unencrypted mode or to clear the call, reference GSM 08.08 [22]), or

– CIPHER MODE REJECT with error cause "Ciphering algorithm not supported" from BSS to MSC (reference GSM 08.08 [22]).

In all those cases, the MSC may decide to clear the call or not.

The case where the CKSN is undefined (value "no key available" for CKSN in PAGING RESPONSE and various MM messages, reference GSM 04.08 [4]) or has a value different from that stored in the MSC/VLR is not(!) considered as "not possible", as it would allow an intruder to disable encryption by simply setting this value to "no key available". In this case, authentication shall always be performed if encryption is wanted (reference subclause 6.3.1).

NOTE 3: An A5/1-only mobile (e.g. a Phase 1 mobile) in an A5/2-only network.

NOTE 4: In this case, an intruder may use an SRES obtained by scanning the air interface. However, this will not put him in a position to decrypt the data exchanged subsequently over the air interface, as he still does not know Ki or the encryption key. This means that he is still not able to get any reasonable service, nor will he be able to get any protected information.

NOTE 5: "problems with CKSN" means:

The CKSN in the network and in the mobile have the same value but refer to different RAND values respectively, so that encryption starts with different keys in the network and in the mobile.

NOTE 6: In this case, authentication depends on the availability of a valid CKSN in the mobile. If no valid CKSN is available in the mobile, then authentication shall be performed (reference Subclause 6.2.1).

NOTE 7: It should be kept in mind that a change in the value of encryptionControl affects all MAP procedures whereas authenticationNecessaryWhen has individual settings for every CM service/LU type procedure.

Figure A.1
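Table A.1 and notes 2 to 7 describe the decision that the flowchart of figure A.1 draws. The Python below is an added illustration, not part of GSM 12.03, that writes the same decision out in code: it selects the ciphering algorithm from the ordered algorithmListBTS against algorithmListMSC and the mobile's capabilities (subclauses 7.2.8, 7.2.9 and the CipheringAlgorithmList comment in 7.6), applies the note 2 rule that an undefined or mismatching CKSN forces authentication rather than counting as "not possible", and produces the table A.1 outcomes for the three encryptionControl values, including the note 5 key mismatch that only authentication would have avoided. Assumed: the coding 7 for the CKSN value "no key available", that the mobile's supported algorithms are known to the MSC, and the sample keys and CKSN values used when calling it.

```python
from collections import namedtuple
from enum import Enum, IntEnum


class EncryptionControl(IntEnum):      # EncryptionControl ::= ENUMERATED (subclause 7.6)
    NO_ENCRYPTION = 1
    ENCRYPTION_SUPPORTED = 2
    ENCRYPTION_NECESSARY = 3


class A5(IntEnum):                     # CipheringAlgorithm ::= ENUMERATED (subclause 7.6)
    A5_1 = 1
    A5_2 = 2
    A5_3 = 3
    A5_4 = 4
    A5_5 = 5
    A5_6 = 6
    A5_7 = 7


NO_KEY_AVAILABLE = 7   # CKSN "no key available" (GSM 04.08); coding ASSUMED for this model


class Outcome(Enum):
    CIPHERED = "ciphering started"
    CLEAR = "unciphered: encryptionControl = noEncryption"
    FALLBACK_CLEAR = "unciphered: no common algorithm and encryption only supported"
    REJECTED = "call rejected: encryption necessary, no common algorithm (note 3)"
    KEY_MISMATCH = "call failed: same CKSN but different Kc and no authentication (note 5)"


Decision = namedtuple("Decision", "authenticate outcome algorithm")


def select_algorithm(algorithm_list_msc, algorithm_list_bts, ms_algorithms):
    """First entry of the ordered algorithmListBTS that MSC and mobile also support;
    None is the 'incompatible encryption algorithms' case of note 2."""
    usable = set(algorithm_list_msc) & set(ms_algorithms)
    for algorithm in algorithm_list_bts:   # BTS list order expresses preference
        if algorithm in usable:
            return algorithm
    return None


def ciphering_decision(encryption_control, auth_trigger_present, ms_cksn, vlr_cksn,
                       ms_kc, vlr_kc, algorithm_list_msc, algorithm_list_bts, ms_algorithms):
    """One MAP procedure as seen by the MSC/VLR.  ms_* is what the mobile reports (CKSN,
    classmark) or holds (Kc); vlr_* is what the VLR stored for the subscriber."""
    authenticate = auth_trigger_present    # authenticationNecessaryWhen 'on' for this procedure
    if encryption_control == EncryptionControl.NO_ENCRYPTION:
        return Decision(authenticate, Outcome.CLEAR, None)
    # Note 2: an undefined or non-matching CKSN is NOT a 'not possible' case.  If it were,
    # an intruder could switch ciphering off by sending 'no key available'.  Instead the
    # network authenticates, which derives a fresh Kc on both sides (subclause 6.3.1).
    if ms_cksn == NO_KEY_AVAILABLE or ms_cksn != vlr_cksn:
        authenticate = True
    algorithm = select_algorithm(algorithm_list_msc, algorithm_list_bts, ms_algorithms)
    if algorithm is None:
        if encryption_control == EncryptionControl.ENCRYPTION_NECESSARY:
            return Decision(authenticate, Outcome.REJECTED, None)   # table A.1: even emergency calls
        return Decision(authenticate, Outcome.FALLBACK_CLEAR, None) # same as 'encryption off'
    if not authenticate and ms_kc != vlr_kc:
        # Note 5: the CKSNs agree but were derived from different RANDs, so ciphering
        # starts with different keys and the call fails; authentication would have fixed it.
        return Decision(False, Outcome.KEY_MISMATCH, algorithm)
    return Decision(authenticate, Outcome.CIPHERED, algorithm)


if __name__ == "__main__":   # constructed values: A5/1-only mobile, A5/2-only BTS (note 3)
    msc = [A5.A5_1, A5.A5_2]
    print(ciphering_decision(EncryptionControl.ENCRYPTION_NECESSARY, True, 1, 1,
                             b"kc", b"kc", msc, [A5.A5_2], [A5.A5_1]).outcome)
    print(ciphering_decision(EncryptionControl.ENCRYPTION_SUPPORTED, False, NO_KEY_AVAILABLE, 1,
                             b"", b"kc", msc, [A5.A5_1, A5.A5_2], [A5.A5_1, A5.A5_2]))
```

Two points the code makes explicit that the table only implies: the BTS list decides preference, so an operator who lists A5/2 before A5/1 in algorithmListBTS gets A5/2 even from an A5/1-capable mobile; and the CKSN check happens before algorithm selection, so a mobile cannot reach the unciphered fallback simply by claiming it has no key.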

Annex B (normative):
Additional security counters

Following is the template used to describe the security measurements contained in this annex. It is the same template as used in GSM TS 12.04 [10] annex B.

A. Description

A short explanation of the measurement operation.

B. Collection Method

The form in which this measurement data is obtained:

– CC (Cumulative Counter)

C. Condition

The GSM condition which causes this measurement to be updated. Where it is not possible to give a precise GSM condition, then the conditional circumstances leading to the update are stated.

D. Measurement Attribute Name

The Measurement Attribute Name which will be referenced by the Object Model

E. Measurement Result

A short description of expected result value (e.g. a single integer value)

F. Measurement Function Name

Measurement Function Name for which this measurement is defined