AIR/AIA (Authentication-Information-Request/Answer)

Authentication is a Major function of HSS/AuC. AIR/AIA is an important and first message on s6a/s6d interface that has been exchange between MME/SGSN and HSS during very first attach procedure. Here MME/SGSN asks for authentication credentials from HSS usually called as Authentication Vectors to authenticate and authorize the subscriber.

As we know MME uses EPS authentication vectors and SGSN can ask for UMTS or GERAN authentication vectors. while combined MME/SGSN can ask for all kind of authentication vectors in a single request. MME/SGSN shall tell the number of authentication vector it needs, generally between 1-5, if this information is missing then HSS shall send one authentication vector to MME. 

AVP structure used by MME to ask for EPS vectors
Requested- EUTRAN-Authentication-Info ::= <AVP header:10415 >
                         [ Number-Of-Requested-Vectors]
                         [ Immediate-Response-Preferred ]
                         [ Re-synchronization-Info ]


AVP structure used by SGSN to ask for UTRAN/GERAN vectors
Requested-UTRAN-GERAN-Authentication-Info ::= <AVP header: 10415>
                         [ Number-Of-Requested-Vectors]
                         [ Immediate-Response-Preferred ]
                         [ Re-synchronization-Info ]


Combined MME/SGSN can use "Immediate-Response-Preferred" AVP to tell HSS which Authentication Vector it wants on urgent basis; then other type of vector could be sent in same response but they are optional. For example: Combined node sends "Immediate-Response-Preferred" in Requested- EUTRAN-Authentication-Info AVP then HSS must send EUTRAN authentication vectors; HSS may send GERAN/UTRAN vector but they are optional; it totally depends on HSS whether it want to send them or not; because it will not be immediately consumed by combined node.

Generally a time-period on MME/SGSN end for which if more than one vector are downloaded at MME/SGSN are treated as fresh; After that time is elapsed the vectors are treated as stale and shall be deleted by MME from its end.

MME/SGSN can send "Re-synchronization-Info" if sequence number mis-match at UE end and shall be discussed whole scenario in following article.

Re-synchronization Failure


HSS generates responses after processing request and shall send AIA

GERAN Vector are generated by HSS as discussed in Article


HSS sends GERAN vector in following AVP
GERAN-Vector ::= <AVP header: 1416 10415>
                 [ Item-Number ]
                 { RAND }
                 { SRES }
                 { Kc }

UTRAN Vector are generated by HSS as discussed in Article 

[UMTS - 3G] UTRAN Authentication Procedure


HSS sends UTRAN vector in following AVP
UTRAN-Vector ::= <AVP header: 1415 10415>
                [ Item-Number ]
                { RAND }
                { XRES }
                { AUTN }
                { Confidentiality-Key }
                { Integrity-Key }

EUTRAN Vector are generated by HSS as discussed in Article


HSS sends EUTRAN vector in following AVP
E-UTRAN-Vector ::= <AVP header: 1414 10415>
                [ Item-Number ]
                { RAND }
                { XRES }
                { AUTN }
                { KASME }

Usage of OP/OPc and Transport Key in authentication procedure is explained in following article 





Your Comments /Suggestions and Questions are always welcome,  shall clarify with best of our knowledge. So feel free to put Questions.

19 comments:

  1. Replies
    1. We appreciate you support.

      Thanks for your valuable time.
      Team-Diameter

      Delete
  2. Hi,
    When SGSN asks for UTRAN/GERAN vectors from HSS, how does HSS know whether to respond with UTRAN or GERAN vectors? Why would a 2G/3G SIM be hosted on a HSS? Shouldn't the SGSN use SS7 MAP Gr interface for the 2G/3G SIMs and only S6d for the 4G?
    Thanks

    ReplyDelete
    Replies
    1. What about those cases in which eNodeB is receiving data from BTS i.e. 4G->3g or 2G failover over radio services but at backend only LTE is supported for all the subscriber. It can be the cases where LTE coverage is not supported but subscriber has taken LTE connection.

      Delete
    2. There should be each avp have the
      "avp code "that has to recognise the type of info that has to contain....u just check the s6 spec for those info

      Delete
    3. I have a similar question. I've got an AIR with Requested-UTRAN-GERAN-Authentication-Info because the Attach came from IuPS.
      But the HSS is rejecting with a Failed AVP.
      What would be the reason ?

      Note that if the Attach is coming from S1, then I've got an AIR with Requested-EUTRAN-Auth-Info, then no problem

      Delete
  3. Can anybody please share LTE attaché (s6a/s6d) process in detail. Mail Id : parthapratim.hazra@gmail.com

    ReplyDelete
    Replies
    1. Hi

      Following link might help you.
      http://diameter-protocol.blogspot.in/2012/07/s6as6d.html

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

      Delete
  4. Hi ,

    Can anybody help to me to explain when mme sends AIR request to Hss and hss responds back to mme in AIA . then MME sends u.e to Authn. challenge request when u.e responds back with Auth. Challenge Answer . in u.e case u.e sends ans in "" RES "" and mme have XRES ok . me seen in traces the value are different i jus confuse about it please help me to solve my query

    ReplyDelete
    Replies
    1. Hi Sanjeev,

      UE sends (RES) to MME and then MME Compares (RES) with (XRES) [i.e. XRES received form HSS in AIA].
      if Both RES and XRES are equal then Authenticaiton is successful.

      Delete
  5. In Diameter Error Answer Message What are all the AVP will present

    ReplyDelete
    Replies
    1. Hi Stanley Paul,

      AIA in error case will contain experimental result code AVP

      Following links will help you

      http://diameter-protocol.blogspot.in/2012/10/result-code-and-experimental-result-code.html


      http://diameter-protocol.blogspot.in/2012/10/list-of-experimental-result-codes.html

      Delete
  6. hello
    I'm curious about LTE roaming restrict why HSS doesn't consider VPLMN-ID in AIR instead of ULR ?
    Because in AIR also have this VPLMN-ID as mandatory?

    ReplyDelete
    Replies
    1. Hi songkram tientong

      HSS considers VPLMN-ID for Authentication, VPLMN-ID is used for PLMN-Based authentication, to generate KASME for considered plmn.

      For Roaming restriction ULR is used because their may be the case of Limited-Restriction i.e. only few services(limited-services) are allowed to use by user in that PLMN(You can check HPLMN_ODB and ODB) then only that data is downloaded to MME, therefore Authentication is must for that plmn to initiate ULR and receive ULA with only limited data.


      Hope it suffice your query.


      Happy to help you again.
      Team-Diameter

      Delete
  7. Can someone explain to me, how authorization is performed in s6a?

    ReplyDelete
  8. What should MME behavior when no response received from HSS for AIR during initial attach procedure.
    Should MME retry S6a procedure OR start a timeout & reject attach request (no retry on S6a)

    ReplyDelete
    Replies
    1. Hi Amit,

      MME should retry to send AIR depending upon operator's policy on retry. It is the usually the operator's call on network policies in failure case.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

      Delete
  9. Requested-EUTRAN-Authentication-Info is rejected by HSS with DIAMETER_AUTHORIZATION_REJECTED (5003). There is no specific information in the message. What could be the reason HSS is rejecting the request.

    ReplyDelete
    Replies
    1. Hi Baskaran,

      Ref: 3gpp- 29272
      If the AuC is unable to calculate any corresponding AVs due to unallowed attachment for the UE, e.g. the UE is attaching via E-UTRAN with a SIM card equipped, the HSS shall return an error DIAMETER_AUTHORIZATION_REJECTED,

      Means you are trying to do something that is not ideal in that tracking area. "No suitable cells in tracking area"

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

      Delete