Resolving ueAddr ambiguity when it is the UE private address #34
Comments
|
Depending on outcome of the discussion/issue the API documentation need to be updated (see #17 (comment)) |
|
We can derive the ipDomain from the UE public IP address if known. This is much simpler than trying to derive the UE identity itself from the public IP + port, but requires the API to know both the private and public UE IP to identify the UE. If it is the UE itself calling the API, then the public IP can be determined from the source IP of that request. But otherwise that parameter needs to be passed explicitly along with the private IP. I'd propose that the ueAddr parameter be replaced by two separate optional parameters uePublicAddr and uePrivateAddr (or equivalent, if our terminology is updated). The API caller could then provide either none, one or both of these parameters, depending on their knowledge. |
|
I was waiting until PR #67 was resolved before proposing changes, but I'll make a proposal here before creating a new PR. I propose to modify the current UEId schema to the following:
Usage guide:
Some comments on property name styles would be useful as we already have a mix of styles in use (e.g. should |
|
Thank you @eric-murray, We think that adding more options to identify the UE is adding more complexity for both the consumers and the providers of the API. Providers should support all of them or relay on errors for not supported options, and consumers have to use all options simultaneously or invoke each provider in a different way. As you know, TEF is promoting via commonalities Issue #101, the use of a universal identifier which can be obtained from the public IP and port, and used in every API. This is still under discussion but the outcome of it would impact how the UE is identified. About the topic of private addresses, in our scenarios, we are only considering public IP addresses, and then the port becomes required. Is there a use case to include a private address? If the API consumer is an intermediary, it will see the public ip and port, and not the private address. If it is the UE itself, the private address is not enough as you say, but it is not straightforward for a UE to know its public address (it requires some service in the public internet). Regarding the design, it would make sense to us to include both (public) ip_address and port, in the context of UE identification, within the same object. Also, when referring to IP Addresses, we may consider allowing both IPv4 and IPv6 addresses being used as value for any generic ip_address, as server does not need to be told explicitly about the format. But, as said before, we think that is better to decouple device identification to a previous step and use another universal identifier in the API. |
|
Hi @jlurien On the issue of whether the private UE IP should be accepted as a UE identifier, my view is that this should be accepted if known to the API caller because private IP and IP domain can be used to identify the UE to the NEF whereas public IP and port cannot. The reason for introducing publicipv4addr as an identifier is to identify the IP domain, of course. Until your comment, nobody had said that the QoD API should not accept private IP as a UE identifier, and the current API allows this. But on its own, it is ambiguous. So either additional parameters are required to resolve this ambiguity (I propose public IP address) or this scenario needs to be excluded. The views of other QoD participants would be appreciated. Proposals to include UE port(s) within the UeId object is a separate issue to this one. |
Sorry, but I don't fully understand the use case, that was my point. In which case a caller would know both the private and public addresses but it is not able to identify the UE with public address and port? Is this a limitation raised by some participant?
I agree that the current API is ambiguous and we should work to document the use of the API properly. If nobody requires a private address to be specified in any case, we should make it clear and exclude that possibility.
Agree |
|
Well, there are techniques that allow a UE to determine their public IP address, but not the port. For example:
So it is possible that public IP is known but port is not. Even if the public port is known, then it will not necessarily be the port seen by the application server or the API gateway. Whilst mobile operators usually use PBA for CGNAT, and hence a given public IP and port tend to be allocated to a given UE for a reasonable period of time (even if not currently in use), purely dynamic allocation is possible. In that case public IP and port information obtained from a 3rd party service may be in use by a different UE by the time the information is passed to the API. But for identifying the IP domain, any public IP that was recently used by the UE would still identify that, even if currently allocated to a different UE. So there are indeed scenarios where the UE would know its private and public IP, but not the public port seen by the application server or API gateway. Whether this use case would be common or not is not the question. The question is do we support it or not. |
|
Thank you Eric for the detailed explanation. In the end that is the question. As this issue was raised some months ago I'm not aware of the context, that's why I wondered about whether this proposal tackles a limitation or necessity raised by some participant in the short term. In our scenarios we do not foresee the UE to call the API directly. |
|
Even if the UE does not call the API directly, it can still pass parameters to an application server for identification. It is simple for any 3rd party UE application to determine both its private and public IP, but try asking iOS for your MSISDN. |
|
As discussed on the call today, I'll raise a PR for the above solution once PR #67 is resolved. I'll also migrate the uePorts field into the UEId object, and add some documentation on how the different IP and port fields should be used. |
|
In anticipation of pushing the necessary changes to v0.10.0, I thought I'd outline how I intend to approach this. I'm going to modify the So the and a new object The |
|
I was also thinking about possible errors that the client could then make when constructing the
Let me know of any more |
|
@eric-murray The proposal looks good to me. Not sure if |
|
Thanks @jlurien . On the points you raise:
|
|
If the I think also that defining a SingleIpv4Addr is convenient. Thanks! |
@eric-murray Are these errors translated from Network error response? My assumption is that it may not be practical for the operator to provision UE details to the QoD service to do the validation. Regarding the
|
|
@sfnuser If the current |
I think what you are asking here is that, if the only southbound network element interface available to the QoD API is the T8 AsSessionWithQoS, then how can the MSISDN and/or External ID identifiers be validated for consistency with any IP address that is specified? In that scenario, indeed MSISDN and External ID cannot be used to identify the UE, as the AsSessionWithQoS interface does not accept these parameters. So I guess we need an "Specified identifier not supported" error message for implementations that do not support UE identification by MSISDN or External ID. As we allow multiple identifiers to be specified by the client, my view is that the API should validate them all for consistency rather than just pick the one that is most convenient to use southbound and ignore the rest. The alternative would be to limit
The scenario here is not clear to me. Is there a scenario in which, for a given application server target (say 10..0.0.1:443), then some active UE flows to that target should be prioritised (e.g. 10.100.0.1:50000) but other active flows (e.g. 10.100.0.1:50001) should not? What is that scenario? My expectation was that a UE port wildcard would be used to set-up the flow (10.100.0.1:*), even the UE has been identified by IP address and (a single) public port. If there is a scenario where UE private port range needs to be restricted for the QoS flows, then |
|
@eric-murray Thanks for the detailed and good discussion. Some thoughts - knowing that it will get difficult to cover all cases in a way which is both easy to understand and easy to use:
|
|
@eric-murray Thanks for the clarifications.
By validate, I assume we mean format checking only - correct? For e.g. if the UE passes v4 & v6 addr, do we expect the QoD service to validate the v4 & v6 addresses matches for a UE? The NFs have to do this validation anyway and moving this forward to QoD service also means provisioning the UE data again for QoD. Not sure if such validation is required at QoD level for Also, if a UE provides v4 & v6 address for
@eric-murray @jlurien Yes, in the current versions, it is not mentioned that @hdamker Thanks for the inputs. It's nice to know about the scenarios you have added.
Agreed. |
|
Thanks @sfnuser
No. I meant that, where the API client supplies multiple UE identifiers that identify different UEs, then I would expect this to be flagged to the client as an error. However, this is implementation dependent behaviour - there is no requirement that all implementations of the API behave identically, and an implementation can choose to ignore identifiers that it cannot validate. Rather, I'm just identifying the need for a "Multiple inconstant properties specified" error message to be available for those implementations that need it. The alternative is to mandate that only a single UE identifier be supplied. As a side note, Vodafone would not use the NEF itself to validate these parameters and, more generally, our policy is not to throw unverified parameters supplied by 3rd parties at our southbound network elements and rely on them to detect any errors. The teams managing those network elements don't like that at all.
So the purpose of this proposal is to solve the issue of identifying a UE from a private IPv4 address. Requirements for defining flows is a separate issue, so So my proposal to resolve the IPv4 private address ambiguity remains as above, but |
|
Thanks @eric-murray for the clarifications.
I agree. On a side note, when multiple UE Ids are passed to QoD service and if only one of the id is used southbound, can we use the successful response body
I agree. Thanks. |
I wouldn't wait, the changes will be mainly a search and replace through the YAML and documentation, but we might wait with that until there is also a discussion in Commonalities done (and there is also snake_case vs camelCase).
We can discuss that tomorrow. Maybe we can also ask to do it directly. If not waiting for in total 7 days might be right. |
|
I wouldn't wait too much either. Discussions around commonalities are never ending. I think it's better to progress on functionality and if guidelines change, adapt our latest version to them. Changing formats is no-brain. |
|
PR #123 created |
This issue and associated PR are not intended to cover combined IPv4/IPv6 scenarios. I would suggest that anyone who wants a specific scenario to be considered should open an issue if that scenario is not covered by the current API definition. |
|
Given the discussion paper presented in PR #127 and some additional research on my part, I'd like to return to my original proposal in an above comment, but modifying it to make the logical constraints on allowed parameter combinations much clearer and intuitive. So object where the custom object and IPv4 addresses are restricted to a single address using the new object Using the terminology in PR #127, I have no preference as to whether the terminology Specifying multiple required parameter options using the |
|
@eric-murray, Maybe you can use a construct like this Because this one is more openapi-generator friendly and seems also to be readable |
|
@patrice-conil |
I think that this schema is not compliant with the openapi spec. I think that the original proposal by @eric-murray is compliant to the spec, but some generator may have problems with it. It may be more supported by generators, but more redundant, to reference both alternative schemas: But this may depend on the generator used, some may even work with the non-compliant version, but we should avoid it. |
|
@eric-murray, |
|
@jlurien, |
|
I posted details of how the scenario this issue was intended to address (that of the device itself calling the QoD API) would actually work in a comment in PR #127. Please have a look if you did not understand the full context of this specific issue. @jlurien But the important point is that both proposals enforce the valid parameter options on the API caller, which is not achieved by the proposal in PR #127, which is why I am not in favour of that proposal. |
|
UE IP address and ports in QoD.pdf I attach a revised discussion paper for this issue. In this scenario, we generalize how Device App can obtain observed UE IP address and observed UE port(s), i.e., from an Application Server which may be DNS or Traffic Application Server. |
|
Ericsson's proposal:
UeId:
type: object
required:
- observedIpAddr
properties:
externalId:
$ref: "#/components/schemas/ExternalId"
msisdn:
$ref: "#/components/schemas/MSISDN"
assignedIpAddr:
oneOf:
- $ref: "#/components/schemas/Ipv4Addr"
- $ref: "#/components/schemas/Ipv6Addr"
observedIpAddr:
oneOf:
- $ref: "#/components/schemas/Ipv4Addr"
- $ref: "#/components/schemas/Ipv6Addr"
description: User equipment identifier
UePorts:
type: object
required:
- observedPorts
properties:
localPorts:
$ref: "#/components/schemas/PortsSpec"
observedPorts:
$ref: "#/components/schemas/PortsSpec" |
|
@emil-cheung From your presentation, it looks like you believe that the API caller needs to provide all of the private / public IP addresses and ports involved, which is just not necessary. But from your proposed definitions above, only The other proposals above attempt to strike a balance between allowing the API caller flexibility in what parameters they provide, whilst still placing some constraints on parameter combinations to try and avoid the API caller providing insufficient parameters. Just to document some comments I made in the last meeting about the IPv4 CGNAT case:
Commenting on the presentation:
|
UE IP address and ports in QoD.PA3.pdf @eric-murray , please check p11-p13 in PA3 of my discussion paper, for the QoD request examples.
Technically, we understand the combinations of 'minimum' attributes for various scenarios, but we would like to argue the necessity for developers. First of all, when a developer 'observes' a device connection from an Application Server, he always gets observed UE ports together with observed UE IP address. Always putting observed UE ports together with observed UE IP address in QoD request requires 'no additional cost'. Secondly, these combinations of 'minimum' attributes require developers to have knowledge about CSP network deployments (NAT, no NAT, NAT64) and telecom concepts (PDU session identification, CGNAT). Last, but not least, CAMARA layer shall provide 'intelligence' to adapt to different CSP network deployments (CAMARA also supports the aggregator role) and hide unnecessary telecom concepts. Again, the essence of Ericsson proposal is to let developers provide what they get (WHAT), and let CAMARA layer figure out how to use (HOW). |
|
@eric-murray #129 is finally merged, so the way is free for the next PRs. Would it be able for you to create your PR before the next call on April 21st (to follow the proposed timeline in #136)? |
|
@emil-cheung The public ports would only be known to the actual application server that the QoS flow would be created for, and "customising" the application server to provide a mechanism to communicate this information to the device would appear to be a pointless overhead given that the information is not required. Given that the reason for including this scenario was to allow a device to use the QoD API even if the application server knows nothing about it or CAMARA APIs, including device public ports in the API call rather defeats this objective. The device only needs to know any public IP address is it currently using in order to identify the IP domain, and DNS can provide this information. For the three "sub-scenarios" you consider (IPv4-NAT, IPv6 - No NAT, NAT 64), then my proposal above (modified to the updated terminology) would look as follows. Terminology can be changed, of course. Use of the IPv4-NAT IPv6 - No NAT NAT64 Note that, if this last scenario is a valid scenario, then both the |
|
@hdamker Yes, I will create a PR before Friday based on the current WIP API definition |
|
@hdamker If the IPv6 address alone is sufficient to identify the device, then the device would not need to provide its public (observed) IPv4 address in order to identify itself. |
IPv6 address alone is sufficient for us (as same prefix is also used for the public/observed IPv6 address). |
Eric, In NAT64 case, if the device App cannot get the local IP address (which is IPv6 address), it needs to use the observed IP + observed port (which is IPv4 address). |
|
I created PR #139 to address this issue. Please have a look.
This issue was created to address the scenario where it was desired to identify the device by its private (allocated) IPv4 address. If it is not possible to get this information, then this issue does not apply. The API has always supported and will continue to support identifying devices by public IPv4 address and port, along with other methods of identifying the device.
Again, this issue does not affect NAT64 scenarios. For those, the device can either be identified by its IPv6 address alone or, if this is not known, by its public (observed) IPv4 address and port. Both these methods are supported and will continue to be supported. |
|
@hdamker Vote 1:
|
|
@eric-murray
Hope that will give you enough time to update the PR before our next call if needed. P.S.: I've reduced the options for vote 2 to the ones listed in #139 (comment) |
The current QoD API definitions identify the UE by its source IP address (ueAddr). If that address is public (i.e. routable) then knowledge of any UE source port (via the uePorts parameter) will allow the UE to be uniquely identified, albeit that this is not trivial. So if the specified UE source IP address is public, uePorts becomes a mandatory additional parameter.
But if the UE source IP address is private (i.e. non-routable), then it may not be possible to uniquely identify the UE. This is because the private address is allocated by the PDN GW to which the UE is connected, and a typical mobile network will have several of these with the specific PDN GW being selected based on network routing policies. PDN GWs will typically use the same private address space (usually the 10.0.0.0/8 range) which means that it is possible that more than one UE is currently allocated a given private IP address.
For the T8 interface, 3GPP resolve this ambiguity by requiring that an ipDomain parameter is also specified. This parameter resolves the ambiguity by identifying which PDN GW (i.e. which "domain") has allocated the private IP address. But I don't think CAMARA can adopt this solution as the API consumer is unlikely to know this information.
If the API consumer is the UE itself, then other approaches can be used to uniquely identify the UE, such as OpenID connect or the public source IP that will be seen by the API gateway even if not explicitly sent as an API parameter. And when the agreed proposal to allow use of GPSI as a UE identifier is implemented, then that can be specified rather than the UE source IP address.
But if the only identifying parameter for the UE is the private source IP address, then either a mechanism to resolve this ambiguity must be introduced by CAMARA, or the documentation should make clear that specifying a private IP for ueAddr is likely to result in an error response (probably 400 BAD REQUEST). Unfortunately I don't have a good proposal as to how this ambiguity can be resolved, so Vodafone's current position is that we will return an error message if the UE source IP specified is private.
The text was updated successfully, but these errors were encountered: