User reported tests of OAI UE simulator with free5GC core network: OAI UE is encoding the Registration Request incorrectly. In the attached packet trace file, frame 69 contains the offending packet: ``` UplinkNASTransport protocolIEs: 4 items Item 0: id-AMF-UE-NGAP-ID Item 1: id-RAN-UE-NGAP-ID Item 2: id-NAS-PDU ProtocolIE-Field id: id-NAS-PDU (38) criticality: reject (0) value NAS-PDU: 7e04f370e7b3007e005e7700096557547698103214f371001d7e004119000d0100f1100000000007505501002e08e060000000000000 Non-Access-Stratum 5GS (NAS)PDU Security protected NAS 5GS message Plain NAS 5GS Message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0000 = Security header type: Plain NAS message, not security protected (0) Message type: Security mode complete (0x5e) 5GS mobile identity NAS message container Element ID: 0x71 Length: 29 Non-Access-Stratum 5GS (NAS)PDU Plain NAS 5GS Message Extended protocol discriminator: 5G mobility management messages (126) 0000 .... = Spare Half Octet: 0 .... 0000 = Security header type: Plain NAS message, not security protected (0) Message type: Registration request (0x41) 5GS registration type NAS key set identifier 5GS mobile identity UE security capability Item 3: id-UserLocationInformation ``` The Registration Request was created by the UE and relayed by the OAI gNB simulator to the free5GC AMF. According to TS 124 501 https://www.etsi.org/deliver/etsi_ts/124500_124599/124501/15.02.01_60/ts_124501v150201p.pdf : > Section 8.2.6.1: In a Registration Request, the 5GMM capability field is "optional". > Section 8.2.6.3 5GMM capability: The UE shall include this IE, unless the UE performs a periodic registration updating procedure. My interpretation of the word "shall" is, this IE must be included in the initial Registration Request, but may be omitted during registration updating. However, OAI UE is not including this IE in the initial Registration Request. This subsequently caused free5GC AMF to reject the registration: ``` 2024-12-12T20:22:31.213235728Z [36m [INFO][AMF][Gmm][amf_ue_ngap_id:RU:1,AU:1(3GPP)][supi:SUPI:imsi-001017005551000] [0mHandle InitialRegistration 2024-12-12T20:22:31.218202767Z [36m [INFO][AMF][Gmm][amf_ue_ngap_id:RU:1,AU:1(3GPP)][supi:SUPI:imsi-001017005551000] [0mSend Registration Reject 2024-12-12T20:22:31.218278008Z [36m [INFO][AMF][Ngap][amf_ue_ngap_id:RU:1,AU:1(3GPP)][ran_addr:172.25.199.19:60528] [0mSend Downlink Nas Transport 2024-12-12T20:22:31.218903925Z [31m [ERRO][AMF][Gmm] [0mCapability5GMM is nil 2024-12-12T20:22:31.218930484Z [36m [INFO][AMF][Gmm] [0mHandle event[ContextSetup Fail], transition from [ContextSetup] to [Deregistered] 2024-12-12T20:23:34.836264722Z [36m [INFO][AMF][Ngap][ran_addr:172.25.199.19:60528] [0mHandle UEContextReleaseRequest ``` After that the OAI UE crashes: > [0m[NAS] [UE 0] Received NAS_DOWNLINK_DATA_IND: length 25 , buffer 0x7f466c0028e0 > [0m[NAS] [UE 0] Received NAS_DOWNLINK_DATA_IND: length 11 , buffer 0x7f466c002df0 > [0m [1;31m[NAS] Received Registration reject cause: Illegal_UE > [0mUE threads created by 7 > TYPE <CTRL-C> TO TERMINATE > kgnb : b8 a2 3b ef 03 4c 9a f4 7f 02 c3 f9 c4 bb 31 0e 43 6c 7d f1 d1 1c 0b c3 5a 0d f6 c0 7c 20 fa 2d > kausf:4b 5e 6d 8b 1c 5 ff 6 9a ab 0 ed cf b6 20 50 3c a4 5c 11 3c 4d 9 2f 36 12 41 a6 64 34 bb b1 > kseaf:f0 6c bc 0 b6 b6 63 d6 99 40 11 6e b ef d1 5 25 d1 f0 d0 48 de b 42 ee fb 51 94 60 30 a 44 > kamf:3 79 b3 3e 24 f3 14 89 72 32 49 77 ed 8d 2f c7 4c 6 17 fe 79 27 47 20 74 94 a5 15 d9 f5 16 9f > knas_int: 6 60 8b 64 e1 ce 59 5f 67 7c d5 3 1a 66 27 18 > knas_enc: 85 dd ae 95 21 b0 28 b7 2 4d e6 94 2a 63 97 9c > mac f3 70 e7 b3 Related discussion in free5GC: https://github.com/free5gc/free5gc/issues/114#issuecomment-708991082 https://github.com/free5gc/amf/pull/131#issuecomment-2149088507