Push Tracker
ria-ran--sim-drop/plan/roadmap.md

147 lines
7.6 KiB
Markdown
Raw Permalink Normal View History

# Roadmap — Closed-Loop eSIM Provisioning ("SIM Drop")
_Last updated: 2026-07-02_
## Context
**Goal.** A "SIM drop": a WiFi access point dropped into the field, pre-loaded
with a batch of eSIM profiles already registered in the 5G core, that hands
credentials to devices through a captive portal reached by QR code. If a backhaul
link to the core exists, it can also register new subscribers dynamically.
**End devices.**
- **COTS UEs** (handsets / modems) with real eUICCs.
- An in-house **software UE stack** that can load credentials from a file.
**Constraints & resources.**
- **Purely eSIM** — no physical SIM programming (Open-Cells cards on hand are not
the target path).
- Available for testing: **srsRAN gNB + Open5GS running**, a **test eUICC / phone**.
- Deployment targets **Pi and Android**, equally.
## The trust model (and how we work with it — not against it)
Consumer eSIM (GSMA SGP.22 RSP) doesn't let you sideload a profile file into an
eUICC: the device's LPA downloads it from an **SM-DP+**, and the eUICC only
installs profiles from an SM-DP+ whose certificate chains to a **CI root the
eUICC trusts**.
The key realization: **we control which eUICC the device uses.** We do *not* need
to defeat a phone's soldered factory eUICC (that would need GSMA CI accreditation).
Instead we supply a **controllable eUICC** whose root-of-trust is ours/test — and
then any COTS UE works with our own local SM-DP+, with **no GSMA involvement**.
This is a productized, well-trodden path (sysmocom sells the cards and runs a
test SM-DP+ for them).
Concretely, three ingredients:
1. **A controllable eUICC**, e.g. **sysmoEUICC1** — a removable eUICC in 2FF/3FF/4FF
plastic (or MFF2 solder) form, loaded with **test (SGP.26) or private roots**
instead of GSMA keys. Plugs into virtually any COTS phone/modem with a SIM slot.
2. **A local SM-DP+** — Osmocom **`osmo-smdpp`** (proof-of-concept, ships with
pySim), serving *our* SAIP profiles, using SGP.26 test / private-root certs that
match the eUICC.
3. **An LPA on the device****EasyEUICC / OpenEUICC** (Android, via UICC Carrier
Privileges; needs the eUICC's ISD-R to grant an ARA-M rule) or **`lpac`** for
modems / CLI. The LPA consumes an activation-code **QR** and drives the install.
Delivery tracks:
-**Software UE** — loads a profile/credential file directly. Works today, no RSP.
-**COTS UE + controllable eUICC** — removable sysmoEUICC (test/private root) in a
COTS phone/modem + LPA + our local `osmo-smdpp`. The real eSIM path.
- ⚠️ **A phone's untouched factory eUICC** — would reject a local SM-DP+ (needs GSMA
CI accreditation). We sidestep this by supplying the eUICC, so it's not a blocker.
## Where we are (done)
Provisioning server: credential generation (IMSI/Ki/OPc/ICCID), SQLite store,
per-MAC rate limiting, captive portal, Open5GS/free5gc adapters, `v2` + real
`SAIP` profile generation, security-hardened, 109 tests. **Missing: the last mile
(delivery to a device) and live core-integration proof.**
## Target architecture
```
Drop device (Pi / Android)
├─ WiFi AP (open) + captive portal (QR entry)
├─ Provisioning server (Flask) ← built
├─ Subscriber DB (pre-registered batch + dynamic) ← built, needs batch layer
├─ Local SM-DP+ (osmo-smdpp) ← Phase 3
└─ Backhaul to core (optional) ← dynamic registration when present
Two delivery tracks:
Track S — Software UE: profile file → soft-UE → attach (Phase 1)
Track E — COTS UE + eUICC: COTS phone/modem with a controllable
(removable/private-root) eUICC + LPA:
QR activation code → LPA → local SM-DP+
→ eUICC installs SAIP profile → attach (Phase 3)
```
## Phases
### Phase 0 — Prove core attach (de-risk the foundation)
Register one generated credential in Open5GS and attach with the software UE (or
a test eUICC) on srsRAN+Open5GS; confirm authentication succeeds.
- Validates our Milenage/OPc derivation and the adapter document shape against a
**live** core — everything downstream depends on this being correct.
- **Needs from you:** Open5GS reachability (MongoDB URI / network) or you run the
sync; the slice (SST/SD), APN/DNN, and PLMN the gNB expects.
### Phase 1 — Software-UE loop (file delivery; first closed loop, no SM-DP+)
- Define the soft-UE profile format and add an exporter (extend
`scripts/make_profile.py` / a new `/api/provision` format).
- Flow: WiFi → captive portal → provision → download soft-UE profile → attach.
- **Needs from you:** the exact format your soft-UE ingests (e.g. srsUE-style
`ue.conf` with `imsi/k/opc/opc_type`, or a custom schema).
### Phase 2 — Pre-registered batch + drop packaging (the "drop" model) [software-only; can start now]
- Batch generator: pre-generate _N_ profiles, register all in the core, persist to
the drop DB marked "available".
- Captive-portal **claim** flow: atomically hand an unclaimed pre-registered
profile to a device (QR/portal).
- **Offline operation:** with no backhaul, hand out from the pre-loaded batch;
queue dynamic registrations for when the core link returns.
- Deliverable: a drop that works fully offline from a pre-loaded batch.
### Phase 3 — COTS UE via local SM-DP+ (the real eSIM last mile)
- Obtain **controllable eUICCs** (removable sysmoEUICC1 with SGP.26/private root, or
equivalent) and confirm an **LPA** on the target UEs (EasyEUICC/OpenEUICC on
Android; `lpac` for modems). Verify the eUICC's ISD-R grants the ARA-M rule the
LPA needs.
- Stand up **`osmo-smdpp`** on the drop; wire our SAIP profiles into it; manage the
matching (SGP.26/private) CI cert chain.
- Complete the SAIP profile to an installable one (PIN/PUK, ARR, security domain,
remaining mandatory PEs) — **validated against the real eUICC** (this is where
the deferred SAIP PE work finally gets card-validated rather than guessed).
Cross-check against pySim's known-good test profiles.
- Captive portal renders the LPA activation-code **QR**; a COTS phone/modem (with
the controllable eUICC) installs and attaches.
- Deliverable: COTS UE + controllable eUICC → scan QR → eSIM installed → on the network.
### Phase 4 — Field hardening (Pi + Android, first-class)
Offline/power/thermal, monitoring/observability, capacity, subscriber
revoke/expire/resync, backhaul-aware dynamic registration, secure batch loading.
## Recommended immediate next steps
1. **Phase 0** — prove live attach (software UE + Open5GS). Highest de-risking value.
2. **Phase 2 groundwork (in parallel, software-only, no hardware needed):** the
batch pre-registration generator + atomic claim flow. This is squarely on the
critical path for the "dropped, pre-loaded, offline" model and I can build and
test it now.
## Open questions
- **Soft-UE profile format** — what schema does your software UE ingest?
- **Open5GS access** — reachable from the dev environment, or do you run sync?
MongoDB URI, slice SST/SD, APN/DNN, PLMN to match the gNB.
- **SM-DP+** — OK to vendor/run `osmo-smdpp` on the drop, or a different RSP?
- **Controllable eUICCs** — which eUICC do we standardize on (sysmoEUICC1 with
SGP.26 vs private root)? Do the current "test eUICC/phone" you have match the
SGP.26 root osmo-smdpp ships, or do we need a private-root batch?
- **LPA** — EasyEUICC/OpenEUICC (Android) and/or `lpac` (modems) as the on-device
LPA? Any UEs whose SIM slot / carrier-privilege behavior needs checking?
- **Batch model** — expected batch size per drop; how batches are provisioned and
loaded (offline media vs one-time backhaul).