Add SGs Interface

Add an SGs interface (3GPP TS 29.118) to osmo-msc in order to support
SMS tunneling and Circuit Switched Fallback (CSFB)

Change-Id: I73359925fc1ca72b33a1466e6ac41307f2f0b11d
Related: OS#3615

13 files changed, 1728 insertions, 14 deletions

diff --git a/src/libmsc/Makefile.am b/src/libmsc/Makefile.am
index 72da747c2..454b9708e 100644
--- a/src/libmsc/Makefile.am
+++ b/src/libmsc/Makefile.am
@@ -17,6 +17,7 @@ AM_CFLAGS = \
 	$(LIBOSMOMGCPCLIENT_CFLAGS) \
 	$(LIBOSMOGSUPCLIENT_CFLAGS) \
 	$(LIBOSMORANAP_CFLAGS) \
+	$(LIBOSMONETIF_CFLAGS) \
 	$(NULL)
 
 noinst_HEADERS = \
@@ -52,6 +53,9 @@ libmsc_a_SOURCES = \
 	transaction.c \
 	osmo_msc.c \
 	ctrl_commands.c \
+	sgs_iface.c \
+	sgs_server.c \
+	sgs_vty.c \
 	$(NULL)
 if BUILD_IU
 libmsc_a_SOURCES += \
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index adc946eb9..c6e5528af 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -469,13 +469,12 @@ static uint8_t bcdify(uint8_t value)
         return ret;
 }
 
-
-/* Section 9.2.15a */
-int gsm48_tx_mm_info(struct ran_conn *conn)
+/* Generate a message buffer that contains a valid MM info message,
+ * See also 3GPP TS 24.008, chapter 9.2.15a */
+struct msgb *gsm48_create_mm_info(struct gsm_network *net)
 {
 	struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.08 MM INF");
 	struct gsm48_hdr *gh;
-	struct gsm_network *net = conn->network;
 	uint8_t *ptr8;
 	int name_len, name_pad;
 
@@ -617,8 +616,18 @@ int gsm48_tx_mm_info(struct ran_conn *conn)
 		ptr8[2] = dst;
 	}
 
-	LOG_RAN_CONN(conn, LOGL_DEBUG, "Tx MM INFO\n");
+	return msg;
+}
 
+/* Section 9.2.15a */
+int gsm48_tx_mm_info(struct ran_conn *conn)
+{
+	struct gsm_network *net = conn->network;
+	struct msgb *msg;
+
+        msg = gsm48_create_mm_info(net);
+
+	LOG_RAN_CONN(conn, LOGL_DEBUG, "Tx MM INFO\n");
 	return gsm48_conn_sendmsg(msg, conn, NULL);
 }
 
diff --git a/src/libmsc/gsm_04_08_cc.c b/src/libmsc/gsm_04_08_cc.c
index 0119e7b0c..93e136c16 100644
--- a/src/libmsc/gsm_04_08_cc.c
+++ b/src/libmsc/gsm_04_08_cc.c
@@ -1969,7 +1969,8 @@ int mncc_tx_to_cc(struct gsm_network *net, int msg_type, void *arg)
 							vsub,
 							setup_trig_pag_evt,
 							trans,
-							"MNCC: establish call");
+							"MNCC: establish call",
+							SGSAP_SERV_IND_CS_CALL);
 			if (!trans->paging_request) {
 				LOGP(DCC, LOGL_ERROR, "Failed to allocate paging token.\n");
 				vlr_subscr_put(vsub);
diff --git a/src/libmsc/gsm_04_11.c b/src/libmsc/gsm_04_11.c
index 1edf2d415..e63d1b6ea 100644
--- a/src/libmsc/gsm_04_11.c
+++ b/src/libmsc/gsm_04_11.c
@@ -193,7 +193,9 @@ static int gsm411_mmsms_est_req(struct gsm_trans *trans)
 	LOGP(DLSMS, LOGL_DEBUG, "Initiating Paging procedure "
 		"for %s due to MMSMS_EST_REQ\n", vlr_subscr_name(trans->vsub));
 	trans->paging_request = subscr_request_conn(trans->vsub,
-		paging_cb_mmsms_est_req, trans, "MT SMS");
+						    paging_cb_mmsms_est_req,
+						    trans, "MT SMS",
+						    SGSAP_SERV_IND_SMS);
 	if (!trans->paging_request) {
 		LOGP(DLSMS, LOGL_ERROR, "Failed to initiate Paging "
 			"procedure for %s\n", vlr_subscr_name(trans->vsub));
diff --git a/src/libmsc/gsm_09_11.c b/src/libmsc/gsm_09_11.c
index 608d4ff99..dca315d7f 100644
--- a/src/libmsc/gsm_09_11.c
+++ b/src/libmsc/gsm_09_11.c
@@ -343,7 +343,8 @@ static struct gsm_trans *establish_nc_ss_trans(struct gsm_network *net,
 
 	/* Trigger Paging Request */
 	trans->paging_request = subscr_request_conn(vsub,
-		&handle_paging_event, trans, "GSM 09.11 SS/USSD");
+		&handle_paging_event, trans, "GSM 09.11 SS/USSD",
+	        SGSAP_SERV_IND_CS_CALL);
 	if (!trans->paging_request) {
 		LOGP(DMM, LOGL_ERROR, "Failed to allocate paging token\n");
 		trans_free(trans);
diff --git a/src/libmsc/gsm_subscriber.c b/src/libmsc/gsm_subscriber.c
index 9ca5e2bef..e60344fec 100644
--- a/src/libmsc/gsm_subscriber.c
+++ b/src/libmsc/gsm_subscriber.c
@@ -48,6 +48,7 @@
 #include <osmocom/msc/vlr.h>
 #include <osmocom/msc/msc_ifaces.h>
 #include <osmocom/msc/a_iface.h>
+#include <osmocom/msc/sgs_iface.h>
 
 void subscr_paging_cancel(struct vlr_subscr *vsub, enum gsm_paging_event event)
 {
@@ -109,7 +110,9 @@ int subscr_paging_dispatch(unsigned int hooknum, unsigned int event,
 	return 0;
 }
 
-static int msc_paging_request(struct vlr_subscr *vsub)
+/* Execute a paging on the currently active RAN. Returns the number of
+ * delivered paging requests or -EINVAL in case of failure. */
+static int msc_paging_request(struct vlr_subscr *vsub, enum sgsap_service_ind serv_ind)
 {
 	/* The subscriber was last seen in subscr->lac. Find out which
 	 * BSCs/RNCs are responsible and send them a paging request via open
@@ -122,6 +125,8 @@ static int msc_paging_request(struct vlr_subscr *vsub)
 					vsub->tmsi == GSM_RESERVED_TMSI?
 					NULL : &vsub->tmsi,
 					vsub->cgi.lai.lac);
+	case OSMO_RAT_EUTRAN_SGS:
+		return sgs_iface_tx_paging(vsub, serv_ind);
 	default:
 		break;
 	}
@@ -142,10 +147,11 @@ static void paging_response_timer_cb(void *data)
  * \param cbfn  function to call when the conn is established.
  * \param param  caller defined param to pass to cbfn().
  * \param label  human readable label of the request kind used for logging.
+ * \param serv_ind  sgsap service indicator (in case SGs interface is used to page).
  */
 struct subscr_request *subscr_request_conn(struct vlr_subscr *vsub,
 					   gsm_cbfn *cbfn, void *param,
-					   const char *label)
+					   const char *label, enum sgsap_service_ind serv_ind)
 {
 	int rc;
 	struct subscr_request *request;
@@ -155,7 +161,7 @@ struct subscr_request *subscr_request_conn(struct vlr_subscr *vsub,
 	if (!vsub->cs.is_paging) {
 		LOGP(DMM, LOGL_DEBUG, "Subscriber %s not paged yet, start paging.\n",
 		     vlr_subscr_name(vsub));
-		rc = msc_paging_request(vsub);
+		rc = msc_paging_request(vsub, serv_ind);
 		if (rc <= 0) {
 			LOGP(DMM, LOGL_ERROR, "Subscriber %s paging failed: %d\n",
 			     vlr_subscr_name(vsub), rc);
diff --git a/src/libmsc/msc_ifaces.c b/src/libmsc/msc_ifaces.c
index 3074d07a6..e2c52dfda 100644
--- a/src/libmsc/msc_ifaces.c
+++ b/src/libmsc/msc_ifaces.c
@@ -28,6 +28,7 @@
 #include <osmocom/mgcp_client/mgcp_client.h>
 #include <osmocom/msc/vlr.h>
 #include <osmocom/msc/a_iface.h>
+#include <osmocom/msc/sgs_iface.h>
 #include <osmocom/msc/gsm_04_08.h>
 #include <osmocom/msc/msc_mgcp.h>
 
@@ -60,6 +61,10 @@ static int msc_tx(struct ran_conn *conn, struct msgb *msg)
 		msg->dst = conn->iu.ue_ctx;
 		return ranap_iu_tx(msg, 0);
 
+	case OSMO_RAT_EUTRAN_SGS:
+		msg->dst = conn;
+		return sgs_iface_tx_dtap_ud(msg);
+
 	default:
 		LOGP(DMSC, LOGL_ERROR,
 		     "msc_tx(): conn->via_ran invalid (%d)\n",
diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c
index 93d093f5b..e1019a287 100644
--- a/src/libmsc/msc_vty.c
+++ b/src/libmsc/msc_vty.c
@@ -56,6 +56,8 @@
 #include <osmocom/msc/signal.h>
 #include <osmocom/msc/mncc_int.h>
 #include <osmocom/msc/rrlp.h>
+#include <osmocom/msc/vlr_sgs.h>
+#include <osmocom/msc/sgs_vty.h>
 
 static struct gsm_network *gsmnet = NULL;
 
@@ -565,7 +567,7 @@ static void vty_dump_one_conn(struct vty *vty, const struct ran_conn *conn)
 {
 	vty_out(vty, "%08x %3s %5u %3u %08x %c /%1u %27s %22s%s",
 		conn->a.conn_id,
-		conn->via_ran == OSMO_RAT_UTRAN_IU ? "Iu" : "A",
+		osmo_rat_type_name(conn->via_ran),
 		conn->lac,
 		conn->use_count,
 		conn->use_tokens,
@@ -729,6 +731,15 @@ static void subscr_dump_full_vty(struct vty *vty, struct vlr_subscr *vsub)
 		reqs += 1;
 	vty_out(vty, "    Paging: %s paging for %d requests%s",
 		vsub->cs.is_paging ? "is" : "not", reqs, VTY_NEWLINE);
+
+	/* SGs related */
+	vty_out(vty, "    SGs-state: %s%s",
+		osmo_fsm_inst_state_name(vsub->sgs_fsm), VTY_NEWLINE);
+	if (vsub->sgs.mme_name && strlen(vsub->sgs.mme_name))
+		vty_out(vty, "    SGs-MME: %s%s", vsub->sgs.mme_name, VTY_NEWLINE);
+	else
+		vty_out(vty, "    SGs-MME: (none)%s", VTY_NEWLINE);
+
 	vty_out(vty, "    Use count: %u%s", vsub->use_count, VTY_NEWLINE);
 
 	/* Connection */
@@ -1159,7 +1170,7 @@ DEFUN(subscriber_paging,
 		return CMD_WARNING;
 	}
 
-	req = subscr_request_conn(vsub, NULL, NULL, "manual Paging from VTY");
+	req = subscr_request_conn(vsub, NULL, NULL, "manual Paging from VTY", SGSAP_SERV_IND_CS_CALL);
 	if (req)
 		vty_out(vty, "%% paging subscriber%s", VTY_NEWLINE);
 	else
@@ -1590,6 +1601,7 @@ void msc_vty_init(struct gsm_network *msc_network)
 #ifdef BUILD_IU
 	ranap_iu_vty_init(MSC_NODE, &msc_network->iu.rab_assign_addr_enc);
 #endif
+	sgs_vty_init();
 	osmo_fsm_vty_add_cmds();
 
 	osmo_signal_register_handler(SS_SCALL, scall_cbfn, NULL);
diff --git a/src/libmsc/ran_conn.c b/src/libmsc/ran_conn.c
index 4eefa6df2..6629bf6d1 100644
--- a/src/libmsc/ran_conn.c
+++ b/src/libmsc/ran_conn.c
@@ -31,6 +31,7 @@
 #include <osmocom/msc/transaction.h>
 #include <osmocom/msc/signal.h>
 #include <osmocom/msc/a_iface.h>
+#include <osmocom/msc/sgs_iface.h>
 #include <osmocom/msc/iucs.h>
 
 #include "../../bscconfig.h"
@@ -338,6 +339,13 @@ static void ran_conn_fsm_releasing_onenter(struct osmo_fsm_inst *fi, uint32_t pr
 {
 	struct ran_conn *conn = fi->priv;
 
+	/* The SGs interface needs to access vsub struct members to send the
+	 * release message, however the following release procedures will
+	 * remove conn->vsub, so we need to send the release right now. */
+	if (conn->via_ran == OSMO_RAT_EUTRAN_SGS) {
+		sgs_iface_tx_release(conn);
+	}
+
 	/* Use count for either conn->a.waiting_for_clear_complete or
 	 * conn->iu.waiting_for_release_complete. 'get' it early, so we don't deallocate after tearing
 	 * down active transactions. Safeguard against double-get (though it shouldn't happen). */
@@ -381,6 +389,12 @@ static void ran_conn_fsm_releasing_onenter(struct osmo_fsm_inst *fi, uint32_t pr
 		}
 		conn->iu.waiting_for_release_complete = true;
 		break;
+	case OSMO_RAT_EUTRAN_SGS:
+		/* Release message is already sent at the beginning of this
+		 * functions (see above), but we still need to notify the
+		 * conn that a release has been sent / is in progress. */
+		ran_conn_sgs_release_sent(conn);
+		break;
 	default:
 		LOGP(DMM, LOGL_ERROR, "%s: Unknown RAN type, cannot tx release/clear\n",
 		     vlr_subscr_name(conn->vsub));
@@ -667,6 +681,8 @@ struct ran_conn *ran_conn_alloc(struct gsm_network *network,
 	case OSMO_RAT_UTRAN_IU:
 		conn->log_subsys = DRANAP;
 		break;
+	case OSMO_RAT_EUTRAN_SGS:
+		conn->log_subsys = DSGS;
 	default:
 		conn->log_subsys = DMSC;
 		break;
@@ -772,3 +788,11 @@ void ran_conn_rx_iu_release_complete(struct ran_conn *conn)
 {
 	rx_close_complete(conn, "Iu Release Complete", &conn->iu.waiting_for_release_complete);
 }
+
+void ran_conn_sgs_release_sent(struct ran_conn *conn)
+{
+	bool dummy_waiting_for_release_complete = true;
+
+	/* Note: In SGsAP there is no confirmation of a release. */
+	rx_close_complete(conn, "SGs Release Complete", &dummy_waiting_for_release_complete);
+}
diff --git a/src/libmsc/sgs_iface.c b/src/libmsc/sgs_iface.c
new file mode 100644
index 000000000..1c2146a7e
--- /dev/null
+++ b/src/libmsc/sgs_iface.c
@@ -0,0 +1,1265 @@
+/* SGs Interface according to 3GPP TS 23.272 + TS 29.118 */
+
+/* (C) 2018-2019 by sysmocom s.f.m.c. GmbH
+ * All Rights Reserved
+ *
+ * Author: Harald Welte, Philipp Maier
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <osmocom/core/utils.h>
+#include <osmocom/core/msgb.h>
+#include <osmocom/core/fsm.h>
+#include <osmocom/core/socket.h>
+#include <osmocom/core/select.h>
+
+#include <osmocom/gsm/tlv.h>
+#include <osmocom/gsm/gsm48.h>
+#include <osmocom/gsm/gsm23003.h>
+#include <osmocom/gsm/gsm29118.h>
+
+#include <osmocom/netif/stream.h>
+
+#include <osmocom/msc/vlr.h>
+#include <osmocom/msc/vlr_sgs.h>
+#include <osmocom/msc/gsm_data.h>
+#include <osmocom/msc/a_iface.h>
+#include <osmocom/msc/gsm_04_08.h>
+
+#include <osmocom/msc/debug.h>
+#include <osmocom/msc/sgs_iface.h>
+#include <osmocom/msc/sgs_server.h>
+#include <osmocom/msc/msc_ifaces.h>
+#include <osmocom/gsm/protocol/gsm_29_118.h>
+
+#include <osmocom/gsm/apn.h>
+
+#define S(x) (1 << (x))
+
+/* A pointer to the GSM network we work with. By the current paradigm,
+ * there can only be one gsm_network per MSC. The pointer is set once
+ * when calling a_init() */
+static struct gsm_network *gsm_network = NULL;
+
+static struct osmo_fsm sgs_vlr_reset_fsm;
+static void sgs_tx(struct sgs_connection *sgc, struct msgb *msg);
+
+struct sgs_state *g_sgs;
+
+/***********************************************************************
+ * SGs state per MME connection
+ ***********************************************************************/
+
+#define LOGSGC(sgc, lvl, fmt, args...)				\
+	LOGP(DSGS, lvl, "%s: " fmt, sgc->sockname, ## args)
+
+#define LOGSGC_VSUB(sgc, sub_info, lvl, fmt, args...)			\
+	LOGP(DSGS, lvl, "(sub %s) %s: " fmt, sub_info, sgc->sockname, ## args)
+
+#define LOGMME(mme, lvl, fmt, args...)					\
+	LOGP(DSGS, lvl, "%s: " fmt, mme->fqdn ? mme->fqdn : mme->conn->sockname, ## args)
+
+enum sgs_vlr_reset_fsm_state {
+	SGS_VLRR_ST_NULL,
+	SGS_VLRR_ST_WAIT_ACK,
+	SGS_VLRR_ST_COMPLETE,
+};
+
+enum sgs_vlr_reset_fsm_event {
+	SGS_VLRR_E_START_RESET,
+	SGS_VLRR_E_RX_RESET_ACK,
+};
+
+/***********************************************************************
+ * SGs utility functions
+ ***********************************************************************/
+
+/* Allocate a new subscriber connection */
+static struct ran_conn *subscr_conn_allocate_sgs(struct sgs_connection *sgc, struct vlr_subscr *vsub, bool mt)
+{
+	struct ran_conn *conn;
+
+	conn = ran_conn_alloc(gsm_network, OSMO_RAT_EUTRAN_SGS, vsub->sgs.lai.lac);
+	if (!conn) {
+		LOGSGC_VSUB(sgc, vlr_subscr_name(vsub), LOGL_ERROR, "Connection allocation failed\n");
+		return NULL;
+	}
+
+	conn->vsub = vsub;
+	conn->vsub->cs.attached_via_ran = conn->via_ran;
+
+	/* Accept the connection immediately, since the UE is already
+	 * authenticated by the MME no authentication is required. */
+	conn->complete_layer3_type = mt ? COMPLETE_LAYER3_PAGING_RESP : COMPLETE_LAYER3_CM_SERVICE_REQ;
+	ran_conn_update_id(conn);
+	osmo_fsm_inst_dispatch(conn->fi, RAN_CONN_E_COMPLETE_LAYER_3, NULL);
+	osmo_fsm_inst_dispatch(conn->fi, RAN_CONN_E_ACCEPTED, NULL);
+
+	LOG_RAN_CONN(conn, LOGL_DEBUG, "RAN connection successfully allocated!\n");
+	return conn;
+}
+
+/* Check if there are connections associated with a given subscriber. If yes,
+ * make sure that those connections are tossed. */
+static void subscr_conn_toss(struct vlr_subscr *vsub)
+{
+	struct ran_conn *conn;
+
+	conn = connection_for_subscr(vsub);
+	if (!conn)
+		return;
+
+	LOG_RAN_CONN(conn, LOGL_DEBUG, "RAN connection tossed because of unexpected RAN change!\n");
+
+	ran_conn_mo_close(conn, GSM48_REJECT_CONGESTION);
+}
+
+struct sgs_mme_ctx *sgs_mme_by_fqdn(struct sgs_state *sgs, const char *mme_fqdn)
+{
+	struct sgs_mme_ctx *mme;
+
+	llist_for_each_entry(mme, &sgs->mme_list, entry) {
+		if (!strcasecmp(mme_fqdn, mme->fqdn))
+			return mme;
+	}
+	return NULL;
+}
+
+static struct sgs_mme_ctx *sgs_mme_alloc(struct sgs_state *sgs, const char *mme_fqdn, const struct osmo_gummei *gummei)
+{
+	struct sgs_mme_ctx *mme;
+
+	OSMO_ASSERT(sgs_mme_by_fqdn(sgs, mme_fqdn) == NULL);
+
+	mme = talloc_zero(sgs, struct sgs_mme_ctx);
+	if (!mme)
+		return NULL;
+	mme->sgs = sgs;
+	OSMO_STRLCPY_ARRAY(mme->fqdn, mme_fqdn);
+	mme->fi = osmo_fsm_inst_alloc(&sgs_vlr_reset_fsm, mme, mme, LOGL_INFO, osmo_gummei_name(gummei));
+	if (!mme->fi) {
+		talloc_free(mme);
+		return NULL;
+	}
+	llist_add_tail(&mme->entry, &sgs->mme_list);
+	return mme;
+}
+
+/* Decode and verify MME name */
+static int decode_mme_name(char *mme_name, const struct tlv_parsed *tp)
+{
+	const uint8_t *mme_name_enc = TLVP_VAL_MINLEN(tp, SGSAP_IE_MME_NAME, SGS_MME_NAME_LEN);
+	struct osmo_gummei gummei;
+
+	if (!mme_name_enc)
+		return -EINVAL;
+
+	/* decode the MME name from DNS labels to string */
+	osmo_apn_to_str(mme_name, TLVP_VAL(tp, SGSAP_IE_MME_NAME), TLVP_LEN(tp, SGSAP_IE_MME_NAME));
+
+	/* try to parse the MME name into a GUMMEI as a test for the format */
+	if (osmo_parse_mme_domain(&gummei, mme_name) < 0)
+		return -EINVAL;
+
+	return 0;
+}
+
+/* A MME FQDN was received (e.g. RESET-IND/RESET-ACK/LU-REQ) */
+static int sgs_mme_fqdn_received(struct sgs_connection *sgc, const char *mme_fqdn)
+{
+	struct sgs_mme_ctx *mme;
+	struct osmo_gummei gummei;
+
+	/* caller must pass in a valid FQDN string syntax */
+	OSMO_ASSERT(osmo_parse_mme_domain(&gummei, mme_fqdn) == 0);
+
+	if (!sgc->mme) {
+		/* attempt to find MME with given name */
+		mme = sgs_mme_by_fqdn(sgc->sgs, mme_fqdn);
+		if (!mme)
+			mme = sgs_mme_alloc(sgc->sgs, mme_fqdn, &gummei);
+		OSMO_ASSERT(mme);
+
+		if (mme->conn) {
+			/* The MME context has another connection !?! */
+			LOGSGC(sgc, LOGL_ERROR, "Rx MME name %s, but that MME already has other "
+			       "SCTP connection?!?\n", mme_fqdn);
+			return -1;
+		} else {
+			/* associate the two */
+			mme->conn = sgc;
+			sgc->mme = mme;
+		}
+	} else {
+		mme = sgc->mme;
+		if (strcasecmp(mme->fqdn, mme_fqdn) != 0) {
+			LOGMME(mme, LOGL_ERROR, "Rx MME name \"%s\" in packet from MME \"%s\" ?!?\n", mme_fqdn,
+			       mme->fqdn);
+			return -2;
+		}
+	}
+	return 0;
+}
+
+/* Safely get the mme-name for an sgs-connection */
+static char *sgs_mme_fqdn_get(struct sgs_connection *sgc)
+{
+	if (!sgc)
+		return NULL;
+	if (!sgc->mme)
+		return NULL;
+	if (sgc->mme->fqdn[0] == '\0')
+		return NULL;
+	return sgc->mme->fqdn;
+}
+
+/* Find an sgs_mme_ctx for a given vlr subscriber, also check result */
+struct sgs_mme_ctx *sgs_mme_ctx_by_vsub(struct vlr_subscr *vsub, uint8_t msg_type)
+{
+	struct sgs_mme_ctx *mme;
+
+	/* Find SGS connection by MME name */
+	mme = sgs_mme_by_fqdn(g_sgs, vsub->sgs.mme_name);
+	if (!mme) {
+		LOGP(DSGS, LOGL_ERROR, "(sub %s) Tx %s cannot find suitable MME!\n",
+		     vlr_subscr_name(vsub), sgsap_msg_type_name(msg_type));
+		return NULL;
+	}
+	if (!mme->conn) {
+		LOGP(DSGS, LOGL_ERROR,
+		     "(sub %s) Tx %s suitable MME found, but no SGS connection present!\n",
+		     vlr_subscr_name(vsub), sgsap_msg_type_name(msg_type));
+		return NULL;
+	}
+	if (!mme->sgs) {
+		LOGP(DSGS, LOGL_ERROR,
+		     "(sub %s) Tx %s suitable MME found, but no SGS state present!\n",
+		     vlr_subscr_name(vsub), sgsap_msg_type_name(msg_type));
+		return NULL;
+	}
+
+	return mme;
+}
+
+/* Make sure that the subscriber is known and that the subscriber is in the
+ * SGs associated state. In case of failure the function returns false and
+ * automatically sends a release message to the MME */
+static bool check_sgs_association(struct sgs_connection *sgc, struct msgb *msg, char *imsi)
+{
+	struct vlr_subscr *vsub;
+	struct msgb *resp;
+	uint8_t msg_type = msg->data[0];
+
+	/* Subscriber must be known by the VLR */
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	if (!vsub) {
+		LOGSGC(sgc, LOGL_NOTICE, "SGsAP Message %s with unknown IMSI (%s), releasing\n",
+		       sgsap_msg_type_name(msg_type), imsi);
+		resp = gsm29118_create_release_req(imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN);
+		sgs_tx(sgc, resp);
+		return false;
+	}
+
+	/* The SGs FSM must also be in SGs associated state */
+	if (vsub->sgs_fsm->state != SGS_UE_ST_ASSOCIATED) {
+		LOGSGC(sgc, LOGL_NOTICE, "(sub %s) SGsAP Message %s subscriber not SGs-associated, releasing\n",
+		       vlr_subscr_name(vsub), sgsap_msg_type_name(msg_type));
+		resp = gsm29118_create_release_req(vsub->imsi, SGSAP_SGS_CAUSE_IMSI_DET_EPS_NONEPS);
+		sgs_tx(sgc, resp);
+		vlr_subscr_put(vsub);
+		return false;
+	}
+
+	vlr_subscr_put(vsub);
+	return true;
+}
+
+/***********************************************************************
+ * SGsAP transmit functions
+ ***********************************************************************/
+
+/* Send message out to remote end (final step) */
+static void sgs_tx(struct sgs_connection *sgc, struct msgb *msg)
+{
+	if (!msg) {
+		LOGSGC(sgc, LOGL_NOTICE, "Null message, cannot transmit!\n");
+		return;
+	}
+
+	msgb_sctp_ppid(msg) = 0;
+	if (!sgc) {
+		LOGSGC(sgc, LOGL_NOTICE, "Cannot transmit %s: connection dead. Discarding\n",
+		       sgsap_msg_type_name(msg->data[0]));
+		msgb_free(msg);
+		return;
+	}
+	osmo_stream_srv_send(sgc->srv, msg);
+}
+
+/* Get some subscriber info from ISMI (for the log text) */
+const char *subscr_info(const char *imsi)
+{
+	const char *subscr_string = "<unknown>";
+	struct vlr_subscr *vsub;
+
+	if (imsi) {
+		vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+		if (!vsub)
+			subscr_string = imsi;
+		else {
+			subscr_string = vlr_subscr_name(vsub);
+			vlr_subscr_put(vsub);
+		}
+	}
+
+	return subscr_string;
+}
+
+/* Comfortable status message generator that also generates some basic
+ * context-dependent dependand log output */
+static int sgs_tx_status(struct sgs_connection *sgc, const char *imsi, enum sgsap_sgs_cause cause, struct msgb *msg,
+			 int sgsap_iei)
+{
+	struct msgb *resp;
+
+	if (sgsap_iei < 0) {
+		LOGSGC_VSUB(sgc, subscr_info(imsi), LOGL_ERROR, "Rx %s failed with cause %s!\n",
+			    sgsap_msg_type_name(msg->data[0]), sgsap_sgs_cause_name(cause));
+	} else if (cause == SGSAP_SGS_CAUSE_MISSING_MAND_IE) {
+		LOGSGC_VSUB(sgc, subscr_info(imsi), LOGL_ERROR, "Rx %s with missing mandatory %s IEI!\n",
+			    sgsap_msg_type_name(msg->data[0]), sgsap_iei_name(sgsap_iei));
+	} else if (cause == SGSAP_SGS_CAUSE_INVALID_MAND_IE) {
+		LOGSGC_VSUB(sgc, subscr_info(imsi), LOGL_ERROR, "Rx %s with invalid mandatory %s IEI!\n",
+			    sgsap_msg_type_name(msg->data[0]), sgsap_iei_name(sgsap_iei));
+	} else if (cause == SGSAP_SGS_CAUSE_COND_IE_ERROR) {
+		LOGSGC_VSUB(sgc, subscr_info(imsi), LOGL_ERROR, "Rx %s with errornous conditional %s IEI!\n",
+			    sgsap_msg_type_name(msg->data[0]), sgsap_iei_name(sgsap_iei));
+	} else {
+		LOGSGC_VSUB(sgc, subscr_info(imsi), LOGL_ERROR, "Rx %s failed with cause %s at %s IEI!\n",
+			    sgsap_msg_type_name(msg->data[0]), sgsap_sgs_cause_name(cause), sgsap_iei_name(sgsap_iei));
+	}
+
+	resp = gsm29118_create_status(imsi, cause, msg);
+	sgs_tx(sgc, resp);
+	return 0;
+}
+
+/* Called by VLR via callback, transmits the the location update response or
+ * reject, depending on the outcome of the location update. */
+static void sgs_tx_loc_upd_resp_cb(struct sgs_lu_response *response)
+{
+	struct msgb *resp;
+	struct vlr_subscr *vsub = response->vsub;
+	struct sgs_mme_ctx *mme;
+	uint8_t new_id[2 + GSM48_TMSI_LEN];
+	uint8_t *new_id_ptr = new_id;
+	unsigned int new_id_len = 0;
+	uint8_t resp_msg_type;
+
+	if (response->accepted)
+		resp_msg_type = SGSAP_MSGT_LOC_UPD_ACK;
+	else
+		resp_msg_type = SGSAP_MSGT_LOC_UPD_REJ;
+
+	mme = sgs_mme_ctx_by_vsub(vsub, resp_msg_type);
+	if (!mme)
+		return;
+
+	if (response->accepted) {
+		if (vsub->tmsi_new != GSM_RESERVED_TMSI) {
+			new_id_len = gsm48_generate_mid_from_tmsi(new_id, vsub->tmsi_new);
+			new_id_ptr = new_id + 2;
+			new_id_len -= 2;
+		}
+		resp = gsm29118_create_lu_ack(vsub->imsi, &vsub->sgs.lai, new_id_ptr, new_id_len);
+		sgs_tx(mme->conn, resp);
+		vlr_sgs_loc_update_acc_sent(vsub);
+	} else {
+		resp = gsm29118_create_lu_rej(vsub->imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN, &vsub->sgs.lai);
+		sgs_tx(mme->conn, resp);
+		vlr_sgs_loc_update_rej_sent(vsub);
+	}
+}
+
+/* Called by VLR via callback, transmits MM information to the UE */
+static void sgs_tx_mm_info_cb(struct vlr_subscr *vsub)
+{
+	struct msgb *msg;
+	struct msgb *msg_mm_info;
+	struct sgs_mme_ctx *mme;
+
+	/* The sending of MM information requests is an optional feature and
+	 * depends on the network configuration (VTY) */
+	if (!gsm_network->send_mm_info)
+		return;
+
+	mme = sgs_mme_ctx_by_vsub(vsub, SGSAP_MSGT_MM_INFO_REQ);
+	if (!mme)
+		return;
+
+	/* Create and send MM information request message, see also:
+	 * 3GPP TS 29.118, chapter 8.12 SGsAP-MM-INFORMATION-REQUEST and
+	 * 3GPP TS 29.018, chapter 18.4.16 MM information. */
+	msg_mm_info = gsm48_create_mm_info(gsm_network);
+	msg = gsm29118_create_mm_info_req(vsub->imsi, msg_mm_info->data + 2, msg_mm_info->len - 2);
+	sgs_tx(mme->conn, msg);
+	msgb_free(msg_mm_info);
+}
+
+/*! Page UE through SGs interface
+ *  \param[in] vsub subscriber context
+ *  \param[in] serv_ind service indicator (sms or voide)
+ *  \returns 0 in case of success, -EINVAL in case of error. */
+int sgs_iface_tx_paging(struct vlr_subscr *vsub, enum sgsap_service_ind serv_ind)
+{
+	struct msgb *resp;
+	struct gsm29118_paging_req paging_params;
+	struct sgs_mme_ctx *mme;
+
+	/* See also: 3GPP TS 29.118, chapter 5.1.2.2 Paging Initiation */
+	if (vsub->sgs_fsm->state == SGS_UE_ST_NULL && vsub->conf_by_radio_contact_ind == true)
+		return -EINVAL;
+
+	mme = sgs_mme_ctx_by_vsub(vsub, SGSAP_MSGT_PAGING_REQ);
+	if (!mme)
+		return -EINVAL;
+
+	/* Check if there is still a paging in progress for this subscriber,
+	 * if yes, don't initiate another paging request. */
+	if (vlr_sgs_pag_pend(vsub))
+		return 0;
+
+	memset(&paging_params, 0, sizeof(paging_params));
+	osmo_strlcpy(paging_params.imsi, vsub->imsi, sizeof(paging_params.imsi));
+	osmo_strlcpy(paging_params.vlr_name, mme->sgs->cfg.vlr_name, sizeof(paging_params.vlr_name));
+	paging_params.serv_ind = serv_ind;
+	if (vsub->conf_by_radio_contact_ind == true) {
+		memcpy(&paging_params.lai, &vsub->sgs.lai, sizeof(paging_params.lai));
+		paging_params.lai_present = true;
+	}
+	resp = gsm29118_create_paging_req(&paging_params);
+	sgs_tx(mme->conn, resp);
+
+	/* FIXME: If we are in SGS_UE_ST_NULL while sub->conf_by_radio_contact_ind == false,
+	 * we are supposed to start a search procedure as defined in 3GPP TS 23.018 */
+
+	/* Inform the VLR that a paging via SGs is in progress */
+	vlr_sgs_pag(vsub, serv_ind);
+
+	/* Return a page count of 1 (success) */
+	return 1;
+}
+
+/***********************************************************************
+ * SGs incoming messages from the MME
+ ***********************************************************************/
+
+/* Safely read out the SGs cause code from a given message/tlv set, send status
+ * message in case the cause code is invalid or missing. */
+static int sgs_cause_from_msg(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp,
+			      const char *imsi)
+{
+	enum sgsap_sgs_cause cause;
+	const uint8_t *cause_ptr;
+	cause_ptr = TLVP_VAL_MINLEN(tp, SGSAP_IE_SGS_CAUSE, 1);
+	if (!cause_ptr) {
+		sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_SGS_CAUSE);
+		return -1;
+	} else
+		cause = *cause_ptr;
+	return cause;
+}
+
+/* SGsAP-STATUS 3GPP TS 29.118, chapter 8.18 */
+static int sgs_rx_status(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, const char *imsi)
+{
+	int cause;
+	const uint8_t *err_msg;
+	const char *imsi_ptr;
+	char *err_msg_hex = "(none)";
+
+	cause = sgs_cause_from_msg(sgc, msg, tp, NULL);
+	if (cause < 0)
+		return 0;
+
+	if (imsi[0] != '\0')
+		imsi_ptr = imsi;
+	else
+		imsi_ptr = "<none>";
+
+	if (TLVP_PRESENT(tp, SGSAP_IE_ERR_MSG))
+		err_msg = TLVP_VAL(tp, SGSAP_IE_ERR_MSG);
+	else
+		err_msg = NULL;
+
+	if (err_msg)
+		err_msg_hex = osmo_hexdump(err_msg, TLVP_LEN(tp, SGSAP_IE_ERR_MSG));
+
+	LOGSGC(sgc, LOGL_NOTICE, "Rx STATUS cause=%s, IMSI=%s, err_msg=%s\n",
+	       sgsap_sgs_cause_name(cause), imsi_ptr, err_msg_hex);
+
+	return 0;
+}
+
+/* SGsAP-RESET-INDICATION 3GPP TS 29.118, chapter 8.16 */
+static int sgs_rx_reset_ind(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp)
+{
+	struct gsm29118_reset_msg reset_params;
+	struct msgb *resp;
+
+	memset(&reset_params, 0, sizeof(reset_params));
+	osmo_strlcpy(reset_params.vlr_name, sgc->sgs->cfg.vlr_name, sizeof(reset_params.vlr_name));
+	reset_params.vlr_name_present = true;
+
+	resp = gsm29118_create_reset_ack(&reset_params);
+
+	/* Perform a reset of the SGS FSM of all subscribers that are present in the VLR */
+	vlr_sgs_reset(gsm_network->vlr);
+
+	sgs_tx(sgc, resp);
+	return 0;
+}
+
+/* SGsAP-RESET-ACK 3GPP TS 29.118, chapter 8.15 */
+static int sgs_rx_reset_ack(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp)
+{
+	/* dispatch event to VLR reset FSM for this MME */
+	if (sgc->mme && sgc->mme->fi)
+		osmo_fsm_inst_dispatch(sgc->mme->fi, SGS_VLRR_E_RX_RESET_ACK, msg);
+	return 0;
+}
+
+/* SGsAP-LOCATION-UPDATE-REQUEST 3GPP TS 29.118, chapter 8.11 */
+static int sgs_rx_loc_upd_req(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	struct msgb *resp;
+	const uint8_t *lu_type_ie;
+	enum vlr_lu_type type;
+	struct osmo_location_area_id new_lai;
+	const struct gsm48_loc_area_id *gsm48_lai;
+	int rc;
+	char *mme_name;
+	struct vlr_sgs_cfg vlr_sgs_cfg;
+	struct vlr_subscr *vsub;
+
+	/* Check for lingering connections */
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	if (vsub) {
+		subscr_conn_toss(vsub);
+		vlr_subscr_put(vsub);
+	}
+
+	/* Determine MME-Name */
+	mme_name = sgs_mme_fqdn_get(sgc);
+	if (!mme_name) {
+		resp = gsm29118_create_lu_rej(imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN, NULL);
+		sgs_tx(sgc, resp);
+		return 0;
+	}
+
+	/* Parse LU-Type */
+	lu_type_ie = TLVP_VAL_MINLEN(tp, SGSAP_IE_EPS_LU_TYPE, 1);
+	if (!lu_type_ie)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_EPS_LU_TYPE);
+	if (lu_type_ie[0] == 0x01)
+		type = VLR_LU_TYPE_IMSI_ATTACH;
+	else
+		type = VLR_LU_TYPE_REGULAR;
+
+	/* Parse LAI of the new location */
+	gsm48_lai = (struct gsm48_loc_area_id *)TLVP_VAL_MINLEN(tp, SGSAP_IE_LAI, 5);
+	if (!gsm48_lai)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_LAI);
+	gsm48_decode_lai2(gsm48_lai, &new_lai);
+
+	/* Perform actual location update */
+	memcpy(vlr_sgs_cfg.timer, sgc->sgs->cfg.timer, sizeof(vlr_sgs_cfg.timer));
+	memcpy(vlr_sgs_cfg.counter, sgc->sgs->cfg.counter, sizeof(vlr_sgs_cfg.counter));
+	rc = vlr_sgs_loc_update(gsm_network->vlr, &vlr_sgs_cfg, sgs_tx_loc_upd_resp_cb, sgs_iface_tx_paging,
+				sgs_tx_mm_info_cb, mme_name, type, imsi, &new_lai);
+	if (rc != 0) {
+		resp = gsm29118_create_lu_rej(imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN, NULL);
+		sgs_tx(sgc, resp);
+	}
+
+	return 0;
+}
+
+/* SGsAP-IMSI-DETACH-INDICATION 3GPP TS 29.118, chapter 8.8 */
+static int sgs_rx_imsi_det_ind(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	struct msgb *resp;
+	enum sgsap_imsi_det_noneps_type type;
+	const uint8_t *type_ie;
+
+	type_ie = TLVP_VAL_MINLEN(tp, SGSAP_IE_IMSI_DET_NONEPS_TYPE, 1);
+	if (!type_ie)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_IMSI_DET_NONEPS_TYPE);
+
+	switch (type_ie[0]) {
+	case SGSAP_ID_NONEPS_T_EXPLICIT_UE_NONEPS:
+		type = SGSAP_ID_NONEPS_T_EXPLICIT_UE_NONEPS;
+		break;
+	case SGSAP_ID_NONEPS_T_COMBINED_UE_EPS_NONEPS:
+		type = SGSAP_ID_NONEPS_T_COMBINED_UE_EPS_NONEPS;
+		break;
+	case SGSAP_ID_NONEPS_T_IMPLICIT_UE_EPS_NONEPS:
+		type = SGSAP_ID_NONEPS_T_IMPLICIT_UE_EPS_NONEPS;
+		break;
+	default:
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_INVALID_MAND_IE, msg, SGSAP_IE_IMSI_DET_NONEPS_TYPE);
+		break;
+	}
+
+	vlr_sgs_imsi_detach(gsm_network->vlr, imsi, type);
+	resp = gsm29118_create_imsi_det_ack(imsi);
+	sgs_tx(sgc, resp);
+
+	return 0;
+}
+
+/* SGsAP-EPS-DETACH-INDICATION 3GPP TS 29.118, chapter 8.6 */
+static int sgs_rx_eps_det_ind(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	struct msgb *resp;
+	enum sgsap_imsi_det_eps_type type;
+	const uint8_t *type_ie;
+
+	type_ie = TLVP_VAL_MINLEN(tp, SGSAP_IE_IMSI_DET_EPS_TYPE, 1);
+	if (!type_ie)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_IMSI_DET_EPS_TYPE);
+
+	switch (type_ie[0]) {
+	case SGSAP_ID_EPS_T_NETWORK_INITIATED:
+		type = SGSAP_ID_EPS_T_NETWORK_INITIATED;
+		break;
+	case SGSAP_ID_EPS_T_UE_INITIATED:
+		type = SGSAP_ID_EPS_T_UE_INITIATED;
+		break;
+	case SGSAP_ID_EPS_T_EPS_NOT_ALLOWED:
+		type = SGSAP_ID_EPS_T_EPS_NOT_ALLOWED;
+		break;
+	default:
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_INVALID_MAND_IE, msg, SGSAP_IE_IMSI_DET_EPS_TYPE);
+		break;
+	}
+
+	vlr_sgs_eps_detach(gsm_network->vlr, imsi, type);
+	resp = gsm29118_create_eps_det_ack(imsi);
+	sgs_tx(sgc, resp);
+
+	return 0;
+}
+
+/* SGsAP-PAGING-REJECT 3GPP TS 29.118, chapter 8.13 */
+static int sgs_rx_pag_rej(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	int cause;
+	struct vlr_subscr *vsub;
+
+	cause = sgs_cause_from_msg(sgc, msg, tp, NULL);
+	if (cause < 0)
+		return 0;
+
+	/* Subscriber must be known by the VLR */
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	if (!vsub)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN, msg, SGSAP_IE_IMSI);
+
+	/* Inform the VLR */
+	vlr_sgs_pag_rej(gsm_network->vlr, imsi, cause);
+
+	/* Stop all paging activity */
+	subscr_paging_cancel(vsub, GSM_PAGING_EXPIRED);
+
+	/* Depending on the cause code some action is required */
+	if (cause == SGSAP_SGS_CAUSE_MT_CSFB_REJ_USER) {
+		/* FIXME: We are supposed to trigger a User Determined User Busy (UDUB)
+		 * as specified in 3GPP TS 24.082 here, SGs association state shall not
+		 * be changed */
+		LOGSGC(sgc, LOGL_ERROR,
+		       "Rx %s with SGSAP_SGS_CAUSE_MT_CSFB_REJ_USER, but sending UDUP is not implemented yet!\n",
+		       sgsap_msg_type_name(msg->data[0]));
+	} else if (cause == SGSAP_SGS_CAUSE_IMSI_DET_EPS) {
+		/* FIXME: In this case we should send the paging via A/Iu interface */
+		OSMO_ASSERT(false);
+	}
+
+	vlr_subscr_put(vsub);
+	return 0;
+}
+
+/* SGsAP-UE-UNREACHABLE 3GPP TS 29.118, chapter 8.21 */
+static int sgs_rx_ue_unr(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	int cause;
+
+	cause = sgs_cause_from_msg(sgc, msg, tp, NULL);
+	if (cause < 0)
+		return 0;
+
+	vlr_sgs_ue_unr(gsm_network->vlr, imsi, cause);
+
+	return 0;
+}
+
+/* SGsAP-TMSI-REALLOCATION-COMPLETE 3GPP TS 29.118, chapter 8.19 */
+static int sgs_rx_tmsi_reall_cmpl(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	vlr_sgs_tmsi_reall_compl(gsm_network->vlr, imsi);
+	return 0;
+}
+
+/* SGsAP-SERVICE-REQUEST 3GPP TS 29.118, chapter 8.17 */
+static int sgs_rx_service_req(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	enum sgsap_service_ind serv_ind;
+	const uint8_t *serv_ind_ie;
+	struct ran_conn *conn;
+	struct vlr_subscr *vsub;
+
+	/* Note: While in other RAN concepts a service request is used to
+	 * initiate mobile originated operation, the service request in SGsAP
+	 * is comparable to a paging response. The SGsAP SERVICE REQUEST must
+	 * not be confused or compared with a CM SERVICE REQUEST! */
+
+	if (!check_sgs_association(sgc, msg, imsi))
+		return 0;
+
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	/* Note: vsub is already sufficiently verified by check_sgs_association(),
+	 * we must have a vsub at this point! */
+	OSMO_ASSERT(vsub);
+
+	/* The Service request is intended as a paging response, if one is
+	 * received while nothing is paging something is very wrong! */
+	if (!vlr_sgs_pag_pend(vsub)) {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MSG_INCOMP_STATE, msg, -1);
+	}
+	serv_ind_ie = TLVP_VAL_MINLEN(tp, SGSAP_IE_SERVICE_INDICATOR, 1);
+
+	if (!serv_ind_ie) {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_SERVICE_INDICATOR);
+	}
+	if (serv_ind_ie[0] == SGSAP_SERV_IND_CS_CALL)
+		serv_ind = serv_ind_ie[0];
+	else if (serv_ind_ie[0] == SGSAP_SERV_IND_SMS)
+		serv_ind = serv_ind_ie[0];
+	else {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_INVALID_MAND_IE, msg, SGSAP_IE_SERVICE_INDICATOR);
+	}
+
+	/* FIXME: The MME shall include an UE EMM Mode IE, but the field is
+	 * marked optional. (Why do we need this info at all?) */
+
+	/* Report to the VLR that the paging has successfully completed */
+	vlr_sgs_pag_ack(gsm_network->vlr, imsi);
+
+	/* Exit early when the service indicator indicates that a call is being
+	 * established. In those cases we do not allocate a connection, instead
+	 * the connection will be allocated when the MS is appearing on the
+	 * A-Interface. */
+	if (serv_ind == SGSAP_SERV_IND_CS_CALL) {
+		vlr_subscr_put(vsub);
+		return 0;
+	}
+
+	/* Allocate subscriber connection */
+	conn = subscr_conn_allocate_sgs(sgc, vsub, true);
+	if (!conn) {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MSG_INCOMP_STATE, msg, -1);
+	}
+
+	return 0;
+}
+
+/* SGsAP-UPLINK-UNITDATA 3GPP TS 29.118, chapter 8.22 */
+static int sgs_rx_ul_ud(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	struct dtap_header *dtap;
+	struct ran_conn *conn;
+	bool ran_conn_created = false;
+	const uint8_t *nas_msg_container_ie;
+	struct vlr_subscr *vsub;
+
+	if (!check_sgs_association(sgc, msg, imsi))
+		return 0;
+
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	/* Note: vsub is already sufficiently verified by check_sgs_association(),
+	 * we must have a vsub at this point! */
+	OSMO_ASSERT(vsub);
+
+	/* Try to find existing connection (MT) or allocate a new one (MO) */
+	conn = connection_for_subscr(vsub);
+	if (!conn) {
+		conn = subscr_conn_allocate_sgs(sgc, vsub, false);
+		ran_conn_created = true;
+	} else {
+		if (conn->via_ran != OSMO_RAT_EUTRAN_SGS) {
+			LOGSGC(sgc, LOGL_ERROR,
+			       "Receiving uplink unit-data for non-sgs connection -- discarding message!\n");
+			msgb_free(msg);
+			return 0;
+		}
+	}
+
+	/* If we do not find an existing connection and allocating a new one
+	 * faild, give up and return status. */
+	if (!conn) {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MSG_INCOMP_STATE, msg, 0);
+	}
+
+	nas_msg_container_ie = TLVP_VAL_MINLEN(tp, SGSAP_IE_NAS_MSG_CONTAINER, 1);
+	if (!nas_msg_container_ie) {
+		vlr_subscr_put(vsub);
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_MISSING_MAND_IE, msg, SGSAP_IE_NAS_MSG_CONTAINER);
+	}
+
+	/* ran_conn_dtap expects the dtap payload in l3h */
+	dtap = (struct dtap_header *)nas_msg_container_ie;
+	msg->l3h = (uint8_t *) nas_msg_container_ie;
+	OMSC_LINKID_CB(msg) = dtap->link_id;
+
+	/* Forward dtap payload into the msc */
+	ran_conn_dtap(conn, msg);
+
+	/* If we did not create the conn right here, we just handle the ref
+	 * counting normally. Otherwise we are in the same role as
+	 * sgs_rx_service_req() and we want that the refcount says incremented
+	 * througout the lifetime of the newly created conn. */
+	if (!ran_conn_created)
+		vlr_subscr_put(vsub);
+	return 0;
+}
+
+/* SGsAP-MO-CSFB-INDICATION, chapter 8.25 */
+static int sgs_rx_csfb_ind(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	struct vlr_subscr *vsub;
+
+	/* The MME informs us with this message that the UE has returned back
+	 * to the 4G network, so we use the SGs interface again for further
+	 * communication with the UE. */
+
+	vsub = vlr_subscr_find_by_imsi(gsm_network->vlr, imsi);
+	if (!vsub)
+		return sgs_tx_status(sgc, imsi, SGSAP_SGS_CAUSE_IMSI_UNKNOWN, msg, SGSAP_IE_IMSI);
+
+	/* Check for lingering connections */
+	subscr_conn_toss(vsub);
+
+	vsub->cs.attached_via_ran = OSMO_RAT_EUTRAN_SGS;
+	vlr_subscr_put(vsub);
+	return 0;
+}
+
+/* SGsAP-UE-ACTIVITY-INDICATION, chapter 8.20 */
+static int sgs_rx_ue_act_ind(struct sgs_connection *sgc, struct msgb *msg, const struct tlv_parsed *tp, char *imsi)
+{
+	/* In this MSC/VLR implementation we do not support the alerting
+	 * procedure yet and therefore we will never request any alerting
+	 * at the MME. Given that it is unlikely that we ever get activity
+	 * indications from the MME, but if we do we should not act all too
+	 * hostile and ignore the indication silently. */
+
+	LOGSGC(sgc, LOGL_ERROR, "Rx %s unexpected, we do not implement alerting yet, ignoring!\n",
+	       sgsap_msg_type_name(msg->data[0]));
+
+	return 0;
+}
+
+#define TX_STATUS_AND_LOG(sgc, msg_type, cause, fmt) \
+	LOGSGC(sgc, LOGL_ERROR, fmt, sgsap_msg_type_name(msg_type));	\
+	resp = gsm29118_create_status(NULL, cause, msg); \
+	sgs_tx(sgc, resp); \
+
+/*! Process incoming SGs message (see sgs_server.c)
+ *  \param[in] sgc related sgs connection
+ *  \param[in] msg received message
+ *  \returns 0 in case of success, -EINVAL in case of error. */
+int sgs_iface_rx(struct sgs_connection *sgc, struct msgb *msg)
+{
+	struct msgb *resp;
+	uint8_t msg_type = msg->l2h[0];
+	struct tlv_parsed tp;
+	int rc;
+	char imsi[GSM48_MI_SIZE];
+	char mme_name[SGS_MME_NAME_LEN + 1];
+
+	memset(imsi, 0, sizeof(imsi));
+	memset(mme_name, 0, sizeof(mme_name));
+
+	/* When the receiving entity receives a message that is too short to contain a complete
+	 * message type information element, the receiving entity shall ignore that message. */
+	if (msgb_l2len(msg) < 1)
+		goto error;
+
+	/* Parse TLV elements */
+	rc = tlv_parse(&tp, &sgsap_ie_tlvdef, msgb_l2(msg) + 1, msgb_l2len(msg) - 1, 0, 0);
+	if (rc < 0) {
+		TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_SEMANT_INCORR_MSG, "SGsAP Message %s parsing error\n");
+		goto error;
+	}
+
+	/* Most of the messages contain an IMSI as mandatory IE, parse it right here */
+	if (!TLVP_PRESENT(&tp, SGSAP_IE_IMSI) &&
+	    msg_type != SGSAP_MSGT_STATUS && msg_type != SGSAP_MSGT_RESET_IND && msg_type != SGSAP_MSGT_RESET_ACK) {
+		/* reject the message; all but the three above have mandatory IMSI */
+		TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_MISSING_MAND_IE,
+				  "SGsAP Message %s without IMSI, dropping\n");
+		goto error;
+	}
+
+	if (TLVP_PRESENT(&tp, SGSAP_IE_IMSI)) {
+		gsm48_mi_to_string(imsi, sizeof(imsi), TLVP_VAL(&tp, SGSAP_IE_IMSI), TLVP_LEN(&tp, SGSAP_IE_IMSI));
+		if (strlen(imsi) < GSM23003_IMSI_MIN_DIGITS) {
+			TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_INVALID_MAND_IE,
+					  "SGsAP Message %s with short IMSI, dropping\n");
+			goto error;
+		}
+	}
+
+	/* Some messages contain an MME-NAME as mandatore IE, parse it right here. The
+	 * MME-NAME is als immediately registered with the sgc, so it will be implicitly
+	 * known to all functions that have access to the sgc context. */
+	if (!TLVP_PRESENT(&tp, SGSAP_IE_MME_NAME)
+	    && (msg_type == SGSAP_MSGT_RESET_IND || msg_type == SGSAP_MSGT_RESET_ACK
+		|| msg_type == SGSAP_MSGT_LOC_UPD_REQ || msg_type == SGSAP_MSGT_IMSI_DET_IND
+		|| msg_type == SGSAP_MSGT_EPS_DET_IND)) {
+		TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_MISSING_MAND_IE,
+				  "SGsAP Message %s without MME-Name, dropping\n");
+		goto error;
+	}
+
+	if (TLVP_PRESENT(&tp, SGSAP_IE_MME_NAME)) {
+		if (decode_mme_name(mme_name, &tp) != 0) {
+			TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_INVALID_MAND_IE,
+					  "SGsAP Message %s with invalid MME-Name, dropping\n");
+			goto error;
+		}
+		/* Regsister/check mme_name with sgc */
+		if (sgs_mme_fqdn_received(sgc, mme_name) < 0) {
+			TX_STATUS_AND_LOG(sgc, msg_type, SGSAP_SGS_CAUSE_MSG_INCOMP_STATE,
+					  "SGsAP Message %s with invalid MME-Name, dropping\n");
+			goto error;
+		}
+	}
+
+	/* dispatch msg to various handler functions.  msgb ownership remains here! */
+	rc = -EINVAL;
+	switch (msg_type) {
+	case SGSAP_MSGT_STATUS:
+		rc = sgs_rx_status(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_RESET_IND:
+		rc = sgs_rx_reset_ind(sgc, msg, &tp);
+		break;
+	case SGSAP_MSGT_RESET_ACK:
+		rc = sgs_rx_reset_ack(sgc, msg, &tp);
+		break;
+	case SGSAP_MSGT_LOC_UPD_REQ:
+		rc = sgs_rx_loc_upd_req(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_IMSI_DET_IND:
+		rc = sgs_rx_imsi_det_ind(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_EPS_DET_IND:
+		rc = sgs_rx_eps_det_ind(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_PAGING_REJ:
+		rc = sgs_rx_pag_rej(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_UE_UNREACHABLE:
+		rc = sgs_rx_ue_unr(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_TMSI_REALL_CMPL:
+		rc = sgs_rx_tmsi_reall_cmpl(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_SERVICE_REQ:
+		rc = sgs_rx_service_req(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_UL_UD:
+		rc = sgs_rx_ul_ud(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_MO_CSFB_IND:
+		rc = sgs_rx_csfb_ind(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_UE_ACT_IND:
+		rc = sgs_rx_ue_act_ind(sgc, msg, &tp, imsi);
+		break;
+	case SGSAP_MSGT_ALERT_ACK:
+	case SGSAP_MSGT_ALERT_REJ:
+		LOGSGC(sgc, LOGL_ERROR, "Rx unmplemented SGsAP %s: %s\n",
+		       sgsap_msg_type_name(msg_type), msgb_hexdump(msg));
+		resp = gsm29118_create_status(imsi, SGSAP_SGS_CAUSE_MSG_UNKNOWN, msg);
+		sgs_tx(sgc, resp);
+		rc = 0;
+		break;
+	default:
+		LOGSGC(sgc, LOGL_ERROR, "Rx unknown SGsAP message type 0x%02x: %s\n", msg_type, msgb_hexdump(msg));
+		resp = gsm29118_create_status(imsi, SGSAP_SGS_CAUSE_MSG_UNKNOWN, msg);
+		sgs_tx(sgc, resp);
+		rc = 0;
+		break;
+	}
+
+	/* Catch unhandled errors */
+	if (rc < 0) {
+		/* Note: Usually the sgs_rx_ should catch errors locally and
+		 * eimit a status message with proper cause code, including
+		 * a suitable log message. If we end up here, something is
+		 * not right and should be fixed */
+		LOGSGC(sgc, LOGL_ERROR, "Rx unable to decode SGsAP %s: %s\n",
+		       sgsap_msg_type_name(msg_type), msgb_hexdump(msg));
+		resp = gsm29118_create_status(imsi, SGSAP_SGS_CAUSE_MSG_UNKNOWN, msg);
+		sgs_tx(sgc, resp);
+	}
+
+error:
+	msgb_free(msg);
+	return 0;
+}
+
+/***********************************************************************
+ * SGs connection "VLR Reset Procedure" FSM
+ ***********************************************************************/
+
+static const struct value_string sgs_vlr_reset_fsm_event_names[] = {
+	{SGS_VLRR_E_START_RESET, "START-RESET"},
+	{SGS_VLRR_E_RX_RESET_ACK, "RX-RESET-ACK"},
+	{0, NULL}
+};
+
+static void sgs_vlr_reset_fsm_null(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	switch (event) {
+	case SGS_VLRR_E_RX_RESET_ACK:
+		break;
+	default:
+		OSMO_ASSERT(0);
+		break;
+	}
+}
+
+static void sgs_vlr_reset_fsm_wait_ack(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	switch (event) {
+	case SGS_VLRR_E_RX_RESET_ACK:
+		osmo_fsm_inst_state_chg(fi, SGS_VLRR_ST_COMPLETE, 0, 0);
+		break;
+	default:
+		OSMO_ASSERT(0);
+		break;
+	}
+}
+
+static void sgs_vlr_reset_fsm_complete(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	switch (event) {
+	case SGS_VLRR_E_RX_RESET_ACK:
+		break;
+	default:
+		OSMO_ASSERT(0);
+		break;
+	}
+}
+
+static void sgs_vlr_reset_fsm_allstate(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct msgb *reset_ind;
+	struct gsm29118_reset_msg reset_params;
+	struct sgs_mme_ctx *mme = (struct sgs_mme_ctx *)fi->priv;
+	struct sgs_connection *sgc = mme->conn;
+	struct sgs_state *sgs = mme->sgs;
+
+	switch (event) {
+	case SGS_VLRR_E_START_RESET:
+		osmo_fsm_inst_state_chg(fi, SGS_VLRR_ST_NULL, 0, 0);
+		mme->ns11_remaining = sgs->cfg.counter[SGS_STATE_NS11];
+		/* send a reset message and enter WAIT_ACK state */
+		memset(&reset_params, 0, sizeof(reset_params));
+		osmo_strlcpy(reset_params.vlr_name, sgs->cfg.vlr_name, sizeof(reset_params.vlr_name));
+		reset_params.vlr_name_present = true;
+		reset_ind = gsm29118_create_reset_ind(&reset_params);
+		sgs_tx(sgc, reset_ind);
+		osmo_fsm_inst_state_chg(fi, SGS_VLRR_ST_WAIT_ACK, sgs->cfg.timer[SGS_STATE_TS11], 11);
+		break;
+	default:
+		OSMO_ASSERT(0);
+		break;
+	}
+}
+
+static int sgs_vlr_reset_fsm_timer_cb(struct osmo_fsm_inst *fi)
+{
+	struct msgb *reset_ind;
+	struct gsm29118_reset_msg reset_params;
+	struct sgs_mme_ctx *mme = (struct sgs_mme_ctx *)fi->priv;
+	struct sgs_connection *sgc = mme->conn;
+	struct sgs_state *sgs = mme->sgs;
+
+	switch (fi->T) {
+	case 11:
+		if (mme->ns11_remaining >= 1) {
+			memset(&reset_params, 0, sizeof(reset_params));
+			osmo_strlcpy(reset_params.vlr_name, sgs->cfg.vlr_name, sizeof(reset_params.vlr_name));
+			reset_params.vlr_name_present = true;
+			reset_ind = gsm29118_create_reset_ind(&reset_params);
+			sgs_tx(sgc, reset_ind);
+			osmo_fsm_inst_state_chg(fi, SGS_VLRR_ST_WAIT_ACK, sgs->cfg.timer[SGS_STATE_TS11], 11);
+			mme->ns11_remaining--;
+		} else {
+			LOGMME(mme, LOGL_ERROR, "Ts11 expired more than %u (Ns11) times, giving up\n",
+			       sgs->cfg.counter[SGS_STATE_TS11]);
+			osmo_fsm_inst_state_chg(fi, SGS_VLRR_ST_NULL, 0, 0);
+		}
+		break;
+	default:
+		OSMO_ASSERT(0);
+		break;
+	}
+	return 0;
+}
+
+static const struct osmo_fsm_state sgs_vlr_reset_fsm_states[] = {
+	[SGS_VLRR_ST_NULL] = {
+		/* We haven't even tried yet to send a RESET */
+		.name = "NULL",
+		.action = sgs_vlr_reset_fsm_null,
+		.in_event_mask = S(SGS_VLRR_E_RX_RESET_ACK),
+		.out_state_mask = S(SGS_VLRR_ST_NULL) | S(SGS_VLRR_ST_WAIT_ACK),
+	},
+	[SGS_VLRR_ST_WAIT_ACK] = {
+		/* We're waiting for a SGsAP_RESET_ACK */
+		.name = "WAIT-ACK",
+		.action = sgs_vlr_reset_fsm_wait_ack,
+		.in_event_mask = S(SGS_VLRR_E_RX_RESET_ACK),
+		.out_state_mask = S(SGS_VLRR_ST_NULL) |
+		S(SGS_VLRR_ST_COMPLETE) | S(SGS_VLRR_ST_WAIT_ACK),
+	},
+	[SGS_VLRR_ST_COMPLETE] = {
+		/* Reset procedure to this MME has been completed */
+		.name = "COMPLETE",
+		.action = sgs_vlr_reset_fsm_complete,
+		.in_event_mask = S(SGS_VLRR_E_RX_RESET_ACK),
+		.out_state_mask = S(SGS_VLRR_ST_NULL) | S(SGS_VLRR_ST_COMPLETE),
+	},
+};
+
+static struct osmo_fsm sgs_vlr_reset_fsm = {
+	.name = "SGs-VLR-RESET",
+	.states = sgs_vlr_reset_fsm_states,
+	.allstate_event_mask = S(SGS_VLRR_E_START_RESET),
+	.allstate_action = sgs_vlr_reset_fsm_allstate,
+	.timer_cb = sgs_vlr_reset_fsm_timer_cb,
+	.log_subsys = DSGS,
+	.event_names = sgs_vlr_reset_fsm_event_names,
+};
+
+/*! Send unit-data through SGs interface (see msc_ifaces.c)
+ *  \param[in] msg layer 3 message to send.
+ *  \returns 0 in case of success, -EINVAL in case of error. */
+int sgs_iface_tx_dtap_ud(struct msgb *msg)
+{
+	struct ran_conn *conn;
+	struct vlr_subscr *vsub;
+	struct msgb *msg_sgs;
+	struct sgs_mme_ctx *mme;
+	int rc = -EINVAL;
+
+	/* This function expects a pointer to the related gsm subscriber
+	 * connection (conn) in msg->dst. Also conn->vsub must point to
+	 * the related subscriber */
+
+	OSMO_ASSERT(msg->dst);
+	conn = msg->dst;
+	OSMO_ASSERT(conn->vsub);
+	vsub = conn->vsub;
+
+	mme = sgs_mme_ctx_by_vsub(vsub, SGSAP_MSGT_DL_UD);
+	if (!mme)
+		goto error;
+
+	/* Make sure the subscriber has a valid SGs association, otherwise
+	 * don't let unit-data through. */
+	if (vsub->sgs_fsm->state != SGS_UE_ST_ASSOCIATED) {
+		LOG_RAN_CONN(conn, LOGL_NOTICE, "Tx %s subscriber not SGs-associated, dropping\n",
+			     sgsap_msg_type_name(SGSAP_MSGT_DL_UD));
+		goto error;
+	}
+
+	msg_sgs = gsm29118_create_dl_ud(vsub->imsi, msg);
+	sgs_tx(mme->conn, msg_sgs);
+	rc = 0;
+
+error:
+	msgb_free(msg);
+	return rc;
+}
+
+/*! Send a relase message through SGs interface (see msc_ifaces.c)
+ *  \param[in] msg layer 3 message to send.
+ *  \returns 0 in case of success, -EINVAL in case of error. */
+void sgs_iface_tx_release(struct ran_conn *conn)
+{
+	struct msgb *msg_sgs;
+	struct vlr_subscr *vsub;
+	struct sgs_mme_ctx *mme;
+
+	/*! Use this function to release an SGs connection normally
+	 *  (cause code is 0). This function also automatically causes
+	 *  the VLR subscriber usage to be balanced. */
+
+	OSMO_ASSERT(conn->vsub);
+	vsub = conn->vsub;
+
+	mme = sgs_mme_ctx_by_vsub(vsub, SGSAP_MSGT_DL_UD);
+	if (!mme)
+		return;
+
+	msg_sgs = gsm29118_create_release_req(vsub->imsi, 0);
+	sgs_tx(mme->conn, msg_sgs);
+}
+
+/*! initalize SGs new interface
+ *  \param[in] ctx talloc context
+ *  \param[in] network associated gsm network
+ *  \returns returns allocated sgs_stae, NULL in case of error. */
+struct sgs_state *sgs_iface_init(void *ctx, struct gsm_network *network)
+{
+	struct sgs_state *sgs;
+
+	gsm_network = network;
+
+	sgs = sgs_server_alloc(ctx);
+	OSMO_ASSERT(sgs);
+
+	/* We currently only support one SGs instance */
+	if (g_sgs)
+		return NULL;
+	g_sgs = sgs;
+
+	osmo_fsm_register(&sgs_vlr_reset_fsm);
+	sgs_server_open(sgs);
+
+	return sgs;
+}
diff --git a/src/libmsc/sgs_server.c b/src/libmsc/sgs_server.c
new file mode 100644
index 000000000..56f1548cb
--- /dev/null
+++ b/src/libmsc/sgs_server.c
@@ -0,0 +1,187 @@
+/* (C) 2018-2019 by sysmocom s.f.m.c. GmbH
+ * All Rights Reserved
+ *
+ * Author: Harald Welte, Philipp Maier
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <osmocom/msc/sgs_iface.h>
+#include <osmocom/msc/debug.h>
+#include <osmocom/msc/sgs_server.h>
+#include <osmocom/core/utils.h>
+#include <osmocom/core/socket.h>
+#include <osmocom/core/select.h>
+#include <osmocom/netif/stream.h>
+#include <netinet/sctp.h>
+
+#define LOGSGC(sgc, lvl, fmt, args...) \
+	LOGP(DSGS, lvl, "%s: " fmt, (sgc)->sockname, ## args)
+
+/* call-back when data arrives on SGs */
+static int sgs_conn_readable_cb(struct osmo_stream_srv *conn)
+{
+	struct osmo_fd *ofd = osmo_stream_srv_get_ofd(conn);
+	struct sgs_connection *sgc = osmo_stream_srv_get_data(conn);
+	struct msgb *msg = gsm29118_msgb_alloc();
+	struct sctp_sndrcvinfo sinfo;
+	int flags = 0;
+	int rc;
+
+	/* we cannot use osmo_stream_srv_recv() here, as we might get some out-of-band info from
+	 * SCTP. FIXME: add something like osmo_stream_srv_recv_sctp() to libosmo-netif and use
+	 * it here as well as in libosmo-sigtran */
+	rc = sctp_recvmsg(ofd->fd, msgb_data(msg), msgb_tailroom(msg), NULL, NULL, &sinfo, &flags);
+	if (rc < 0) {
+		osmo_stream_srv_destroy(conn);
+		rc = -EBADF;
+		goto out;
+	} else if (rc == 0) {
+		osmo_stream_srv_destroy(conn);
+		rc = -EBADF;
+		goto out;
+	} else {
+		msgb_put(msg, rc);
+	}
+
+	if (flags & MSG_NOTIFICATION) {
+		union sctp_notification *notif = (union sctp_notification *)msgb_data(msg);
+
+		switch (notif->sn_header.sn_type) {
+		case SCTP_SHUTDOWN_EVENT:
+			osmo_stream_srv_destroy(conn);
+			rc = -EBADF;
+			break;
+		case SCTP_ASSOC_CHANGE:
+			/* FIXME: do we have to notify the SGs code about this? */
+			break;
+		default:
+			break;
+		}
+		rc = 0;
+		goto out;
+	}
+
+	/* set l2 header, as that's what we use in SGs code */
+	msg->l2h = msgb_data(msg);
+
+	if (msgb_sctp_ppid(msg) != 0) {
+		LOGSGC(sgc, LOGL_NOTICE, "Ignoring SCTP PPID %ld (spec violation)\n", msgb_sctp_ppid(msg));
+		msgb_free(msg);
+		return 0;
+	}
+
+	/* handle message */
+	sgs_iface_rx(sgc, msg);
+
+	return 0;
+out:
+	msgb_free(msg);
+	return rc;
+}
+
+/* call-back when new connection is closed ed on SGs */
+static int sgs_conn_closed_cb(struct osmo_stream_srv *conn)
+{
+	struct sgs_connection *sgc = osmo_stream_srv_get_data(conn);
+
+	LOGSGC(sgc, LOGL_NOTICE, "Connection lost\n");
+	if (sgc->mme) {
+		/* unlink ourselves from the MME context */
+		if (sgc->mme->conn == sgc)
+			sgc->mme->conn = NULL;
+	}
+	llist_del(&sgc->entry);
+	return 0;
+}
+
+/* call-back when new connection is accept() ed on SGs */
+static int sgs_accept_cb(struct osmo_stream_srv_link *link, int fd)
+{
+	struct sgs_state *sgs = osmo_stream_srv_link_get_data(link);
+	struct sgs_connection *sgc = talloc_zero(link, struct sgs_connection);
+	OSMO_ASSERT(sgc);
+	sgc->sgs = sgs;
+	osmo_sock_get_name_buf(sgc->sockname, sizeof(sgc->sockname), fd);
+	sgc->srv = osmo_stream_srv_create(sgc, link, fd, sgs_conn_readable_cb, sgs_conn_closed_cb, sgc);
+	if (!sgc->srv) {
+		talloc_free(sgc);
+		return -1;
+	}
+	LOGSGC(sgc, LOGL_INFO, "Accepted new SGs connection\n");
+	llist_add_tail(&sgc->entry, &sgs->conn_list);
+
+	return 0;
+}
+
+static struct sgs_state *sgs_state_alloc(void *ctx)
+{
+	struct sgs_state *sgs = talloc_zero(ctx, struct sgs_state);
+
+	INIT_LLIST_HEAD(&sgs->mme_list);
+	INIT_LLIST_HEAD(&sgs->conn_list);
+
+	memcpy(sgs->cfg.timer, sgs_state_timer_defaults, sizeof(sgs->cfg.timer));
+	memcpy(sgs->cfg.counter, sgs_state_counter_defaults, sizeof(sgs->cfg.counter));
+	sgs->cfg.local_port = SGS_PORT_DEFAULT;
+	osmo_strlcpy(sgs->cfg.local_addr, DEFAULT_SGS_SERVER_IP, sizeof(sgs->cfg.local_addr));
+	osmo_strlcpy(sgs->cfg.vlr_name, DEFAULT_SGS_SERVER_VLR_NAME, sizeof(sgs->cfg.vlr_name));
+
+	return sgs;
+}
+
+/*! allocate SGs new sgs state
+ *  \param[in] ctx talloc context
+ *  \returns returns allocated sgs state, NULL in case of error. */
+struct sgs_state *sgs_server_alloc(void *ctx)
+{
+	struct sgs_state *sgs;
+	struct osmo_stream_srv_link *link;
+
+	sgs = sgs_state_alloc(ctx);
+	if (!sgs)
+		return NULL;
+
+	sgs->srv_link = link = osmo_stream_srv_link_create(ctx);
+	if (!sgs->srv_link)
+		return NULL;
+
+	osmo_stream_srv_link_set_nodelay(link, true);
+	osmo_stream_srv_link_set_addr(link, sgs->cfg.local_addr);
+	osmo_stream_srv_link_set_port(link, sgs->cfg.local_port);
+	osmo_stream_srv_link_set_proto(link, IPPROTO_SCTP);
+	osmo_stream_srv_link_set_data(link, sgs);
+	osmo_stream_srv_link_set_accept_cb(link, sgs_accept_cb);
+
+	return sgs;
+}
+
+/*! (re)open SGs interface (SCTP)
+ *  \param[in] sgs associated sgs state
+ *  \returns 0 in case of success, -EINVAL in case of error. */
+int sgs_server_open(struct sgs_state *sgs)
+{
+	int rc;
+	struct osmo_fd *ofd = osmo_stream_srv_link_get_ofd(sgs->srv_link);
+
+	rc = osmo_stream_srv_link_open(sgs->srv_link);
+	if (rc < 0) {
+		LOGP(DSGS, LOGL_ERROR, "SGs socket cannot be opened: %s\n", strerror(errno));
+		return -EINVAL;
+	}
+
+	LOGP(DSGS, LOGL_NOTICE, "SGs socket bound to %s\n", osmo_sock_get_name2(ofd->fd));
+	return 0;
+}
diff --git a/src/libmsc/sgs_vty.c b/src/libmsc/sgs_vty.c
new file mode 100644
index 000000000..5b26178d6
--- /dev/null
+++ b/src/libmsc/sgs_vty.c
@@ -0,0 +1,197 @@
+/* (C) 2018-2019 by sysmocom s.f.m.c. GmbH
+ * All Rights Reserved
+ *
+ * Author: Harald Welte, Philipp Maier
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <string.h>
+#include <errno.h>
+#include <osmocom/core/utils.h>
+#include <osmocom/core/msgb.h>
+#include <osmocom/msc/vty.h>
+#include <osmocom/netif/stream.h>
+#include <osmocom/msc/sgs_iface.h>
+#include <osmocom/msc/sgs_server.h>
+#include <osmocom/msc/debug.h>
+#include <osmocom/gsm/tlv.h>
+
+struct cmd_node cfg_sgs_node = {
+	CFG_SGS_NODE,
+	"%s(config-sgs)# ",
+	1
+};
+
+DEFUN(cfg_sgs, cfg_sgs_cmd,
+      "sgs",
+      "Configure the SGs interface\n")
+{
+	vty->index = g_sgs;
+	vty->node = CFG_SGS_NODE;
+
+	return CMD_SUCCESS;
+}
+
+DEFUN(cfg_sgs_local_ip, cfg_sgs_local_ip_cmd,
+      "local-ip A.B.C.D",
+      "Set the Local IP Address of the SGs interface\n"
+      "Local IP Address of the SGs interface\n")
+{
+	struct sgs_state *sgs = vty->index;
+	int rc;
+
+	osmo_strlcpy(sgs->cfg.local_addr, argv[0], sizeof(sgs->cfg.local_addr));
+	osmo_stream_srv_link_set_addr(sgs->srv_link, sgs->cfg.local_addr);
+
+	rc = sgs_server_open(sgs);
+	if (rc < 0) {
+		vty_out(vty, "%% SGs socket cannot be opened: %s%s", strerror(errno), VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+
+	return CMD_SUCCESS;
+}
+
+DEFUN(cfg_sgs_local_port, cfg_sgs_local_port_cmd,
+      "local-port <0-65535>",
+      "Set the local SCTP port of the SGs interface\n"
+      "Local SCTP port of the SGs interface\n")
+{
+	struct sgs_state *sgs = vty->index;
+	int rc;
+
+	sgs->cfg.local_port = atoi(argv[0]);
+	osmo_stream_srv_link_set_port(sgs->srv_link, sgs->cfg.local_port);
+
+	rc = sgs_server_open(sgs);
+	if (rc < 0) {
+		vty_out(vty, "%% SGs socket cannot be opened: %s%s", strerror(errno), VTY_NEWLINE);
+		return CMD_WARNING;
+	}
+
+	return CMD_SUCCESS;
+}
+
+DEFUN(cfg_sgs_vlr_name, cfg_sgs_vlr_name_cmd,
+      "vlr-name FQDN",
+      "Set the SGs VLR Name as per TS 29.118 9.4.22\n"
+      "Fully-Qualified Domain Name of this VLR\n")
+{
+	struct sgs_state *sgs = vty->index;
+	osmo_strlcpy(sgs->cfg.vlr_name, argv[0], sizeof(sgs->cfg.vlr_name));
+
+	return CMD_SUCCESS;
+}
+
+DEFUN(cfg_sgs_timer, cfg_sgs_timer_cmd,
+      "timer (ts5|ts6-2|ts7|ts11|ts14|ts15) <1-120>",
+      "Configure SGs Timer\n"
+      "Paging procedure guard timer\n"
+      "TMSI reallocation guard timer\n"
+      "Non-EPS alert procedure guard timer\n"
+      "VLR reset guard timer\n"
+      "UE fallback prcoedure timer\n"
+      "MO UE fallback procedure guard timer\n"
+      "Time in seconds\n")
+{
+	struct sgs_state *sgs = vty->index;
+	unsigned int i;
+
+	for (i = 0; i < ARRAY_SIZE(sgs->cfg.timer); i++) {
+		if (!strcasecmp(argv[0], vlr_sgs_state_timer_name(i))) {
+			sgs->cfg.timer[i] = atoi(argv[1]);
+			return CMD_SUCCESS;
+		}
+	}
+
+	return CMD_WARNING;
+}
+
+DEFUN(cfg_sgs_counter, cfg_sgs_counter_cmd,
+      "counter (ns7|ns11) <0-255>",
+      "Configure SGs Counter\n"
+      "Non-EPS alert request retry counter\n"
+      "VLR reset retry counter\n" "Counter value\n")
+{
+	struct sgs_state *sgs = vty->index;
+	unsigned int i = 0;
+
+	for (i = 0; i < ARRAY_SIZE(sgs->cfg.counter); i++) {
+		if (!strcasecmp(argv[0], vlr_sgs_state_counter_name(i))) {
+			sgs->cfg.counter[i] = atoi(argv[1]);
+			return CMD_SUCCESS;
+		}
+	}
+
+	return CMD_WARNING;
+}
+
+DEFUN(show_sgs_conn, show_sgs_conn_cmd,
+      "show sgs-connections", SHOW_STR
+      "Show SGs interface connections / MMEs\n")
+{
+	struct sgs_connection *sgc;
+
+	llist_for_each_entry(sgc, &g_sgs->conn_list, entry) {
+		vty_out(vty, " %s %s%s", sgc->sockname, sgc->mme ? sgc->mme->fqdn : "", VTY_NEWLINE);
+	}
+	return CMD_SUCCESS;
+}
+
+static int config_write_sgs(struct vty *vty)
+{
+	struct sgs_state *sgs = g_sgs;
+	unsigned int i;
+	char str_buf[256];
+
+	vty_out(vty, "sgs%s", VTY_NEWLINE);
+	if (sgs->cfg.local_port != SGS_PORT_DEFAULT)
+		vty_out(vty, " local-port %u%s", sgs->cfg.local_port, VTY_NEWLINE);
+	if (sgs->cfg.local_addr)
+		vty_out(vty, " local-ip %s%s", sgs->cfg.local_addr, VTY_NEWLINE);
+	if (sgs->cfg.vlr_name)
+		vty_out(vty, " vlr-name %s%s", sgs->cfg.vlr_name, VTY_NEWLINE);
+
+	for (i = 0; i < ARRAY_SIZE(sgs->cfg.timer); i++) {
+		if (sgs->cfg.timer[i] == sgs_state_timer_defaults[i])
+			continue;
+		osmo_str_tolower_buf(str_buf, sizeof(str_buf), vlr_sgs_state_timer_name(i));
+		vty_out(vty, " timer %s %u%s", str_buf, sgs->cfg.timer[i], VTY_NEWLINE);
+	}
+
+	for (i = 0; i < ARRAY_SIZE(sgs->cfg.counter); i++) {
+		if (sgs->cfg.counter[i] == sgs_state_counter_defaults[i])
+			continue;
+		osmo_str_tolower_buf(str_buf, sizeof(str_buf), vlr_sgs_state_counter_name(i));
+		vty_out(vty, " counter %s %u%s", str_buf, sgs->cfg.counter[i], VTY_NEWLINE);
+	}
+
+	return CMD_SUCCESS;
+}
+
+void sgs_vty_init(void)
+{
+	/* configuration commands / nodes */
+	install_element(CONFIG_NODE, &cfg_sgs_cmd);
+	install_node(&cfg_sgs_node, config_write_sgs);
+	install_element(CFG_SGS_NODE, &cfg_sgs_local_ip_cmd);
+	install_element(CFG_SGS_NODE, &cfg_sgs_local_port_cmd);
+	install_element(CFG_SGS_NODE, &cfg_sgs_timer_cmd);
+	install_element(CFG_SGS_NODE, &cfg_sgs_counter_cmd);
+	install_element(CFG_SGS_NODE, &cfg_sgs_vlr_name_cmd);
+
+	install_element_ve(&show_sgs_conn_cmd);
+}
diff --git a/src/libmsc/silent_call.c b/src/libmsc/silent_call.c
index b4fc15464..2a9fa9cd2 100644
--- a/src/libmsc/silent_call.c
+++ b/src/libmsc/silent_call.c
@@ -128,7 +128,8 @@ int gsm_silent_call_start(struct vlr_subscr *vsub, void *data, int type)
 	 * This doesn't apply to the situation after MSCSPLIT with an
 	 * A-interface. */
 	req = subscr_request_conn(vsub, paging_cb_silent, data,
-				  "establish silent call");
+				  "establish silent call",
+				  SGSAP_SERV_IND_CS_CALL);
 	if (!req)
 		return -ENODEV;
 	return 0;