Example: Configure Must-IE check for GTPv1 and GTPv2

 
Summary

You can enable this function to verify the presence of IEs in GTPv1 and GTPv2 messages, which helps to verify message integrity. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if the Must-IEs are present.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device.

  • Junos OS Release 20.2R1.

Overview

Information elements (IEs) are included in all GPRS tunnelling protocol (GTP) control message packets. Every GTP-C message consists of a GTP header and multiple GTP information elements (IEs). Each IE type is identified by a number from 1 through 255. The Third-Generation Partnership Project (3GPP) TS defines an IE list for every GTP message; some of the IEs are mandatory, and others are optional or conditional.

IEs of GTPv1 are encoded in type-value (TV) or type-length-value (TLV) format, so GTPv1 uses the IE number to identify IEs. IEs of GTPv2 are encoded in type-length-instance-value (TLIV) format, so GTPv2 uses the IE number and the instance number to identify IEs.

Must-IE check is a function that checks for the presence of IEs that should be contained in a GTP message, which helps to verify the GTP message integrity. Must-IEs are not limited to the mandatory IEs in the 3GPP TS. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if the Must-IEs are present.

We’ve implemented Must-IE check with flexible message profile configurations, which help you define the Must-IEs of interested messages. We call them interested messages because the IEs are not defined as mandatory in the TS. With appropriate message profile configurations, Must-IE check can easily accommodate any GTP release, message format, or IE status.

Configuration

Configure Must-IE check for GTPv1

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. If you need help, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure a GTPv1 message-ie profile. In this example, we have created a profile named msgie-v1.
  2. Create a message-ie-profile-v1 and add the interested messages and their IEs to it. GTPv1 uses the IE number to identify IEs. In this example, per 3GPP TS 29.060, message type 2 is an Echo Response and message type 16 is a Create PDP Context Request. For message type 2, IE 14 is the Recovery IE, which is mandatory in an Echo Response. For message type 16, the IEs provided are mandatory IEs in a Create PDP Context Request.
  3. Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which help you define the Must-IEs of interested messages.
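
To make the GTPv1 check concrete, the following added example (not Juniper code and not part of the original page) walks the TV/TLV-encoded IEs of a GTPv1-C message and applies a Must-IE profile to it. The function names, the profile dictionary, the IE list chosen for message type 16, and the sample messages are all constructed for illustration; extension headers are not handled.

```python
import struct

# Fixed value lengths for a subset of GTPv1 TV IEs (type < 128), per 3GPP TS 29.060.
TV_LEN = {1: 1, 2: 8, 3: 6, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1}
# Hypothetical Must-IE profile: message 2 / IE 14 is from the page; the list for 16 is illustrative.
MUST_IE_V1 = {2: {14}, 16: {16, 20, 133, 135}}

def parse_gtpv1(msg):
    """Return (message_type, set of IE numbers) for a GTPv1-C message."""
    if len(msg) < 8 or msg[0] >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    flags, mtype, length = struct.unpack_from("!BBH", msg)
    if len(msg) != 8 + length:
        raise ValueError("length field does not match message size")
    # Sequence number, N-PDU number and next-extension octets follow the TEID
    # when any of the E, S or PN flags is set.
    off = 12 if flags & 0x07 else 8
    if off > len(msg):
        raise ValueError("truncated header")
    ies = set()
    while off < len(msg):
        ie = msg[off]
        if ie < 128:                      # TV: value length is implied by the type
            if ie not in TV_LEN:
                raise ValueError(f"unknown TV IE {ie}, cannot continue parsing")
            hdr, vlen = 1, TV_LEN[ie]
        else:                             # TLV: two-octet length follows the type
            if off + 3 > len(msg):
                raise ValueError("truncated TLV header")
            hdr, vlen = 3, struct.unpack_from("!H", msg, off + 1)[0]
        if off + hdr + vlen > len(msg):
            raise ValueError(f"IE {ie} overruns the message")
        ies.add(ie)
        off += hdr + vlen
    return mtype, ies

def must_ie_check(msg, profile=MUST_IE_V1):
    """True = forward, False = drop (a Must-IE is missing or the message is malformed)."""
    try:
        mtype, ies = parse_gtpv1(msg)
    except ValueError:
        return False
    return profile.get(mtype, set()) <= ies   # no profile entry: nothing is required

def gtpv1(mtype, ies, seq=1):                 # build a constructed message with the S flag set
    return struct.pack("!BBHIHBB", 0x32, mtype, 4 + len(ies), 0, seq, 0, 0) + ies

# Constructed samples: Echo Response with and without the Recovery IE (14).
ECHO_OK = gtpv1(2, b"\x0e\x05")
ECHO_NO_RECOVERY = gtpv1(2, b"")
```

A declared IE length that runs past the end of the message is treated as a drop here, so a malformed message cannot pass the check by hiding a Must-IE number inside another IE's value.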

Configure Must-IE check for GTPv2

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure a GTPv2 message-ie profile. In this example, we have created a profile named msgie-v2.
  2. Define a grouped-ie-profile and link it to the IEs. A grouped IE is a group of IEs, or a group of grouped IEs. For example, Bearer Context is a grouped IE containing multiple IEs. PDN Connection is another grouped IE containing multiple instances of Bearer Context and other IEs. You must link a grouped-ie-profile only to a grouped IE; otherwise, you receive the error “Error: IE %d is not a grouped-ie”.
  3. Create a message-ie-profile-v2 and add the interested messages and their IEs to it. We call the messages interested messages because the IEs are not defined as mandatory in the TS. GTPv2 uses the IE number and the instance number to identify IEs. Instance is defined in 3GPP TS 29.274 for GTPv2 only. If more than one IE of the same type is sent in a message for different purposes, these IEs have different instance values. If you do not specify the instance value, the device automatically uses the default value of 0.
  4. Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which help you define the Must-IEs of interested messages.
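
The following added example (not Juniper code and not part of the original page) shows how a GTPv2 Must-IE check has to match on the IE number and the instance together, and how a grouped-IE profile is applied to the IEs nested inside Bearer Context. The profile dictionaries, function names, and sample message are constructed for illustration; requiring every occurrence of a grouped IE to satisfy its profile is an assumption of this sketch.

```python
import struct

# Hypothetical profiles: {(ie_type, instance): nested grouped-IE profile or None}
BEARER_CTXT_CRT = {(73, 0): None}              # EPS Bearer ID inside the group
MSGIE_V2 = {32: {(1, 0): None,                 # Create Session Request: IMSI
                 (93, 0): BEARER_CTXT_CRT}}    # Bearer Context (grouped), instance 0

def parse_ies(buf):
    """Parse TLIV-encoded IEs into {(type, instance): [value, ...]}."""
    ies, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated IE header")
        ie, length, inst = struct.unpack_from("!BHB", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"IE {ie} overruns its container")
        ies.setdefault((ie, inst & 0x0F), []).append(buf[off:off + length])
        off += length
    return ies

def has_must_ies(buf, profile):
    ies = parse_ies(buf)                       # buf is a message body or a grouped IE value
    for key, nested in profile.items():
        if key not in ies:
            return False
        # Assumption: every occurrence of a grouped IE must satisfy its nested profile.
        if nested is not None and not all(has_must_ies(v, nested) for v in ies[key]):
            return False
    return True

def must_ie_check_v2(msg, profiles=MSGIE_V2):  # True = forward, False = drop
    if len(msg) < 8 or msg[0] >> 5 != 2:
        return False
    flags, mtype, length = struct.unpack_from("!BBH", msg)
    hdr = 12 if flags & 0x08 else 8            # T flag set: TEID field present
    if len(msg) != 4 + length or len(msg) < hdr:
        return False
    try:
        return has_must_ies(msg[hdr:], profiles.get(mtype, {}))
    except ValueError:
        return False

def tliv(ie, inst, value):                     # build one constructed IE
    return struct.pack("!BHB", ie, len(value), inst) + value
def csr(body):                                 # constructed Create Session Request, T=1
    return struct.pack("!BBHI", 0x48, 32, 8 + len(body), 0) + b"\x00\x00\x01\x00" + body

# Constructed sample: IMSI plus a Bearer Context (instance 0) carrying EBI 5
GOOD = csr(tliv(1, 0, bytes.fromhex("00101021436587f9")) + tliv(93, 0, tliv(73, 0, b"\x05")))
```

A Bearer Context sent with instance 1 does not satisfy a Must-IE entry for instance 0, even though both carry IE number 93.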

Results

From configuration mode, confirm your configuration by entering the show security gprs gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify the GTPv1 Message-IE Profile

Purpose

To verify the GTPv1 Message-IE profile.

Action

From operational mode, enter the show security gprs gtp message-ie-profile-v1 (all | <msgie-prf-v1-name>) command.

user@host> show security gprs gtp message-ie-profile-v1 all
user@host> show security gprs gtp message-ie-profile-v1 msgie-v1

Meaning

The output displays the details of the GTPv1 Message-IE profile.

Verify the GTPv2 Message-IE Profile

Purpose

To verify the GTPv2 Message-IE profile.

Action

From operational mode, enter the show security gprs gtp message-ie-profile-v2 (all | <msgie-prf-v2-name>) command.

user@host> show security gprs gtp message-ie-profile-v2 all
user@host> show security gprs gtp message-ie-profile-v2 msgie-v2

Meaning

The output displays the details of the GTPv2 Message-IE profile.

Verify the grouped-ie profile

Purpose

To verify the grouped-ie profile.

Action

From operational mode, enter the show security gprs gtp grouped-ie-profile (all | <grpie-prf-name>) command.

user@host> show security gprs gtp grouped-ie-profile all
user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-crt
user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-rmv

Meaning

The output displays the details of the grouped-IE profile.