
GTPv1 and GTPv2 Information Element Removal

Learn how to manage GTPv1 and GTPv2 information elements by enforcing Must-IE checks and by removing release-specific or IE-specific elements to ensure message integrity and interoperability across different 3GPP versions.

GTPv1 Information Element Removal

The number of network elements in a mobile network is expanding with the introduction of multiple releases of 3GPP specifications. Every release introduces newer IEs that are not defined in the prior releases. Therefore, mobile networks have a diverse set of network elements, which creates interoperability problems between different releases of the devices. You can configure the GTP firewall to remove IEs by release with the following command:

set security gtp profile gtp1 remove-ie

However, newer IEs that will be introduced in future releases might also cause interoperability problems. Each information element has a unique ID, the IE number. IE numbers range from 1 to 255. You can configure the GTP firewall to remove specific IEs using the user-configured IE number.

When you configure IE removal, the GTP firewall deletes the corresponding IEs from the GTPv1 messages; updates the GTP, UDP, and IP length fields; and then passes the GTPv1 message. The GTP firewall also updates the cyclic redundancy check (CRC) code. IE removal by IE number supports all IEs, ranging from 1 to 255.
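The removal step described above, sketched in Python as an added example (not Junos code or part of the original page): it walks the TV and TLV IEs of a GTPv1-C message, drops IE number 4, and rewrites the GTP length field. The TV length table is a subset of 3GPP TS 29.060, the sample message is constructed, and the UDP and IP length and checksum updates that the firewall also performs are left out.

```python
import struct

# Fixed value lengths for some GTPv1 TV-format IEs (types < 128), a subset of
# 3GPP TS 29.060; the TV format carries no length field on the wire.
TV_LEN = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1}

def split_ies(body):
    """Yield (ie_number, raw_bytes) for each IE in a GTPv1-C message body."""
    i = 0
    while i < len(body):
        t = body[i]
        if t & 0x80:                       # TLV: type, 2-byte length, value
            if i + 3 > len(body):
                raise ValueError("truncated TLV header")
            end = i + 3 + struct.unpack_from("!H", body, i + 1)[0]
        elif t in TV_LEN:                  # TV: type, fixed-size value
            end = i + 1 + TV_LEN[t]
        else:
            raise ValueError(f"TV IE {t} not in table, cannot find its end")
        if end > len(body):
            raise ValueError(f"IE {t} overruns the message")
        yield t, body[i:end]
        i = end

def remove_ies(msg, numbers):
    """Return msg without the IEs in `numbers`, with the GTP length rewritten."""
    flags, mtype, length, teid = struct.unpack_from("!BBHI", msg, 0)
    opt = 4 if flags & 0x07 else 0         # seq/N-PDU/next-ext if E, S or PN set
    if flags >> 5 != 1 or len(msg) != 8 + length or length < opt:
        raise ValueError("not a well-formed GTPv1 message")
    if flags & 0x04 and msg[11]:
        raise ValueError("extension headers are not handled here")
    kept = b"".join(raw for n, raw in split_ies(msg[8 + opt:]) if n not in numbers)
    payload = msg[8:8 + opt] + kept
    return struct.pack("!BBHI", flags, mtype, len(payload), teid) + payload

# Constructed sample: Create PDP Context Request (type 16) with the S flag set,
# carrying IMSI (2), TLLI (4), NSAPI (20) and APN (131, TLV).
SAMPLE = (bytes.fromhex("3210002000000000" "00010000")
          + b"\x02" + bytes.fromhex("2143658709214365")
          + b"\x04" + bytes.fromhex("c0000001")
          + b"\x14\x05"
          + b"\x83\x00\x09" + b"\x08internet")

STRIPPED = remove_ies(SAMPLE, {4})         # the IE number used in this page's example
```
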

You can remove the IE removal configuration with the following commands:

delete security gtp profile <gtp1> remove-ie—Deletes the IE removal configuration for the GTP profile gtp1.

delete security gtp profile <gtp1> remove-ie version <v1> number <4>—Deletes the IE removal configuration for GTP profile with version v1 and IE number 4.

Junos OS supports the IE removal feature for both GTPv1-C and GTPv2-C.

Example: Remove GTPv1 Information Elements with IE Number

This example shows how to configure the GPRS tunneling protocol (GTP) interface of the security device to remove user-configured IEs from GTP messages.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you configure IE removal for the GTP profile called gtp1. The device removes the IE based on the user‑configured IE number 4.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure the GTP interface of the security device to remove user-configured IEs from the GTP message:

  1. Specify the GTP profile.

  2. Specify the IE number.

Results

From configuration mode, confirm your configuration by entering the show security gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

GTPv2 Information Elements

Information elements (IEs) are included in all GTPv2 control message packets. IEs provide information about GTPv2 tunnels, such as creation, modification, deletion, and status. Junos OS supports IEs consistent with 3GPP Release 8.

A new IE enforcement function, Must-IE check, is supported to check the presence of IEs that should be contained in a GTP message. Support for the existing IE removal feature is extended from GTPv1-C to both GTPv1-C and GTPv2-C.

Must-IE check—You can use this function to check the presence of IEs that should be contained in a GTP message. It is a function to verify the GTP message integrity. Must-IEs are not limited to the Mandatory IEs in 3GPP TS. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if the Must-IEs are present. We’ve implemented Must-IE check with flexible message profile configurations, which help you to define the Must-IEs of interested messages. Along with appropriate message profile configurations, Must-IE check can easily accommodate any GTP release, message format, or IE status.

Example: Configure Must-IE check for GTPv1 and GTPv2

You can enable this function to verify the presence of IEs in GTPv1 and GTPv2 messages. This helps to verify message integrity. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if the Must-IEs are present.

Requirements

This example uses the following hardware and software components:

  • A firewall.

  • Junos OS Release 20.2R1.

Overview

GTPv1 IEs are encoded in TV or TLV format. Therefore, GTPv1 uses the IE number to identify IEs. GTPv2 IEs are encoded in TLIV format. Therefore, GTPv2 uses the IE number and the instance number to identify IEs.
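An added Python example (not Junos code or part of the original page) of the check that this overview and the Must-IE description imply for GTPv2: IEs are parsed as TLIV, matched on IE number plus instance, and grouped IEs are checked against a nested profile. The profile dictionary layout, the helper names, and the sample message are constructed for illustration.

```python
import struct

def tliv(buf):
    """Parse GTPv2 TLIV IEs into a list of ((type, instance), value)."""
    out, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated IE header")
        ie_type, length, inst = struct.unpack_from("!BHB", buf, i)
        if i + 4 + length > len(buf):
            raise ValueError(f"IE {ie_type} overruns its container")
        out.append(((ie_type, inst & 0x0F), buf[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def missing_must_ies(msg, profile):
    """Return the Must-IEs absent from msg; an empty list means 'forward'."""
    flags, mtype, length = struct.unpack_from("!BBH", msg, 0)
    if flags >> 5 != 2 or len(msg) != 4 + length:
        raise ValueError("not a well-formed GTPv2-C message")
    ies = tliv(msg[12 if flags & 0x08 else 8:])    # T flag adds a 4-byte TEID
    return _check(ies, profile.get(mtype, {}), ())

def _check(ies, must, path):
    missing = []
    for key, nested in must.items():
        found = [value for k, value in ies if k == key]
        if not found:
            missing.append(path + (key,))
        for value in found if nested else ():      # grouped IE: check members
            missing += _check(tliv(value), nested, path + (key,))
    return missing

def ie(ie_type, inst, value):
    return struct.pack("!BHB", ie_type, len(value), inst) + value

def gtpv2(mtype, ies, seq=1):
    body = struct.pack("!I", 0) + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", 0x48, mtype, len(body)) + body

# Hypothetical profile: Create Session Request (32) must carry IMSI (1),
# RAT Type (82) and a Bearer Context (93) holding EBI (73) and Bearer QoS (80).
PROFILE = {32: {(1, 0): None, (82, 0): None,
                (93, 0): {(73, 0): None, (80, 0): None}}}

# Constructed message whose Bearer Context lacks Bearer QoS.
SAMPLE = gtpv2(32, ie(1, 0, bytes.fromhex("2143658709214365"))
               + ie(82, 0, b"\x06") + ie(93, 0, ie(73, 0, b"\x05")))
RESULT = missing_must_ies(SAMPLE, PROFILE)
```
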

Configuration

Configure Must-IE check for GTPv1

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. If you need help, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure a GTPv1 message-ie profile msgie-v1. In this example, we have created a profile named msgie-v1.

  2. Create message‑ie-profile‑v1 and add the interested message types and IEs to this profile. GTPv1 uses IE numbers to identify individual information elements. In this example, based on 3GPP TS 29.060, message type 2 corresponds to an Echo Response, and message type 16 corresponds to a Create PDP Context Request. For message type 2, IE 14 is the Recovery IE, which is mandatory for an Echo Response. For message type 16, the listed IEs are mandatory information elements for a Create PDP Context Request.

  3. Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which helps you to define Must-IEs of interested messages.

Configure Must-IE check for GTPv2

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure a GTPv2 message-ie profile msgie-v2. In this example, we have created a profile named msgie-v2.

  2. Define a grouped‑IE profile and link it to the appropriate grouped IEs. A grouped IE consists of multiple IEs or even multiple grouped IEs. For example, Bearer Context is a grouped IE that contains several IEs, and PDN Connection is another grouped IE that includes multiple instances of Bearer Context along with other IEs. You must link a grouped‑IE profile only to a grouped IE; otherwise, the system returns the following error:

    “Error: IE %d is not a grouped‑ie”.

  3. We call these messages interested messages because the IEs are not defined as mandatory in the TS. Create message‑ie-profile‑v2 and add interested message types and IEs to this profile. The instance field is defined in 3GPP TS 29.274 and applies only to GTPv2. If a message includes more than one IE of the same type for different purposes, each IE is assigned a unique instance value. If you do not specify the instance value, the device automatically uses the default value of 0.

  4. Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which help you to define the Must-IEs of interested messages.

Results

From configuration mode, confirm your configuration by entering the show security gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verify the GTPv1 Message-IE Profile

Purpose

To verify the GTPv1 Message-IE profile.

Action

From operational mode, enter the show security gtp message-ie-profile-v1 (all | <msgie-prf-v1-name>) command.

Meaning

The output displays the details of the GTPv1 Message-IE profile.

Verify the GTPv2 Message-IE Profile

Purpose

To verify the GTPv2 Message-IE profile.

Action

From operational mode, enter the show security gtp message-ie-profile-v2 (all | <msgie-prf-v2-name>) command.

Meaning

The output displays the details of the GTPv2 Message-IE profile.

Verify the grouped-ie profile

Purpose

To verify the grouped-ie profile.

Action

From operational mode, enter the show security gtp grouped-ie-profile (all | <grpie-prf-name>) command.

Meaning

The output displays the details of the grouped-IE profile.

Example: Configure IE Set removal for GTPv1 and GTPv2

You can enable this function to remove IE sets of specific types from all messages for GTPv1 and GTPv2. This helps to retain interoperability between 2GPP and 3GPP networks.

Requirements

This example uses the following hardware and software components:

  • A firewall.

  • Junos OS Release 20.2R1.

Overview

The number of network elements in a mobile network is expanding with the introduction of multiple releases of 3GPP specifications. Every release introduces newer information elements (IEs) that are not defined in the prior releases. Therefore, mobile networks have a diverse set of network elements, which creates interoperability problems between different releases of the devices.

In this example, you remove IE sets of specific types from all messages for GTPv1 and GTPv2. This enables communication between GTP entities whose GTP protocols are of different releases. This configuration helps to remove all instances of specified IE sets such as supporting IE, grouped IE, embedded IE, or embedded grouped IE.

The IE removal function extends support to both GTPv1-C and GTPv2-C. You can use this functionality to retain interoperability between 2GPP and 3GPP networks.

Configuration

Configure IE set removal for GTPv1

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure an IE set for GTPv1. In this example, we have created an IE set named ieset-v1-r7.

  2. Bind the IE set to the GTP profile as a remove‑ie configuration. In this example, bind ieset‑v1‑r7 as remove‑ie‑v1.

  3. Bind the IE set to the GTP profile as remove-ie. In this example, bind ieset-v1 as remove-ie-v1.

Configure IE set removal for GTPv2

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure an IE set for GTPv2. In this example, we have created an IE set named ieset-v2.

  2. Add interested IEs to the ieset-v2.

  3. Bind the IE set to the GTP profile as a remove-ie configuration. In this example, bind ieset-v2 as remove-ie-v2.

Results

From configuration mode, confirm your configuration by entering the show security gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

Verify GTPv1 and GTPv2 IE removal Profile

Purpose

To verify the GTPv1 and GTPv2 IE removal profile.

Action

From operational mode, enter the show security gtp ie-set (all | <ieset-name>) command.

Meaning

The output displays the details of the GTPv1 and GTPv2 IE set removal profile.