Introduction to GPRS
Learn about GPRS architecture, interfaces, GTP security risks, and Junos OS support including IPv4/IPv6, ISSU, and central point architecture enhancements.
General Packet Radio Service (GPRS) networks connect to multiple external networks, including roaming partner networks, corporate intranet, GPRS Roaming Exchange (GRX) providers, and the public Internet. Operators must secure these connections while controlling access, and Juniper Networks provides solutions for these security challenges.
A key vulnerability in GPRS architecture is the lack of built-in security in the GPRS Tunneling Protocol (GTP). GTP establishes tunnels between GPRS support nodes (GSNs) for user endpoints (UEs), and in 4G between the Service Gateway (SGW) and Packet Data Network Gateway (PGW). Within a tunnel, the SGSN (or SGW) encapsulates UE packets with a GTP header and forwards them to the gateway GPRS support node (GGSN or PGW), which decapsulates and sends them to external networks.
Because GTP lacks authentication, integrity, and confidentiality, inter-network communication is not inherently secure. These risks are mitigated using IPsec, traffic rate limiting, and stateful inspection, with GTP firewall features in Junos OS addressing these vulnerabilities.
GTP inspection supports both IPv4 and IPv6. A GTP tunnel can be established using either address type between:
-
SGSN (3G) or SGW (4G)
-
GGSN (3G) or PGW (4G)
The GTP ALG inspects or ignores IPv6 GTP sessions based on policy. All IPv4 ALG functions are supported for IPv6, including inspection of signaling and data messages.
Juniper Networks security devices protect the following types of GPRS interfaces:
| Interface | Network Generation | Description |
|---|---|---|
| Gn | 2G/3G | Connection between an SGSN and a GGSN within the same Public Land Mobile Network (PLMN). |
| S5 | 4G | Connection between a Serving Gateway (SGW) and a Packet Data Network Gateway (PGW) within the PLMN. |
| Gp | 2G/3G | Connection between two Public Land Mobile Networks (PLMNs). |
| S8 | 4G | Bearer plane connection between home and visited PLMNs. |
| Gi | 2G/3G | Connection between a GGSN and the Internet or destination networks connected to a PLMN. |
| SGi | 4G | Connection between a Packet Data Network Gateway (P-GW) and the Internet or destination networks connected to a PLMN. |
The term interface has different meanings in Junos OS and in GPRS technology. In Junos OS, an interface is a doorway to a security zone that allows traffic to enter and exit the zone. In GPRS, an interface is a connection, or a reference point, between two components of a GPRS infrastructure, for example, an SGSN (SGW) and a GGSN (PGW).
Gp and Gn Interfaces
You deploy a security device on the Gn interface to protect core network assets such as the SGSN (SGW) and GGSN (PGW). To secure GTP tunnels on the Gn interface, place the security device between the SGSNs (SGW) and GGSNs (PGW) within the same PLMN.
On the Gp interface, the security device protects one PLMN from another. To secure GTP tunnels on the Gp interface, position the SGSNs (SGW) and GGSNs (PGW) of the PLMN behind the security device so that all inbound and outbound traffic passes through the firewall.
The Figure 1 shows how Juniper Networks firewalls are positioned to protect PLMNs on the Gp and Gn interfaces.
Gi Interface
Deploying a security device on the Gi interface enables you to control traffic for multiple networks, protect a PLMN from the Internet and external networks, and safeguard mobile users from external threats. Junos OS supports numerous virtual routers, allowing you to dedicate one virtual router per customer network and keep traffic isolated. The security device can forward packets securely to the Internet or destination networks using Layer 2 Tunneling Protocol (L2TP) for IPsec VPN tunnels.The Figure 2 shows how a security device protects a PLMN on the Gi interface.
Operational Modes
Junos OS supports two GTP operational modes:
-
Route Mode
-
Participates in network routing
-
Requires network redesign
-
Supports active/passive and active/active chassis clusters
-
-
Transparent Mode
-
Functions as a Layer 2 bridge
-
Requires no major network changes
-
Interfaces use IP 0.0.0.0
-
Supports active/passive only
-
NAT is supported on interfaces and policies where GTP inspection is not enabled.
GTP In-Service Software Upgrade
GTP supports unified in-service software upgrade (Unified ISSU) between two firewalls running two different Junos OS releases in a chassis cluster. This enables software upgrades with:
-
No control plane distribution
-
Minimal traffic impact
GTP & SCTP Terminology
| Term | Description |
|---|---|
| GTP | |
| General Packet Radio Service (GPRS) |
A packet-based mobile data technology used in 2G and 3G networks to transmit IP data over cellular infrastructure. |
| GPRS Tunneling Protocol (GTP) |
A tunneling protocol used in mobile core networks to carry user-plane and control-plane traffic between core nodes. |
| GTP Version 0 (GTPv0) |
The earliest implementation of GTP used in initial GPRS deployments before standardization evolved. |
| GTP Version 1 (GTPv1) |
Used primarily in 2G/3G networks for both control-plane signaling (GTP-C) and user-plane data transport (GTP-U). |
| GTP Version 2 (GTPv2) |
Introduced for LTE (4G) networks, mainly used for control-plane signaling such as session creation and mobility management. |
| GTP User Plane (GTP-U) |
Carries actual subscriber data (internet traffic, app data, etc.) inside a GTP tunnel between gateways. |
| GTP Control Plane (GTP-C) |
Handles signaling messages such as session creation, modification, deletion, and mobility procedures. |
| Tunnel Endpoint Identifier (TEID) |
A unique identifier used to distinguish multiple GTP tunnels between the same pair of nodes. |
| User Equipment (UE) |
The subscriber’s mobile device such as a smartphone, modem, or IoT device. |
| Mobile Station (MS) |
The 2G/3G terminology for user equipment in legacy mobile networks. |
| Serving GPRS Support Node (SGSN) |
A 2G/3G core network node responsible for mobility management and session control for users. |
| Gateway GPRS Support Node (GGSN) |
Connects the mobile core network to external IP networks like the Internet. |
| Serving Gateway (SGW) |
In LTE, forwards user-plane traffic and acts as the mobility anchor during handovers. |
| Packet Data Network Gateway (PGW) |
The LTE gateway that connects the mobile core network to external IP networks. |
| Mobility Management Entity (MME) |
LTE control-plane entity responsible for subscriber authentication, session setup, and mobility tracking. |
| Public Land Mobile Network (PLMN) |
A mobile operator’s network infrastructure (e.g., Airtel, Jio, Vodafone). |
| Access Point Name (APN) |
Defines which external network or service a mobile subscriber is allowed to access. |
| International Mobile Subscriber Identity (IMSI) |
A globally unique number that identifies a mobile subscriber. |
| Services Processing Unit (SPU) |
Hardware processing unit in devices that handles traffic sessions and inspection. |
| Network Address Translation (NAT) |
Translates private IP addresses to public IP addresses or vice versa. |
| Network Address Translation-Protocol Translation (NAT-PT) |
Translates between IPv4 and IPv6 networks. |
| Packet Mode Interface (PMI) |
Feature used for flow-based Class of Service (CoS) handling in GTP-U traffic. |
| SCTP | |
| Stream Control Transmission Protocol (SCTP) |
A reliable, message-oriented transport protocol used mainly for telecom signaling. |
| SCTP Association |
A logical connection between two SCTP endpoints that can support multiple streams. |
| Multihoming |
Allows an SCTP endpoint to use multiple IP addresses for redundancy and failover. |
| Multistreaming |
Allows multiple independent data streams within a single SCTP association. |
| MTU (Maximum Transmission Unit) |
The maximum packet size that can be transmitted on a network link without fragmentation. |
| Recovery IE (Recovery Information Element) |
A GTP parameter used to detect restart events of GSN nodes. |
| Path Restart |
Mechanism used to restart GTP paths when a peer node reboot is detected. |
| Tunnel Timeout |
Configured duration after which idle GTP tunnels are automatically removed. |
| Message-Length Filter |
Validates that GTP message size falls within configured limits. |
| Message-Type Filter |
Allows or denies specific GTP message types based on security configuration. |
| Rate-Limit |
Limits the number of GTP control messages per second to protect core nodes. |
| Path-Rate-Limit |
Limits specific GTP control message types per communication path. |
| Alarm Threshold |
Configured limit that triggers an alert when exceeded. |
| Drop Threshold |
Configured value after which packets are automatically dropped. |
| Echo Request |
GTP message used to verify availability of a peer node. |
| Echo Response |
Reply confirming the peer node is active. |
| G-PDU (GTP Protocol Data Unit) |
Encapsulated packet carrying user-plane data. |
| Radio Access Network (RAN) |
Network segment that connects user devices to the mobile core. |
| Services Processing Card (SPC) |
Hardware module in SRX5000 series responsible for traffic processing. |
| Gn Interface |
Interface between SGSN and GGSN within the same PLMN. |
| Gp Interface |
Interface between different PLMNs (inter-operator). |
| Gi Interface |
Interface between GGSN and the Internet. |
| SGi Interface |
Interface between PGW and external IP networks in LTE. |
| GRX (GPRS Roaming Exchange) |
IP backbone network interconnecting different mobile operators. |