Enabling GTP Interoperability between 2G and 3G Networks

Information elements (IEs) are included in all GPRS tunneling protocol (GTP) control message packets. IEs provide information about GTP tunnels, such as creation, modification, deletion, and status. Junos OS supports IEs consistent with Third–Generation Partnership Project (3GPP) Release 6, Release 7, Release 8, and Release 9. If you have contractual agreements with operators running earlier releases of 3GPP, you can reduce network overhead by restricting control messages containing unsupported IEs.

If a new information element (IE) is introduced, there will be no drop in GTP messages because GTP passes the messages even if it encounters unknown new IEs.

The Third-Generation Partnership Project (3GPP) R6, R7, R8, and R9 information elements (IEs) removal feature allows you to retain interoperability in roaming between Second-Generation Partnership Project (2GPP) and 3GPP networks. You can configure the GPRS tunneling protocol (GTP)-aware Juniper Networks device, residing on the border of a public land mobile network (PLMN) and a GPRS Roaming Exchange (GRX) and acting as a Gp firewall, to remove 3GPP-specific attributes from the GTP packet header when the packet passes into a 2GPP network. You can configure the device to remove the RAT, RAI, Common Flags, ULI, MS Time Zone, IMEI-SV, and access point name (APN) restriction IEs from GTP messages prior to forwarding these messages to the gateway GPRS support node (GGSN).

Junos OS supports all 3GPP R6 IEs for GTP), as listed in Table 1.

Junos OS supports all 3GPP R7 IEs for GTP, as listed in Table 2.

Junos OS supports all 3GPP R8 IEs for GTP, as listed in Table 3.

Junos OS supports all 3GPP R9 IEs for GTP, as listed in Table 4.

This example shows how to remove R6 information elements from GTP messages.

The number of network elements in a mobile network is expanding with the introduction of multiple releases of 3GPP specifications. Every release introduces newer information elements (IEs) that are not defined in the prior releases. Therefore mobile networks have diverse set of network elements creating inter operability problems between different releases of the devices. You can configure the GPRS tunneling protocol (GTP) firewall to remove information elements (IE) by release with the following command.

set security gprs gtp profile gtp1 remove-ie.

However newer IEs that will be introduced in the future releases might also cause inter operability problems. Each information element has a unique ID, the IE number. IE numbers range from 1 to 255. You can configure the GTP firewall to remove specific IEs using the user-configured IE number.

When you configure the IE removal, the GTP firewall deletes the corresponding IEs of the GTPv1 messages; updates the length of the GTP, the UDP, and the IP; and then passes the GTPv1 message. The GTP firewall also updates the cyclic redundancy check (CRC) code. IE removal by IE number supports all IEs, ranging from 1 to 255.

You can remove the IE removal configuration with the following commands:

delete security gprs gtp profile gtp1 remove-ie—Deletes the IE removal configuration for the GTP profile GTP1.

delete security gprs gtp profile gtp1 remove-ie version v1 number 4—Deletes the IE removal configuration for GTP profile with version v1 and IE number 4.

Starting from Release 20.2R1, Junos OS supports IE removal feature for both GTPv1-C and GTPv2-C.

This example shows how to configure the GPRS tunelling protocol (GTP) interface of the security device to remove user-configured IEs from GTP messages.

Information elements (IEs) are included in all GPRS tunneling protocol version 2 (GTPv2) control message packets. IEs provide information about GTPv2 tunnels, such as creation, modification, deletion, and status. The Junos operating system (Junos OS) supports IEs consistent with the Third-Generation Partnership Project (3GPP) Release 8.

Starting from Junos OS Release 20.2R1, a new IE enforcement function, Must-IE check is supported to check the presence of IEs that should be contained in a GTP message. Support for an existing feature IE removal is extended from GTPv1-C to both GTPv1-C and GTPv2-C.

Must-IE check—You can use this function to check the presence of IEs that should be contained in a GTP message. It is a function to verify the GTP message integrity. Must-IEs are not limited to the Mandatory IEs in 3GPP TS. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if Must-IEs are present. We’ve implemented Must-IE check with flexible message profile configurations, which helps you to define must IEs of interested messages. Along with appropriate message profile configurations, Must-IE check can easily accommodate any GTP releases, message format, or IE status.

IE removal—You can use this functionality to retain interoperability between Second-Generation Partnership Project (2GPP) and Third-Generation Partnership Project (3GPP) networks. You can remove IEs of specific types from all messages for GTPv1 and GTPv2. Each information element has a unique ID, the IE number. IE numbers range from 1 to 255. You can use the IE removal to configure the GTP firewall to remove specific IEs using the user-configured IE number. It enables the communication between GTP entities whose GTP protocols are of different releases. IE removal helps to remove all instances of specified IEs such as supporting IE, Grouped IE, Embedded IE, or embedded grouped IE.

SUMMARY You can enable this function to verify the presence of IEs in GTPv1 and GTPv2 message. This helps to verify message integrity. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs of specific GTP messages and forwards the messages only if Must-IEs are present.

SUMMARY You can enable this function to remove IEs of specific types from all messages for GTPv1 and GTPv2. This helps to retain interoperability between Second-Generation Partnership Project (2GPP) and Third-Generation Partnership Project (3GPP) networks.

An access point name (APN) is an information element (IE) included in the header of a GPRS tunneling protocol (GTP) packet that provides information about how to reach a network. An APN comprises two elements:

• Network ID—Identifies the name of an external network such as example.com.

• Operator ID—Uniquely identifies the operators’ public land mobile network (PLMN) such as mnc123.mcc456.

By default, the device permits all APNs. However, you can configure the device to perform APN filtering to restrict access to roaming subscribers to external networks.

To enable APN filtering, you must specify one or more APNs. To specify an APN, you need to know the domain name of the network (for example, example.com) and, optionally, the operator ID. Because the domain name (network ID) portion of an APN can potentially be very long and contain many characters, you can use the wildcard (*) as the first character of the APN. The wildcard indicates that the APN is not limited only to example.com but also includes all the characters that might precede it.

You may also set a selection mode for the APN. The selection mode indicates the origin of the APN and whether or not the Home Location Register (HLR) has verified the user subscription. You set the selection mode according to the security needs of your network. Possible selection modes include the following:

• Mobile Station—Mobile station-provided APN, subscription not verified.

  This selection mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user’s subscription to the network.

• Network—Network-provided APN, subscription not verified.

  This selection mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user’s subscription to the network.

• Verified—MS or network-provided APN, subscription verified.

  This selection mode indicates that the MS or the network provided the APN and that the HLR verified the user’s subscription to the network.

APN filtering applies only to create-pdp-request messages. When performing APN filtering, the device inspects GTP packets to—look for APNs that match APNs that you set. If the APN of a GTP packet matches an APN that you specified, the device then verifies the selection mode and only forwards the GTP packet if both the APN and the selection mode match the APN and the selection mode that you specified. Because APN filtering is based on perfect matches, using the wildcard (*) when setting an APN suffix can prevent the inadvertent exclusion of APNs that you would otherwise authorize.

Additionally, the device can filter GTP packets based on the combination of an International Mobile Subscriber Identity (IMSI) prefix and an APN. When you filter GTP packets based on an IMSI prefix, you must also specify an APN.

An APN string is case-insensitive. For instance, in the following example you set two APN strings, WWW.EXAMPLE.COM and www.example.com, with the same IMSI prefix value. In this configuration, the lowercase string will display after the uppercase string, and the packet will be dropped.

user@host# show configuration security gprs gtp | display set

set security gprs gtp profile test apn WWW.EXAMPLE.COM imsi-prefix * action pass

set security gprs gtp profile test apn www.example.com imsi-prefix * action drop

If an APN is configured with two IMSI prefix entries, then the IMSI prefix with the longest match takes priority. For example, see the following configuration:

user@host# show configuration security gprs gtp | display set

set security gprs gtp profile test apn WWW.EXAMPLE.COM imsi-prefix 12345678 action pass

set security gprs gtp profile test apn www.example.com imsi-prefix 12345 action drop

If an incoming packet value matches the IMSI prefix value 12345678, then the packet will pass. The IMSI prefix value 12345678 takes precedence over the IMSI prefix value 12345, as the longest matched IMSI prefix takes priority.

This example shows how to set a GTP APN and a selection mode.

A GPRS support node (GSN) identifies a mobile station (MS) by its International Mobile Station Identity (IMSI). An IMSI consists of three elements: the mobile country code (MCC), the mobile network code (MNC), and the Mobile Subscriber Identification Number (MSIN). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or public land mobile network (PLMN).

By setting IMSI prefixes, you can configure the device to deny GPRS tunneling protocol (GTP) traffic coming from nonroaming partners. By default, a device does not perform IMSI prefix filtering on GTP packets. By setting IMSI prefixes, you configure the device to filter create-pdp-request messages and permit only GTP packets with IMSI prefixes that match the ones you set. The device allows GTP packets with IMSI prefixes that do not match any of the IMSI prefixes that you set. To block GTP packets with IMSI prefixes that do not match any of the IMSI prefixes set, use an explicit wildcard for the IMSI filter, and the drop action should be the last IMSI prefix filtering policy.

When you filter GTP packets based on an IMSI prefix, you must also specify an APN.

This example shows how to set and combine IMSI prefix and APN filter.

A GPRS support node (GSN) identifies a Mobile Station (MS) by its International Mobile Subscriber Identity (IMSI). An IMSI comprises three elements: the mobile country code (MCC), the mobile network code (MNC), and the Mobile Subscriber Identification Number (MSIN). The MCC is a three-digit number, and the MNC is a two-digit or three-digit number. The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network or public land mobile network (PLMN). Therefore, the IMSI prefix acts as the PLMN identifier and is used to identify valid roaming partners.

By default, a device does not perform IMSI prefix filtering on GPRS tunneling protocol version 2 (GTPv2) packets. By setting IMSI prefixes, you configure the device to filter create-session-request messages and permit only GTPv2 packets with IMSI prefixes that match the ones you set.

When you filter GTPv2 packets based on an IMSI prefix, you must also specify an access point name (APN).

An APN is an information element (IE) included in the header of a GTPv2 packet that provides information about how to reach a network. An APN comprises two elements:

• Network ID—Identifies the name of an external network, such as example.com.

• Operator ID—Uniquely identifies the operators’ PLMN, such as mnc123.mcc789.gprs.

For example, example.com.mnc123.mcc789.gprs is an APN for reaching the example.com network through the mnc123.mcc789.gprs operator.

By default, a device does not perform APN filtering on GTPv2 packets. However, you can configure the device to perform APN filtering to restrict access to roaming subscribers to external networks.

You can use the set security gprs gtp profile profile name apn pattern-string imsi-prefix imsi-prefix-digits action (pass |drop |selection) configuration statement to filter packets based on the combination of an IMSI prefix and an APN.

To specify an APN, you need to know the network ID or the domain name of the network (for example, example.com) and, optionally, the operator ID. Because the network ID portion of an APN can be very long, you can use the wildcard (*) as the first character of the APN string. For example, if you use *.example.com as the network ID, the wildcard indicates that the APN is not limited only to example.com but also includes all the characters that might precede it.

You can use the selection option to set a selection mode for the APN. The selection mode indicates the origin of the APN and whether or not the Home Location Register (HLR) has verified the user subscription. You set the selection mode according to the security needs of your network. Possible selection modes include the following:

• ms—MS-provided APN, subscription is not verified.

• net—Network-provided APN, subscription is not verified.

• vrf—MS-provided or network-provided APN, subscription is verified.

You can use the drop option to drop all APNs and the pass option to pass all APNs for any selection mode.

When performing APN filtering, the device inspects packets to look for APNs that match APNs that you set. If the APN of a packet matches an APN that you specified, then the device verifies the selection mode and forwards the GTPv2 packet.

The device only forwards the GTPv2 packet if both the APN and the selection mode match the APN and the selection mode that you specified.

Because APN filtering is based on perfect matches, using the wildcard (*) when setting an APN suffix can prevent the inadvertent exclusion of APNs that you would otherwise authorize.

IMSI prefix and APN filtering apply to create-session-request messages only.