GTPv1 Message Filtering
A GTP packet consists of a message body and three headers: GTP, UDP, and IP. The device passes or drops each GTP packet according to the configured GTP message filters, which match on message length and message type.
Understanding GTP Message Filtering
When the device receives a GPRS tunneling protocol (GTP) packet, it checks the packet against the policies configured on the device. If the packet matches a policy, the device inspects it according to the GTP configuration applied to that policy. If the packet fails any of the GTP configuration checks, the device passes or drops it based on the configuration of the GTP inspection object.
A GTP packet consists of the message body and three headers: GTP, UDP, and IP. If the resulting IP packet is larger than the maximum transmission unit (MTU) of the transferring link, the sending Serving GPRS Support Node (SGSN) or gateway GPRS support node (GGSN) performs IP fragmentation.
By default, the device buffers IP fragments until it has received the complete GTP message, and then inspects the reassembled message.
Understanding GTP Message-Length Filtering
You can configure the device to drop packets that do not meet your specified minimum or maximum message lengths. In the GPRS tunneling protocol (GTP) header, the message length field indicates the length, in octets, of the GTP payload, that is, everything that follows the fixed GTP header (20 octets in GTPv0, 8 octets in GTPv1; in GTPv1 the optional sequence number, N-PDU number, and next-extension-header fields, when present, count toward the length). It does not include the fixed GTP header itself, the UDP header, or the IP header. The default minimum and maximum GTP message lengths are 0 and 65,535 bytes, respectively.
Understanding GTP Message-Type Filtering
You can configure the device to filter GPRS tunneling protocol (GTP) packets and permit or deny them based on their message type. By default, the device permits all GTP message types.
A GTP message type groups one or more messages. When you permit or deny a message type, you automatically permit or deny every message in that group. For example, if you drop the sgsn-context message type, you drop sgsn-context-request, sgsn-context-response, and sgsn-context-acknowledge messages.
You permit and deny message types per GTP version number. For example, you can deny a message type for one version while permitting it for the other.
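The following Python is an added illustration of the two checks described above, the message-length bounds and per-version message-type drops; it is not code from this page or from Junos OS. The GTPv1 message-type numbers are the 3GPP TS 29.060 values, mapped onto the message-type keywords the page uses in Table 1 below; the GtpProfile structure, the packet builder, and every sample packet are constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# GTPv1 message-type values from 3GPP TS 29.060, mapped onto the message-type
# keywords the page uses for filtering (one keyword covers every message in its
# group). Only the types needed for this example are listed.
MESSAGE_TYPE_GROUPS = {
    1: "echo", 2: "echo",
    3: "version-not-supported",
    16: "create-pdp", 17: "create-pdp",
    18: "update-pdp", 19: "update-pdp",
    20: "delete-pdp", 21: "delete-pdp",
    26: "error-indication",
    34: "failure-report", 35: "failure-report",
    50: "sgsn-context", 51: "sgsn-context", 52: "sgsn-context",
    255: "gtp-pdu",
}
MANDATORY_HEADER = 8  # GTPv1 octets that the length field does not count


@dataclass
class GtpProfile:
    """The subset of a GTP inspection object modelled here (hypothetical structure)."""
    min_message_length: int = 0
    max_message_length: int = 65535
    drop: set = field(default_factory=set)  # {(keyword, version)}, e.g. ("error-indication", 1)


def build_gtpv1(msg_type: int, body: bytes, seq: Optional[int] = None, teid: int = 0) -> bytes:
    """Assemble a GTPv1 message. Used only to construct sample packets below."""
    flags = 0x30  # version 1, PT=1 (GTP rather than GTP')
    optional = b""
    if seq is not None:
        flags |= 0x02  # S flag: optional sequence number field present
        optional = struct.pack("!HBB", seq, 0, 0)  # seq, N-PDU number, next ext header
    length = len(optional) + len(body)  # everything after the 8 mandatory octets
    return struct.pack("!BBHI", flags, msg_type, length, teid) + optional + body


def inspect(packet: bytes, profile: GtpProfile) -> tuple:
    """Apply length and message-type filtering to one GTP message (IP/UDP stripped)."""
    if len(packet) < MANDATORY_HEADER:
        return "drop", "truncated GTP header"
    flags, msg_type, length, _teid = struct.unpack("!BBHI", packet[:MANDATORY_HEADER])
    version = flags >> 5
    if version != 1:
        # GTPv0 has a different, 20-octet fixed header; this example parses v1 only.
        return "drop", f"GTP version {version} not parsed by this example"
    actual = len(packet) - MANDATORY_HEADER
    if length != actual:
        # A length field that disagrees with what arrived is malformed, not just long.
        return "drop", f"length field {length} disagrees with {actual} octets received"
    if not profile.min_message_length <= length <= profile.max_message_length:
        return "drop", (f"length {length} outside "
                        f"[{profile.min_message_length}, {profile.max_message_length}]")
    keyword = MESSAGE_TYPE_GROUPS.get(msg_type)
    if keyword is None:
        return "pass", f"message type {msg_type} not in table, permitted by default"
    if (keyword, version) in profile.drop:
        return "drop", f"message type {keyword} ({msg_type}) denied for version {version}"
    return "pass", f"{keyword} ({msg_type}), length {length}"


def run_samples() -> dict:
    """Run constructed sample messages through the profile the page's examples build."""
    profile = GtpProfile(min_message_length=8, max_message_length=1200,
                         drop={("error-indication", 1), ("failure-report", 1)})
    # Constructed bodies: an IMSI IE (type 2, 8 octets) or TEID/address IEs; not real traffic.
    imsi_ie = b"\x02" + bytes.fromhex("2143658709214365")
    error_ind_body = b"\x10" + bytes(4) + b"\x85\x00\x04" + bytes([10, 0, 0, 1])
    samples = {
        "create-req": build_gtpv1(16, imsi_ie, seq=1),
        "echo-req": build_gtpv1(1, b"", seq=7),              # length field is only 4
        "error-ind": build_gtpv1(26, error_ind_body),
        "failure-rep": build_gtpv1(34, imsi_ie, seq=9),
        "jumbo-gpdu": build_gtpv1(255, bytes(1300), seq=3),  # 1304 > max-message-length
        "bad-length": build_gtpv1(16, imsi_ie, seq=1)[:-3],  # body shorter than length field
    }
    return {name: inspect(pkt, profile) for name, pkt in samples.items()}
```

Two points worth noticing when you run it. A GTPv1 echo request that carries a sequence number has a length field of only 4, so the 8-octet minimum used in the page's length example drops it in this model; measure what your own control traffic carries before tightening min-message-length. And a length field that disagrees with the octets actually received is rejected before the min/max comparison, because trusting the field alone would let a short packet claim a legitimate length.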
Example: Setting the GTP Message-Length Filtering
This example shows how to set the GTP message lengths.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you configure the minimum GTP message length to 8 octets and the maximum GTP message length to 1200 octets for the GTP inspection object.
Configuration
Procedure
Step-by-Step Procedure
To configure the GTP message lengths:
Specify the GTP profile.
[edit] user@host# set security gprs gtp profile gtp1
Specify the minimum message length.
[edit] user@host# set security gprs gtp profile gtp1 min-message-length 8
Specify the maximum message length.
[edit] user@host# set security gprs gtp profile gtp1 max-message-length 1200
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify that the configuration is working properly, enter the show security gprs command.
Supported GTP Message Types
Table 1 lists the GTP messages supported in GTP Releases 1997 and 1999 (including charging messages for GTP) and the message types that you can use to configure GTP message-type filtering.
| Message | Message Type | Version 0 | Version 1 |
|---|---|---|---|
| create AA pdp context request | create-aa-pdp | ✓ | |
| create AA pdp context response | create-aa-pdp | ✓ | |
| create pdp context request | create-pdp | ✓ | ✓ |
| create pdp context response | create-pdp | ✓ | ✓ |
| data record request | data-record | ✓ | ✓ |
| data record response | data-record | ✓ | ✓ |
| delete AA pdp context request | delete-aa-pdp | ✓ | |
| delete AA pdp context response | delete-aa-pdp | ✓ | |
| delete pdp context request | delete-pdp | ✓ | ✓ |
| delete pdp context response | delete-pdp | ✓ | ✓ |
| echo request | echo | ✓ | ✓ |
| echo response | echo | ✓ | ✓ |
| error indication | error-indication | ✓ | ✓ |
| failure report request | failure-report | ✓ | ✓ |
| failure report response | failure-report | ✓ | ✓ |
| forward relocation request | fwd-relocation | ✓ | ✓ |
| forward relocation response | fwd-relocation | ✓ | ✓ |
| forward relocation complete | fwd-relocation | ✓ | ✓ |
| forward relocation complete acknowledge | fwd-relocation | ✓ | ✓ |
| forward SRNS context | fwd-srns-context | ✓ | ✓ |
| forward SRNS context acknowledge | fwd-srns-context | ✓ | ✓ |
| identification request | identification | ✓ | ✓ |
| identification response | identification | ✓ | ✓ |
| node alive request | node-alive | ✓ | ✓ |
| node alive response | node-alive | ✓ | ✓ |
| note MS GPRS present request | note-ms-present | ✓ | ✓ |
| note MS GPRS present response | note-ms-present | ✓ | ✓ |
| pdu notification request | pdu-notification | ✓ | ✓ |
| pdu notification response | pdu-notification | ✓ | ✓ |
| pdu notification reject request | pdu-notification | ✓ | ✓ |
| pdu notification reject response | pdu-notification | ✓ | ✓ |
| RAN info relay | ran-info | ✓ | ✓ |
| redirection request | redirection | ✓ | ✓ |
| redirection response | redirection | ✓ | ✓ |
| relocation cancel request | relocation-cancel | ✓ | ✓ |
| relocation cancel response | relocation-cancel | ✓ | ✓ |
| send route info request | send-route | ✓ | ✓ |
| send route info response | send-route | ✓ | ✓ |
| sgsn context request | sgsn-context | ✓ | ✓ |
| sgsn context response | sgsn-context | ✓ | ✓ |
| sgsn context acknowledge | sgsn-context | ✓ | ✓ |
| supported extension headers notification | supported-extension | ✓ | ✓ |
| g-pdu | gtp-pdu | ✓ | ✓ |
| update pdp context request | update-pdp | ✓ | ✓ |
| update pdp context response | update-pdp | ✓ | ✓ |
| version not supported | version-not-supported | ✓ | ✓ |
Example: Filtering GTP Message Types
This example shows how to permit and deny GTP message types.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, for the gtp1 profile, you configure the device to drop the error-indication and failure-report message types for version 1.
Configuration
Procedure
Step-by-Step Procedure
To permit and deny GTP message types:
Specify the GTP profile.
[edit] user@host# set security gprs gtp profile gtp1
Drop the error-indication message type for version 1.
[edit] user@host# set security gprs gtp profile gtp1 drop error-indication 1
Drop the failure-report message type (failure-report-request and failure-report-response) for version 1.
[edit] user@host# set security gprs gtp profile gtp1 drop failure-report 1
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify that the configuration is working properly, enter the show security gprs command.
Understanding Rate Limiting for GTP Control Messages
You can configure the device to limit the rate of network traffic going to a GPRS support node (GSN). You can set a threshold, in packets per second, for GPRS tunneling protocol, control (GTP-C) messages. Because GTP-C messages require processing and replies, they can potentially overwhelm a GSN. By setting a rate limit on GTP-C messages, you can protect your GSNs from denial-of-service (DoS) attacks such as the following:
Border gateway bandwidth saturation—A malicious operator connected to the same GPRS Roaming Exchange (GRX) as your public land mobile network (PLMN) can direct so much network traffic at your Border Gateway that legitimate traffic is starved for bandwidth in or out of your PLMN, thus denying roaming access to or from your network.
GTP flood—GPRS tunneling protocol (GTP) traffic can flood a GSN, forcing it to spend its CPU cycles processing illegitimate data. This can prevent subscribers from roaming and from forwarding data to external networks, and it can prevent mobile stations from attaching to the General Packet Radio Service (GPRS) network.
This feature limits the rate of traffic sent to each GSN from the Juniper Networks device. The default rate is unlimited.
Understanding Path Rate Limiting for GTP Control Messages
You can restrict the maximum packets per second for specific control messages on a path on SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices. These GPRS tunneling protocol (GTP) messages include create-req, delete-req, and other GTP messages. For the echo-req GTP message, however, you restrict the maximum packets per minute.
The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. A drop threshold and an alarm threshold can be configured for each control message type, in the forward and reverse directions, for one path. If the control messages on one path reach the alarm threshold, an alarm log is generated. If the number of control messages received reaches the drop threshold, a packet drop log is generated and all further control messages of this type received on that path are dropped.
To control message traffic in the forward and reverse directions, configure a policy on the device: the direction that matches the configured policy is defined as forward, and the opposite direction is defined as reverse. Use the set security gprs gtp profile <profile-name> path-rate-limit statement to restrict the maximum packets per second for specific control messages on a path.
You can configure both the rate-limit and the path-rate-limit options at the same time.
Example: Limiting the Message Rate and Path Rate for GTP Control Messages
This example shows how to limit the message rate and the path rate for GTP control messages. The rate-limit option limits the number of GTP messages per second, and the path-rate-limit option controls specific GTP messages in both the forward and reverse directions.
Requirements
This example uses the following hardware and software components:
SRX5400 device
Junos OS Release 12.1X45-D10
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you limit the rate of incoming GTP messages to 300 packets per second, and you limit the path rate for GTP control messages in both the forward and reverse directions. You configure the device to limit the rate of network traffic going to a GPRS support node (GSN), and you restrict the maximum packets per second or per minute for specific control messages on a path. For create-req, delete-req, and other GTP messages you restrict the maximum packets per second; for the echo-req GTP message you restrict the maximum packets per minute.
The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. Configure the alarm-threshold parameter so that the device raises an alarm when the GTP control messages on a path have reached the configured limit. Configure the drop-threshold parameter so that the device drops traffic when the number of packets per second (or per minute) exceeds the configured limit.
Configuration
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security gprs gtp profile gtp1 rate-limit 300
set security gprs gtp profile gtp1 path-rate-limit message-type create-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type delete-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type echo-req alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type other alarm-threshold forward 50 reverse 50
set security gprs gtp profile gtp1 path-rate-limit message-type create-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type delete-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type echo-req drop-threshold forward 80 reverse 80
set security gprs gtp profile gtp1 path-rate-limit message-type other drop-threshold forward 80 reverse 80
Procedure
Step-by-Step Procedure
To configure the GTP message rate and path rate limit:
Specify the GTP profile.
[edit] user@host# set security gprs gtp profile gtp1
Set the GTP message rate limit.
[edit security gprs gtp profile gtp1] user@host# set rate-limit 300
Set the alarm threshold, in the forward and reverse directions, for each GTP control message type on a path. The create-req, delete-req, and other thresholds are in packets per second; the echo-req threshold is in packets per minute.
[edit security gprs gtp profile gtp1 path-rate-limit]
user@host# set message-type create-req alarm-threshold forward 50 reverse 50
user@host# set message-type delete-req alarm-threshold forward 50 reverse 50
user@host# set message-type echo-req alarm-threshold forward 50 reverse 50
user@host# set message-type other alarm-threshold forward 50 reverse 50
Set the drop threshold, in the forward and reverse directions, for each GTP control message type. Messages of a type that exceed its drop threshold on a path are dropped until the interval ends.
[edit security gprs gtp profile gtp1 path-rate-limit]
user@host# set message-type create-req drop-threshold forward 80 reverse 80
user@host# set message-type delete-req drop-threshold forward 80 reverse 80
user@host# set message-type echo-req drop-threshold forward 80 reverse 80
user@host# set message-type other drop-threshold forward 80 reverse 80
Results
From configuration mode, confirm your configuration by entering the show security gprs gtp profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security gprs gtp profile gtp1
rate-limit 300;
path-rate-limit {
    message-type create-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type delete-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type echo-req {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
    message-type other {
        drop-threshold {
            forward 80;
            reverse 80;
        }
        alarm-threshold {
            forward 50;
            reverse 50;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Configuration
Purpose
Verify that the GTP message rate and path rate limit configuration is correct.
Action
From operational mode, enter the show security gprs gtp counters path-rate-limit command.
Path-rate-limit counters:
                    Drop    Alarm
  Create Request    20      50
  Delete Request    20      50
  Echo Request      20      50
  Others            20      50
Meaning
The show security gprs gtp counters path-rate-limit command displays the number of packets received since the alarm threshold or the drop threshold was reached. If you configure the alarm-threshold value as 50 and the drop-threshold value as 80 for the Create Request message, and the device receives 100 such packets in one second (or one minute, for echo requests), the Drop counter shows 20 and the Alarm counter shows 50.
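The following Python is an added model of the two mechanisms described in the rate-limiting sections above, not Junos code: a per-GSN rate-limit in packets per second, and per-path, per-direction alarm and drop thresholds counted per second (per minute for echo-req). The class and attribute names, the counter layout, and the addresses are assumptions made for this example; it replays the 100-packet case from the Meaning section so you can see where Drop 20 and Alarm 50 come from, and adds a per-minute echo-req run and a bare rate-limit burst that the page's figures do not show.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


def classify(msg_type: int) -> Optional[str]:
    """Map a GTPv1 message type (3GPP TS 29.060 values) onto the page's path-rate-limit classes."""
    if msg_type == 255:
        return None  # G-PDU is GTP-U user traffic; assumed exempt from control-message limits
    return {16: "create-req", 20: "delete-req", 1: "echo-req"}.get(msg_type, "other")


# echo-req is limited per minute; every other class per second.
WINDOW_SECONDS = {"echo-req": 60.0}


@dataclass
class Threshold:
    forward: int
    reverse: int

    def for_direction(self, direction: str) -> int:
        return self.forward if direction == "forward" else self.reverse


@dataclass
class PathRateLimit:
    alarm: Threshold
    drop: Threshold


class GtpRateLimiter:
    """Hypothetical model of rate-limit plus path-rate-limit; not Junos code."""

    def __init__(self, rate_limit: Optional[int] = None, path_limits: Optional[dict] = None):
        self.rate_limit = rate_limit          # GTP-C packets per second per destination GSN; None = unlimited
        self.path_limits = path_limits or {}  # class -> PathRateLimit
        self.gsn_counts = defaultdict(int)    # (dst, second) -> packets
        self.path_counts = defaultdict(int)   # (path, class, direction, window) -> packets
        self.counters = defaultdict(lambda: {"drop": 0, "alarm": 0})  # class -> counters
        self.rate_limit_drops = 0
        self.logs = []

    def process(self, ts: float, src: str, dst: str, msg_type: int, direction: str) -> str:
        """Return "pass" or "drop" for one control message seen at time ts (seconds)."""
        cls = classify(msg_type)
        if cls is None:
            return "pass"
        # rate-limit: all control-plane traffic heading to one GSN, per second.
        if self.rate_limit is not None:
            key = (dst, int(ts))
            self.gsn_counts[key] += 1
            if self.gsn_counts[key] > self.rate_limit:
                self.rate_limit_drops += 1
                return "drop"
        limit = self.path_limits.get(cls)
        if limit is None:
            return "pass"
        path = tuple(sorted((src, dst)))  # one path covers both directions
        window = int(ts // WINDOW_SECONDS.get(cls, 1.0))
        key = (path, cls, direction, window)
        self.path_counts[key] += 1
        seen = self.path_counts[key]
        alarm = limit.alarm.for_direction(direction)
        drop = limit.drop.for_direction(direction)
        if seen == alarm:
            self.logs.append(f"alarm: {cls} {direction} on {path} reached {alarm}")
        if seen > alarm:
            self.counters[cls]["alarm"] += 1   # packets since the alarm threshold was reached
        if seen == drop:
            self.logs.append(f"drop: {cls} {direction} on {path} reached {drop}; dropping the rest")
        if seen > drop:
            self.counters[cls]["drop"] += 1    # packets since the drop threshold was reached
            return "drop"
        return "pass"


def run_page_scenario() -> dict:
    """Replay the page's figures: rate-limit 300, alarm 50/50 and drop 80/80 for every class."""
    limit = PathRateLimit(alarm=Threshold(50, 50), drop=Threshold(80, 80))
    rl = GtpRateLimiter(rate_limit=300, path_limits={
        c: limit for c in ("create-req", "delete-req", "echo-req", "other")})
    sgsn, ggsn = "10.0.0.1", "10.0.1.1"  # constructed addresses
    # 100 create PDP context requests within one second, SGSN -> GGSN (forward)
    creates = [rl.process(0.001 * i, sgsn, ggsn, 16, "forward") for i in range(100)]
    # one echo request per second for a minute, GGSN -> SGSN (reverse): counted per minute
    echoes = [rl.process(float(i), ggsn, sgsn, 1, "reverse") for i in range(60)]
    return {
        "create_dropped": creates.count("drop"),
        "echo_dropped": echoes.count("drop"),
        "counters": {c: dict(v) for c, v in rl.counters.items()},
        "logs": list(rl.logs),
    }


def rate_limit_only(pps: int, burst: int) -> int:
    """Drops when a burst of update PDP context requests hits one GSN inside one second."""
    rl = GtpRateLimiter(rate_limit=pps)
    return sum(rl.process(0.0, "10.0.0.1", "10.0.1.1", 18, "forward") == "drop"
               for _ in range(burst))
```

The echo run makes the per-minute window visible: one echo request per second never exceeds 50 in any single second, but 60 of them land in one minute, so the alarm counter climbs to 10 while nothing is dropped. The rate-limit check sits in front of the path checks, as on the device both can be configured together, and a message refused by rate-limit is not counted against a path threshold.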
Example: Enabling GTP Sequence Number Validation
This example shows how to enable the GTP sequence number validation feature.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create the GTP profile gtp1 and enable sequence number validation on it.
Configuration
Procedure
Step-by-Step Procedure
To enable the GTP sequence number validation feature:
Set the GTP profile.
[edit] user@host# set security gprs gtp profile gtp1
Enable the sequence number validation.
[edit] user@host# set security gprs gtp profile gtp1 seq-number-validated
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify that the configuration is working properly, enter the show security gprs command.