GTPv1 Message Filtering

A GTP packet contains a message body and three headers: GTP, UDP, and IP. The device passes or drops a GTP packet according to the GTP message filters, which act on the message length and the message type.

Understanding GTP Message Filtering

When the device receives a GPRS tunneling protocol (GTP) packet, it checks the packet against the policies configured on the device. If the packet matches a policy, the device inspects it according to the GTP configuration applied to that policy. If the packet fails any of the GTP configuration parameters, the device passes or drops it according to the configuration of the GTP inspection object.

A GTP packet consists of the message body and three headers: GTP, UDP, and IP. If the resulting IP packet is larger than the maximum transmission unit (MTU) of the link it is sent over, the sending Serving GPRS Support Node (SGSN) or gateway GPRS support node (GGSN) fragments it at the IP layer.

By default, the device buffers IP fragments until it receives a complete GTP message, and then inspects the GTP message.

Understanding GTP Message-Length Filtering

You can configure the device to drop packets that do not meet your specified minimum or maximum message lengths. In the GPRS tunneling protocol (GTP) header, the message length field indicates the length, in octets, of the GTP payload. It does not include the UDP header, the IP header, or the GTP header itself; note that in GTPv1 the field counts everything after the mandatory 8-octet header, so the optional sequence number, N-PDU number, and next extension header octets are included in the reported length. The default minimum and maximum GTP message lengths are 0 and 65,535 octets, respectively.

Understanding GTP Message-Type Filtering

You can configure the device to filter GPRS tunneling protocol (GTP) packets and permit or deny them based on their message type. By default, the device permits all GTP message types.

A GTP message type covers one or more messages. When you permit or deny a message type, you automatically permit or deny every message of that type. For example, if you drop the sgsn-context message type, you drop sgsn-context-request, sgsn-context-response, and sgsn-context-acknowledge messages.

You permit and deny message types per GTP version number. For example, you can deny a message type for one version while permitting it for the other.
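The two filters above, modelled in Python as an added example for this page (illustrative code, not Juniper's implementation). It parses the GTPv0 and GTPv1 headers, applies the length bounds, and applies per-version message-type drops using the group names from Table 1. The message type codes come from 3GPP TS 29.060; the sample packets are constructed inline rather than captured; the group table lists only the groups the example uses; and the check that the length field agrees with the bytes on the wire is this example's own addition.

```python
"""Added example: a model of GTP message-length and message-type filtering.
Illustrative code, not Juniper's implementation."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# Message-type group (Table 1 names) -> 3GPP TS 29.060 message type codes it covers.
MESSAGE_TYPE_GROUPS = {
    "echo": {1, 2},
    "version-not-supported": {3},
    "create-pdp": {16, 17},
    "update-pdp": {18, 19},
    "delete-pdp": {20, 21},
    "create-aa-pdp": {22, 23},      # GTPv0 only
    "delete-aa-pdp": {24, 25},      # GTPv0 only
    "error-indication": {26},
    "failure-report": {34, 35},
    "sgsn-context": {50, 51, 52},   # request, response, acknowledge
    "gtp-pdu": {255},
}

# Header octets the length field does NOT count: the whole 20-octet GTPv0
# header, but only the mandatory 8 octets of a GTPv1 header.
UNCOUNTED_HEADER = {0: 20, 1: 8}


@dataclass
class GtpProfile:
    """The profile knobs discussed above: length bounds and per-version drops."""
    min_message_length: int = 0
    max_message_length: int = 65535
    drop: dict = field(default_factory=dict)   # group name -> set of versions to drop


@dataclass
class GtpHeader:
    version: int
    message_type: int
    length: int


def parse_header(pkt: bytes) -> GtpHeader:
    """Extract the fields the filters need from a GTPv0 or GTPv1 UDP payload."""
    if len(pkt) < 8:
        raise ValueError("shorter than a GTP header")
    version = pkt[0] >> 5
    if version not in UNCOUNTED_HEADER:
        raise ValueError(f"unsupported GTP version {version}")
    if len(pkt) < UNCOUNTED_HEADER[version]:
        raise ValueError("truncated GTPv0 header")
    length = struct.unpack_from("!H", pkt, 2)[0]
    return GtpHeader(version=version, message_type=pkt[1], length=length)


def inspect(pkt: bytes, profile: GtpProfile) -> tuple[str, str]:
    """Return ("pass" | "drop", reason) for one reassembled GTP message."""
    try:
        hdr = parse_header(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    # Example's own sanity check: the length field must match the bytes on the wire.
    if hdr.length != len(pkt) - UNCOUNTED_HEADER[hdr.version]:
        return "drop", "length field does not match packet size"
    if not profile.min_message_length <= hdr.length <= profile.max_message_length:
        return "drop", f"length {hdr.length} outside [{profile.min_message_length}, {profile.max_message_length}]"
    for group, versions in profile.drop.items():
        if hdr.version in versions and hdr.message_type in MESSAGE_TYPE_GROUPS[group]:
            return "drop", f"type {hdr.message_type} ({group}) denied for version {hdr.version}"
    return "pass", "ok"


# --- constructed sample packets (not captured traffic) -----------------------

def v1_packet(msg_type: int, payload: bytes, teid: int = 0, seq: Optional[int] = 0) -> bytes:
    """GTPv1: flags, type, length, TEID, then optional seq/N-PDU/next-ext when the S bit is set."""
    if seq is None:
        flags, optional = 0x30, b""                               # version 1, PT=1, no S bit
    else:
        flags, optional = 0x32, struct.pack("!HBB", seq, 0, 0)    # S bit set
    body = optional + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


def v0_packet(msg_type: int, payload: bytes, seq: int = 0) -> bytes:
    """GTPv0: fixed 20-octet header (flags, type, length, seq, flow label, N-PDU, spare, TID)."""
    header = struct.pack("!BBHHHB", 0x1E, msg_type, len(payload), seq, 0, 0xFF)
    return header + b"\xff" * 3 + b"\x00" * 8 + payload


V1_ECHO_REQUEST = v1_packet(1, b"")               # length field is 4: only the optional octets
V1_ERROR_INDICATION = v1_packet(26, bytes(12))    # 12 placeholder octets standing in for the IEs
V0_ERROR_INDICATION = v0_packet(26, bytes(12))
V1_GPDU_SMALL = v1_packet(255, bytes(1000), teid=0x1234, seq=None)
V1_GPDU_LARGE = v1_packet(255, bytes(1300), teid=0x1234, seq=None)

# The page's two configuration examples combined: lengths 8..1200 octets, and
# error-indication and failure-report dropped for version 1 only.
EXAMPLE_PROFILE = GtpProfile(8, 1200, {"error-indication": {1}, "failure-report": {1}})

if __name__ == "__main__":
    for name, pkt in [("v1 echo request", V1_ECHO_REQUEST), ("v1 error indication", V1_ERROR_INDICATION),
                      ("v0 error indication", V0_ERROR_INDICATION), ("v1 G-PDU 1000", V1_GPDU_SMALL),
                      ("v1 G-PDU 1300", V1_GPDU_LARGE)]:
        print(f"{name:22} -> {inspect(pkt, EXAMPLE_PROFILE)}")
```

One thing the model makes visible: because a GTPv1 signalling message's length field counts only the octets after the mandatory 8-octet header, a bare echo request carries a length of 4, so the minimum of 8 octets used in the message-length example on this page drops it. Choose the minimum with the smallest legitimate message on your paths in mind, and run the check only on reassembled messages, which is what the device does by default.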

Example: Setting the GTP Message-Length Filtering

This example shows how to set the GTP message lengths.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you configure the minimum GTP message length to 8 octets and the maximum GTP message length to 1200 octets for the GTP inspection object.

Configuration

Procedure

Step-by-Step Procedure

To configure the GTP message lengths:

  1. Specify the GTP profile.

  2. Specify the minimum message length.

  3. Specify the maximum message length.

  4. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security gprs command.

Supported GTP Message Types

Table 1 lists the GTP messages supported in GTP Release 1997 (GTP version 0) and Release 1999 (GTP version 1), including the GTP charging messages, together with the message type names you use to configure GTP message-type filtering.

Table 1: GTP Messages

yes = supported in that GTP version; - = not defined in that version

Message                                    Message Type            Version 0   Version 1
create AA pdp context request              create-aa-pdp           yes         -
create AA pdp context response             create-aa-pdp           yes         -
create pdp context request                 create-pdp              yes         yes
create pdp context response                create-pdp              yes         yes
data record request                        data-record             yes         yes
data record response                       data-record             yes         yes
delete AA pdp context request              delete-aa-pdp           yes         -
delete AA pdp context response             delete-aa-pdp           yes         -
delete pdp context request                 delete-pdp              yes         yes
delete pdp context response                delete-pdp              yes         yes
echo request                               echo                    yes         yes
echo response                              echo                    yes         yes
error indication                           error-indication        yes         yes
failure report request                     failure-report          yes         yes
failure report response                    failure-report          yes         yes
forward relocation request                 fwd-relocation          yes         yes
forward relocation response                fwd-relocation          yes         yes
forward relocation complete                fwd-relocation          yes         yes
forward relocation complete acknowledge    fwd-relocation          yes         yes
forward SRNS context                       fwd-srns-context        yes         yes
forward SRNS context acknowledge           fwd-srns-context        yes         yes
identification request                     identification          yes         yes
identification response                    identification          yes         yes
node alive request                         node-alive              yes         yes
node alive response                        node-alive              yes         yes
note MS GPRS present request               note-ms-present         yes         yes
note MS GPRS present response              note-ms-present         yes         yes
pdu notification request                   pdu-notification        yes         yes
pdu notification response                  pdu-notification        yes         yes
pdu notification reject request            pdu-notification        yes         yes
pdu notification reject response           pdu-notification        yes         yes
RAN info relay                             ran-info                yes         yes
redirection request                        redirection             yes         yes
redirection response                       redirection             yes         yes
relocation cancel request                  relocation-cancel       yes         yes
relocation cancel response                 relocation-cancel       yes         yes
send route info request                    send-route              yes         yes
send route info response                   send-route              yes         yes
sgsn context request                       sgsn-context            yes         yes
sgsn context response                      sgsn-context            yes         yes
sgsn context acknowledge                   sgsn-context            yes         yes
supported extension headers notification   supported-extension     yes         yes
G-PDU                                      gtp-pdu                 yes         yes
update pdp context request                 update-pdp              yes         yes
update pdp context response                update-pdp              yes         yes
version not supported                      version-not-supported   yes         yes

Example: Filtering GTP Message Types

This example shows how to permit and deny GTP message types.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, for the gtp1 profile, you configure the device to drop the error-indication and failure-report message types for version 1.

Configuration

Procedure

Step-by-Step Procedure

To permit and deny GTP message types:

  1. Specify the GTP profile (gtp1).

  2. Drop error-indication messages for version 1.

  3. Drop failure-report messages for version 1.

  4. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security gprs command.

Understanding Rate Limiting for GTP Control Messages

You can configure the device to limit the rate of network traffic going to a GPRS support node (GSN). You can set separate thresholds, in packets per second, for GTP control (GTP-C) messages. Because GTP-C messages require processing and replies, they can overwhelm a GSN. By rate-limiting GTP-C messages, you can protect your GSNs from denial-of-service (DoS) attacks such as the following:

  • Border gateway bandwidth saturation—A malicious operator connected to the same GPRS Roaming Exchange (GRX) as your public land mobile network (PLMN) can direct so much network traffic at your Border Gateway that legitimate traffic is starved for bandwidth in or out of your PLMN, thus denying roaming access to or from your network.

  • GTP flood—GPRS tunneling protocol (GTP) traffic can flood a GSN, forcing it to spend its CPU cycles processing illegitimate data. This can prevent subscribers from roaming and forwarding data to external networks, and it can prevent mobile stations from attaching to the General Packet Radio Service (GPRS) network.

This feature limits the rate of traffic sent to each GSN from the Juniper Networks device. The default rate is unlimited.

Understanding Path Rate Limiting for GTP Control Messages

You can restrict the maximum number of packets for specific control messages on a path on SRX1500, SRX4100, SRX4200, SRX5400, SRX5600, and SRX5800 devices. The limit is expressed in packets per second for create-req, delete-req, and other GPRS tunneling protocol (GTP) control messages, and in packets per minute for echo-req messages.

The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. A drop threshold and an alarm threshold can be configured for each control message, in each direction, on one path. If the control messages on one path reach the alarm threshold, an alarm log is generated. If the number of control messages received reaches the drop threshold, a packet drop log is generated and all further control messages of that type received on the path are dropped.

To control message traffic in the forward and reverse directions, configure a policy on the device such that the direction that is consistent with the configured policy is defined as forward, and the opposite direction is defined as reverse. Use the set security gprs gtp profile <profile-name> path-rate-limit statement to restrict the maximum packets per second for specific control messages on a path.

You can configure both the rate-limit and the path-rate-limit options at the same time.

Example: Limiting the Message Rate and Path Rate for GTP Control Messages

This example shows how to limit the message rate and the path rate for GTP control messages. The rate-limit option limits the GTP messages per second and the path-rate-limit option controls specific GTP messages in both the forward and reverse directions.

Requirements

This example uses the following hardware and software components:

  • SRX5400 device

  • Junos OS Release 12.1X45-D10

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you limit the rate of incoming GTP messages to 300 packets per second and you set path rate limits for GTP control messages in both the forward and reverse directions. The rate limit protects the GPRS support node (GSN) behind the device; the path rate limit restricts specific control messages on a path, in packets per second for create-req, delete-req, and other GTP messages and in packets per minute for echo-req messages.

The path-rate-limit function controls specific GTP messages in both the forward and reverse directions. Configure the alarm-threshold parameter so that the device raises an alarm when the GTP control messages on a path reach the configured limit, and the drop-threshold parameter so that the device drops the traffic once the number of packets per second (or per minute, for echo-req) exceeds the configured limit.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure the GTP message rate and path rate limit:

  1. Specify the GTP profile.

  2. Set the GTP message rate limit.

  3. Specify the message type to set the path rate limit for GTP control messages.

  4. Select GTP control message types.

  5. Set the alarm threshold for the GTP control message types.

  6. Limit the control messages in the forward direction.

  7. Limit the control messages in the reverse direction.

  8. Set the drop threshold for the GTP control message types.

  9. Limit the control messages in the forward direction.

  10. Limit the control messages in the reverse direction.

Results

From configuration mode, confirm your configuration by entering the show security gprs gtp profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Configuration

Purpose

Verify that the GTP message rate and path rate limit configuration is correct.

Action

From operational mode, enter the show security gprs gtp counters path-rate-limit command.

Meaning

The show security gprs gtp counters path-rate-limit command displays the number of packets received after the alarm threshold or the drop threshold was reached, not the threshold values themselves. For example, if you configure an alarm-threshold of 50 and a drop-threshold of 80 for the Create Request message, and the device receives 100 such packets in one second (or one minute, for echo-req), the output shows Alarm 50 and Drop 20.
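The rate-limit and path-rate-limit behaviour described in the two Understanding sections above, and the counter arithmetic in this Meaning section, as an added Python model (illustrative code written for this page, not Juniper's implementation). Its assumptions: counts are kept in fixed windows of one second (one minute for echo-req) and reset when the window elapses; a path is the unordered pair of GSN addresses; the per-GSN rate limit counts every GTP-C message toward a GSN; and the GSN names and threshold values for echo-req are placeholders. The message classes and the alarm/drop threshold names follow the page.

```python
"""Added example: a model of rate-limit and path-rate-limit with the alarm and
drop counters described on this page. Illustrative, not Juniper's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Threshold:
    forward: int
    reverse: int


@dataclass
class PathRateLimit:
    alarm: Threshold
    drop: Threshold
    window: float = 1.0      # seconds; echo-req is limited per minute (window=60.0)


@dataclass
class Counters:
    alarm: int = 0           # packets seen after the alarm threshold was reached
    drop: int = 0            # packets seen (and dropped) after the drop threshold was reached


class GtpRateLimiter:
    def __init__(self, rate_limit=None, path_rate_limits=None):
        self.rate_limit = rate_limit                      # GTP-C packets/s per GSN; None = unlimited (default)
        self.path_rate_limits = path_rate_limits or {}    # message class -> PathRateLimit
        self._gsn_windows = {}
        self._path_windows = {}
        self.counters = defaultdict(Counters)
        self.logs = []

    @staticmethod
    def _count(windows, key, now, window):
        """Fixed-window counter (assumption: the count resets when the window elapses)."""
        start, n = windows.get(key, (now, 0))
        if now - start >= window:
            start, n = now, 0
        n += 1
        windows[key] = (start, n)
        return n

    def handle(self, now, src, dst, msg_class, direction):
        """Return "pass" or "drop" for one GTP-C message sent from src to dst."""
        # rate-limit: total GTP-C traffic toward each GSN
        if self.rate_limit is not None:
            if self._count(self._gsn_windows, dst, now, 1.0) > self.rate_limit:
                return "drop"
        limit = self.path_rate_limits.get(msg_class)
        if limit is None:
            return "pass"
        # path-rate-limit: per path, per message class, per direction
        key = (frozenset((src, dst)), msg_class, direction)   # assumption: path = unordered GSN pair
        n = self._count(self._path_windows, key, now, limit.window)
        counters = self.counters[key]
        if n > getattr(limit.alarm, direction):
            if counters.alarm == 0:
                self.logs.append(f"ALARM {msg_class} {direction} {src}->{dst}")
            counters.alarm += 1
        if n > getattr(limit.drop, direction):
            if counters.drop == 0:
                self.logs.append(f"DROP {msg_class} {direction} {src}->{dst}")
            counters.drop += 1
            return "drop"
        return "pass"

    def path_counters(self, src, dst, msg_class, direction):
        return self.counters[(frozenset((src, dst)), msg_class, direction)]


def demo():
    """Reproduce the Meaning section: alarm 50, drop 80, 100 create-req in one second."""
    limiter = GtpRateLimiter(
        rate_limit=300,
        path_rate_limits={
            "create-req": PathRateLimit(Threshold(50, 50), Threshold(80, 80)),
            "echo-req": PathRateLimit(Threshold(10, 10), Threshold(20, 20), window=60.0),  # placeholder values
        },
    )
    create = [limiter.handle(i / 1000, "sgsn-a", "ggsn-b", "create-req", "forward") for i in range(100)]
    c = limiter.path_counters("sgsn-a", "ggsn-b", "create-req", "forward")
    # 400 "other" control messages in one second toward a second GGSN: no path limit is
    # configured for "other", so only the per-GSN rate-limit of 300 applies.
    other = [limiter.handle(0.5 + i / 10000, "sgsn-c", "ggsn-d", "other", "forward") for i in range(400)]
    return {
        "create_passed": create.count("pass"),
        "create_dropped": create.count("drop"),
        "alarm_counter": c.alarm,
        "drop_counter": c.drop,
        "other_dropped": other.count("drop"),
        "log_lines": len(limiter.logs),
    }


if __name__ == "__main__":
    print(demo())
```

The two counters are what the verification command reports: alarm_counter grows by one for every packet after the fiftieth, drop_counter for every packet after the eightieth, so 100 packets in one interval give Alarm 50 and Drop 20 while 80 are forwarded. The per-GSN rate-limit is independent and drops without raising these counters.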

Example: Enabling GTP Sequence Number Validation

This example shows how to enable the GTP sequence number validation feature.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you use the gtp1 profile and enable sequence number validation on it.

Configuration

Procedure

Step-by-Step Procedure

To enable the GTP sequence number validation feature:

  1. Set the GTP profile.

  2. Enable the sequence number validation.

  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security gprs command.