Example: Configure Must-IE check for GTPv1 and GTPv2
Summary
You can enable this function to verify the presence of IEs in GTPv1 and GTPv2 messages. This helps to verify message integrity. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs in specific GTP messages and forwards the messages only if the Must-IEs are present.
Requirements
This example uses the following hardware and software components:
An SRX Series device.
Junos OS Release 20.2R1.
Overview
Information elements (IEs) are included in all GPRS tunnelling protocol (GTP) control message packets. Every GTP-C message consists of a GTP header followed by multiple information elements (IEs). Each IE type is identified by a number between 1 and 255. For every GTP message, the Third-Generation Partnership Project (3GPP) technical specifications (TS) define an IE list; some of the IEs are mandatory, others are optional or conditional.
IEs in GTPv1 are encoded in TV or TLV format, so GTPv1 uses the IE number alone to identify an IE. IEs in GTPv2 are encoded in TLIV format, so GTPv2 uses the IE number together with an instance number to identify an IE.
Must-IE check is a function that checks the presence of IEs that should be contained in a GTP message, which helps to verify GTP message integrity. Must-IEs are not limited to the mandatory IEs in the 3GPP TS. You can define any IE as a Must-IE in a message in accordance with your GTPv1 or GTPv2 versions and GTPv1 or GTPv2 interfaces. The device checks the presence of Must-IEs in specific GTP messages and forwards the messages only if the Must-IEs are present.
We’ve implemented Must-IE check with flexible message profile configurations, which let you define the Must-IEs of the messages you are interested in. They are called interested messages because their IEs are not necessarily defined as mandatory in the TS. With appropriate message profile configurations, Must-IE check can accommodate any GTP release, message format, or IE status.
Configuration
Configure Must-IE check for GTPv1
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. If you need help, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- Configure a GTPv1 message-ie profile msgie-v1. In this example, we have created a profile named msgie-v1.
  [edit]
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1
- Create a message-ie-profile-v1 and add interested messages and IEs in message-ie-profile-v1. GTPv1 uses the IE number to identify IEs. In this example, in 3GPP TS 29.060, message type 2 is an Echo Response and message type 16 is a Create PDP Context Request. For message type 2, IE 14 is the Recovery IE, which is mandatory in an Echo Response. For message type 16, the IEs provided are mandatory IEs in a Create PDP Context Request.
  [edit]
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 2 ie 14
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 2
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 3
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 16
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 17
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 20
  user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 133
- Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which let you define the Must-IEs of interested messages.
  [edit]
  user@host# set security gprs gtp profile GTP must-ie-v1 msgie-v1
Configure Must-IE check for GTPv2
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
- Configure a GTPv2 message-ie profile msgie-v2. In this example, we have created a profile named msgie-v2.
  [edit]
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2
- Define a grouped-ie-profile and link it to the IEs. A grouped IE is a group of IEs, or a group of grouped IEs. For example, Bearer Context is a grouped IE containing multiple IEs. PDN Connection is another grouped IE containing multiple instances of Bearer Context and other IEs. You must link a grouped-ie-profile only to a grouped IE; otherwise you receive the error “Error: IE %d is not a grouped-ie”.
  [edit]
  user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 73
  user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 80
  user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 87
  user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-rmv ie 73
- Create a message-ie-profile-v2 and add interested messages and IEs in message-ie-profile-v2. The messages are called interested messages because their IEs are not necessarily defined as mandatory in the TS. GTPv2 uses the IE number and the instance number to identify IEs. Instance is defined in 3GPP TS 29.274 for GTPv2 only. If more than one IE of the same type is sent in a message for different purposes, these IEs have different instance values. If you do not specify the instance value, the device uses the default value 0.
  [edit]
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 2 ie 3
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 1
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 71
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 82
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 0
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 1
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 0 grouped-ie-profile Bearer-ctxt-crt
  user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 1 grouped-ie-profile Bearer-ctxt-rmv
- Bind the message-ie profile to the GTP profile as Must-IE. Must-IE check is implemented with message profile configurations, which let you define the Must-IEs of interested messages.
  [edit]
  user@host# set security gprs gtp profile GTP must-ie-v2 msgie-v2
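To show what the Must-IE check has to do with the msgie-v2 and grouped-ie-profile configuration above, here is an added Python example (not Junos code or device output): it encodes a GTPv2 Create Session Request out of TLIV IEs, parses it back, and reports which Must-IEs are absent, descending into the Bearer Context grouped IEs (type 93) the way the grouped-ie-profile links require. The profile table, IE values and sample messages are constructed for the example; the message and IE numbers are those used in the procedure.

```python
import struct
# Constructed Must-IE profile mirroring the msgie-v2 and grouped-ie-profile configuration
# above: keys are (IE type, instance); None marks a plain IE, a set lists the instance-0
# IEs that the grouped IE must itself contain.
BEARER_CTXT_CRT = {(73, 0), (80, 0), (87, 0)}
BEARER_CTXT_RMV = {(73, 0)}
MSGIE_V2 = {2: {(3, 0): None},
            32: {(1, 0): None, (71, 0): None, (82, 0): None, (87, 0): None,
                 (87, 1): None, (93, 0): BEARER_CTXT_CRT, (93, 1): BEARER_CTXT_RMV}}

def ie(ie_type, instance, value=b"\x00"):
    """Encode one GTPv2 TLIV IE: type, 16-bit length, spare|instance, value."""
    return struct.pack("!BHB", ie_type, len(value), instance & 0x0F) + value

def gtpv2_message(msg_type, *ies):
    """Wrap IEs in a GTPv2 header (flags 0x48: version 2, T=1 so a TEID follows)."""
    body = b"".join(ies)  # header length field covers TEID + sequence + IEs
    return struct.pack("!BBHI", 0x48, msg_type, 8 + len(body), 0) + b"\x00\x00\x01\x00" + body

def parse_ies(buf):
    """Parse a run of TLIV IEs into {(type, instance): value}; reject truncation."""
    ies, off = {}, 0
    while off < len(buf):
        ie_type, length, inst = struct.unpack_from("!BHB", buf, off)  # struct.error if short
        value = buf[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated IE %d" % ie_type)
        ies[(ie_type, inst & 0x0F)] = value
        off += 4 + length
    return ies

def missing_must_ies(msg):
    """List the Must-IEs absent from a GTPv2 message; [] means the message is forwarded."""
    flags, msg_type, length = struct.unpack_from("!BBH", msg, 0)
    hdr_len = 12 if flags & 0x08 else 8  # T flag adds a 4-byte TEID
    ies = parse_ies(msg[hdr_len:4 + length])
    missing = []
    for key, grouped in MSGIE_V2.get(msg_type, {}).items():  # unlisted messages pass
        if key not in ies:
            missing.append(key)
        elif grouped:  # descend into the grouped IE; report as grouped key + inner key
            inner = parse_ies(ies[key])
            missing += [key + sub for sub in sorted(grouped) if sub not in inner]
    return missing

# Constructed Create Session Request (type 32) carrying every Must-IE ...
GOOD_CSR = gtpv2_message(32, ie(1, 0), ie(71, 0), ie(82, 0), ie(87, 0), ie(87, 1),
                         ie(93, 0, ie(73, 0) + ie(80, 0) + ie(87, 0)), ie(93, 1, ie(73, 0)))
# ... and the same message with IE 82 dropped and IE 80 missing from Bearer Context 0
BAD_CSR = gtpv2_message(32, ie(1, 0), ie(71, 0), ie(87, 0), ie(87, 1),
                        ie(93, 0, ie(73, 0) + ie(87, 0)), ie(93, 1, ie(73, 0)))
```

A message type that is not in the profile is not checked at all, which mirrors the "interested messages" behaviour described above: only messages you list get the Must-IE check.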
Results
From configuration mode, confirm your configuration by entering the show security gprs gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify the GTPv1 Message-IE Profile
Purpose
To verify the GTPv1 Message-IE profile.
Action
From operational mode, enter the show security gprs gtp message-ie-profile-v1 (all | <msgie-prf-v1-name>) command.
user@host> show security gprs gtp message-ie-profile-v1 all
GTP Profile List (id, name):
  1 msgie-v1
user@host> show security gprs gtp message-ie-profile-v1 msgie-v1
Profile msgie-v1, uid 1
  Message Number 2
    IE numbers: 14
  Message Number 16
    IE numbers: 2, 3, 16, 17, 20, 133
Meaning
The output displays the details of the GTPv1 Message-IE profile.
Verify the GTPv2 Message-IE Profile
Purpose
To verify the GTPv2 Message-IE profile.
Action
From operational mode, enter the show security gprs gtp message-ie-profile-v2 (all | <msgie-prf-v2-name>) command.
user@host> show security gprs gtp message-ie-profile-v2 all
GTP Profile List (id, name):
  1 msgie-v2
user@host> show security gprs gtp message-ie-profile-v2 msgie-v2
Profile msgie-v2, uid 1
  Message Number    IE number/Grouped-IE    Instance numbers
  2                 3                       0
  32                1                       0
                    71                      0
                    82                      0
                    87                      0
                    87                      1
                    Bearer-ctxt-crt         0
                    Bearer-ctxt-rmv         1
Meaning
The output displays the details of the GTPv2 Message-IE profile.
Verify the grouped-ie profile
Purpose
To verify the grouped-ie profile.
Action
From operational mode, enter the show security gprs gtp grouped-ie-profile (all | <grpie-prf-name>) command.
user@host> show security gprs gtp grouped-ie-profile all
GTP Profile List (id, name):
  1 Bearer-ctxt-crt
  2 Bearer-ctxt-rmv
user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-crt
Profile Bearer-ctxt-crt, uid 1
  Grouped-IE Number    IE number/Grouped-IE    Instance numbers
  93                   73                      0
                       80                      0
                       87                      0
user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-rmv
Profile Bearer-ctxt-rmv, uid 2
  Grouped-IE Number    IE number/Grouped-IE    Instance numbers
  93                   73                      0
Meaning
The output displays the details of the grouped-IE profile.