Example: Configure Must-IE check for GTPv1 and GTPv2

17-Sep-20
Summary

You can enable this function to verify the presence of IEs in GTPv1 and GTPv2 messages, which helps verify message integrity. You can define any IE as a Must-IE for a message, in accordance with your GTPv1 or GTPv2 version and interface. The device checks for the presence of the Must-IEs of specific GTP messages and forwards a message only if its Must-IEs are present.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device.

  • Junos OS Release 20.2R1.

Overview

Information elements (IEs) are included in all GPRS tunnelling protocol (GTP) control message packets. Every GTP-C message consists of a GTP header followed by multiple GTP information elements (IEs). Each IE type is identified by a number between 1 and 255. For every GTP message, the Third-Generation Partnership Project (3GPP) TS defines a list of IEs, some of which are mandatory while others are optional or conditional.

IEs of GTPv1 are encoded in TV (type-value) or TLV (type-length-value) format, so GTPv1 uses the IE number alone to identify an IE. IEs of GTPv2 are encoded in TLIV (type-length-instance-value) format, so GTPv2 uses both the IE number and the instance number to identify an IE.

Must-IE check is a function that checks for the presence of the IEs that a GTP message should contain, which helps verify GTP message integrity. Must-IEs are not limited to the mandatory IEs in the 3GPP TS. You can define any IE as a Must-IE for a message, in accordance with your GTPv1 or GTPv2 version and interface. The device checks for the presence of the Must-IEs of specific GTP messages and forwards a message only if its Must-IEs are present.

We’ve implemented Must-IE check with flexible message profile configurations, which let you define the Must-IEs of interested messages. We call them interested messages because the IEs you choose are not necessarily the ones the TS defines as mandatory. With appropriate message profile configurations, Must-IE check can accommodate any GTP release, message format, or IE status.

Configuration

Configure Must-IE check for GTPv1

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security gprs gtp message-ie-profile-v1 msgie-v1 message 2 ie 14
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 2
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 3
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 16
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 17
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 20
set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 133
set security gprs gtp profile GTP must-ie-v1 msgie-v1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. If you need help, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Create a GTPv1 message-ie profile. In this example, the profile is named msgie-v1.
    [edit]
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1
  2. Add the interested messages and their IEs to message-ie-profile-v1. GTPv1 uses the IE number to identify IEs. In 3GPP TS 29.060, message type 2 is Echo Response and message type 16 is Create PDP Context Request. For message type 2, IE 14 is the Recovery IE, which is mandatory in Echo Response. For message type 16, the IEs listed here are mandatory IEs in Create PDP Context Request.
    [edit]
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 2 ie 14
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 2
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 3
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 16
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 17
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 20
    user@host# set security gprs gtp message-ie-profile-v1 msgie-v1 message 16 ie 133
  3. Bind the message-ie profile to the GTP profile as its Must-IE profile. Must-IE check is implemented with message profile configurations, which let you define the Must-IEs of interested messages.
    [edit]
    user@host# set security gprs gtp profile GTP must-ie-v1 msgie-v1

Configure Must-IE check for GTPv2

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 73
set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 80
set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 87
set security gprs gtp grouped-ie-profile Bearer-ctxt-rmv ie 73
set security gprs gtp message-ie-profile-v2 msgie-v2 message 2 ie 3
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 1
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 71
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 82
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 0
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 1
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 0 grouped-ie-profile Bearer-ctxt-crt
set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 1 grouped-ie-profile Bearer-ctxt-rmv
set security gprs gtp profile GTP must-ie-v2 msgie-v2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Create a GTPv2 message-ie profile. In this example, the profile is named msgie-v2.
    [edit]
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2
  2. Define a grouped-ie-profile and link it to the IEs it must contain. A grouped IE is a group of IEs, or a group of grouped IEs. For example, Bearer Context is a grouped IE containing multiple IEs; PDN Connection is another grouped IE, containing multiple instances of Bearer Context as well as other IEs. You can link a grouped-ie-profile only to a grouped IE; otherwise you receive the error “Error: IE %d is not a grouped-ie”.
    [edit]
    user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 73
    user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 80
    user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-crt ie 87
    user@host# set security gprs gtp grouped-ie-profile Bearer-ctxt-rmv ie 73
  3. Add the interested messages and their IEs to message-ie-profile-v2. We call them interested messages because the IEs you choose are not necessarily the ones the TS defines as mandatory. GTPv2 uses the IE number and the instance number together to identify an IE. The instance is defined in 3GPP TS 29.274 for GTPv2 only. If more than one IE of the same type is sent in a message for different purposes, those IEs carry different instance values. If you do not specify an instance value, the device uses the default value 0.
    [edit]
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 2 ie 3
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 1
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 71
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 82
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 0
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 87 instance 1
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 0 grouped-ie-profile Bearer-ctxt-crt
    user@host# set security gprs gtp message-ie-profile-v2 msgie-v2 message 32 ie 93 instance 1 grouped-ie-profile Bearer-ctxt-rmv
  4. Bind the message-ie profile to the GTP profile as its Must-IE profile. Must-IE check is implemented with message profile configurations, which let you define the Must-IEs of interested messages.
    [edit]
    user@host# set security gprs gtp profile GTP must-ie-v2 msgie-v2
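The check that the GTPv2 profile above expresses, worked through as an added example (Python written for this page, not Junos code): it parses the TLIV encoding described in the Overview, looks up each interested message's Must-IEs by IE number and instance, and descends into grouped IEs through the linked grouped-ie profile, exactly as configured for message type 32. The TLIV header layout is taken from 3GPP TS 29.274; the sample message bodies are constructed, and the payload contents are dummy bytes.

```python
import struct
# The GTPv2 profile configured above: {(ie number, instance): nested profile or None}.
# A nested profile marks a grouped IE whose own payload is checked recursively.
BEARER_CTXT_CRT = {(73, 0): None, (80, 0): None, (87, 0): None}
BEARER_CTXT_RMV = {(73, 0): None}
MSGIE_V2 = {2: {(3, 0): None},                                         # Echo Response
            32: {(1, 0): None, (71, 0): None, (82, 0): None,           # Create Session Request
                 (87, 0): None, (87, 1): None,
                 (93, 0): BEARER_CTXT_CRT, (93, 1): BEARER_CTXT_RMV}}

def parse_ies(body):
    """Yield (ie_type, instance, payload) per TLIV IE (3GPP TS 29.274 header:
    type 1 byte, length 2 bytes big-endian, 1 byte whose low nibble is the instance)."""
    off = 0
    while off + 4 <= len(body):
        ie_type, length, flags = struct.unpack_from("!BHB", body, off)
        off += 4
        payload = body[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated IE %d" % ie_type)
        off += length
        yield ie_type, flags & 0x0F, payload

def missing_must_ies(profile, body, prefix=""):
    """Return names of the profile's IEs that are absent from body."""
    present = {}
    for ie_type, inst, payload in parse_ies(body):
        present.setdefault((ie_type, inst), payload)
    missing = []
    for (ie_type, inst), sub in profile.items():
        name = "%sie %d instance %d" % (prefix, ie_type, inst)
        if (ie_type, inst) not in present:
            missing.append(name)
        elif sub is not None:  # grouped IE: check its payload against the nested profile
            missing.extend(missing_must_ies(sub, present[(ie_type, inst)], name + " > "))
    return missing

def check_message(msg_type, body, profile=MSGIE_V2):
    """Empty list means forward. Types not in the profile are not interested messages."""
    return missing_must_ies(profile.get(msg_type, {}), body)

def ie(ie_type, instance, payload=b"\x00"):  # encodes one TLIV IE for the constructed samples
    return struct.pack("!BHB", ie_type, len(payload), instance & 0x0F) + payload

# Constructed sample bodies for message type 32 (dummy payload bytes, not captured traffic).
HEAD = ie(1, 0, b"\x00" * 8) + ie(71, 0, b"internet") + ie(82, 0) + ie(87, 0, b"\x00" * 9)
GOOD_BODY = (HEAD + ie(87, 1, b"\x00" * 9) + ie(93, 1, ie(73, 0))
             + ie(93, 0, ie(73, 0) + ie(80, 0) + ie(87, 0, b"\x00" * 9)))
BAD_BODY = HEAD + ie(93, 0, ie(73, 0) + ie(87, 0, b"\x00" * 9)) + ie(93, 1, ie(73, 0))  # no 87/1, no 80 in Bearer Context 0
```

A message type that is not in the profile passes unchanged, matching the device behaviour of checking only interested messages.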

Results

From configuration mode, confirm your configuration by entering the show security gprs gtp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security gprs gtp
profile GTP {
    must-ie-v1 {
        msgie-v1;
    }
}
message-ie-profile-v1 msgie-v1 {
    message 2 {
        ie 14;
    }
    message 16 {
        ie 2;
        ie 3;
        ie 16;
        ie 17;
        ie 20;
        ie 133;
    }
}

[edit]
user@host# show security gprs gtp
profile GTP {
    must-ie-v2 {
        msgie-v2;
    }
}
grouped-ie-profile Bearer-ctxt-crt {
    ie 73;
    ie 80;
    ie 87;
}
grouped-ie-profile Bearer-ctxt-rmv {
    ie 73;
}
message-ie-profile-v2 msgie-v2 {
    message 2 {
        ie 3;
    }
    message 32 {
        ie 1;
        ie 71;
        ie 82;
        ie 87 {
            instance 0;
            instance 1;
        }
        ie 93 {
            instance 0 {
                grouped-ie-profile {
                    Bearer-ctxt-crt;
                }
            }
            instance 1 {
                grouped-ie-profile {
                    Bearer-ctxt-rmv;
                }
            }
        }
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify the GTPv1 Message-IE Profile

Purpose

To verify the GTPv1 Message-IE profile.

Action

From operational mode, enter the show security gprs gtp message-ie-profile-v1 (all | <msgie-prf-v1-name>) command.

user@host> show security gprs gtp message-ie-profile-v1 all
GTP Profile List (id, name):
            1 msgie-v1
user@host> show security gprs gtp message-ie-profile-v1 msgie-v1
Profile msgie-v1, uid 1
 
Message Number 2
IE numbers:
14
 
Message Number 16
IE numbers:
2, 3, 16, 17, 20, 133

Meaning

The output displays the details of the GTPv1 Message-IE profile.

Verify the GTPv2 Message-IE Profile

Purpose

To verify the GTPv2 Message-IE profile.

Action

From operational mode, enter the show security gprs gtp message-ie-profile-v2 (all | <msgie-prf-v2-name>) command.

user@host> show security gprs gtp message-ie-profile-v2 all
GTP Profile List (id, name):
            1 msgie-v2
user@host> show security gprs gtp message-ie-profile-v2 msgie-v2
Profile msgie-v2, uid 1

Message Number   IE number/Grouped-IE   Instance numbers
2
                 3                      0

32
                 1                      0
                 71                     0
                 82                     0
                 87                     0
                 87                     1
                 Bearer-ctxt-crt        0
                 Bearer-ctxt-rmv        1

Meaning

The output displays the details of the GTPv2 Message-IE profile.

Verify the grouped-ie profile

Purpose

To verify the grouped-IE profile.

Action

From operational mode, enter the show security gprs gtp grouped-ie-profile (all | <grpie-prf-name>) command.

user@host> show security gprs gtp grouped-ie-profile all
GTP Profile List (id, name):
            1 Bearer-ctxt-crt
            2 Bearer-ctxt-rmv
user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-crt
Profile Bearer-ctxt-crt, uid 1
Grouped-IE Number   IE number/Grouped-IE   Instance numbers
93                  73                      0
                    80                      0
                    87                      0

user@host> show security gprs gtp grouped-ie-profile Bearer-ctxt-rmv
Profile Bearer-ctxt-rmv, uid 2
Grouped-IE Number   IE number/Grouped-IE   Instance numbers
93                   73                     0

Meaning

The output displays the details of the grouped-IE profile.
