GTP-C out-of-state message-type protection

GTP is a stateful protocol. Consequently, some message types can only be sent in specific states. For example, PDP context update messages are not allowed for PDP contexts that do not exist or have been closed.

AA performs stateful GTP protocol validation and passes only packets that are allowed for any state or a specific deployment.

The table "Invalid message types in GTP FW roaming deployments" lists the message types that are invalid in GTP FW roaming deployments. When AA FW GTP-C inspection is enabled, packets with the message types listed in that table are dropped and the associated event logs include a "wrong interface" indication.

Note: The packets are dropped regardless of the configuration in the message-type or message-type-gtpv2 filter.

Table: Invalid message types in GTP FW roaming deployments

GTP version   GTP-U port                 GTP-C port
-----------   ------------------------   -------------------------------------------
GTPv1         no invalid message types   GTPU PDU
                                         GTPV1_END_MARKER
                                         GTPV1_MSG_ERR_IND
                                         GTPV1-ALL-MBMS message-types
                                         GTPV1-ALL-Location management message-types

GTPv2         not applicable             GTP_PKT_ERROR_INDICATION
                                         GTP_PKT_DNLK_DATA_FAIL_INDICATION
                                         GTP_PKT_STOP_PAGING_INDICATION
                                         GTP_PKT_CRE_INDR_TNL_REQ
                                         GTP_PKT_CRE_INDR_TNL_RSP
                                         GTP_PKT_DEL_INDR_TNL_REQ
                                         GTP_PKT_DEL_INDR_TNL_RSP
                                         GTP_PKT_RELEASE_BEARERS_REQ
                                         GTP_PKT_RELEASE_BEARERS_RSP
                                         GTP_PKT_DNLK_DATA
                                         GTP_PKT_DNLK_DATA_ACK
                                         GTP_PKT_MOD_ACCESS_BEARERS_REQ
                                         GTP_PKT_MOD_ACCESS_BEARERS_RSP
                                         GTP_PKT_REMOTE_UE_RPRT_NOTF
                                         GTP_PKT_REMOTE_UE_RPRT_ACK
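
The following Python sketch is an added example, not AA code or output: it models the two checks described above for GTPv1, dropping user-plane message types that arrive on the GTP-C port and dropping PDP context update or delete requests for a context that is not open. Assumptions: the context key `ctx` is a hypothetical identifier that a real inspector would derive from the TEID information elements (IE parsing is omitted), every Create PDP Context Response is treated as accepted, and the "out of state" label and the `sample` packets are constructed for illustration.

```python
import struct

GTPC_PORT, GTPU_PORT = 2123, 2152  # registered GTP-C / GTP-U UDP ports
# GTPv1 message type values (3GPP TS 29.060)
CREATE_REQ, CREATE_RSP, UPDATE_REQ, UPDATE_RSP, DELETE_REQ, DELETE_RSP = range(16, 22)
# GTPv1 user-plane types the table lists as invalid on the GTP-C port
WRONG_INTERFACE = {26: "GTPV1_MSG_ERR_IND", 254: "GTPV1_END_MARKER", 255: "GTPU PDU"}

def parse_gtpv1(pkt: bytes) -> int:
    """Validate the 8-byte mandatory GTPv1 header and return the message type."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    if length != len(pkt) - 8:
        raise ValueError("length field mismatch")
    return msg_type

class Gtpv1StateCheck:
    """Simplified model: tracks which PDP contexts are currently open."""
    def __init__(self):
        self.open_contexts = set()

    def inspect(self, dst_port: int, pkt: bytes, ctx: str) -> str:
        try:
            msg_type = parse_gtpv1(pkt)
        except ValueError as exc:
            return f"drop: {exc}"
        # Deployment check: user-plane messages must not appear on the GTP-C port.
        if dst_port == GTPC_PORT and msg_type in WRONG_INTERFACE:
            return "drop: wrong interface"
        # State check: update/delete only make sense for an open context.
        if msg_type == CREATE_RSP:          # assumption: cause is "accepted"
            self.open_contexts.add(ctx)
        elif msg_type in (UPDATE_REQ, UPDATE_RSP, DELETE_REQ) and ctx not in self.open_contexts:
            return "drop: out of state"     # constructed label, not an AA log string
        elif msg_type == DELETE_RSP:
            self.open_contexts.discard(ctx)
        return "allow"

def sample(msg_type: int) -> bytes:
    """Constructed GTPv1 packet: flags 0x32 (v1, PT=1, S=1), TEID 0, 4 optional bytes."""
    return struct.pack("!BBHI", 0x32, msg_type, 4, 0) + bytes(4)
```
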

AA does not perform GTP-C inspection by default. To enable GTP-C inspection, use the following command:

*A:Dut-C>config>app-assure>group>
+---gtpc-inspection