GTP message type filtering

In addition to performing stateful GTP validation, in which packets with invalid message types (that is, message types that are not applicable to the roaming interfaces) are denied, AA FW allows the operator to further restrict allowed message types by configuring entries for GTP message type filters to deny (or permit) the message types listed in Table: Allowed message types that can be denied.

Table: Allowed message types that can be denied

GTP version  GTP-U port                GTP-C port
GTPv1        GTPV1_MSG_ECHO_REQ        GTPV1_MSG_ECHO_REQ
             GTPV1_MSG_ECHO_RESP       GTPV1_MSG_ECHO_RESP
             GTPV1_SUPP_EXT_HDR_NOTIF  GTPV1_SUPP_EXT_HDR_NOTIF
             GTPV1_MSG_ERR_IND         GTPV1_MSG_VER_NOT_SUPP_IND
             GTPV1_END_MARKER          GTPV1_MSG_PDP_CREATE_REQ
             GTPU_PDU                  GTPV1_MSG_PDP_CREATE_RESP
                                       GTPV1_MSG_PDP_UPD_REQ
                                       GTPV1_MSG_PDP_UPD_RESP
                                       GTPV1_MSG_PDP_DEL_REQ
                                       GTPV1_MSG_PDP_DEL_RESP
                                       GTPV1_MSG_NET_INIT_REQ
                                       GTPV1_MSG_NET_INIT_RESP
                                       GTPV1_MSG_MSINFO_REQ
                                       GTPV1_MSG_MSINFO_RESP
GTPv2        N/A                       GTP_PKT_ECHO_REQ
                                       GTP_PKT_ECHO_RSP
                                       GTP_PKT_VERSION_NOT_SUPPORTED
                                       GTP_PKT_CRE_SES_REQ
                                       GTP_PKT_CRE_SES_RSP
                                       GTP_PKT_MOD_BEARER_REQ
                                       GTP_PKT_MOD_BEARER_RSP
                                       GTP_PKT_DEL_SES_REQ
                                       GTP_PKT_DEL_SES_RSP
                                       GTP_PKT_CHG_NOT_REQ
                                       GTP_PKT_CHG_NOT_RSP
                                       GTP_PKT_MOD_BEARER_CMD
                                       GTP_PKT_MOD_BEARER_FAIL_INDICATION
                                       GTP_PKT_DEL_BEARER_CMD
                                       GTP_PKT_DEL_BEARER_FAIL_INDICATION
                                       GTP_PKT_BEARER_RESOURCE_CMD
                                       GTP_PKT_BEARER_RESOURCE_FAIL_INDICATION
                                       GTP_PKT_SUSPEND_NOTIFICATION
                                       GTP_PKT_SUSPEND_ACK
                                       GTP_PKT_RESUME_NOTIFICATION
                                       GTP_PKT_RESUME_ACK
                                       GTP_PKT_CRE_BEARER_REQ
                                       GTP_PKT_CRE_BEARER_RSP
                                       GTP_PKT_UPD_BEARER_REQ
                                       GTP_PKT_UPD_BEARER_RSP
                                       GTP_PKT_DEL_BEARER_REQ
                                       GTP_PKT_DEL_BEARER_RSP
                                       GTP_PKT_TRACE_SESSION_ACTIVATION
                                       GTP_PKT_TRACE_SESSION_DEACTIVATION
                                       GTP_PKT_UPDATE_PDN_CONNECTION_SET_REQ
                                       GTP_PKT_UPDATE_PDN_CONNECTION_SET_RSP
                                       GTP_PKT_DELETE_PDN_CONNECTION_SET_REQ
                                       GTP_PKT_DELETE_PDN_CONNECTION_SET_RSP

By default, GTP message filtering allows all of the GTP messages.

To configure GTPv2 message filtering, use the following command:

*A:Dut-C>config>app-assure>group>
+---gtp-filter <gtp-filter-name> [create]
|   +---gtpc-inspection
|   +---message-type-v2
|   |   |
|   |   +---default-action {permit|deny}
|   |   |
|   |   +---entry <entry-id> value <gtpv2-message-value> action {permit|deny}
|   |   |   no entry <entry-id>

To configure GTPv1 message filtering, use the following command:

*A:Dut-C>config>app-assure>group>
|   +---message-type
|   |   |
|   |   +--default-action {permit|deny}
|   |   |
|   |   +--entry <entry-id: 1..255> value <gtpv1-message-value> action {permit|deny}
|   |   |  no entry <entry-id>

Note: If the operator configures a filter entry to deny a message type that is invalid for the roaming interface, packets of that message type are dropped and counted under that filter entry (and are not tagged as dropped because of "wrong-interface" in the event log). However, configuring the message-type filter to "permit" a message type that is invalid for the roaming interface does not take effect, because packets with the specified message type are dropped by the GTP-C protocol inspection process.
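
The following Python sketch is an added example, not Nokia code, that models how a message-type-v2 filter and the note above interact: an explicit deny is counted under its entry, while a permit cannot rescue a type that GTP-C inspection rejects. The class and function names, the lowest-entry-id-wins rule, the sample packets and the use of value 170 as an interface-invalid type are assumptions made for illustration.

```python
# Added illustration: a model of the message-type-v2 semantics, not Nokia code.
from dataclasses import dataclass, field

CREATE_SESSION_REQ, DELETE_SESSION_REQ = 32, 36  # GTPv2-C values, 3GPP TS 29.274
# Assumption: constructed stand-in for a type "invalid for the roaming interface".
INVALID_ON_INTERFACE = {170}

@dataclass
class MessageTypeFilter:
    default_action: str = "permit"               # page: all messages allowed by default
    entries: dict = field(default_factory=dict)  # entry-id -> (value, action)
    hits: dict = field(default_factory=dict)     # entry-id -> packets dropped

    def evaluate(self, msg_type):
        """Return (action, entry-id); assumption: lowest matching entry-id wins."""
        for entry_id in sorted(self.entries):
            value, action = self.entries[entry_id]
            if value == msg_type:
                return action, entry_id
        return self.default_action, None

def gtp_message_type(packet: bytes):
    """Version is the top 3 bits of octet 1; message type is octet 2."""
    if len(packet) < 2:
        raise ValueError("truncated GTP header")
    return packet[0] >> 5, packet[1]

def sample(msg_type: int) -> bytes:
    """Constructed GTPv2-C header: flags 0x48, type, length 8, zeroed TEID/sequence."""
    return bytes([0x48, msg_type, 0x00, 0x08]) + bytes(8)

def process(flt: MessageTypeFilter, packet: bytes):
    """Return (verdict, drop reason) for one GTPv2-C packet."""
    version, msg_type = gtp_message_type(packet)
    if version != 2:
        raise ValueError("this model covers GTPv2-C only")
    action, entry_id = flt.evaluate(msg_type)
    if action == "deny":
        if entry_id is None:
            return "drop", "default-action"
        flt.hits[entry_id] = flt.hits.get(entry_id, 0) + 1
        return "drop", f"entry {entry_id}"       # counted under the filter entry
    if msg_type in INVALID_ON_INTERFACE:
        return "drop", "wrong-interface"         # permit entry has no effect here
    return "permit", None
```

With a default action of deny, only the explicitly permitted session-management types reach stateful inspection, which is the allow-list posture most roaming firewalls aim for.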