Junos® OS
Securing GTP and SCTP User Guide for Security Devices
Published 2021-04-18
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS Securing GTP and SCTP Traffic User Guide for Security Devices
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About This Guide | xii

1 General Packet Radio Service (GPRS) Overview
Introduction to GPRS | 2
GPRS Overview | 2
Understanding GTP Support for Central Point Architecture | 6

2 Securing GTP Traffic
Policy-Based GTP | 11
Understanding Policy-Based GTP | 11
Example: Enabling GTP Inspection in Policies | 13
Requirements | 13
Overview | 14
Configuration | 14
Verification | 18
Understanding GTP Inspection Objects | 19
Example: Creating a GTP Inspection Object | 19
Requirements | 20
Overview | 20
Configuration | 20
Verification | 20
Understanding GTPv2 | 21
Understanding Policy-Based GTPv2 | 23
Example: Enabling GTPv2 Inspection in Policies | 24
Requirements | 24
Overview | 24
Configuration | 24
Verification | 28
Understanding GTP Path Restart | 28
Example: Restarting a GTPv2 Path | 29
Requirements | 29
Overview | 29
Configuration | 29
Verification | 30
Understanding GTPv2 Tunnel Cleanup | 31
Example: Setting the Timeout Value for GTPv2 Tunnels | 31
Requirements | 31
Overview | 31
Configuration | 32
Verification | 32
Understanding GTPv2 Traffic Logging | 33
Example: Enabling GTPv2 Traffic Logging | 33
Requirements | 34
Overview | 34
Configuration | 34
Verification | 35
GTPv1 Message Filtering | 35
Understanding GTP Message Filtering | 36
Example: Setting the GTP Message-Length Filtering | 37
Requirements | 37
Overview | 37
Configuration | 37
Verification | 38
Supported GTP Message Types | 38
Example: Filtering GTP Message Types | 42
Requirements | 42
Overview | 42
Configuration | 42
Verification | 43
Understanding Rate Limiting for GTP Control Messages | 43
Understanding Path Rate Limiting for GTP Control Messages | 44
Example: Limiting the Message Rate and Path Rate for GTP Control Messages | 45
Requirements | 45
Overview | 45
Configuration | 46
Verification | 50
Example: Enabling GTP Sequence Number Validation | 51
Requirements | 51
Overview | 51
Configuration | 51
Verification | 52
Configuring GTP Handover Group | 52
GTP Handover Group Overview | 53
Understanding GTP Handover Messages | 54
Example: Configuring Handover Groups | 55
Requirements | 56
Overview | 56
Configuration | 57
Verification | 63
Enabling GTP Interoperability between 2G and 3G Networks | 63
Understanding GTP Information Elements | 64
Understanding R6, R7, R8, and R9 Information Elements Removal | 64
Supported R6, R7, R8, and R9 Information Elements | 64
Example: Removing R6, R7, R8, and R9 Information Elements from GTP Messages | 71
Requirements | 72
Overview | 72
Configuration | 72
Verification | 73
Understanding GTPv1 Information Element Removal | 73
Example: Removing GTPv1 Information Elements Using IE Number | 74
Requirements | 74
Overview | 74
Configuration | 74
Understanding GTPv2 Information Elements | 76
Example: Configure Must-IE check for GTPv1 and GTPv2 | 77
Requirements | 77
Overview | 77
Configuration | 78
Verification | 83
Example: Configure IE removal for GTPV1 and GTPv2 | 86
Requirements | 86
Overview | 86
Configuration | 87
Verification | 90
Understanding GTP APN Filtering | 91
Example: Setting a GTP APN and a Selection Mode | 92
Requirements | 93
Overview | 93
Configuration | 93
Verification | 94
Understanding IMSI Prefix Filtering of GTP Packets | 94
Example: Setting a Combined IMSI Prefix and APN Filter | 94
Requirements | 95
Overview | 95
Configuration | 95
Verification | 96
Understanding GTPv2 IMSI Prefix and APN Filtering | 96
Monitoring GTP Traffic | 98
Understanding GTP-U Inspection | 98
Understanding GTP Tunnel Enhancements | 99
Understand Validation of IP Address in GTP Messages | 100
Example: Configure the Validity of IP Address in GTP Messages | 109
Requirements | 109
Overview | 109
Configure IP Address in GTP Messages | 109
Verification | 117
GTP Traffic logs | 120
Understanding GTP Traffic logs | 120
NAT for GTP | 131
Understanding NAT for GTP | 131
Example: Configuring GTP Inspection in NAT | 132
Requirements | 132
Overview | 132
Configuration | 133
Verification | 138
Understanding Network Address Translation-Protocol Translation | 139
Example: Enhancing Traffic Engineering by Configuring NAT-PT Between an IPv4 and an IPv6 Endpoint with SCTP Multihoming | 139
Requirements | 140
Overview | 140
Configuration | 141
Verification | 147
PMI Flow Based CoS Functions for GTP-U | 150
PMI Flow Based CoS Functions for GTP-U scenario with TEID Distribution and Asymmetric Fat Tunnel Solution | 150
Configurations to enable PMI and GTP | 152
GGSN Overview | 154
Understanding GGSN Redirection | 154
GGSN Pooling Scenarios Overview | 155
Example: Configuring a GGSN Custom Policy | 160
Requirements | 160
Overview | 160
Configuration | 161
Verification | 163
Example: Configuring Custom GGSN Actions | 164
Requirements | 165
Overview | 165
Configuration | 165

3 Securing Stream Control Transmission Protocol (SCTP) Traffic
SCTP Overview | 170
Understanding Stream Control Transmission Protocol | 170
SCTP Packet Structure Overview | 177
Understanding SCTP Multihoming | 179
Understanding SCTP Multichunk Inspection | 180
Understanding SCTP Behavior in Chassis Cluster | 181
SCTP Configuration | 182
SCTP Configuration Overview | 183
Example: Configuring a Security Policy to Permit or Deny SCTP Traffic | 183
Requirements | 183
Overview | 184
Configuration | 187
Verification | 189
Example: Configuring a GPRS SCTP Profile for Policy-Based Inspection to Reduce Security Risks | 190
Requirements | 190
Overview | 190
Configuration | 190
Verification | 192

4 Configuration Statements
action (APN GTP) | 196
alarm-threshold (Security GPRS) | 198
apn | 199
association-timeout | 202
create-req | 203
delete-req | 205
drop (Security GTP) | 207
drop (Security SCTP) | 212
drop-threshold (Security GPRS) | 216
echo-req | 218
enable-gtpu-distribution | 220
gprs | 221
gprs-gtp-profile | 227
gprs-sctp-profile | 229
r r | 231
gtp | 233
handover-default | 237
handover-group | 239
handshake-timeout | 241
ie-set | 242
imsi-prefix | 244
limit (Security SCTP) | 246
listening-mode | 248
log (Security GTP) | 250
log (Security SCTP) | 252
max-message-length | 254
message-ie-profile-v1 | 255
message-ie-profile-v2 | 257
message-list | 259
message-type | 261
min-message-length | 264
multichunk-inspection | 265
nullpdu | 267
other | 269
path-rate-limit | 272
permit (Security SCTP) | 275
profile (Security GTP) | 276
profile (Security SCTP) | 281
rate-limit (Aggregated rate limit) | 284
rate-limit (Security GTP) | 287
remove-ie | 289
req-timeout | 291
restart-path | 293
sctp | 294
seq-number-validated (GTP) | 297
timeout (Security GTP) | 299
traceoptions (Security GTP) | 300
traceoptions (Security SCTP) | 303

5 Operational Commands
clear gtp tunnels | 309
clear security gtp counters | 310
clear security gprs sctp association | 313
clear security gprs sctp counters | 316
show gtp tunnels | 318
show security gtp profile | 324
show security gtp counters | 337
show security gprs gtp counters path-rate-limit | 350
show security gprs gtp r r | 353
show security gprs gtp gsn statistics | 355
show security gprs gtp handover-group | 356
show security gprs gtp ie-set | 358
show security gprs gtp ip-group | 360
show security gprs gtp message-ie-profile-v1 | 362
show security gprs gtp message-ie-profile-v2 | 365
show security gtp message-list | 367
show security gtp rate-limit default | 369
show security gprs sctp association | 371
show security gprs sctp counters | 374
About This Guide
Use this guide to configure General Packet Radio Switching (GPRS) Tunneling Protocol (GTP) and Stream Control Transmission Protocol (SCTP) in Junos OS on the SRX Series devices to secure GTP and SCTP traffic flow to external networks. The GTP firewall features such as policy-based GTP, GTP inspection, and GTP handover techniques address key security issues in mobile operators' networks.
CHAPTER 1
General Packet Radio Service (GPRS) Overview
Introduction to GPRS | 2

Introduction to GPRS
IN THIS SECTION
GPRS Overview | 2
Understanding GTP Support for Central Point Architecture | 6

GPRS Overview
IN THIS SECTION
Gp and Gn Interfaces | 3
Gi Interface | 4
Operational Modes | 5
GTP In-Service Software Upgrade | 6
General Packet Radio Service (GPRS) networks connect to several external networks including those of roaming partners, corporate customers, GPRS Roaming Exchange (GRX) providers, and the public Internet. GPRS network operators face the challenge of protecting their network while providing and controlling access to and from these external networks. Juniper Networks provides solutions to many of the security problems plaguing GPRS network operators.
In the GPRS architecture, the fundamental cause of security threats to an operator’s network is the inherent lack of security in the GPRS tunneling protocol (GTP). GTP is the protocol used between GPRS support nodes (GSNs). GTP is used to establish a GTP tunnel for individual user endpoints (UEs) and between a Service Gateway (S-GW) and a PDN Gateway (P-GW) in 4G. A GTP tunnel is a channel between GSNs through which two hosts exchange data. The SGSN (S-GW ) receives packets from the user endpoints and encapsulates them within a GTP header before forwarding them to the GGSN through the GTP tunnel. When the GGSN receives the packets, it decapsulates them and forwards them to the external host.
Communication between different GPRS networks is not secure because GTP does not provide any authentication, data integrity, or confidentiality protection. Implementing IP Security (IPsec) for connections between roaming partners, setting traffic rate limits, and using stateful inspection can eliminate a majority of the GTP’s security risks. The GTP firewall features in Junos OS address key security issues in mobile operators’ networks.
Juniper Networks security devices mitigate a wide variety of attacks on the following types of GPRS interfaces:
• Gn—The Gn interface is the connection between an SGSN (S-GW) and a GGSN within the same public land mobile network (PLMN).
S5 - The S5 interface is the connection between an S-GW and a P-GW within the PLMN in 4G networks.
• Gp—The Gp interface is the connection between two PLMNs.
S8 - The S8 interface is the bearer plane connection between home and visited PLMNs in 4G networks.
• Gi—The Gi interface is the connection between a GGSN and the Internet or destination networks connected to a PLMN.
SGi - The SGi interface is the connection between a P-GW and the Internet or destination networks connected to a PLMN in 4G networks.
The term interface has different meanings in Junos OS and in GPRS technology. In Junos OS, an interface is a doorway to a security zone that allows traffic to enter and exit the zone. In GPRS, an interface is a connection, or a reference point, between two components of a GPRS infrastructure, for example, an SGSN (S-GW) and a GGSN (P-GW).
Starting in Junos OS Release 18.4R1, GPRS tunneling protocol (GTP) traffic security inspection is supported on IPv6 addresses along with existing IPv4 support. With this enhancement, a GTP tunnel using either IPv4 or IPv6 addresses is established for individual user endpoints (UEs) between a Serving GPRS Support Node (SGSN) in 3G or a Service Gateway (S-GW) and a Gateway GPRS Support Node (GGSN) in 3G or a PDN Gateway (P-GW) in 4G. With IPv6 support, the GTP Application Layer Gateway (ALG) inspects or ignores IPv6 GTP sessions according to the policy configurations. All ALG functions on IPv4 are supported on IPv6. You can inspect GTP signaling or data messages transmitted over IPv6 based on the policy configurations.
This topic contains the following sections:
Gp and Gn Interfaces
You implement a security device on the Gn interface to protect core network assets such as the SGSN (S-GW) and GGSN (P-GW). To secure GTP tunnels on the Gn interface, you place the security device between SGSNs (S-GW) and GGSNs (P-GW) within a common PLMN.
When you implement a security device on the Gp interface, you protect a PLMN from another PLMN. To secure GTP tunnels on the Gp interface, you place the SGSNs (S-GW) and GGSNs (P-GW) of a PLMN behind the security device so that all traffic, incoming and outgoing, goes through the firewall.
Figure 1 on page 4 illustrates the placement of Juniper Networks SRX Series devices used to protect PLMNs on the Gp and Gn interfaces.
Figure 1: Gp and Gn Interfaces
Gi Interface
When you implement a security device on the Gi interface, you can simultaneously control traffic for multiple networks, protect a PLMN against the Internet and external networks, and protect mobile users from the Internet and other networks. Junos OS provides a great number of virtual routers, making it possible for you to use one virtual router per customer network and thereby allow the separation of traffic for each customer network.
The security device can securely forward packets to the Internet or destination networks using the Layer 2 Tunneling Protocol (L2TP) for IPsec virtual private network (VPN) tunnels.
SRX Series devices do not support full L2TP.
Figure 2 on page 5 illustrates the implementation of a security device to protect a PLMN on the Gi interface.
Figure 2: Gi Interface
Operational Modes
Junos OS supports two interface operational modes with GTP: transparent mode and route mode. If you want the security device to participate in the routing infrastructure of your network, you can run it in route mode. This requires a certain amount of network redesign. Alternatively, you can implement the security device into your existing network in transparent mode without having to reconfigure the entire network. In transparent mode, the security device functions as a Layer 2 switch or bridge, and the IP addresses of interfaces are set at 0.0.0.0, making the presence of the security device invisible, or transparent, to users.
Junos OS supports NAT on interfaces and policies that do not have GTP inspection enabled.
Currently in Junos OS, route mode supports active/passive and active/active chassis cluster. Transparent mode supports active/passive only.
GTP In-Service Software Upgrade
GTP supports unified in-service software upgrade (ISSU) between two SRX Series devices running two different Junos OS releases. Unified ISSU is performed on a chassis cluster, enabling a software upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic.
On SRX5400, SRX5600, and SRX5800 devices, ISSU is supported from Junos OS Release 12.1X45 through Junos OS Release 12.1X46 and from Junos OS Release 12.1X46 through Junos OS Release 12.3X48-D10. ISSU is not supported from Junos OS Release 12.1X45 through Junos OS Release 12.3X48-D10.
Understanding GTP Support for Central Point Architecture
IN THIS SECTION
GTP Tunnel Management | 7
GSN | 8
Path Object Management | 8
User equipment (for example, a cellphone) attaches to a Serving GPRS Support Node (SGSN) or S-GW (Serving Gateway) for General Packet Radio Service (GPRS) data service. The SGSN (S-GW) connects to a gateway GPRS support node to access the Internet. The user equipment requests the SGSN to create one or multiple GPRS tunneling protocol (GTP) tunnels to the GGSN or P-GW (PDN Gateway) for Internet access. In situations where the user equipment moves to a new location, the user equipment has to attach to another SGSN. The new SGSN notifies the GGSN to update the new SGSN information in the original tunnel.
The GTP Application Layer Gateway (ALG) maintains the status of the tunnels and permits tunnel update request packets only for the existing tunnels. When the user equipment moves to a new location and attaches to another SGSN, the new SGSN information must be updated in the original tunnel.
Because few GTP-C messages are bidirectional and messages can be sent either by the SGSN or by the GGSN, correct session distribution is not guaranteed. That is, the GTP ALG stops creating a session if the first packet originates from an unknown direction. In this case, the first packet and the other pending packets are dropped.
To prevent GTP-C packets from being dropped, a new flow session is created and the GTP-C traffic is allowed to pass even if the GGSN or SGSN direction is not determined. Later, the GGSN IP is determined using the correct SPU to create the flow session; otherwise, the session is migrated to the designated SPU.
Starting from Junos OS Release 18.4R1, the GTP-C tunnel is enhanced to support the tunnel-based session distribution to speed up the tunnel setup process and load balance the sessions between the SPUs. The tunnel-based session guarantees that the GTP-C tunnel messages reach the control tunnel and initiates the stateful inspection. If the GTP-C distribution is enabled, the GTP-C tunnels and the GTP-C tunnel sessions are distributed by the SGSN tunnel endpoint identifier (TEID) of the tunnel. Use the set security forwarding-process application-services enable-gtpu-distribution command to enable the tunnel-based session distribution, where the GTP-C traffic of different tunnels is spread across different SPUs.
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the central point architecture is enhanced. Enhancements are as follows:
• Prevent GTP-C packet drop issues during the SGSN handover.
• Support the GTP-C message rate limiting to protect the GGSN from flooding of GTP-C messages.
• Distribute GTP-C and GTP-U traffic handled by a GGSN and SGSN pair on all SPUs by switching to tunnel-based session distribution, in which the GTP-C and GTP-U traffic of different tunnels is spread across different SPUs. Use the enable-gtpu-distribution command to enable GTP-C or GTP-U session distribution.
GTP Tunnel Management
GTP is used to establish a GTP tunnel for individual user endpoints (UEs) and between a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN). A GTP tunnel is a channel between GSNs through which two hosts exchange data. The SGSN receives packets from the user endpoints (UEs) and encapsulates them within a GTP header before forwarding them to the GGSN through the GTP tunnel. When the GGSN receives the packets, it decapsulates them and forwards them to the external host.
Tunnel Object: The client endpoints contain information for the downstream GSN (SGSN); the server endpoints hold information for the upstream GSN (GGSN). Each tunnel endpoint reserves fields for one IPv4 address and one IPv6 address. The tunnel endpoint saves the addresses learned in the tunnel creation or update messages.
Redirect Entry: Redirect entries (also called redirect tunnels) are installed to help find the anchor SPU. Redirect endpoints are created by means of the creation of normal GTP tunnels. A redirect entry is mapped to one tunnel endpoint and it copies the IP address(es), TEID value, and anchor SPU ID from the tunnel. With IPv6 tunnel support, the redirect entry is expanded in the same way as the tunnel object.
GSN
The gateway GPRS support node (GGSN) or P-GW (PDN Gateway) converts the incoming data traffic coming from the mobile users through the serving GPRS support node (SGSN) and forwards it to the relevant network, and vice versa. The GGSN and the SGSN together form the GPRS support nodes (GSN).
GSN Object: The GTP ALG maintains a GSN table. Each GSN node in the GSN table records one GSN IP address (IPv4 or IPv6), the GSN restart counter, the GSN-based rate-limiting counter, and so on. If a GSN node has both an IPv4 and an IPv6 address, the GTP ALG generates two GSN entries, one for the IPv4 address and the other for the IPv6 address; the two GSN entries of the same GSN node count the rate-limited signaling messages independently and age out separately.
GSN Reboot: If a GSN reboots, the restart counter changes and the related tunnels are deleted. For example, if a GSN node has two IP addresses on tunnels and the GSN restart is detected by only one IP address (IPv4 or IPv6), the tunnels with both IP addresses are removed, and vice versa.
Path Object Management
A path object contains two GSN addresses and it supports both IPv4 and IPv6 addresses. A path object records the information between the GSN addresses such as the message counter, the last time, and so on. For a GSN that has both an IPv4 and an IPv6 address, the two addresses have their own separate paths. Each path performs its own rate limiting and ages out separately.
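The tunnel, GSN and path bookkeeping described in this topic, as an added Python model (example code, not Junos OS code): one GSN entry per address, tear-down of every tunnel of a node when a restart is noticed on any one of its addresses, separate IPv4 and IPv6 paths with their own counters, and tunnels anchored to SPUs by SGSN TEID with redirect entries. The class names, the modulo choice of anchor SPU, the per-path message budget and the sample addresses are this example's own assumptions.

```python
"""Added example (not Junos OS code): a Python model of the GTP ALG bookkeeping
described above - one GSN entry per address, tunnels holding one IPv4 and one IPv6
address per endpoint, GSN-restart tear-down, per-family paths, TEID-based anchoring."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class GsnEntry:
    node: str                 # label of the GSN the address belongs to (assumed)
    address: str              # one entry per address, so a dual-stack node has two
    restart_counter: int
    signaling_msgs: int = 0   # GSN-based rate-limit counter, kept per entry


@dataclass
class Tunnel:
    sgsn_teid: int
    client: dict = field(default_factory=dict)  # family -> downstream GSN (SGSN) address
    server: dict = field(default_factory=dict)  # family -> upstream GSN (GGSN) address
    anchor_spu: int = 0


class GtpAlgModel:
    def __init__(self, num_spus, path_rate_limit=100):
        self.num_spus = num_spus
        self.path_rate_limit = path_rate_limit   # assumed per-path message budget
        self.gsns = {}        # address -> GsnEntry
        self.tunnels = {}     # sgsn_teid -> Tunnel
        self.paths = {}       # (sgsn_addr, ggsn_addr) of one family -> message counter
        self.redirects = {}   # (address, teid) -> anchor SPU id

    def learn_gsn(self, node, addr, restart_counter):
        """Create or refresh one GSN address entry; returns TEIDs torn down by a restart."""
        entry = self.gsns.get(addr)
        if entry is None:
            self.gsns[addr] = GsnEntry(node, addr, restart_counter)
            return []
        if entry.restart_counter == restart_counter:
            return []
        entry.restart_counter = restart_counter
        return self.gsn_rebooted(node)

    def gsn_rebooted(self, node):
        """A restart seen on one address of a node deletes every tunnel that uses any
        of that node's addresses, IPv4 or IPv6, together with their redirect entries."""
        node_addrs = {a for a, e in self.gsns.items() if e.node == node}
        gone = [teid for teid, t in self.tunnels.items()
                if node_addrs & (set(t.client.values()) | set(t.server.values()))]
        for teid in gone:
            t = self.tunnels.pop(teid)
            for a in list(t.client.values()) + list(t.server.values()):
                self.redirects.pop((a, teid), None)
        return gone

    def create_tunnel(self, sgsn_teid, sgsn_addrs, ggsn_addrs):
        """Install a tunnel learned from a tunnel creation message. The anchor SPU is
        derived from the SGSN TEID (modulo here, an assumption) so tunnels spread
        across SPUs; redirect entries copy addresses, TEID and anchor SPU."""
        t = Tunnel(sgsn_teid, anchor_spu=sgsn_teid % self.num_spus)
        for a in sgsn_addrs:
            t.client[ipaddress.ip_address(a).version] = a
        for a in ggsn_addrs:
            t.server[ipaddress.ip_address(a).version] = a
        self.tunnels[sgsn_teid] = t
        for a in list(sgsn_addrs) + list(ggsn_addrs):
            self.redirects[(a, sgsn_teid)] = t.anchor_spu
        # One path per address pair of the same family: the IPv4 and IPv6 paths of
        # a dual-stack pair are counted and aged separately.
        for fam in t.client.keys() & t.server.keys():
            self.paths.setdefault((t.client[fam], t.server[fam]), 0)
        return t

    def control_message(self, src, dst):
        """Account one GTP-C message; False means no path exists or the budget is exceeded."""
        key = (src, dst) if (src, dst) in self.paths else (dst, src)
        if key not in self.paths:
            return False
        self.paths[key] += 1
        if src in self.gsns:
            self.gsns[src].signaling_msgs += 1
        return self.paths[key] <= self.path_rate_limit


def demo():
    """Constructed scenario: dual-stack SGSN and GGSN, two tunnels, then an SGSN
    restart that is noticed only on the SGSN's IPv6 address."""
    alg = GtpAlgModel(num_spus=4, path_rate_limit=2)
    for addr in ("10.0.0.5", "2001:db8::5"):
        alg.learn_gsn("sgsn-a", addr, restart_counter=1)
    for addr in ("10.0.0.6", "2001:db8::6"):
        alg.learn_gsn("ggsn-a", addr, restart_counter=7)
    t1 = alg.create_tunnel(0x1001, ["10.0.0.5", "2001:db8::5"], ["10.0.0.6", "2001:db8::6"])
    t2 = alg.create_tunnel(0x1002, ["10.0.0.5"], ["10.0.0.6"])  # IPv4-only tunnel
    v4 = [alg.control_message("10.0.0.5", "10.0.0.6") for _ in range(3)]
    v6 = alg.control_message("2001:db8::5", "2001:db8::6")  # separate path, own counter
    torn_down = alg.learn_gsn("sgsn-a", "2001:db8::5", restart_counter=2)
    return {"anchors": (t1.anchor_spu, t2.anchor_spu), "paths": len(alg.paths),
            "v4": v4, "v6": v6, "torn_down": sorted(torn_down),
            "tunnels_left": len(alg.tunnels), "redirects_left": len(alg.redirects)}
```

Running demo() shows the third IPv4 control message exceeding the path budget while the IPv6 path is unaffected, and the restart seen on the IPv6 address removing the IPv4-only tunnel of the same node as well.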
Release History Table
Release | Description
18.4R1 | Starting in Junos OS Release 18.4R1, GPRS tunneling protocol (GTP) traffic security inspection is supported on IPv6 addresses along with existing IPv4 support. With this enhancement, a GTP tunnel using either IPv4 or IPv6 addresses is established for individual user endpoints (UEs) between a Serving GPRS Support Node (SGSN) in 3G or a Service Gateway (S-GW) and a Gateway GPRS Support Node (GGSN) in 3G or a PDN Gateway (P-GW) in 4G. With IPv6 support, the GTP Application Layer Gateway (ALG) inspects or ignores IPv6 GTP sessions according to the policy configurations. All ALG functions on IPv4 are supported on IPv6. You can inspect GTP signaling or data messages transmitted over IPv6 based on the policy configurations.
15.1X49-D40 | Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the central point architecture is enhanced.
RELATED DOCUMENTATION
Chassis Cluster Overview
Day One: SRX Series Up and Running with Advanced Security Services
CHAPTER 2
Securing GTP
Policy-Based GTP | 11
GTPv1 Message Filtering | 35
Configuring GTP Handover Group | 52
Enabling GTP Interoperability between 2G and 3G Networks | 63
Monitoring GTP Traffic | 98
GTP Traffic logs | 120
NAT for GTP | 131
PMI Flow Based CoS Functions for GTP-U | 150
GGSN Overview | 154
Policy-Based GTP
IN THIS SECTION
Understanding Policy-Based GTP | 11
Example: Enabling GTP Inspection in Policies | 13
Understanding GTP Inspection Objects | 19
Example: Creating a GTP Inspection Object | 19
Understanding GTPv2 | 21
Understanding Policy-Based GTPv2 | 23
Example: Enabling GTPv2 Inspection in Policies | 24
Understanding GTP Path Restart | 28
Example: Restarting a GTPv2 Path | 29
Understanding GTPv2 Tunnel Cleanup | 31
Example: Setting the Timeout Value for GTPv2 Tunnels | 31
Understanding GTPv2 Traffic Logging | 33
Example: Enabling GTPv2 Traffic Logging | 33
Understanding Policy-Based GTP
The GPRS tunneling protocol (GTP) policies contain rules that permit, deny, or tunnel traffic. The device performs GTP policy filtering by checking every GTP packet against policies that regulate GTP traffic and by then forwarding, dropping, or tunneling the packet based on these policies.
By default, the public land mobile network (PLMN) that the Juniper Networks device protects is in the Trust zone. The device protects the PLMN in the Trust zone against other PLMNs in other zones. You can place all the PLMNs against which you are protecting your PLMN in the Untrust zone, or you can create separate zones for each PLMN. A PLMN can occupy one security zone or multiple security zones.
You must create policies to enable traffic to flow between zones and PLMNs. Policies contain rules that permit, deny, or tunnel traffic. The device performs GPRS tunneling protocol (GTP) policy filtering by
checking every GTP packet against policies that regulate GTP traffic and by then forwarding, dropping, or tunneling the packet based on these policies.
By selecting the GTP service in a policy, you enable the device to permit, deny, or tunnel GTP traffic. However, this does not enable the device to inspect GTP traffic. For the device to inspect GTP traffic, you must apply a GTP configuration, also referred to as a GTP inspection object, to a policy.
You can apply only one GTP inspection object per policy, but you can apply a GTP inspection object to multiple policies. Using policies, you can permit or deny the establishment of GTP tunnels from certain peers such as a Serving GPRS Support Node (SGSN).
Starting in Junos OS Release 19.4R1, to accommodate IoT (Internet of Things) and roaming firewall use cases, the GTP tunnel scale per SPU is increased for the following SRX5000 (SRX5400, SRX5600, SRX5800) and SRX4600 devices:
Table 1:
Platform | SRX5000 SPC2 | SRX5000 SPC3 | SRX4600
Pre 19.4 Tunnel Scale per SPU | 600K | 1.2M | 400K
Pre 19.4 Tunnel Scale per SPC | 600K * 4 | 1.2M * 2 | 400K
19.4 onwards Tunnel Scale per SPU | 3M | 12M | 4M
19.4 onwards Tunnel Scale per SPC | 3M * 4 | 12M * 2 | 4M
Starting in Junos OS Release 20.1R1, to enable IoT (Internet of Things) and roaming firewall use cases, the GTP tunnel scale is increased for the following SRX devices:
Table 2:
Platform | SRX1500 | SRX4100 | SRX4200
Pre 20.1 Tunnel Scale per system | 204800 | 409600 | 819200
20.1 onwards Tunnel Scale per system | 1024000 | 4096000 | 4096000
For vSRX instances, the number of tunnels supported depends on the available system memory.
Table 3:
Platform | Memory | Tunnel Number
vSRX | 4G/6G | 40K
vSRX | 8G/10G/12G/14G | 200K
vSRX | 16G/20G/24G/28G | 400K
vSRX | 32G/40G/48G | 800K
vSRX | 56G/64G | 1600K (1.6M)
You can configure policies that specify “Any” as the source or destination zone (thereby including all hosts in the zone), and you can configure policies that specify multiple source and destination addresses. In policies, you can enable traffic logging.
Example: Enabling GTP Inspection in Policies
IN THIS SECTION
Requirements | 13
Overview | 14
Configuration | 14
Verification | 18
This example shows how to enable GTP inspection in policies.
Requirements
Before you begin, the device must be restarted after GTP is enabled. By default, GTP is disabled on the device.
Overview
In this example, you configure the interfaces ge-0/0/1 and ge-0/0/2 with the addresses 2.0.0.254/8 and 3.0.0.254/8. You then configure the security zones and specify the addresses 2.0.0.5/32 and 3.0.0.6/32. You enable the GTP service in the security policies to allow bidirectional traffic between two networks within the same PLMN.
Configuration
IN THIS SECTION
Procedure | 14
Procedure
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security gprs gtp profile gtp1
set interfaces ge-0/0/1 unit 0 family inet address 2.0.0.254/8
set interfaces ge-0/0/2 unit 0 family inet address 3.0.0.254/8
set security zones security-zone sgsn interfaces ge-0/0/1.0
set security zones security-zone sgsn host-inbound-traffic system-services all
set security zones security-zone sgsn host-inbound-traffic protocols all
set security zones security-zone ggsn interfaces ge-0/0/2.0
set security zones security-zone ggsn host-inbound-traffic system-services all
set security zones security-zone ggsn host-inbound-traffic protocols all
set security address-book global address local-sgsn 2.0.0.5/32
set security address-book global address remote-ggsn 3.0.0.6/32
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
Step-by-Step Procedure
To configure GTP inspection in policies:
1. Create the GTP inspection object.
[edit]
user@host# set security gprs gtp profile gtp1
2. Configure interfaces.
[edit interfaces]
user@host# set ge-0/0/1 unit 0 family inet address 2.0.0.254/8
user@host# set ge-0/0/2 unit 0 family inet address 3.0.0.254/8
3. Configure security zones.
[edit security zones]
user@host# set security-zone sgsn interfaces ge-0/0/1.0
user@host# set security-zone sgsn host-inbound-traffic system-services all
user@host# set security-zone sgsn host-inbound-traffic protocols all
user@host# set security-zone ggsn interfaces ge-0/0/2.0
user@host# set security-zone ggsn host-inbound-traffic system-services all
user@host# set security-zone ggsn host-inbound-traffic protocols all
4. Specify addresses.
[edit security address-book global]
user@host# set address local-sgsn 2.0.0.5/32
user@host# set address remote-ggsn 3.0.0.6/32
5. Enable the GTP service in the security policies.
[edit security policies]
user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
user@host# set from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
user@host# set from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security
...
gprs {
    gtp {
        profile gtp1;
    }
}
zones {
    security-zone Trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    ...
    security-zone sgsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone ggsn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
}
address-book {
    global {
        address local-sgsn 2.0.0.5/32;
        address remote-ggsn 3.0.0.6/32;
    }
}
policies {
    from-zone sgsn to-zone ggsn {
        policy sgsn_to_ggsn {
            match {
                source-address local-sgsn;
                destination-address remote-ggsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    from-zone ggsn to-zone sgsn {
        policy ggsn_to_sgsn {
            match {
                source-address remote-ggsn;
                destination-address local-sgsn;
                application junos-gprs-gtp;
            }
            then {
                permit {
                    application-services {
                        gprs-gtp-profile gtp1;
                    }
                }
            }
        }
    }
    default-policy {
        permit-all;
    }
}
...
If you are done configuring the device, enter commit from configuration mode.
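As an added check that is not part of the guide or of Junos OS, the following Python lint reads a set-command export like the one above and flags the conditions this topic warns about: a policy that permits junos-gprs-gtp without a gprs-gtp-profile (the GTP service is permitted but not inspected), a profile that is referenced but never defined, more than one profile attached to a policy, and a permit-all default policy. The sample export is constructed from the example configuration plus a zone named roaming and a profile name gtp-roaming, both invented for the demonstration.

```python
"""Added example (not part of the guide, not Junos OS code): a lint over a Junos
'set'-style export that flags the gaps the text above warns about - GTP permitted
without a gprs-gtp-profile (passed but not inspected), a profile referenced but
never defined, more than one profile on a policy, and a permit-all default policy."""

GTP_APPS = {"junos-gprs-gtp", "any"}   # applications through which GTP reaches a peer


def parse_set_lines(lines):
    """Return (profiles, policies, default_policy) parsed from 'set ...' lines."""
    profiles, policies, default_policy = set(), {}, None
    for raw in lines:
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1:5] == ["security", "gprs", "gtp", "profile"] and len(tok) > 5:
            profiles.add(tok[5])
        elif tok[1:3] == ["security", "policies"]:
            if tok[3] == "default-policy" and len(tok) > 4:
                default_policy = tok[4]
            elif tok[3] == "from-zone" and len(tok) > 9 and tok[7] == "policy":
                key = (tok[4], tok[6], tok[8])          # (from-zone, to-zone, name)
                pol = policies.setdefault(key, {"match": {}, "action": None, "profiles": []})
                body = tok[9:]
                if body[0] == "match":
                    # match clauses come as key/value pairs, e.g. application junos-gprs-gtp
                    for k, v in zip(body[1::2], body[2::2]):
                        pol["match"].setdefault(k, set()).add(v)
                elif body[0] == "then" and len(body) > 1:
                    pol["action"] = body[1]
                    for i, word in enumerate(body):
                        if word == "gprs-gtp-profile" and i + 1 < len(body):
                            pol["profiles"].append(body[i + 1])
    return profiles, policies, default_policy


def lint(lines):
    """Return a sorted list of (severity, where, message) findings."""
    profiles, policies, default_policy = parse_set_lines(lines)
    findings = []
    for (fz, tz, name), pol in policies.items():
        where = f"{fz}->{tz}/{name}"
        apps = pol["match"].get("application", set())
        if pol["action"] == "permit" and apps & GTP_APPS and not pol["profiles"]:
            findings.append(("HIGH", where,
                             "permits GTP without a gprs-gtp-profile: traffic passes uninspected"))
        if len(pol["profiles"]) > 1:
            findings.append(("HIGH", where,
                             "more than one gprs-gtp-profile; only one inspection object per policy"))
        for p in pol["profiles"]:
            if p not in profiles:
                findings.append(("HIGH", where, f"references undefined GTP profile '{p}'"))
    if default_policy == "permit-all":
        findings.append(("MEDIUM", "default-policy",
                         "permit-all passes unmatched inter-zone traffic, GTP included, uninspected"))
    return sorted(findings)


# Constructed export: the guide's sgsn/ggsn policies plus a 'roaming' zone and a
# 'gtp-roaming' profile name invented for the demonstration.
SAMPLE_EXPORT = """
set security gprs gtp profile gtp1
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn match source-address local-sgsn destination-address remote-ggsn application junos-gprs-gtp
set security policies from-zone sgsn to-zone ggsn policy sgsn_to_ggsn then permit application-services gprs-gtp-profile gtp1
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn match source-address remote-ggsn destination-address local-sgsn application junos-gprs-gtp
set security policies from-zone ggsn to-zone sgsn policy ggsn_to_sgsn then permit application-services gprs-gtp-profile gtp1
set security policies from-zone sgsn to-zone roaming policy roaming_gtp match source-address any destination-address any application junos-gprs-gtp
set security policies from-zone sgsn to-zone roaming policy roaming_gtp then permit
set security policies from-zone roaming to-zone ggsn policy roaming_in match source-address any destination-address any application junos-gprs-gtp
set security policies from-zone roaming to-zone ggsn policy roaming_in then permit application-services gprs-gtp-profile gtp-roaming
set security policies default-policy permit-all
""".strip().splitlines()


def sample_findings():
    """Lint the constructed export; the two guide policies produce no findings."""
    return lint(SAMPLE_EXPORT)
```

The same parser can be pointed at the output of show configuration | display set on a device to catch a GTP policy that was committed without its inspection object.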
Verification
IN THIS SECTION
Verifying GTP Inspection in Policies | 19