Length, IE and Extension Header-based Filtering

mhkabir1952  Diamond
7 years 10 months ago

Length Filtering

The length of a GTP message is the length of its payload in bytes, that is, the remaining length excluding the mandatory part of the GTP header (the first eight bytes). The length does not include the lengths of the GTP packet header, UDP header, and IP header.

The Eudemon parses the length field of the GTP message header and obtains the length of the GTP packet. If the length is between the minimum and maximum lengths, the GTP packet is allowed to pass. Otherwise, the GTP packet is discarded.

IE Filtering

A GTP message contains multiple IEs. An IE in a GTP message has one of three statuses: mandatory, optional, or conditional. The Eudemon detects mandatory IEs, optional IEs, and repetitive IEs, thus avoiding malicious packet attacks.

  • Mandatory IE detection

    When receiving a GTP message, the Eudemon automatically detects the mandatory IEs. If the GTP message does not contain all the mandatory IEs required by the related regulations, the GTP message is discarded.

  • Optional IE detection

    If the Eudemon is configured through the related command to detect a certain optional IE but the received GTP message does not contain this optional IE, the GTP message is discarded.

  • Repetitive IE detection

    According to GTP protocol specifications, when the NE receives repetitive IEs that do not comply with protocol specifications, only the first IE is processed. The Eudemon can detect repeated mandatory IEs. When a repeated IE is identified in a GTP message, the message is discarded.

Extension Header-based Filtering

In GTPv1, extension headers can be added to the GTP message header, which easily leads to attacks. Therefore, the detection of extension headers is needed.

The Eudemon supports the detection of extension headers in the following modes:

  • Filtering is based on the types of extension headers. Only GTP messages with specific types of extension headers can pass.
  • GTP messages with repeated extension headers are filtered out.
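
The length and extension-header checks described in this post, as an added Python example (not part of the original post and not the Eudemon's implementation). The function names, the default minimum and maximum lengths, and the allow-list of extension header types are assumptions, the comparison of the length field against the actual message size is an extra check, and the sample messages are constructed.

```python
import struct

def check_gtpv1(pkt, min_len=0, max_len=1500, allowed_ext=frozenset({0xC0})):
    """Return (verdict, reason) for one GTPv1 message taken from a UDP payload."""
    if len(pkt) < 8:
        return ("drop", "truncated header")
    flags, _msg_type, length, _teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        return ("drop", "not GTPv1")
    # The length field counts the bytes after the 8-byte mandatory header.
    if not min_len <= length <= max_len:
        return ("drop", "length out of range")
    if length != len(pkt) - 8:  # added sanity check, not described in the post
        return ("drop", "length field mismatch")
    if not flags & 0x07:        # no E/S/PN flag: no optional fields to inspect
        return ("pass", "ok")
    if length < 4:
        return ("drop", "optional fields truncated")
    # Byte 11 is Next Extension Header Type; it only counts when E (0x04) is set.
    nxt, off, seen = (pkt[11] if flags & 0x04 else 0), 12, set()
    while nxt != 0:
        if nxt not in allowed_ext:
            return ("drop", "extension type 0x%02X not allowed" % nxt)
        if nxt in seen:
            return ("drop", "repeated extension type 0x%02X" % nxt)
        seen.add(nxt)
        if off >= len(pkt):
            return ("drop", "extension header truncated")
        size = pkt[off] * 4     # first byte is the header length in 4-byte units
        if size == 0 or off + size > len(pkt):
            return ("drop", "malformed extension header")
        nxt, off = pkt[off + size - 1], off + size
    return ("pass", "ok")

def build(flags, body, length=None):
    """Constructed test message: G-PDU (type 0xFF), TEID 1."""
    n = len(body) if length is None else length
    return struct.pack("!BBHI", flags, 0xFF, n, 1) + body

OPT = bytes([0, 0, 0])  # sequence number (2 bytes) + N-PDU number (1 byte)
SAMPLES = {             # constructed messages, not captured traffic
    "plain": build(0x30, b"abcd"),
    "one_ext": build(0x34, OPT + bytes([0xC0, 1, 0x12, 0x34, 0x00])),
    "repeated": build(0x34, OPT + bytes([0xC0, 1, 0, 1, 0xC0, 1, 0, 2, 0x00])),
    "bad_type": build(0x34, OPT + bytes([0x85, 1, 0, 0, 0x00])),
    "too_long": build(0x30, b"abcd", length=2000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_gtpv1(pkt))
```
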
foisal  Gold
7 years 10 months ago

Thanks for your excellent post.