General Packet Radio Service Tunneling Protocol

The General Packet Radio Service (GPRS) is a new carrier service for Global System for Mobile Communication (GSM) that enhances and simplifies wireless access to packet data networks. GPRS architecture uses a radio-packet technique to transfer user data packets in an efficient way between GSM mobile stations and external data networks. The GPRS Tunneling Protocol (GTP) allows multiprotocol packets to be tunneled through a GPRS backbone.

Figure 8-3 illustrates a basic representation of the GPRS architecture.

Figure 8-3. GPRS Architecture Example

Figure 8-3 shows a mobile station (MS) logically connected to an SGSN. The SGSN provides data services to the MS. The SGSN is logically connected to a GGSN via GTP. If the GTP tunnel runs within the same Public Land Mobile Network (PLMN), the interface carrying the tunnel is called the Gn interface; a connection between two different PLMNs is known as the Gp interface. The GGSN acts as a gateway to external networks such as the Internet or a corporate network via the Gi interface. In other words, the interface between a GGSN and an SGSN is called Gn, whereas the interface between the GGSN and an external data network is called Gi. GTP encapsulates data from the mobile station and controls the establishment, movement, and deletion of tunnels between SGSN and GGSN in roaming scenarios.

There are two versions of GTP:

  • GTPv0
  • GTPv1

GTPv0

In GTPv0, the GPRS mobile stations are connected to an SGSN without any awareness of GTP. A Packet Data Protocol (PDP) context is identified by the tunnel identifier (TID), which is a combination of the International Mobile Subscriber Identity (IMSI) and the Network Service Access Point Identifier (NSAPI). Each mobile station can have up to 15 NSAPIs, which allows it to create multiple PDP contexts with different NSAPIs. The NSAPIs are chosen according to the QoS levels that different applications require.

The common transport protocol for signaling messages in both GTPv0 and GTPv1 is UDP. GTPv0 also allows TCP to be used for transport protocol data units (TPDUs), but the Cisco ASA supports only UDP. The UDP destination port for GTPv0 requests is port 3386.

Figure 8-4 illustrates call flow and the signaling messages involved for GTPv0.

Figure 8-4. GTPv0 Call Flow

The following is the sequence of events in the call flow shown in Figure 8-4:

  1. The SGSN sends a create PDP request to the GGSN.
  2. The PDP context is created and the GGSN sends a PDP response back to the SGSN.
  3. The SGSN sends an update PDP request message to the GGSN.
  4. The GGSN replies back.
  5. TPDUs are sent by the SGSN. (Figure 8-4 shows a sample of the TPDU as seen by the Cisco ASA inspection engine.)
  6. The SGSN sends a request to delete the PDP context.
  7. The PDP context is deleted and the GGSN sends its deletion response.

GTPv1

GTPv1 supports primary and secondary contexts for mobile stations. The primary context is identified with an IP address. Secondary contexts are created sharing the IP address and other parameters already associated with the primary context. The advantage of this technique is that the mobile station is able to initiate a connection to a context with different QoS requirements, while sharing the IP address obtained for the primary context.

GTPv1 uses UDP port 2123 for requests and UDP port 2152 for data transfer.

Figure 8-5 illustrates call flow and the signaling messages involved for GTPv1.

Figure 8-5. GTPv1 Call Flow

The following is the sequence of events in the call flow shown in Figure 8-5:

  1. The SGSN sends a PDP context create request for the primary PDP context.
  2. The primary context is created and the GGSN sends its response.
  3. The SGSN sends a PDP context create request for the second PDP context.
  4. The second context is created and the GGSN sends its response.
  5. The SGSN sends a PDP update request to the GGSN.
  6. The GGSN replies back with a PDP update response.
  7. TPDU (data packets) are sent to the GGSN.
  8. TPDU (data packets) are sent to the SGSN.
  9. The SGSN sends a request to delete the primary PDP context.
  10. The primary PDP context is deleted and the GGSN sends its response.
  11. The SGSN sends a request to delete the second PDP context.
  12. The second PDP context is deleted and the GGSN sends its response.

Figure 8-6 shows how the Cisco ASA can be positioned between GPRS networks.

Figure 8-6. Cisco ASA in GPRS Network

In Figure 8-6, the Cisco ASA is positioned between two GPRS PLMNs. This exemplifies how a mobile station may move from its home PLMN (HPLMN) to a visited PLMN (VPLMN) and communication will still be possible through the Cisco ASA. The Cisco ASA inspects all traffic between the respective SGSNs and GGSNs.

Configuring GTP Inspection

To enable GTP inspection, use the inspect gtp command. You can also associate a GTP map to create a more customizable configuration. This provides granular control of various GTP parameters and filtering options.

Note

GTP inspection is not supported with NAT or PAT. GTP inspection requires a special license from Cisco. For more information about licensing, go to Cisco's website at www.cisco.com/go/nac.

A GTP map can be created using the gtp-map command followed by the name of the map. Example 8-10 demonstrates how the Cisco ASA is configured with a GTP map, called mygtpmap, to enforce different restrictions.

Example 8-10. GTP Inspection Example

gtp-map mygtpmap
 tunnel-limit 1000
 request-queue 500
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect gtp mygtpmap

In Example 8-10, the GTP map limits the Cisco ASA to a maximum of 1000 GTP tunnels and a maximum of 500 queued requests. The GTP map is then applied to the default global policy map under the default inspection class.
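As an added example (not from the book and not Cisco's implementation), the following Python models how a stateful GTP inspector enforces the tunnel-limit and request-queue settings of Example 8-10 and a "drop version" rule while replaying the GTPv1 call flow of Figure 8-5. The inspector class, the simplified state rules, and the tunnel-id labels are constructed assumptions; the message-type values are the codes defined in 3GPP TS 29.060.

```python
from dataclasses import dataclass

# GTP signalling message-type values from 3GPP TS 29.060 (shared by v0 and v1)
CREATE_REQ, CREATE_RSP = 16, 17
UPDATE_REQ, UPDATE_RSP = 18, 19
DELETE_REQ, DELETE_RSP = 20, 21
TPDU = 255  # user data (G-PDU)

@dataclass(frozen=True)
class GtpMsg:
    version: int     # 0 or 1, as carried in the top three bits of the header flags byte
    msg_type: int
    tunnel_id: str   # TID (IMSI+NSAPI) in v0, TEID in v1; constructed labels below

class GtpInspector:
    """Toy model of a gtp-map: enforces tunnel-limit, request-queue and drop version."""
    def __init__(self, tunnel_limit=1000, request_queue=500, drop_versions=()):
        self.tunnel_limit, self.request_queue = tunnel_limit, request_queue
        self.drop_versions = set(drop_versions)
        self.pending = set()   # create requests still waiting for a GGSN response
        self.tunnels = set()   # established PDP contexts

    def inspect(self, m: GtpMsg) -> str:
        if m.version in self.drop_versions:
            return f"drop: version {m.version}"
        if m.msg_type == CREATE_REQ:
            if len(self.pending) >= self.request_queue:
                return "drop: request-queue full"
            if len(self.pending) + len(self.tunnels) >= self.tunnel_limit:
                return "drop: tunnel-limit reached"
            self.pending.add(m.tunnel_id)
        elif m.msg_type == CREATE_RSP:
            if m.tunnel_id not in self.pending:
                return "drop: response without a queued request"
            self.pending.remove(m.tunnel_id)
            self.tunnels.add(m.tunnel_id)
        elif m.tunnel_id not in self.tunnels:   # update, T-PDU and delete need a context
            return "drop: no PDP context"
        elif m.msg_type == DELETE_RSP:
            self.tunnels.remove(m.tunnel_id)
        return "permit"

def replay_v1_flow(tunnel_limit=1000):
    """Replays the Figure 8-5 sequence ("p" = primary, "s" = secondary context)."""
    insp = GtpInspector(tunnel_limit=tunnel_limit)
    flow = [(CREATE_REQ, "p"), (CREATE_RSP, "p"), (CREATE_REQ, "s"), (CREATE_RSP, "s"),
            (UPDATE_REQ, "p"), (UPDATE_RSP, "p"), (TPDU, "p"), (TPDU, "p"),
            (DELETE_REQ, "p"), (DELETE_RSP, "p"), (DELETE_REQ, "s"), (DELETE_RSP, "s")]
    return [insp.inspect(GtpMsg(1, t, tid)) for t, tid in flow]
```

Calling replay_v1_flow(tunnel_limit=1) shows the secondary context being refused and every later message for it dropped for lack of a context.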

Table 8-4 lists all the subcommands available to configure under a GTP map.

Table 8-4. GTP Map Subcommands

Subcommand       Description

description      Used to enter a brief description of the GTP map.

drop             Used to drop messages based on three different keywords:
                   • apn      The APN to drop
                   • message  The message ID to drop
                   • version  The GTP version to drop

mcc              Used to specify a three-digit mobile country code. Values can be
                 from 000 to 999; one- or two-digit country codes are prepended
                 with zeros.

message-length   Used to specify the minimum and maximum message length.

permit           Used to enable the Cisco ASA to allow packets with errors.

request-queue    Used to specify the maximum number of requests allowed on the queue.

timeout          Used to configure the idle timeout for the following:
                   • GSN (GPRS Support Node)
                   • PDP (Packet Data Protocol) contexts
                   • Requests
                   • Signaling connections
                   • Tunnels

tunnel-limit     Used to configure the maximum number of tunnels allowed.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006