
GPRS Tunneling Protocol V2 Support

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2) is introduced by the 3rd Generation Partnership Project (3GPP) Technical Specification (TS) 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data.

This module describes how to configure GTPv2 on a zone-based policy firewall.

• Finding Feature Information, page 1

• Restrictions for GPRS Tunneling Protocol V2 Support, page 1

• Information About GPRS Tunneling Protocol V2 Support, page 2

• How to Configure GPRS Tunneling Protocol V2 Support, page 5

• Configuration Examples for GPRS Tunneling Protocol V2 Support, page 10

• Additional References for GPRS Tunneling Protocol V2 Support, page 11

• Feature Information for GPRS Tunneling Protocol V2 Support, page 12

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for GPRS Tunneling Protocol V2 Support

• The limit for the number of match statements in a Layer 7 class map is 64.

• The limit for the number of classes (including the default class) in a Layer 7 policy map is 255.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S 1

• The limit for the number of characters in a pattern string for a regular expression (regex) parameter map is 245.

• The data path supports up to 512 regular expressions.

• No statistics are available for the match command. Statistics are available only for packets and bytes in a class.

• 3GPP Technical Specification 29.274 release 8 and 9 are not compatible with GPRS Tunneling Protocol Version 2 (GTPv2).

Information About GPRS Tunneling Protocol V2 Support

GTPv2 Overview

General Packet Radio Service (GPRS) Tunneling Protocol Version 2 (GTPv2), also known as evolved GTP (eGTP), is modified and enhanced from the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 defines the control plane protocol GTPv2-C (3GPP TS 29.274); user-plane tunnelling in the Evolved Packet Core continues to use GTPv1-U (3GPP TS 29.281). GTPv2-C is primarily used for control signaling between the Serving Gateway (SGW) and the Packet Data Network (PDN) Gateway (PGW) in an Evolved Packet Core (EPC) network.

The 3rd-Generation Partnership Project (3GPP) develops globally acceptable specifications for 3rd-Generation (3G) mobile systems. GPRS integrates with the existing Global System for Mobile Communication (GSM) networks and provides always-on packet-switched data services to corporate networks and the Internet.


For more information on GTPv0 and GTPv1, see the "Configuring GPRS Tunneling Protocol Support" chapter in the Security Configuration Guide: Zone-Based Policy Firewall.

Figure 1: General Format of the GTPv2-C Header

Figure 2: Format of Echo and Version Not Supported Message GTPv2-C Header

The usage of the GTPv2-C header for EPC-specific interfaces is defined below:

Octet 1:

• Bits 8 through 6 of octet 1 carry the Version field, which is set to decimal 2 ("010").

• If the "T" flag (bit 4) is set to 1, the Tunnel Endpoint Identifier (TEID) field immediately follows the Length field in octets 5 through 8.

• The "P" flag (bit 5, Piggybacking Support) is not supported.

Octet 2:

• Octet 2 represents the Message Type field. This field supports GTPv2-C message type values.

Octets 3-4:

• Octets 3 and 4 represent the Length field. This is the length of the message in octets excluding the mandatory part of the GTPv2-C header (the first 4 octets), so a well-formed datagram is exactly Length + 4 octets long.

Octets 5-8:

• Octets 5 through 8 represent the TEID field if the "T" flag is set in the first octet.

Octets 9-11:

• Octets 9 through 11 represent the 3-octet Sequence Number field if the TEID is present. If the TEID field is not present, the Sequence Number field occupies octets 5 through 7.

Octet 12:

• Octet 12 is a spare octet that follows the Sequence Number field (octet 8 when the TEID is not present).

Note: Apart from the following messages, all other GTPv2-C messages contain the TEID in their headers.

• Echo Request

• Echo Response

• Version Not Supported Indication

Figure 3: General Format of GTPv2 Message for Control Plane

Stateful Inspection

Stateful inspection, also referred to as dynamic packet filtering, examines a packet based on the information in its header and tracks and validates each connection that traverses the firewall. During stateful inspection, firewalls keep ports closed until a connection request to a specific port is received.

A global database is built on the GTP Application Inspection and Control (AIC) policies for stateful inspection of the GTPv2 traffic. When GTPv2 messages traverse the zone-based firewall, GTP AIC policies inspect messages based on the Packet Data Protocol (PDP) context database. Packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed to the control plane.

Information Elements

A GTPv2-C message consists of the header followed by a number of optional fields called Information Elements (IEs). An IE may be present in a GTP protocol data unit (PDU).

An IE is identified by an IE type and an instance value. The combination of IE type and instance value uniquely identifies an IE in a message. Grouped IEs contain more than one IE and have a 4-octet IE header. Each IE within a grouped IE also has a 4-octet IE header. The IE format in GTPv2 is TLIV (Type, Length, Instance, Value) encoded. The length value of a grouped IE is the total length of the embedded IEs.

Figure 4: General Format of an Information Element (IE) in a GTPv2-C Message

Octet 1:

Octet 1 represents the IE Type field. The IE Type field supports GTPv2-C IE type values.

Octets 2-3:

Octets 2 and 3 represent the Length field: the length of the IE value in octets, excluding the 4-octet IE header (the Type, Length, and Instance fields).

Octet 4:

Octet 4 represents the instance number (bits 4 through 1) of the IE.

Octets 5-n:

Octets 5 through n represent the actual data contained in the IE.

How to Configure GPRS Tunneling Protocol V2 Support

Configuring GPRS Tunneling Protocol V2 Support

GPRS Tunneling Protocol Version 2 (GTPv2) is configured using the zone-based firewall structure of policies and class maps. Because the GTPv2 and GTPv1 protocols share the same destination port, Layer 4 class maps cannot distinguish GTPv2 from GTPv1; they are classified by Layer 7 class maps, which can match on the version field of the GTP header.
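The header layout and TLIV IE format described in the GTPv2 Overview, and the Layer 7 classification that the following procedures configure with match version and match apn regex, can be exercised with the added example below. It is written for this page and is not code from the Cisco guide or from IOS XE; the numeric message type and IE type codes are taken from 3GPP TS 29.274 (the page lists none), the classify function is a hypothetical model of a gtpv1-type class map rather than the firewall's implementation, and the sample datagrams (a GTPv2-C Echo Request, a Create Session Request with a grouped Bearer Context IE, and a GTPv1-C Echo Request on the same port) are constructed inline. It goes beyond the page's single match version 2 case by also evaluating an APN regex under match-any and match-all semantics.

```python
import re
import struct
from collections import namedtuple

# Code points from 3GPP TS 29.274 (assumed here; the page lists no numeric values).
MSG_ECHO_REQ, MSG_ECHO_RESP, MSG_VERSION_NOT_SUPPORTED, MSG_CREATE_SESSION_REQ = 1, 2, 3, 32
TEID_LESS = {MSG_ECHO_REQ, MSG_ECHO_RESP, MSG_VERSION_NOT_SUPPORTED}  # headers carry no TEID
IE_IMSI, IE_APN, IE_EBI, IE_BEARER_CONTEXT = 1, 71, 73, 93
GROUPED = {IE_BEARER_CONTEXT}
IE = namedtuple("IE", "ie_type instance value children")  # children: embedded IEs of a grouped IE
GtpV2Message = namedtuple("GtpV2Message", "msg_type teid seq ies")

def gtp_version(dgram):
    # Octet 1, bits 8-6. GTPv1-C and GTPv2-C share UDP port 2123, so only this field,
    # not a Layer 4 port match, tells the two versions apart.
    return dgram[0] >> 5

def parse_ies(buf):
    # TLIV: type (1 octet), length (2 octets, excludes the 4-octet IE header), instance (bits 4-1), value.
    ies, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated IE header")
        ie_type, length, inst = struct.unpack_from("!BHB", buf, off)
        end = off + 4 + length
        if end > len(buf):
            raise ValueError(f"IE type {ie_type}: length {length} overruns the message")
        value = buf[off + 4:end]
        ies.append(IE(ie_type, inst & 0x0F, value, parse_ies(value) if ie_type in GROUPED else []))
        off = end
    return ies

def parse_gtpv2c(dgram):
    # Validates the header fields as the text describes them, then decodes the IEs.
    if len(dgram) < 4:
        raise ValueError("shorter than the mandatory 4-octet header")
    flags, msg_type, length = struct.unpack_from("!BBH", dgram, 0)
    if flags >> 5 != 2:
        raise ValueError(f"not GTPv2 (version {flags >> 5})")
    if flags & 0x10:                                 # P flag (bit 5) is not supported
        raise ValueError("P flag set: piggybacked messages are not supported")
    if 4 + length != len(dgram):                     # Length excludes the first 4 octets
        raise ValueError("Length field does not match the datagram size")
    has_teid = bool(flags & 0x08)                    # T flag (bit 4)
    if not has_teid and msg_type not in TEID_LESS:
        raise ValueError(f"message type {msg_type} requires a TEID")
    off = 8 if has_teid else 4                       # where the sequence number starts
    if len(dgram) < off + 4:
        raise ValueError("header truncated before the sequence number")
    teid = struct.unpack_from("!I", dgram, 4)[0] if has_teid else None
    seq = int.from_bytes(dgram[off:off + 3], "big")  # 3-octet sequence number, then 1 spare octet
    return GtpV2Message(msg_type, teid, seq, parse_ies(dgram[off + 4:]))

def decode_apn(value):
    # APN IE value: length-prefixed labels, as in 3GPP TS 23.003.
    labels, off = [], 0
    while off < len(value):
        n = value[off]
        labels.append(value[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def classify(dgram, version=None, apn_regex=None, match_all=False):
    # Hypothetical model of a 'class-map type inspect gtpv1 {match-any | match-all}' carrying
    # 'match version' and 'match apn regex' criteria, evaluated on one datagram from port 2123.
    checks = []
    if version is not None:
        checks.append(gtp_version(dgram) == version)
    if apn_regex is not None:
        try:
            apns = [decode_apn(i.value) for i in parse_gtpv2c(dgram).ies if i.ie_type == IE_APN]
        except ValueError:                           # malformed or not GTPv2: nothing to match
            apns = []
        checks.append(any(re.search(apn_regex, a) for a in apns))
    return bool(checks) and (all(checks) if match_all else any(checks))

# Constructed sample datagrams (built here, not captured from a network).
def ie(ie_type, value, instance=0):
    return struct.pack("!BHB", ie_type, len(value), instance) + value

def build(msg_type, seq, teid=None, ies=b""):
    flags = 0x40 | (0x08 if teid is not None else 0)                # version 2, T flag if a TEID is given
    body = (struct.pack("!I", teid) if teid is not None else b"") + seq.to_bytes(3, "big") + b"\x00" + ies
    return struct.pack("!BBH", flags, msg_type, len(body)) + body

APN = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in "apn.cisco.com".split("."))
ECHO = build(MSG_ECHO_REQ, 1)                                        # TEID-less message
CSR = build(MSG_CREATE_SESSION_REQ, 0xABCD, teid=0, ies=ie(IE_IMSI, bytes.fromhex("2143658709"))
            + ie(IE_APN, APN) + ie(IE_BEARER_CONTEXT, ie(IE_EBI, b"\x05")))   # grouped IE inside
GTPV1_ECHO = bytes.fromhex("320100040000000000010000")               # GTPv1-C Echo Request, same port

def demo():
    return {"echo_is_v2": classify(ECHO, version=2),                  # the page's 'match version 2'
            "v1_is_v2": classify(GTPV1_ECHO, version=2),              # False: version bits are 001
            "csr_apn": classify(CSR, version=2, apn_regex=r"apn\.cisco\.com", match_all=True),
            "ebi": parse_gtpv2c(CSR).ies[2].children[0].value}        # read through the grouped IE
```

The order of checks in parse_gtpv2c matters: the Length field is compared with the datagram size before any IE length is trusted, so an IE whose Length overruns the message is rejected instead of being read past the buffer, and a Create Session Request with the T flag clear is rejected even though its Length is consistent. Running demo() returns True for the Echo Request and False for the GTPv1 Echo Request under the page's match version 2 class map, and True for the Create Session Request under a match-all class map that also requires the APN pattern.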

Configuring a Parameter Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern expression
5. exit
6. parameter-map type inspect-global gtp
7. gtpv2 {request-queue elements | tunnel-limit tunnels}
8. end


DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Device# configure terminal

Step 3: parameter-map type regex parameter-map-name
Configures a regex parameter-map type to match a specific traffic pattern and enters parameter map type configuration mode.
Example:
Device(config)# parameter-map type regex PARAM-REG

Step 4: pattern expression
Configures the matching pattern for the regex parameter map. Here the pattern is an Access Point Name (APN) that a GTP Layer 7 class map can reference with match apn regex; the same command is used to list domains, URL keywords, or URL meta-characters that should be allowed or blocked by local URL filtering.
Example:
Device(config-profile)# pattern apn.cisco.com

Step 5: exit
Exits parameter map type configuration mode and returns to global configuration mode.
Example:
Device(config-profile)# exit

Step 6: parameter-map type inspect-global gtp
Configures an inspect-type parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect action and enters parameter map type configuration mode.
Example:
Device(config)# parameter-map type inspect-global gtp

Step 7: gtpv2 {request-queue elements | tunnel-limit tunnels}
Configures inspection parameters for GTPv2: the size of the request queue (elements) or the maximum number of GTPv2 tunnels (tunnels).
Example:
Device(config-profile)# gtpv2 request-queue 429496

Step 8: end
Exits parameter-map type inspect mode and returns to privileged EXEC mode.
Example:
Device(config-profile)# end


Example: Parameter Map for GPRS Tunneling Protocol V2 Support

The following is sample output from the show parameter-map type command:

Device# show parameter-map type inspect-global gtp
parameter-map type inspect-global gtp
 gtp request-queue 40000 (default)
 gtp tunnel-limit 40000 (default)
 gtp pdp-context timeout 300 (default)
 gtp request-queue timeout 60 (default)
 permit-error Disable (default)
 gtpv2 request-queue 429496729
 gtpv2 tunnel-limit 42949672
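The request queue, tunnel limit, and the two timeouts in the output above are bounds on the state the firewall keeps for GTP inspection. The following added example, written for this page and not Cisco code, is a deliberately simplified model of that bookkeeping, not a description of how IOS XE implements it: it queues GTPv2-C requests until their responses arrive, tracks contexts by the header TEID, and applies the four knobs so the effect of each limit can be seen. The message type codes are taken from 3GPP TS 29.274; the GtpStateTable class, its verdict strings, and the message sequence in demo() are constructed here.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# GTPv2-C message types from 3GPP TS 29.274 (assumed here; not listed on the page).
CREATE_SESSION_REQ, CREATE_SESSION_RESP = 32, 33
DELETE_SESSION_REQ, DELETE_SESSION_RESP = 36, 37
RESPONSE_FOR = {CREATE_SESSION_REQ: CREATE_SESSION_RESP, DELETE_SESSION_REQ: DELETE_SESSION_RESP}


@dataclass
class GtpStateTable:
    """Hypothetical model of the state bounded by the inspect-global gtp parameters.
    Defaults are the values shown by 'show parameter-map type inspect-global gtp'."""
    request_queue: int = 40000           # gtp request-queue: outstanding requests awaiting a response
    tunnel_limit: int = 40000            # gtp tunnel-limit: contexts the firewall will track
    pdp_context_timeout: float = 300.0   # gtp pdp-context timeout: idle seconds before a context expires
    request_queue_timeout: float = 60.0  # gtp request-queue timeout: seconds a request may wait
    pending: OrderedDict = field(default_factory=OrderedDict)  # seq -> (request type, deadline)
    tunnels: dict = field(default_factory=dict)                 # TEID -> time of last activity

    def _expire(self, now):
        for seq, (_, deadline) in list(self.pending.items()):
            if deadline <= now:
                del self.pending[seq]
        for teid, last in list(self.tunnels.items()):
            if now - last > self.pdp_context_timeout:
                del self.tunnels[teid]

    def control(self, now, msg_type, seq, teid):
        """Verdict for one GTPv2-C message: 'pass' or 'drop:<reason>'."""
        self._expire(now)
        if msg_type in RESPONSE_FOR:                        # a request
            if teid != 0 and teid not in self.tunnels:      # TEID 0 is only valid on an initial request
                return "drop:unknown-teid"
            if teid:
                self.tunnels[teid] = now                    # activity keeps the context alive
            if len(self.pending) >= self.request_queue:
                return "drop:request-queue-full"
            self.pending[seq] = (msg_type, now + self.request_queue_timeout)
            return "pass"
        queued = self.pending.pop(seq, None)                # a response must answer a queued request
        if queued is None or RESPONSE_FOR[queued[0]] != msg_type:
            return "drop:unsolicited-response"
        if msg_type == CREATE_SESSION_RESP:
            if len(self.tunnels) >= self.tunnel_limit:
                return "drop:tunnel-limit"
            self.tunnels[teid] = now                        # new context, keyed by the header TEID
        elif msg_type == DELETE_SESSION_RESP:
            self.tunnels.pop(teid, None)
        return "pass"


def demo():
    # Small limits make every drop path visible; times are seconds and the messages are constructed.
    fw = GtpStateTable(request_queue=2, tunnel_limit=1)
    script = [
        (0, CREATE_SESSION_REQ, 1, 0), (1, CREATE_SESSION_RESP, 1, 0x1001),  # pass, pass
        (2, CREATE_SESSION_RESP, 9, 0x2002),                                  # drop: no request with seq 9
        (3, CREATE_SESSION_REQ, 2, 0), (4, CREATE_SESSION_RESP, 2, 0x2002),  # pass, drop: tunnel-limit
        (5, CREATE_SESSION_REQ, 3, 0), (6, CREATE_SESSION_REQ, 4, 0),        # pass, pass (queue now full)
        (7, CREATE_SESSION_REQ, 5, 0),                                        # drop: request-queue-full
        (70, CREATE_SESSION_REQ, 5, 0),                                       # pass: seq 3 and 4 timed out
        (71, DELETE_SESSION_REQ, 6, 0x9999),                                  # drop: unknown TEID
        (72, DELETE_SESSION_REQ, 6, 0x1001), (73, DELETE_SESSION_RESP, 6, 0x1001),  # pass, pass
    ]
    verdicts = [fw.control(*m) for m in script]
    return verdicts, len(fw.tunnels)
```

With the values in the sample output (gtpv2 request-queue 429496729 and gtpv2 tunnel-limit 42949672) both tables are effectively unbounded, and a peer that floods Create Session Requests without ever receiving responses holds queue entries until the 60-second request-queue timeout reclaims them; the defaults of 40000 cap that exposure. The model leaves out permit-error and the user-plane side entirely.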

Configuring a Class Map and a Policy Map for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. class-map type inspect protocol-name {match-any | match-all} class-map-name
4. match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
5. exit
6. policy-map type inspect protocol-name policy-map-name
7. class type inspect protocol-name class-map-name
8. inspect
9. service-policy protocol-name policy-map
10. end

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Device# configure terminal

Step 3: class-map type inspect protocol-name {match-any | match-all} class-map-name
Creates a Layer 7 (application-specific) inspect-type class map and enters class map configuration mode. In the examples in this module, protocol-name is gtpv1 for both GTP versions; GTPv2 traffic is selected with the match version 2 criterion in Step 4.
Example:
Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1

Step 4: match {apn regex parameter-name | mcc country-code mnc network-code | message-length | msisdn regex parameter-name | version number}
Configures the classification criteria for the GTP inspect-type class map.
Example:
Device(config-cmap)# match version 2

Step 5: exit
Exits class map configuration mode and returns to global configuration mode.
Example:
Device(config-cmap)# exit

Step 6: policy-map type inspect protocol-name policy-map-name
Creates a Layer 7 (protocol-specific) inspect-type policy map and enters policy map configuration mode.
Example:
Device(config)# policy-map type inspect gtpv1 gtpv2-POLICY-MAP

Step 7: class type inspect protocol-name class-map-name
Specifies the traffic (class) on which an action is to be performed and enters policy-map class configuration mode.
Example:
Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1

Step 8: inspect
Enables stateful packet inspection.
Example:
Device(config-pmap-c)# inspect

Step 9: service-policy protocol-name policy-map
Attaches a Layer 7 policy map to a class of the top-level Layer 3 or Layer 4 policy map.
Example:
Device(config-pmap-c)# service-policy gtpv1 gtpv2-POLICY-MAP

Step 10: end
Exits policy-map class configuration mode and returns to privileged EXEC mode.
Example:
Device(config-pmap-c)# end


Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

SUMMARY STEPS

1. enable
2. configure terminal
3. zone security {zone-name | default}
4. exit
5. zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
6. service-policy type inspect policy-map-name
7. exit
8. interface type number
9. zone-member security zone-name
10. end

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Device# configure terminal

Step 3: zone security {zone-name | default}
Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.
Note: To create a security zone pair, you must configure two security zones (z1 and z2) to which interfaces can be assigned.
Example:
Device(config)# zone security z1
Device(config)# zone security z2

Step 4: exit
Exits security zone configuration mode and returns to global configuration mode.
Example:
Device(config-sec-zone)# exit

Step 5: zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
Creates a security zone pair and enters security zone-pair configuration mode.
Note: To apply a policy, you must configure a zone pair.
Example:
Device(config)# zone-pair security clt2srv1 source z1 destination z2

Step 6: service-policy type inspect policy-map-name
Attaches a firewall policy map to the zone pair.
Note: If a policy is not configured between a pair of security zones, traffic is dropped by default.
Example:
Device(config-sec-zone-pair)# service-policy type inspect gtpv2-POLICY-MAP

Step 7: exit
Exits security zone-pair configuration mode and returns to global configuration mode.
Example:
Device(config-sec-zone-pair)# exit

Step 8: interface type number
Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet0/0/0

Step 9: zone-member security zone-name
Assigns an interface to a specified security zone.
Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.
Example:
Device(config-if)# zone-member security z1

Step 10: end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)# end

Configuration Examples for GPRS Tunneling Protocol V2 Support

Example: Configuring GPRS Tunneling Protocol V2 Support

The following example shows how to configure GTPv2 support:

Device> enable
Device# configure terminal
Device(config)# parameter-map type regex PARAM-REG
Device(config-profile)# pattern apn.cisco.com
Device(config-profile)# exit
Device(config)# parameter-map type inspect-global
Device(config-profile)# gtpv2 tunnel-limit 100
Device(config-profile)# exit
Device(config)# class-map type inspect gtpv1 match-any gtpv2-cl7-1
Device(config-cmap)# match version 2
Device(config-cmap)# exit
Device(config)# policy-map type inspect gtpv1 gtpv2-POLICY-MAP
Device(config-pmap)# class type inspect gtpv1 gtpv2-cl7-1
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy gtpv1 gtpv2-POLICY-MAP
Device(config-pmap-c)# end

Note: As Step 9 of the class map and policy map procedure describes, service-policy gtpv1 gtpv2-POLICY-MAP attaches the Layer 7 policy map to a class of the top-level Layer 3 or Layer 4 inspect policy map, and it is that top-level policy map that is applied to the zone pair. Entered inside gtpv2-POLICY-MAP itself, as in the transcript above, the command refers the policy map to itself.

Example: Configuring Zones and Zone Pairs for GPRS Tunneling Protocol V2 Support

The following example shows how to configure zones and zone pairs for GTPv2. Both zones must exist before the zone pair references them:

Device> enable
Device# configure terminal
Device(config)# zone security z1
Device(config-sec-zone)# exit
Device(config)# zone security z2
Device(config-sec-zone)# exit
Device(config)# zone-pair security clt2srv1 source z1 destination z2
Device(config-sec-zone-pair)# service-policy type inspect gtpv2-POLICY-MAP
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ip address 5.0.0.1 255.255.255.0
Device(config-if)# zone-member security z1
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/0/2
Device(config-if)# ip address 4.0.0.1 255.255.255.0
Device(config-if)# zone-member security z2
Device(config-if)# end

Additional References for GPRS Tunneling Protocol V2 Support

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands
Document Titles: Security Command Reference: Commands A to C; Security Command Reference: Commands D to L; Security Command Reference: Commands M to R; Security Command Reference: Commands S to Z

Related Topic: Security configuration
Document Title: Security Configuration Guide: Zone-Based Policy Firewall


Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support

Feature Information for GPRS Tunneling Protocol V2 Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for GPRS Tunneling Protocol Version 2 Support

Feature Name: GTPv2 Support
Releases: Cisco IOS XE Release 3.9S
Feature Information: The GTPv2 Support feature is introduced by the 3rd-Generation Partnership Project (3GPP) TS 29.274, which modifies and enhances the GPRS Tunneling Protocol used in 2G and 3G mobile networks. GTPv2 enhances the GTP Application Inspection and Control (AIC) policies to provide security to subscriber data. This module describes how to configure GTPv2 on a zone-based policy firewall. The following commands have been newly introduced or modified: show parameter-map type inspect-global, zone-pair security.
