AVP Whitelist Screening (AVPWLScr)

This countermeasure screens ingress Diameter request and answer messages against a whitelist of AVPs.

The list of AVP values that this countermeasure uses for screening is configurable.

This countermeasure considers an ingress Diameter request or answer message vulnerable if any of the following conditions is true:

  • An AVP present in the Diameter message is not needed by the technical specifications (AVP whitelist screening).
  • Nesting level of grouped AVPs: the maximum nesting level of grouped AVPs over interconnection interfaces is controlled (the maximum nesting depth should be 8).
  • Encoding risks of AVPs: checks whether an AVP defined as UTF8String, OctetString or DiameterIdentity, and/or an AVP in Address format, contains purposely manipulated content intended to introduce unintended behavior.

Note:

Appropriate ART configuration is needed to route egress request messages (only those towards foreign networks) to DSA, so that the ingress answer messages from foreign peers can be screened for vulnerability by this countermeasure. For more information, refer to ART Configuration for DSA.

Apart from the mandatory configuration in DSA Mandatory Configuration, configure the AVPWLScr_Config Table with the values of the AVP(s) that this countermeasure uses for screening. Each AVP entry in the AVPWLScr_Config Table consists of AVP_Name, AVP_Code, AVP_DataType, Vendor_Id, Command_Code_List, Message_Type and Diameter_Version.
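The three screening conditions listed above and the AVPWLScr_Config Table described in the previous paragraph, worked through as an added Python example (not DSA code). The WHITELIST dictionary stands in for the configuration table, keyed by AVP_Code and Vendor_Id with AVP_Name and AVP_DataType as values (Command_Code_List, Message_Type and Diameter_Version are left out of the sample); the parser follows the RFC 6733 AVP header layout; the depth convention (message-level AVPs at depth 1, no AVP deeper than 8) and the FQDN character rule for DiameterIdentity are assumptions; all sample messages are constructed.

```python
import struct
# Constructed whitelist modelled on the AVPWLScr_Config table: (AVP_Code, Vendor_Id) ->
# (AVP_Name, AVP_DataType). Codes are RFC 6733 base-protocol values; the set is a sample.
WHITELIST = {
    (257, 0): ("Host-IP-Address", "Address"),
    (260, 0): ("Vendor-Specific-Application-Id", "Grouped"),
    (263, 0): ("Session-Id", "UTF8String"),
    (264, 0): ("Origin-Host", "DiameterIdentity"),
    (266, 0): ("Vendor-Id", "Unsigned32"),
    (296, 0): ("Origin-Realm", "DiameterIdentity"),
}
MAX_NESTING_DEPTH = 8          # limit stated in the countermeasure description
VENDOR_FLAG = 0x80             # V bit in the AVP flags octet (RFC 6733 section 4.1)
IDENTITY_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")

def parse_avps(data):
    """Split an RFC 6733 AVP sequence into (code, vendor_id, payload) tuples."""
    avps, off = [], 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", data, off)
        length = int.from_bytes(data[off + 5:off + 8], "big")
        hdr = 12 if flags & VENDOR_FLAG else 8
        if length < hdr or off + length > len(data):
            raise ValueError("AVP length field inconsistent with message")
        vendor_id = struct.unpack_from("!I", data, off + 8)[0] if hdr == 12 else 0
        avps.append((code, vendor_id, data[off + hdr:off + length]))
        off += length + (-length % 4)      # AVPs are padded to 32-bit boundaries
    return avps

def check_encoding(name, dtype, payload):
    """Return a finding if the payload violates its declared data type, else None."""
    if dtype == "UTF8String":
        try:
            payload.decode("utf-8")
        except UnicodeDecodeError:
            return f"{name}: payload is not valid UTF-8"
        if b"\x00" in payload:
            return f"{name}: embedded NUL byte in UTF8String"
    elif dtype == "DiameterIdentity":
        # Assumption: identities are limited to FQDN characters (letters, digits, '-', '.')
        if not payload or any(c not in IDENTITY_CHARS for c in payload):
            return f"{name}: DiameterIdentity contains characters outside an FQDN"
    elif dtype == "Address":
        # Address = 2-byte family + address bytes (RFC 6733 section 4.3.1): IPv4 -> 6, IPv6 -> 18
        family = int.from_bytes(payload[:2], "big")
        if len(payload) != {1: 6, 2: 18}.get(family, -1):
            return f"{name}: Address length {len(payload)} does not match its family"
    return None

def screen(data, depth=1):
    """Apply the three whitelist checks; an empty list means the message passes."""
    findings = []
    for code, vendor_id, payload in parse_avps(data):
        entry = WHITELIST.get((code, vendor_id))
        if entry is None:
            findings.append(f"AVP {code} (vendor {vendor_id}) is not whitelisted")
            continue
        name, dtype = entry
        if dtype != "Grouped":
            finding = check_encoding(name, dtype, payload)
            if finding:
                findings.append(finding)
        elif depth < MAX_NESTING_DEPTH:
            findings.extend(screen(payload, depth + 1))    # descend one nesting level
        else:   # assumption: message-level AVPs sit at depth 1, so children here would be at 9
            findings.append(f"{name}: grouped AVP nesting exceeds {MAX_NESTING_DEPTH}")
    return findings

def build_avp(code, payload, vendor_id=0, flags=0x40):
    # Encoder used only to construct the sample messages below.
    hdr_len = 12 if vendor_id else 8
    length = hdr_len + len(payload)
    header = struct.pack("!IB", code, flags | (VENDOR_FLAG if vendor_id else 0))
    header += length.to_bytes(3, "big") + (struct.pack("!I", vendor_id) if vendor_id else b"")
    return header + payload + b"\x00" * (-length % 4)

def nested_group(levels, leaf):
    # Wrap leaf in `levels` Vendor-Specific-Application-Id grouped AVPs.
    for _ in range(levels):
        leaf = build_avp(260, leaf)
    return leaf

VENDOR_ID_AVP = build_avp(266, struct.pack("!I", 10415))
# Constructed samples: AVP sections only, the 20-byte Diameter header is omitted.
SAMPLES = {
    "clean": (build_avp(263, b"host.example.com;1;2") + build_avp(264, b"host.example.com")
              + build_avp(296, b"example.com") + build_avp(257, b"\x00\x01\xc0\x00\x02\x01")
              + nested_group(1, VENDOR_ID_AVP)),
    "unknown_avp": build_avp(9999, b"x", vendor_id=10415),
    "bad_identity": build_avp(264, b"host\xffexample.com"),
    "bad_utf8": build_avp(263, b"\xff\xfe;1"),
    "bad_address": build_avp(257, b"\x00\x01\xc0\x00\x02"),
    "too_deep": nested_group(MAX_NESTING_DEPTH, VENDOR_ID_AVP),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, screen(msg) or "passes")
```

Running the block prints one line per sample: the clean message passes, and each of the other samples produces exactly one finding naming the AVP and the violated condition. A real deployment would key the whitelist additionally on command code, message type and Diameter version, as the configuration table does, so that an AVP is only accepted in the commands where the specification allows it.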