Visited-PLMN-ID and Origin-Realm Consistency Check (VplmnORCst)

This countermeasure screens the ingress diameter request message to check if the MCC and MNC values in Visited-PLMN-ID AVP match the MCC and MNC values in the Origin-Realm AVP.

The option is available to configure the Application-ID and Command-Code combinations this countermeasure uses for screening.

The pre-conditions for executing this countermeasure are stated as follows. If any of these conditions are not met, then the ingress diameter request message is not screened for vulnerability.

  • The Application-ID and Command-Code of the ingress diameter request message must be configured.
  • Visited-PLMN-ID AVP must be present in the ingress diameter request message.
  • The Origin-Realm AVP must be in the format as defined in 3GPP 23.003.

This countermeasure considers the ingress diameter request message as vulnerable if MCC and MNC values in Visited-PLMN-ID AVP do not match the MCC and MNC values in the Origin-Realm AVP.

Note:

As per Section 19.2 of 3GPP 23.003, the Realm should be in the form of: epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org.

Where, <MNC> and <MCC> fields correspond to the MNC and MCC of the operator’s PLMN. Both the fields are of 3 digits. If the MNC of the PLMN is of 2 digits, then add a zero at the beginning. For example, for a network with MCC = 234 and MNC = 15, Realm/Domain name is epc.mnc015.mcc234.3gppnetwork.org.

Apart from the mandatory configuration in DSA Mandatory Configuration, configure VPLMN_ID_Exception_Config Table for configuring the Application-ID and Command-Code combinations used by this countermeasure for screening.