Visited-PLMN-ID and Origin-Realm Consistency Check (VplmnORCst)
This countermeasure screens the ingress diameter request message to check if the MCC and MNC values in Visited-PLMN-ID AVP match the MCC and MNC values in the Origin-Realm AVP.
The option is available to configure the Application-ID and Command-Code combinations this countermeasure uses for screening.
The pre-conditions for executing this countermeasure are stated as follows. If any of these conditions are not met, then the ingress diameter request message is not screened for vulnerability.
- The Application-ID and Command-Code of the ingress diameter request message must be configured.
- Visited-PLMN-ID AVP must be present in the ingress diameter request message.
- The Origin-Realm AVP must be in the format as defined in 3GPP 23.003.
This countermeasure considers the ingress diameter request message as vulnerable if MCC and MNC values in Visited-PLMN-ID AVP do not match the MCC and MNC values in the Origin-Realm AVP.
Note:
As per Section 19.2 of 3GPP 23.003, the Realm should be in the form of:epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
.
Where, <MNC> and <MCC> fields correspond to the MNC and MCC of the
operator’s PLMN. Both the fields are of 3 digits. If the MNC of the PLMN is of 2
digits, then add a zero at the beginning. For example, for a network with MCC = 234
and MNC = 15, Realm/Domain name is
epc.mnc015.mcc234.3gppnetwork.org
.
Apart from the mandatory configuration in DSA Mandatory Configuration, configure VPLMN_ID_Exception_Config Table for configuring the Application-ID and Command-Code combinations used by this countermeasure for screening.