2.4.11 AVP Whitelist Screening (AVPWLScr)

This countermeasure screens ingress Diameter request/answer messages against a whitelist of AVPs.

The list of AVP values that this countermeasure uses for screening is configurable.

This countermeasure considers an ingress Diameter request/answer message vulnerable if any of the following conditions is true:

  • AVP whitelist screening: an AVP present in the Diameter message is not required by the technical specifications.
  • Nesting level of grouped AVPs: the maximum nesting level of grouped AVPs over interconnection interfaces is exceeded (the maximum nesting depth should be 8).
  • Encoding risks of AVPs: an AVP defined as UTF8String, OctetString, or DiameterIdentity, and/or an AVP in Address format, purposely contains manipulated contents intended to introduce unintended behavior.

Note:

Appropriate ART configuration is required to route egress request messages (only those towards foreign networks) to DSA, so that the ingress answer messages from foreign peers can be screened for vulnerabilities by this countermeasure. For more information, refer to ART Configuration for DSA.

Apart from the mandatory configuration described in DSA Mandatory Configuration, configure the AVPWLScr_Config Table with the AVP values that this countermeasure uses for screening. The AVPWLScr_Config Table contains the list of whitelisted AVPs, with the fields AVP_Name, AVP_Code, AVP_DataType, Vendor_Id, Command_Code_List, Message_Type, and Diameter_Version.
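As an added example, not part of this document or of the DSA product code, the following Python sketch applies the three conditions above to a raw Diameter AVP list, using a constructed whitelist shaped like the AVPWLScr_Config columns (AVP_Code, Vendor_Id, AVP_Name, AVP_DataType, Command_Code_List). The AVP names and codes, the vendor id 10415, and command code 316 are illustrative assumptions, not the product's shipped table.

```python
import struct

MAX_NESTING_DEPTH = 8  # limit stated for grouped AVPs over interconnect interfaces
# Constructed whitelist keyed like the AVPWLScr_Config columns the page names:
# (AVP_Code, Vendor_Id) -> (AVP_Name, AVP_DataType, Command_Code_List). Illustrative.
WHITELIST = {
    (263, 0): ("Session-Id", "UTF8String", {316}),
    (264, 0): ("Origin-Host", "DiameterIdentity", {316}),
    (260, 0): ("Vendor-Specific-Application-Id", "Grouped", {316}),
    (1407, 10415): ("Visited-PLMN-Id", "OctetString", {316}),
}

def encode_avp(code, data, vendor_id=None):
    """Build one RFC 6733 AVP: code, flags/length, optional Vendor-Id, padded data."""
    flags, hdr = (0x80, 12) if vendor_id is not None else (0x00, 8)
    avp = struct.pack("!II", code, (flags << 24) | (hdr + len(data)))
    if vendor_id is not None:
        avp += struct.pack("!I", vendor_id)
    return avp + data + b"\x00" * (-len(data) % 4)

def screen(avps, cmd_code, depth=1, findings=None):
    """Return the reasons the AVP list is vulnerable (empty list means clean)."""
    findings = [] if findings is None else findings
    pos = 0
    while pos + 8 <= len(avps):
        code, fl = struct.unpack_from("!II", avps, pos)
        length, hdr = fl & 0xFFFFFF, 12 if fl & 0x80000000 else 8
        if length < hdr or pos + length > len(avps):
            findings.append(f"AVP {code} has malformed length {length}")
            break
        vendor = struct.unpack_from("!I", avps, pos + 8)[0] if hdr == 12 else 0
        data = avps[pos + hdr:pos + length]
        entry = WHITELIST.get((code, vendor))
        if entry is None or cmd_code not in entry[2]:
            findings.append(f"AVP {code}/{vendor} not whitelisted for command {cmd_code}")
        elif entry[1] == "Grouped" and depth >= MAX_NESTING_DEPTH and data:
            findings.append(f"{entry[0]} nests AVPs deeper than {MAX_NESTING_DEPTH}")
        elif entry[1] == "Grouped":
            screen(data, cmd_code, depth + 1, findings)
        elif entry[1] == "UTF8String":
            try:
                data.decode("utf-8")
            except UnicodeDecodeError:
                findings.append(f"{entry[0]} is not valid UTF-8")
        elif entry[1] == "DiameterIdentity":
            # A DiameterIdentity is an FQDN: printable ASCII, no NUL or whitespace.
            if any(b < 0x21 or b > 0x7E for b in data):
                findings.append(f"{entry[0]} contains non-FQDN bytes")
        pos += length + (-length % 4)  # AVPs are padded to a 4-byte boundary
    return findings
```

A message is treated as vulnerable when `screen` returns a non-empty list; Message_Type and Diameter_Version from the real table are not modelled here.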