2.4.7 Realm and IMSI Consistency Check (RealmIMSICst)
This countermeasure screens the ingress diameter request message to check if the MCC and MNC values present in IMSI match the MCC and MNC values in the Origin-Realm/Destination-Realm AVP.
For Inbound Roaming Subscriber, MCC and MNC values of the Origin-Realm AVP are used for matching; and for Outbound Roaming Subscriber, MCC and MNC values of the Destination-Realm AVP are used for matching.
The pre-conditions for executing this countermeasure are as follows. If any of these conditions are not met, then the ingress diameter request message is not screened for vulnerability:
- For an Inbound Roamer, the countermeasure screens only S6a/d IDR, RSR, DSR or CLR messages.
- Screening is performed only if the Origin-Realm AVP is in the format as defined in 3GPP 23.003.
- For an Outbound Roamer, the countermeasure screens only S6a/d AIR, ULR, PUR, or NOR messages.
- Screening is performed only if the Destination-Realm AVP is in the format as defined in 3GPP 23.003.
This countermeasure considers the ingress diameter request message as vulnerable if any of these conditions are true:
- For an Inbound Roamer, the MCC and MNC values present in Origin-Realm AVP do not match the MCC and MNC values in the IMSI.
- For an Outbound Roamer, the MCC & MNC value present in Destination-Realm AVP do not match the MCC and MNC values in the IMSI.
Note:
- For S6a IDR, DSR, CLR, AIR, ULR, PUR, and NOR messages, User-Name AVP is used to
fetch the MCC and MNC of the IMSI.
For S6a RSR messages, User-ID AVP is used to fetch the MCC and MNC of the IMSI.
- As per Section 19.2 of 3GPP 23.003, the Realm should be in the form of:
epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Where, <MNC> and <MCC> fields correspond to the MNC and MCC of the operator’s PLMN. Both the fields are of 3 digits. If the MNC of the PLMN is of 2 digits, then add a zero at the beginning. For example, for a network with MCC = 234 and MNC = 15, Realm/Domain name is epc.mnc015.mcc234.3gppnetwork.org.
Apart from the mandatory configuration in DSA Mandatory Configuration, Realm_IMSI_Cst_Config table has to be configured for this countermeasure.