2.4.7 Realm and IMSI Consistency Check (RealmIMSICst)
This countermeasure screens the ingress diameter request message to check if the MCC and MNC values present in IMSI match the MCC and MNC values in the Origin-Realm/Destination-Realm AVP.
For Inbound Roaming Subscriber, MCC and MNC values of the Origin-Realm AVP are used for matching; and for Outbound Roaming Subscriber, MCC and MNC values of the Destination-Realm AVP are used for matching.
The pre-conditions for executing this countermeasure are as follows. If any of these conditions are not met, then the ingress diameter request message is not screened for vulnerability:
- For an Inbound Roamer, the countermeasure screens only S6a/d IDR, RSR, DSR or CLR messages.
- Screening is performed only if the Origin-Realm AVP is in the format as defined in 3GPP 23.003.
- For an Outbound Roamer, the countermeasure screens only S6a/d AIR, ULR, PUR, or NOR messages.
- Screening is performed only if the Destination-Realm AVP is in the format as defined in 3GPP 23.003.
This countermeasure considers the ingress diameter request message as vulnerable if any of these conditions are true:
- For an Inbound Roamer, the MCC and MNC values present in Origin-Realm AVP do not match the MCC and MNC values in the IMSI and both MCC and MNC in Realm and IMSI are not configured in MCC_MNC_Exception_List.
- For an Outbound Roamer, the MCC & MNC value present in Destination-Realm AVP do not match the MCC and MNC values in the IMSI and both MCC and MNC in Realm and IMSI are not configured in MCC_MNC_Exception_List.
Note:
- For S6a IDR, DSR, CLR, AIR, ULR, PUR, and NOR messages, User-Name AVP is used to
fetch the MCC and MNC of the IMSI.
For S6a RSR messages, User-ID AVP is used to fetch the MCC and MNC of the IMSI.
- As per Section 19.2 of 3GPP 23.003, the Realm should be in the form of:
epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
Where, <MNC> and <MCC> fields correspond to the MNC and MCC of the operator’s PLMN. Both the fields are of 3 digits. If the MNC of the PLMN is of 2 digits, then add a zero at the beginning. For example, for a network with MCC = 234 and MNC = 15, Realm/Domain name is epc.mnc015.mcc234.3gppnetwork.org.
Apart from the mandatory configuration in DSA Mandatory Configuration, Realm_IMSI_Cst_Config table has to be configured for this countermeasure.
If there is a requirement to allow provisioning of same MCC with different MNC's as part of the same realm and apply countermeasures accordingly, then this comparison is done for both home and non-home subscribers.
For example, for different allowed combinations of MCC or MNC as part of one realm.
MCC 208 MNC 1 in IMSI (eg: 208 123)
MCC 208 MNC 2 or 3 or X in Realm (eg: 208 125)
For example, for allowing provisioning of multiple MCCs and MNCs to be grouped together as part of a single Realm and apply countermeasures accordingly.
MCC 208 MNC 1 in IMSI (eg: 208 123)
MCC 901 MNC Y in Realm (eg: 901 567)
To make these as allowed, configure MCC_MNC from IMSI and MCC_MNC in the Realm in MCC_MNC_Exception_List table.