10 Security Exception Function for CounterMeasure
An exception list can be defined for each countermeasure so that matching incoming messages
bypass the Vulnerability check.
- Exception Function can be enabled or disabled with flag ‘CounterMeasure_Exception_Chk’ provided in the System_Config_Options Table.
- Exception List can be defined for the following parameters for each Countermeasure:
- IMSI
- MCC_MNC
- REALM (Origin/Destination)
- ORIGIN-HOST
- VPLMN-ID
- For a countermeasure provisioned in the Exception_Rule_Config Table, the Exception Function executes the Exception types in the priority sequence defined in that table.
- Execution priority can be configured only for the following Exception types: IMSI, MCC_MNC and REALM. The remaining Exception types, ORIGIN-HOST and VPLMN-ID, are executed internally along with the REALM Exception type.
- For a REALM exception to take effect, add the Realm to the Realm_Exception_Config Table and also add either the VPLMN-ID to the VPLMN_ID_Exception_Config Table or the Origin-Host to the Origin_Host_Exception_Config Table.
- For an MCC_MNC exception to take effect, add the MCC_MNC to the MCC_MNC_Exception_Config Table and also add the VPLMN-ID to the VPLMN_ID_Exception_Config Table.
Note:
In some cases, CLR does not carry VPLMN_ID in the message. In such cases, the Realm_Exception config (where Realm and VPLMN-ID are configured in the exception tables) and the MCC_MNC_Exception config do not exempt the message. To exempt such messages, use IMSI_Exception_Config.
- Each of the exception parameters mentioned above has a separate table to configure the list of values to be bypassed for the countermeasure.
- Following is the mapping of exception parameters and their corresponding tables to configure exception list:
- IMSI: IMSI_Exception_Config Table
- MCC_MNC: MCC_MNC_Exception_Config Table
- REALM: Realm_Exception_Config Table
- ORIGIN-HOST: Origin_Host_Exception_Config Table
- VPLMN-ID: VPLMN_ID_Exception_Config Table
- Each exception list table is used to configure the list of values for which incoming traffic should bypass the Vulnerability check, and the countermeasures to which each value applies.
- If a match is found in the exception list table for the priority_1 exception type, traffic bypasses the current countermeasure execution and the checks for subsequent exception types are skipped.
- If no match is found in the exception list table for the priority_1 exception type, the exception type configured as priority_2 is executed, and traffic bypasses the current countermeasure execution if a match is found.
- If no match is found for any exception types configured for a Countermeasure, then current countermeasure will be executed and traffic will not be bypassed.
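
The following Python model is an added example, not product code. It walks through the evaluation order described above, including the CLR case from the note where VPLMN-ID is absent and only an IMSI exception applies. The table names are taken from this section; the message field names, the countermeasure name `CM_EXAMPLE`, matching REALM on a single `realm` field and all sample values are assumptions made for illustration.

```python
# Simplified model of the exception evaluation described in this section (added
# example, not product code). Table names come from the page; message field
# names, the countermeasure name and all sample values are constructed.

def in_table(tables, table, cm, value):
    """True if value is listed in table for countermeasure cm."""
    return value is not None and (cm, value) in tables.get(table, set())

def exception_matches(tables, exc_type, cm, msg):
    if exc_type == "IMSI":
        return in_table(tables, "IMSI_Exception_Config", cm, msg.get("imsi"))
    vplmn_ok = in_table(tables, "VPLMN_ID_Exception_Config", cm, msg.get("vplmn_id"))
    if exc_type == "MCC_MNC":
        # MCC_MNC only exempts when the VPLMN-ID is also listed.
        return vplmn_ok and in_table(tables, "MCC_MNC_Exception_Config", cm, msg.get("mcc_mnc"))
    if exc_type == "REALM":
        # REALM only exempts when the VPLMN-ID or the Origin-Host is also listed.
        host_ok = in_table(tables, "Origin_Host_Exception_Config", cm, msg.get("origin_host"))
        return (vplmn_ok or host_ok) and in_table(tables, "Realm_Exception_Config", cm, msg.get("realm"))
    return False

def bypass_reason(enabled, priorities, tables, cm, msg):
    """Return the exception type that exempts msg from cm, or None if cm must run."""
    if not enabled:  # CounterMeasure_Exception_Chk disabled
        return None
    for exc_type in priorities.get(cm, []):  # priority order from Exception_Rule_Config
        if exception_matches(tables, exc_type, cm, msg):
            return exc_type  # first match wins, later types are skipped
    return None

CM = "CM_EXAMPLE"  # constructed countermeasure name
PRIORITIES = {CM: ["MCC_MNC", "REALM", "IMSI"]}
TABLES = {
    "IMSI_Exception_Config": {(CM, "001010000000001")},
    "MCC_MNC_Exception_Config": {(CM, "00101")},
    "Realm_Exception_Config": {(CM, "epc.example.org")},
    "VPLMN_ID_Exception_Config": {(CM, "00F110")},
    "Origin_Host_Exception_Config": set(),
}
# Constructed messages: a ULR carrying VPLMN-ID, and two CLRs without it.
ULR = {"imsi": "001010000000002", "mcc_mnc": "00101", "realm": "epc.example.org", "vplmn_id": "00F110"}
CLR = {"imsi": "001010000000001", "mcc_mnc": "00101", "realm": "epc.example.org"}
CLR_OTHER = {"imsi": "001010000000003", "mcc_mnc": "00101", "realm": "epc.example.org"}

if __name__ == "__main__":
    for name, msg in (("ULR", ULR), ("CLR", CLR), ("CLR_OTHER", CLR_OTHER)):
        print(name, "->", bypass_reason(True, PRIORITIES, TABLES, CM, msg))
```

A result of `None` means the countermeasure executes; `CLR_OTHER` shows a message that matches the Realm and MCC_MNC tables yet is still checked because it carries no VPLMN-ID and its IMSI is not listed.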