2.4.11 AVP Whitelist Screening (AVPWLScr)
This countermeasure screens ingress diameter request/answer messages against a whitelist of AVPs.
The user can configure the list of AVP values used by this countermeasure for whitelist screening in the AVPWLScr_Config table.
This countermeasure considers the ingress diameter request/answer message vulnerable if any of the following conditions is true:
- The technical specifications defined in the AVPWLScr_Config table do not require any AVP to be present in the diameter message.
- Nesting level of grouped AVPs: the maximum nesting level of grouped AVPs is controlled over interconnection interfaces (the maximum nesting depth should be 8).
- Encoding risks of AVPs: an AVP defined as UTF8String, OctetString, or DiameterIdentity, and/or an AVP in address format, purposely contains manipulated contents with the objective of introducing unintended behavior.
Note:
Appropriate ART configuration needs to be done for routing the egress request messages (only towards foreign networks) to DSA, so that ingress answer messages from the foreign peers can be screened for vulnerability by this countermeasure. For more information, refer to ART Configuration for DSA.
Apart from the mandatory configuration in DSA Mandatory Configuration, configure the AVPWLScr_Config table with the values of the AVP(s) used by this countermeasure for screening. The AVPWLScr_Config table contains a list of AVPs with AVP_Name, AVP_Code, AVP_DataType, Vendor_Id, Command_Code_List, Message_Type, and Diameter_Version.
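As an added illustration (not DSA's own code and not a description of its implementation), the following Python sketch applies the three conditions above to an already-parsed AVP tree, using constructed sample rows in the shape of AVPWLScr_Config; the AVP codes, command codes, the depth-counting convention and the particular encoding checks are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

MAX_NESTING_DEPTH = 8  # maximum nesting depth stated for this countermeasure

@dataclass
class AVP:
    """Parsed AVP; children is non-empty only for Grouped AVPs (wire decoding not shown)."""
    code: int
    vendor_id: int = 0
    data_type: str = "OctetString"
    value: bytes = b""
    children: List["AVP"] = field(default_factory=list)

# Constructed sample rows standing in for AVPWLScr_Config:
# (AVP_Code, Vendor_Id, AVP_DataType, Command_Code_List, Message_Type); 316 = ULR, 318 = AIR
WHITELIST = [
    (263, 0, "UTF8String", [316, 318], "Request"),        # Session-Id
    (264, 0, "DiameterIdentity", [316, 318], "Request"),  # Origin-Host
    (1, 0, "UTF8String", [316], "Request"),               # User-Name
    (260, 0, "Grouped", [316], "Request"),                # Vendor-Specific-Application-Id
    (266, 0, "Unsigned32", [316], "Request"),             # Vendor-Id
]

def check_encoding(avp, expected_type):
    """Encoding-risk checks for string-typed AVPs (which checks to apply is an assumption)."""
    findings = []
    if avp.data_type != expected_type:
        findings.append(f"AVP {avp.code}: type {avp.data_type}, whitelist expects {expected_type}")
    if expected_type in ("UTF8String", "DiameterIdentity"):
        try:
            text = avp.value.decode("utf-8")
        except UnicodeDecodeError:
            return findings + [f"AVP {avp.code}: not valid UTF-8"]
        if any(ord(ch) < 0x20 for ch in text):  # embedded NUL or other control characters
            findings.append(f"AVP {avp.code}: control character in string value")
        if expected_type == "DiameterIdentity" and not text.isascii():
            findings.append(f"AVP {avp.code}: DiameterIdentity is not an ASCII FQDN")
    return findings

def screen_message(command_code, message_type, avps, whitelist=WHITELIST, depth=1):
    """Return findings for one ingress message; an empty list means it passes screening."""
    allowed = {(c, v): t for c, v, t, cmds, mt in whitelist
               if command_code in cmds and mt == message_type}
    findings = []
    for avp in avps:
        key = (avp.code, avp.vendor_id)
        if key not in allowed:  # AVP not listed for this command code / message type
            findings.append(f"AVP {avp.code}/{avp.vendor_id} not whitelisted for {message_type} {command_code}")
            continue
        findings += check_encoding(avp, allowed[key])
        if avp.children:  # top-level AVPs sit at depth 1; a Grouped AVP's children at depth + 1
            if depth >= MAX_NESTING_DEPTH:
                findings.append(f"AVP {avp.code}: grouped AVP nesting exceeds depth {MAX_NESTING_DEPTH}")
            else:
                findings += screen_message(command_code, message_type, avp.children, whitelist, depth + 1)
    return findings

def nested_vsai(levels):
    """Constructed fixture: `levels` Grouped AVPs wrapped around a single Vendor-Id leaf."""
    if levels == 0:
        return AVP(266, data_type="Unsigned32", value=b"\x00\x00\x28\xaf")
    return AVP(260, data_type="Grouped", children=[nested_vsai(levels - 1)])
```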