2.3.1 DSA Mandatory Configuration

To screen incoming messages for vulnerabilities, DSA uses values provisioned in DSA tables to execute each countermeasure’s business logic. A few of these tables must be provisioned to enable DSA business logic. The remaining tables are specific to an individual countermeasure’s business logic and need to be provisioned only if that countermeasure is provisioned.

Countermeasure-specific DSA tables are discussed in more detail under the respective countermeasures. The following configuration must be done to enable DSA business logic.

  • At least one countermeasure needs to be provisioned in the Security_Countermeasure_Config Table.

    These provisioned values define the list of countermeasures that screen the incoming message for vulnerability.

  • At least one Home network’s MCC and MNC needs to be provisioned in the MCC_MNC_List Table.

    These provisioned values determine the Roaming Status (Inbound Roaming Subscriber vs Outbound Roaming Subscriber) of any given subscriber. If the MCC and MNC portion of the subscriber’s IMSI matches the Home network’s MCC and MNC, then the subscriber is treated as an outbound roaming subscriber. Otherwise, the subscriber is treated as an inbound roaming subscriber.

  • At least one Home network’s Realm needs to be provisioned in the Realm_List Table.

    These provisioned values determine the Message Type (Ingress Message vs Egress Message) of any incoming Diameter message. If the incoming message’s Origin-Realm AVP value does not match the Home network’s Realm, then the message is treated as an ingress message from a roaming network. If the incoming message’s Origin-Realm AVP value matches the Home network’s Realm, and the Destination-Realm AVP value does not match the Home network’s Realm, then the message is treated as a home network’s egress message destined to a roaming network.

  • The System_Config_Options Table needs to be provisioned with an entry.

    This provisioned value defines the behavior of DSA when a UDR failure or any logical error occurs while executing DSA Perl business logic, and it enables or disables logging of vulnerable message details. It also defines a few countermeasure-specific options, which are discussed in more detail in the countermeasure’s business logic section.

  • The Application Route Table needs to be provisioned with two rules for SIVC CM if it is enabled.

    These provisioned ART rules have the conditions to route all 3GPP S6a and 3GPP Gx CCR-I messages to the DSA application. If SIVC CM is not enabled, then the Application Route Table must be provisioned with one rule that has conditions to route all 3GPP S6a messages to the DSA application.
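The roaming-status and message-type rules described for the MCC_MNC_List and Realm_List tables can be sketched as follows. This is an added example, not DSA's own Perl business logic; the table contents, function names, the case-insensitive realm comparison and the "unclassified" result are assumptions made for illustration.

```python
# Added illustration of the classification rules; not Oracle DSA code.
# Constructed sample data standing in for the provisioned tables.
HOME_MCC_MNC = {("001", "01"), ("999", "990")}        # MCC_MNC_List (MNC is 2 or 3 digits)
HOME_REALMS = {"epc.mnc001.mcc001.3gppnetwork.org"}   # Realm_List


def roaming_status(imsi):
    """Return 'outbound' if the IMSI's MCC+MNC is a home entry, else 'inbound'."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("malformed IMSI")
    # The MNC length is not encoded in the IMSI, so compare against each
    # provisioned MCC+MNC prefix instead of slicing a fixed width.
    for mcc, mnc in HOME_MCC_MNC:
        if imsi.startswith(mcc + mnc):
            return "outbound"   # home subscriber roaming in another network
    return "inbound"            # foreign subscriber roaming in the home network


def message_type(origin_realm, destination_realm):
    """Classify a message from its Origin-Realm and Destination-Realm AVP values."""
    # Assumption: realms are compared case-insensitively.
    origin_home = origin_realm.lower() in HOME_REALMS
    destination_home = destination_realm.lower() in HOME_REALMS
    if not origin_home:
        return "ingress"        # arrived from a roaming network
    if not destination_home:
        return "egress"         # home network message destined to a roaming network
    # Both realms are home: the section defines no message type for this case.
    return "unclassified"


if __name__ == "__main__":
    visited = "epc.mnc015.mcc234.3gppnetwork.org"     # constructed foreign realm
    home = "epc.mnc001.mcc001.3gppnetwork.org"
    samples = [                                        # constructed messages
        ("001011234567890", visited, home),
        ("234151234567890", home, visited),
        ("001011234567890", home, home),
    ]
    for imsi, origin, destination in samples:
        print(imsi, roaming_status(imsi), message_type(origin, destination))
```

An empty MCC_MNC_List or Realm_List in this sketch makes every subscriber inbound and every message ingress, which shows why at least one entry in each table is mandatory before the countermeasures can make meaningful decisions.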