1. Diameter Security Application User Guide with UDR
  2. Understanding DSA Functionality and Logic
  3. DSA Stateful Countermeasure Logic
  4. Source Host Validation HSS (SrcHostValHss)

2.5.4 Source Host Validation HSS (SrcHostValHss)

This countermeasure screens S6a/d IDR, DSR and CLR message of Inbound Roaming Subscribers to check if the HSS from which the IDR/DSR/CLR/RSR message is received is the same HSS to which earlier registration request has been sent successfully.

The Inbound Roaming Subscriber is considered successfully registered with the Home network when an egress S6a/d ULR/A (ULA with Result-Code as 2xxx) is processed by DSA.

The Inbound Roaming Subscriber is considered de-registered from the Home network when:

  • An egress S6a/d PUR is processed by DSA, or
  • A non-vulnerable ingress CLR or RSR(with appropriate range of User-Ids) message is processed by DSA.
This countermeasure considers the ingress S6a/d IDR, DSR and CLR message as vulnerable if any of these conditions are true:
  • The subscriber has not registered with the Home network.
  • The HSS from which the IDR/DSR/CLR message is received is different from the HSS to which earlier registration request has been sent.

Note:

Appropriate ART configuration needs to be done for routing the egress request messages (only towards foreign networks) to DSA so that the egress CLR can be processed by this countermeasure. For more information, refer to ART Configuration for DSA.

System_Config_Options Table: Check the Process_Foreign_RSR_Msg field, if RSR message needs to be processed by this counter measure.