2.5.5 Source Host Validation MME (SrcHostValMme)
This countermeasure screens S6a/d ULR and PUR messages of Outbound Roaming Subscribers to check whether the MME from which these messages are received is valid. It also validates the sequential ordering of the authentication and registration process when the subscriber moves from one foreign network to another foreign network.
The Outbound Roaming Subscriber is considered successfully authenticated by the Home network when an ingress S6a/d AIR/A (AIA with Result-Code as 2xxx) is processed by DSA.
The Outbound Roaming Subscriber is considered successfully registered to a Foreign network when a non-vulnerable ingress S6a/d ULR/A (ULA with Result-Code as 2xxx) is processed by DSA.
The subscriber is considered de-registered from the Foreign network when:
- An egress S6a/d CLR is processed by DSA, or
- An egress S6a/d RSR is processed by DSA, or
- A non-vulnerable ingress PUR message is processed by DSA
This countermeasure considers the ingress S6a/d ULR message as vulnerable if any of these conditions are true:
- The subscriber has not been authenticated by the Home network.
- The Visited-PLMN-Id from which the subscriber was authenticated does not match the Visited-PLMN-Id from which the registration request is received.
This countermeasure considers the ingress S6a/d PUR message as vulnerable if any of these conditions are true:
- The subscriber has not been authenticated by the Home network.
- The subscriber has not registered with the Home network.
- The MME from which the PUR message is received is different from the MME on which the subscriber is registered.
Appropriate ART configuration is required to route the egress request messages (only those towards foreign networks) to DSA so that the egress CLR/RSR can be processed by this countermeasure. For more information, refer to the ART Configuration for DSA.
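The authentication, registration and de-registration rules above can be read as a small per-subscriber state machine. The following Python model is an added illustration, not DSA code: the class and method names are hypothetical, state is keyed by IMSI, each ULR is evaluated together with the Result-Code of its ULA, and authentication state is assumed to survive de-registration, which this section does not specify.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SubscriberState:
    auth_plmn: Optional[str] = None  # Visited-PLMN-Id of the last successful AIR/AIA
    reg_mme: Optional[str] = None    # MME that holds the current registration


class SrcHostValModel:
    """Illustrative model of the rules above, keyed by IMSI (assumption)."""

    def __init__(self) -> None:
        self.subs: Dict[str, SubscriberState] = {}

    def _state(self, imsi: str) -> SubscriberState:
        return self.subs.setdefault(imsi, SubscriberState())

    def on_aia(self, imsi: str, visited_plmn: str, result_code: int) -> None:
        # Authenticated only when the AIA carries a 2xxx Result-Code.
        if 2000 <= result_code <= 2999:
            self._state(imsi).auth_plmn = visited_plmn

    def on_ulr(self, imsi: str, visited_plmn: str, mme: str, ula_result: int) -> str:
        s = self._state(imsi)
        if s.auth_plmn is None:
            return "vulnerable: not authenticated"
        if s.auth_plmn != visited_plmn:
            return "vulnerable: Visited-PLMN-Id mismatch"
        # Registered only for a non-vulnerable ULR answered with a 2xxx ULA.
        if 2000 <= ula_result <= 2999:
            s.reg_mme = mme
        return "ok"

    def on_pur(self, imsi: str, mme: str) -> str:
        s = self._state(imsi)
        if s.auth_plmn is None:
            return "vulnerable: not authenticated"
        if s.reg_mme is None:
            return "vulnerable: not registered"
        if s.reg_mme != mme:
            return "vulnerable: MME mismatch"
        s.reg_mme = None  # a non-vulnerable PUR de-registers the subscriber
        return "ok"

    def on_egress_clr_or_rsr(self, imsi: str) -> None:
        # Egress CLR/RSR de-registers; auth state is kept (assumption, not stated).
        self._state(imsi).reg_mme = None
```

Feeding the model a PUR from an MME other than the registered one, or a ULR from a PLMN other than the one that authenticated the subscriber, returns the matching "vulnerable" verdict and leaves the registration state unchanged.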