2.4.8 Subscriber Identity Validation (SubsIdenValid)

This countermeasure screens the ingress diameter request message for an Inbound Roaming Subscriber to check if the Subscriber’s identity is valid.

This countermeasure considers the ingress diameter request message for an Inbound Roaming Subscriber as vulnerable if the MCC and MNC values present in the User-Name AVP and MCC MNC from the Origin Realm are not matching and are not configured in MCC_MNC_Exception_List table. If these values are fine, then it checks whether the MCC_MNC in the User-Name AVP are provisioned as MCC and MNC of a Foreign network. If not, it marks it as vulnerable.

Note:

Realm should be in 3gpp format.

Apart from the mandatory configuration in DSA Mandatory Configuration, configure MCC_MNC_List Table for configuring MCC and MNC combinations of Foreign networks used by this countermeasure for validating Subscriber’s identity.

If it is required to allow provisioning of same MCC with different MNC's as part of the same realm and apply countermeasures accordingly.

For example, for different allowed combinations of MCC or MNC as part of one realm.

MCC 208 MNC 1 in IMSI (eg: 208 123)

MCC 208 MNC 2 or 3 or X in Realm (eg: 208 125)

For example, for allowing provisioning of multiple MCCs and MNCs to be grouped together as part of a single Realm and apply countermeasures accordingly.

MCC 208 MNC 1 in IMSI (eg: 208 123)

MCC 901 MNC Y in Realm (eg: 901 567)

To make these as allowed, configure MCC_MNC from IMSI and MCC_MNC in the Realm in MCC_MNC_Exception_List table.