7.3.3 System_Config_Options Table

This table is used to configure various options that customize the behavior of the countermeasures.

Table 7-6 System_Config_Options Fields

Field Description
MCC or VPLMN-ID

Indicates whether the source and destination node IDs configured in the TimeDistChk_Country_Config Table are MCCs or VPLMN-IDs.

If MCC_Or_VPLMNID is configured as MCC_Based, then the source and destination node IDs are treated as MCC values.

If MCC_Or_VPLMNID is configured as VPLMNID_Based, then the source and destination node IDs are treated as VPLMN-ID values.
Vulnerable If Time Distance entry Not Configured

Defines the behavior when no matching source and destination node ID is configured while executing business logic.

If vulnerable_If_TimeNotConfigured is configured as Yes, then the message is considered as vulnerable when no matching source and destination node is configured.

If vulnerable_If_TimeNotConfigured is configured as No, the message is not considered as vulnerable when no matching source and destination node is configured. The message is processed further by other countermeasures (if provisioned).
Ingress Message Validation For Origin-Realm Screening

Defines the behavior to screen or not to screen the Origin-Realm AVP of the ingress diameter message for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr).

If Ingress_Msg_Chk_For_OR_Scr is configured as Yes, then the Origin-Realm AVP of the ingress diameter message is checked for vulnerability.

If Ingress_Msg_Chk_For_OR_Scr is configured as No, then the Origin-Realm AVP of the ingress diameter message is not checked for vulnerability.
Ingress Message Validation For Destination-Realm Screening

Defines the behavior to screen or not to screen the Destination-Realm AVP of the ingress diameter message for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr).

If Ingress_Msg_Chk_For_DR_Scr is configured as Yes, then the Destination-Realm AVP of the ingress diameter message is checked for vulnerability.

If Ingress_Msg_Chk_For_DR_Scr is configured as No, then the Destination-Realm AVP of the ingress diameter message is not checked for vulnerability.
Egress Message Validation For Destination-Realm Screening

Defines the behavior to screen or not to screen the Destination-Realm AVP of the egress diameter message for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr).

If Egress_Msg_Chk_For_DR_Scr is configured as Yes, then the Destination-Realm AVP of the egress diameter message is checked for vulnerability.

If Egress_Msg_Chk_For_DR_Scr is configured as No, then the Destination-Realm AVP of the egress diameter message is not checked for vulnerability.
Exception Realms For OhOrCstChk

Exception_Realms_For_OhOrCstChk holds the list of Whitelist Realms. If one of these realms is received as Origin-Realm in the ingress diameter message, then the message is not screened by the Origin Host and Origin Realm Consistency Check (OhOrCstChk) countermeasure for checking vulnerability.
Error Action if UDR Failure

Defines the action performed if a UDR failure occurs while executing the business logic of a Stateful countermeasure.

If Error_Action_for_UDR_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further.

If Error_Action_for_UDR_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further.
Error Action if countermeasure’s business logic execution failure

Defines the action performed if any logical error occurs while executing the countermeasure’s business logic.

If Error_Action_for_CmExec_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further.

If Error_Action_for_CmExec_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further.
Enable Tracing

Defines DSA tracing status.

If Enable_Tracing is configured as Yes, then vulnerable message details are added to the DSA log file.

If Enable_Tracing is configured as No, then vulnerable message details are not added to the DSA log file.

Process_Foreign_RSR_Msg

If checked, the DSA Application will process the ingress RSR message from a foreign node.

If not checked, the DSA Application will ignore the ingress RSR Message from a foreign node.
TDC_Chk_For_First_ULR_AIR_Msg

If checked, the DSA Application will screen the first ULR/AIR message for vulnerability by the Time Distance Check Countermeasure.
Error_Action_For_CASM_Failure

Defines the action performed if a CreateAndSendMsg request failure occurs while executing the business logic of a Stateful countermeasure.

If Error_Action_for_CASM_Failure is configured as Continue_Processing, then the message is treated as non-vulnerable by the countermeasure under process and is passed to the next countermeasure (if provisioned) to process further.

If Error_Action_for_CASM_Failure is configured as Drop, then the message is discarded at DSR and is not processed/relayed any further.
Avg_Flight_Velocity

Defines the average flight speed considered when calculating the distance between two points using latitude and longitude for the Time Distance Check CM. [Velocity in km].

TDC_Chk_For_Neighbour_Country

Decides whether the Time Distance Check CM should be exempted for neighboring countries.
Max_Tuple_For_SrcHostValHss

(Bug#30133341) Defines the maximum number of tuples to be stored in the UDR Db for the Source Host Validation HSS CM for each subscriber.

When either 'Maximum Size of Application State' or 'Max_Tuple_For_SrcHostValHss' reaches its limit, the oldest tuple in the UDR State Data is popped off to store the latest tuple.
CounterMeasure_Exception_Chk

Decides whether to enable or disable the Security Exception function for the countermeasure.

MCCMNC_AVP

Decides from which AVP the MCCMNC value is fetched for the Session Integrity Validation Check [SesIntValChk] countermeasure.

This table describes the field details for the System_Config_Options Table.

Note:

While the failure of a UDR is rare, loss of connectivity to a remote UDR can sometimes occur due to network fluctuations. Loss of connectivity is also treated by the DSA as a UDR failure and it is therefore desirable to set the value for the Error Action if UDR Failure parameter (in the System_Config_Options table) as Continue Processing. This ensures the requests are not dropped and roaming subscribers continue to receive service.

In the rare case of a UDR failure that results in loss of a significant amount of data in the database, Oracle recommends switching the Operating mode for any enabled stateful countermeasures (in the Security_Countermeasure_Config table) to Detection_Only for 24 hours. The setting can be reverted to its original setting after 24 hours.
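
The trade-off described in the note above, as an added example (a simplified model written for this page, not Oracle DSA code): each failure type is mapped to its Error_Action field, and a stateful countermeasure whose UDR is unreachable either fails open to the next countermeasure or causes the message to be dropped. The screen function, the exception classes, the verdict strings, the check logic and the sample realms are assumptions made for illustration.

```python
# Added model of the Error_Action_* options; not Oracle DSA code.
class UDRFailure(Exception): pass
class CmExecFailure(Exception): pass
class CASMFailure(Exception): pass

# Failure kind -> System_Config_Options field that decides the outcome (Table 7-7).
ERROR_ACTION_FIELD = {
    UDRFailure: "Error_Action_for_UDR_Failure",
    CmExecFailure: "Error_Action_for_CmExec_Failure",
    CASMFailure: "Error_Action_For_CASM_Failure",
}
DEFAULTS = dict.fromkeys(ERROR_ACTION_FIELD.values(), "Continue_Processing")

def screen(message, countermeasures, options=None):
    """Run (name, check) pairs in order; return (verdict, trace)."""
    opts = {**DEFAULTS, **(options or {})}
    trace = []
    for name, check in countermeasures:
        try:
            vulnerable = check(message)
        except tuple(ERROR_ACTION_FIELD) as exc:
            field = ERROR_ACTION_FIELD[type(exc)]
            if opts[field] == "Drop":
                trace.append((name, f"{field}=Drop"))
                return "dropped", trace          # discarded, not relayed
            trace.append((name, "failed open"))  # counted as non-vulnerable
            continue                             # next countermeasure, if any
        if vulnerable:
            trace.append((name, "vulnerable"))
            return "vulnerable", trace  # follow-up depends on operating mode
        trace.append((name, "clean"))
    return "relayed", trace

# Constructed stand-ins (hypothetical logic, names borrowed from the page).
def src_host_val_hss(message):
    raise UDRFailure("connection to remote UDR lost")  # stateful check, UDR down

def realm_wl_scr(message, whitelist=frozenset({"home.example"})):
    return message["Origin-Realm"] not in whitelist

if __name__ == "__main__":
    msg = {"Origin-Realm": "visited.example"}  # constructed message
    stateful_only = [("SrcHostValHss", src_host_val_hss)]
    both = stateful_only + [("RealmWLScr", realm_wl_scr)]
    print(screen(msg, stateful_only))
    print(screen(msg, both))
    print(screen(msg, both, {"Error_Action_for_UDR_Failure": "Drop"}))
```

With the default Continue_Processing, a message that only the stateful countermeasure would have screened is relayed unexamined while the UDR is unreachable, which is why the note pairs that setting with a temporary switch to Detection_Only after significant data loss.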

Table 7-7 Field Details for System_Config_Options

Field Name Unique Mandatory Data Type, Range, and Default Value Description
MCC_Or_VPLMNID Yes Yes

Enumerated

Range:

MCC_Based: 1

VPLMNID_Based: 2

Default: MCC_Based

To check the mode of configuration for TimeDistChk_Config Table.

MCC_Based: Source and Destination ID configuration is MCC based.

VPLMNID_Based: Source and Destination ID configuration is VPLMNID based.
Vulnerable_If_TimeNotConfigured N/A N/A

Boolean

Range: Yes/No

Default: No

To decide whether to mark the message as vulnerable by the countermeasure if no matching Source and Destination ID is configured in TimeDistChk_Config Table.

Yes: Mark vulnerable

No: Ignore the message
Ingress_Msg_Chk_For_OR_Scr N/A N/A

Boolean

Range: Yes/No

Default: Yes

To decide whether to screen Origin-Realm for ingress Diameter Request messages for vulnerability by Origin Realm and Destination Realm whitelist screening (RealmWLScr).

Yes: Check for vulnerability

No: Do not check for vulnerability
Ingress_Msg_Chk_For_DR_Scr N/A N/A

Boolean

Range: Yes/No

Default: Yes

To decide whether to screen Destination-Realm for ingress Diameter Request messages for vulnerability by Origin Realm and Destination Realm whitelist screening (RealmWLScr).

Yes: Check for vulnerability

No: Do not check for vulnerability
Egress_Msg_Chk_For_DR_Scr N/A N/A

Boolean

Range: Yes/No

Default: No

To decide whether to screen Destination-Realm for egress Diameter Request messages for vulnerability by Origin Realm and Destination Realm Whitelist Screening (RealmWLScr).

Yes: Check for vulnerability

No: Do not check for vulnerability
Exception_Realms_For_OhOrCstChk Yes No

UTF8String

Range: 1–2048 characters

Default: N/A

List of Whitelist Realms (in valid format) separated by semicolon “;” for which Origin host and Origin Realm consistency is not checked.
Error_Action_for_UDR_Failure Yes Yes

Enumerated

Range:

Continue_Processing: 1

Drop: 2

Default: Continue_Processing

Error action performed if UDR failure occurs.

Continue_Processing: The message is treated as non-vulnerable and is processed further.

Drop: The message is treated as vulnerable and is dropped.
Error_Action_for_CmExec_Failure Yes Yes

Enumerated

Range:

Continue_Processing: 1

Drop: 2

Default: Continue_Processing

Error action performed if countermeasure execution failed.

Continue_Processing: The message is treated as non-vulnerable and is processed further.

Drop: The message is treated as vulnerable and is dropped.
Enable_Tracing N/A N/A

Boolean

Range: Yes/No

Default: No

Log the message details if found vulnerable by a countermeasure.

Yes: Log the message details

No: Do not log the message details
Process_Foreign_RSR_Msg N/A N/A

Boolean

Range: Yes/No

Default: No

To decide whether to process RSR Message received from a Foreign Network

Yes: Process RSR Message

No: Don't process RSR Message
TDC_Chk_For_First_ULR_AIR_Msg N/A N/A

Boolean

Range: Yes/No

Default: No

To decide whether to screen first ULR/AIR for vulnerability by Time Distance Check CM.

Yes: Check first ULR/AIR for Vulnerability
Error_Action_For_CASM_Failure Yes Yes

Enumerated

Range:

Continue_Processing: 1

Drop: 2

Default: Continue_Processing

[CASM: CreateAndSendMsg]

Error action performed when CreateAndSendMsg fails.

Continue_Processing: The message will be treated as non-vulnerable and will be processed further.

Drop: The message will be treated as vulnerable and will be dropped.
TDC_Chk_For_Continent N/A N/A

Boolean

Range: Yes/No

Default: Yes

To decide whether to screen ULR/AIR message for Continent check by Time Distance Check CM.

Yes: Apply Continent check on AIR/ULR message for Vulnerability

No: Don't Apply Continent check on AIR/ULR message for Vulnerability
MCCMNC_AVP N/A N/A

Enumerated

Range:

3GPP_SGSN_MCC_MNC: 1

3GPP_User_Location_Info: 2

To decide from which AVP the MCCMNC value is to be fetched for the Session Integrity Validation Check [SesIntValChk] countermeasure.