6.5 ART Configuration for DSA
DSA screens ingress Diameter messages received from foreign networks for vulnerabilities. To route those messages to DSA:
- Create an ART to route all the ingress traffic to DSA.
- Assign the ART to all the foreign peers.
If you do not want to screen ingress Diameter messages from a specific foreign peer, do not assign the ART to that peer.
DSA also screens egress Diameter messages sent from the home network to a foreign network. To route those messages to DSA:
- Create an ART to route only egress traffic from a home network toward a foreign network to DSA, that is, messages where Origin-Realm matches the Home network Realm, and Destination-Realm does not match the Home network Realm.
- Assign the ART only to those home network peers that can send egress messages to a foreign network.
If Diameter messages are screened with any of the following countermeasures, the egress ART must be assigned to every home peer that can send egress messages to a foreign network:
- Stateless countermeasures:
- Origin Realm and Destination Realm Whitelist Screening (RealmWLScr)
- Specific AVP Screening (SpecAVPScr)
- AVP Multiple Instance Check (AVPInstChk)
- AVP Whitelist Screening (AVPWLScr)
- Stateful countermeasures:
- Previous Location Check (PreLocChk)
- Source Host Validation HSS (SrcHostValHss)
- Source Host Validation MME (SrcHostValMme)
For the stateful countermeasures listed above, if egress traffic is not routed to DSA, the countermeasure logic does not work correctly and may wrongly mark legitimate messages as vulnerable, which leads to traffic loss.
The ART rules shown in Figure 6-1 for the SIVC countermeasure are:
- Create an ART rule with the condition AppId equal to 3GPP S6a that routes to the DSA application.
- Create an ART rule with the conditions AppId equal to 3GPP Gx and CmdCode equal to CCR/CCA-I (Credit-Control with CC-Request-Type INITIAL_REQUEST) that routes to the DSA application.
Figure 6-1 ART Rules Configured for SIVC CM
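The following is an added worked example, not Oracle DSR/DSA code. It models the three ART shapes this section describes (route-all ingress ART for foreign peers, egress ART keyed on Origin-Realm/Destination-Realm for home peers, and the S6a / Gx CCR-I rules of Figure 6-1) and a configuration check for the stateful-countermeasure caveat: it flags home peers that can send egress traffic but have no ART routing it to DSA. The realm, host and ART names are constructed; the AppId, CmdCode and CC-Request-Type values are the standard 3GPP/IETF assignments.

```python
"""Minimal model of DSR ART rules deciding which Diameter messages reach DSA.
Added example, not Oracle's code. Realm/host/ART names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Standard identifiers: S6a (3GPP TS 29.272), Gx (3GPP TS 29.212),
# Credit-Control command code and CC-Request-Type values (RFC 4006).
APP_ID_S6A = 16777251
APP_ID_GX = 16777238
CMD_CCR = 272            # CCR and CCA share the command code; the R-bit differs
CMD_ULR = 316            # S6a Update-Location, used only as a probe below
CC_REQ_INITIAL = 1       # CC-Request-Type = INITIAL_REQUEST

HOME_REALM = "home.example.org"   # constructed home network realm


@dataclass
class DiameterMsg:
    peer: str                             # peer the message was received from
    app_id: int
    cmd_code: int
    origin_realm: str
    dest_realm: str
    cc_request_type: Optional[int] = None  # present only on Gx CCR/CCA


@dataclass
class ArtRule:
    name: str
    matches: Callable[[DiameterMsg], bool]
    application: str = "DSA"


@dataclass
class Art:
    name: str
    rules: List[ArtRule]

    def route(self, msg: DiameterMsg) -> Optional[str]:
        """First matching rule wins; None means no application routing."""
        for rule in self.rules:
            if rule.matches(msg):
                return rule.application
        return None


def is_egress(msg: DiameterMsg) -> bool:
    """Egress = home network to foreign network, the section 6.5 condition."""
    return msg.origin_realm == HOME_REALM and msg.dest_realm != HOME_REALM


# ART for foreign peers: every ingress message goes to DSA.
INGRESS_ART = Art("ART_DSA_Ingress", [ArtRule("all-ingress", lambda m: True)])

# ART for home peers that can send traffic abroad: only egress goes to DSA.
EGRESS_ART = Art("ART_DSA_Egress", [ArtRule("home-to-foreign", is_egress)])

# ART with the two application-specific rules shown for the SIVC CM.
SIVC_ART = Art("ART_DSA_SIVC", [
    ArtRule("s6a", lambda m: m.app_id == APP_ID_S6A),
    ArtRule("gx-ccr-i", lambda m: m.app_id == APP_ID_GX
            and m.cmd_code == CMD_CCR
            and m.cc_request_type == CC_REQ_INITIAL),
])


@dataclass
class Peer:
    host: str
    foreign: bool
    sends_egress: bool           # home peer that may send to foreign realms
    art: Optional[Art] = None    # None = no ART assigned, peer is not screened


# Constructed peer table: one foreign DEA, three home nodes.
PEERS: Dict[str, Peer] = {
    "dea.partner.example.net": Peer("dea.partner.example.net", True, False, INGRESS_ART),
    "mme1.home.example.org": Peer("mme1.home.example.org", False, True, EGRESS_ART),
    "hss1.home.example.org": Peer("hss1.home.example.org", False, False, None),
    "pcrf1.home.example.org": Peer("pcrf1.home.example.org", False, True, None),
}


def route_message(msg: DiameterMsg, peers: Dict[str, Peer] = PEERS) -> Optional[str]:
    """Return the application ('DSA') the message is routed to, or None."""
    peer = peers.get(msg.peer)
    if peer is None or peer.art is None:
        return None
    return peer.art.route(msg)


STATEFUL_CMS = {"PreLocChk", "SrcHostValHss", "SrcHostValMme"}


def check_egress_coverage(enabled_cms, peers: Dict[str, Peer] = PEERS) -> List[str]:
    """Flag home peers able to send egress traffic whose ART does not route
    it to DSA while a stateful countermeasure is enabled (the traffic-loss
    caveat in section 6.5). Uses a constructed egress S6a ULR as the probe."""
    if not STATEFUL_CMS & set(enabled_cms):
        return []
    probe = DiameterMsg("", APP_ID_S6A, CMD_ULR, HOME_REALM, "visited.example.net")
    warnings = []
    for p in peers.values():
        if p.foreign or not p.sends_egress:
            continue
        if p.art is None or p.art.route(probe) != "DSA":
            warnings.append(f"{p.host}: egress traffic not routed to DSA")
    return warnings
```

In this model the PCRF peer is the misconfiguration the caveat warns about: it can send egress Gx traffic, no ART is assigned to it, and with SrcHostValMme enabled check_egress_coverage reports it, while the same check with only stateless countermeasures enabled reports nothing.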
