General packet radio service tunneling protocol (GTP) packet filter

US 20030081607A1
Filed: 06/17/2002
Published: 05/01/2003
Est. Priority Date: 10/30/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of filtering data packets in General Packet Radio Service (GPRS) Tunneling Protocol (GTP) signaling messages between service nodes in a GPRS network, said method comprising the steps of:

analyzing at least one GTP signaling message against a plurality of filtering criteria; and

responsive to the analyzing step, selectively dropping data packets from the GTP signaling message or allowing the packets to pass.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of filtering data packets in General Packet Radio Service (GPRS) Tunneling Protocol (GTP) signaling messages. Selected messages from GTP Path Management, GTP Tunnel Management, GTP Mobility Management, and GTP Location Management messages are analyzed against a plurality of filtering criteria, and data packets that do not meet the filtering criteria are dropped while data packets that meet the criteria are passed. The data packets may be analyzed to verify that they contain correct source, destination, and mask addresses, and that they contain UDP/TCP port numbers that are consistent with the GTP version number. The packets are also inspected at the GTP level, layer-5, and based on the GTP version, information in the GTP header, and accompanying Information Elements (IEs), selected data packets are dropped.

112 Citations

25 Claims

1. A method of filtering data packets in General Packet Radio Service (GPRS) Tunneling Protocol (GTP) signaling messages between service nodes in a GPRS network, said method comprising the steps of:
- analyzing at least one GTP signaling message against a plurality of filtering criteria; and
  
  responsive to the analyzing step, selectively dropping data packets from the GTP signaling message or allowing the packets to pass.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of filtering data packets of claim 1 wherein the step of analyzing at least one GTP signaling message includes analyzing messages selected from a group consisting of:
    - GTP Path Management messages;
      
      GTP Tunnel Management messages;
      
      GTP Mobility Management messages; and
      
      GTP Location Management messages.
  - 3. The method of filtering data packets of claim 1 wherein the step of analyzing at least one GTP signaling message includes the steps of:
    - verifying that the data packets in the GTP signaling message contain correct source, destination, and mask addresses;
      
      verifying that the data packets in the GTP signaling message contain User Datagram Protocol/Transmission Control Protocol (UDP/TCP) port numbers that are consistent with the GTP version number; and
      
      inspecting the data packets at the GTP level, (Open Systems Interconnect (OSI) layer-5).
  - 4. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes:
    - determining whether a destination node supports the GTP version specified in the data packet header;
      
      determining whether the message type specified in the data packet header is permitted by the network; and
      
      verifying that the message length is within an allowable minimum to maximum message length for the message type.
  - 5. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes determining whether the message is a response message of a particular message type, and if so, determining whether a corresponding request message of the same message type exists.
  - 6. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes allowing selected message types to pass only if the signaling message is being sent between nodes of a specified type.
  - 7. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes determining that an End User Address Information Element has a length that matches an expected length, said expected length being based upon an Access Point Name (APN) specified in a Create Packet Data Protocol (PDP) Context Request Information Element.
  - 8. The method of filtering data packets of claim 7 wherein the step of inspecting the data packets at the GTP level also includes determining that a specified selection mode is permitted by the specified APN.
  - 9. The method of filtering data packets of claim 7 wherein the step of inspecting the data packets at the GTP level also includes determining that a specified Mobile Station Integrated Services Digital Network (MSISDN) value is permitted for the specified APN.
  - 10. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes ensuring that a Packet Data Protocol (PDP) Context exists for an International Mobile Station Identifier (IMSI) specified in the signaling message.
  - 11. The method of filtering data packets of claim 10 wherein the step of ensuring that a PDP Context exists for the IMSI specified in the signaling message includes checking a Tunnel Identifier (TID) or a Tunnel Endpoint Identifier (TEID) to ensure that a PDP Context exists for the IMSI.
  - 12. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes verifying that a Serving GPRS Support Node (SGSN) Address for Signaling Information Element has a valid source address for the message type specified in the data packet header.
  - 13. The method of filtering data packets of claim 12 wherein the step of inspecting the data packets at the GTP level also includes verifying that an SGSN Address for User Traffic Information Element has a valid source address for the message type specified in the data packet header.
  - 14. The method of filtering data packets of claim 3 wherein the step of inspecting the data packets at the GTP level includes the steps of:
    - verifying that a Charging Identification Information Element is present in the data packet header; and
      
      verifying that the Charging Identification is valid.
  - 15. The method of filtering data packets of claim 1 wherein the step of selectively dropping data packets includes dropping data packets that do not meet the filtering criteria.
  - 16. The method of filtering data packets of claim 15 further comprising logging all packets that have been dropped and all packets that have been passed through during the selective dropping step.
  - 17. The method of filtering data packets of claim 1 further comprising performing line rate limiting for the GTP signaling message.

18. A method of filtering data packets in General Packet Radio Service (GPRS) Tunneling Protocol (GTP) signaling messages between service nodes in a GPRS network, said method comprising the steps of:
- analyzing selected messages from GTP Path Management messages, GTP Tunnel Management messages, GTP Mobility Management messages, or GTP Location Management messages against a plurality of filtering criteria; and
  
  responsive to the analyzing step, dropping data packets that do not meet the filtering criteria while allowing data packets that meet the criteria to pass.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of filtering data packets of claim 18 wherein the step of analyzing selected messages includes the steps of:
    - verifying that the data packets in the selected messages contain correct source, destination, and mask addresses;
      
      verifying that the data packets in the selected messages contain User Datagram Protocol/Transmission Control Protocol (UDP/TCP) port numbers that are consistent with the GTP version number; and
      
      inspecting the data packets at the GTP level (Open Systems Interconnect (OSI) layer-5).
  - 20. The method of filtering data packets of claim 19 wherein the step of inspecting the data packets at the GTP level includes:
    - determining whether a destination node supports the GTP version specified in the data packet header;
      
      determining whether the message type specified in the data packet header is permitted by the network;
      
      verifying that the message length is within an allowable minimum to maximum message length for the message type; and
      
      determining whether a particular message is a response message of a particular message type, and if so, determining whether a corresponding request message of the same message type exists.
  - 21. The method of filtering data packets of claim 19 wherein Internet Protocol (IP) packets in the GTP messages include a GTP header, and the step of inspecting the data packets at the GTP level includes:
    - determining from the GTP header;
      
      a source IP address of a selected signaling message;
      
      an identifier for an originating mobile station; and
      
      an Access Point Name (APN) specified by the mobile station; and
      
      determining whether it is permitted for the mobile station having the determined identifier to request the determined APN from the port number and source IP address in the GTP header.
  - 22. The method of filtering data packets of claim 21 wherein a GTP message further comprising the step of limiting access to an APN when the mobile station is roaming in an untrusted network.
  - 23. The method of filtering data packets of claim 19 wherein Internet Protocol (IP) packets in the GTP messages include a GTP header, and the method further comprises binding, in an End User Information Element in the GTP header, a Tunnel Identifier (TID) with the IP address assigned to the mobile station and with a Packet Data Protocol (PDP) Context established to conduct a data session.
  - 24. The method of filtering data packets of claim 19 wherein Internet Protocol (IP) packets in the GTP messages include a GTP header, and the method further comprises binding, in an End User Information Element in the GTP header, a Tunnel Endpoint Identifier (TEID) with the IP address assigned to the mobile station and with a Packet Data Protocol (PDP) Context established to conduct a data session.
  - 25. The method of filtering data packets of claim 19 wherein the step of inspecting the data packets at the GTP level includes inspecting a source address in a request from the mobile station to determine whether the mobile station'"'"'s International Mobile Station Identifier (IMSI) address falls within an appropriate range for the Mobile Network Code (MNC) and Mobile Country Code (MCC) of the network operator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Kavanagh, Alan

Application Number

US10/173,484
Publication Number

US 20030081607A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 69/22   Parsing or analysis of headers

H04L 69/327   in the session layer [OSI l...

H04Q 3/0025   Provisions for signalling

H04W 12/12   Detection or prevention of ...

H04W 12/72   Subscriber identity

General packet radio service tunneling protocol (GTP) packet filter

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

112 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

General packet radio service tunneling protocol (GTP) packet filter

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links