Re: Gi Firewall for mobile subscribers

[Mikael Abrahamsson <swmike () swm pp se>]

On Wed, 10 Apr 2019, Jan Chrillesen wrote:

> Also keep in mind that most GGSN/PGW will assign a /64 (and not a /128)

All 3GPP devices assign /64 per bearer because that's what's in the 3GPP 
spec. I've been told 3GPP went to IETF and asked what to do, IETF said 
"assign /64 per device" and that's what ended up in the specs.

> so if someone does a scan targeting that specific /64 you might see a 
> lot of traffic to the device. I would strongly suggest deploying a 
> stateful device - purely to protect the radio and signaling network - 
> not the terminal/phone

If they scan the /64 then this won't cause excessive paging traffic as the 
device will already be out of low power mode.

The balanced solution is to have a stateful device that typically does 
nothing but has some kind of "abuse detection" which triggers filtering 
certain Internet sources when it decides that this device is performing 
scans of larger IP spaces. This protects the mobile network from paging 
storms but also allows users to be reachable from the Internet.

--
Mikael Abrahamsson    email: swmike () swm pp se