nanog mailing list archives
Re: Gi Firewall for mobile subscribers
From: Jan Chrillesen <jan () chrillesen dk>
Date: Wed, 10 Apr 2019 20:02:20 +0200
On Tue, 09 Apr 2019, Amos Rosenboim <amos () oasis-tech net> wrote:
> On the other hand, allowing only subscriber initiated traffic is mostly achievable using ACLs on the mobile core facing routers, or is it with the growing percentage of UDP traffic?
>
> BTW – I don't mention IPv4 traffic on the mobile network as it's all behind CGNAT which doesn't allow internet initiated connections.
>
> Anyway, we are very interested to hear more opinions, and especially to hear what other mobile operators do.
In a previous job we did have a stateful Gi firewall and experienced first hand what backscatter does to the radio network. By accident we allowed ICMP from the Internet to the subscribers and paging went up by 30%.

We all agree that the average amount of backscatter on IPv6 is much less than what we see in IPv4. However active IPv6 addresses are exposed (for instance on IRC!) and will be targeted by attackers.

Also half-open TCP sessions can be very long running - for instance a mobile goes offline while downloading a file. Some webservers will keep trying to send data for a long time, and having a stateful device with aggressive timeouts on half open sessions will definitely reduce paging.

Also keep in mind that most GGSN/PGW will assign a /64 (and not a /128) so if someone does a scan targeting that specific /64 you might see a lot of traffic to the device.

I would strongly suggest deploying a stateful device - purely to protect the radio and signaling network - not the terminal/phone

- Jan
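
The argument in the message above, as an added example that is not part of the original post: a toy Python model comparing a stateless "established"-style ACL with a stateful firewall whose flow entries expire on an idle timeout, counting the downlink packets still forwarded toward the radio network after a mobile goes offline. The addresses, timings, the 30-second timeout and the rule that only uplink packets refresh a flow entry are assumptions made for the illustration.

```python
# Added example: toy model, all addresses and timings are constructed.
import ipaddress
from collections import namedtuple

# direction: "up" = subscriber -> Internet, "down" = Internet -> subscriber
Pkt = namedtuple("Pkt", "t direction proto sub remote flags")

def stateless_acl(pkts):
    """'Established'-style ACL: pass downlink TCP with ACK set. Assumption:
    downlink UDP is passed too, since replies cannot be matched without state."""
    return [p for p in pkts if p.direction == "down" and
            (p.proto == "udp" or (p.proto == "tcp" and "A" in p.flags))]

def stateful_fw(pkts, idle_timeout):
    """Pass downlink only on flows the subscriber sent on within idle_timeout s
    (hypothetical policy: only uplink packets refresh the flow entry)."""
    last_up, passed = {}, []
    for p in sorted(pkts, key=lambda p: p.t):
        key = (p.proto, p.sub, p.remote)
        if p.direction == "up":
            last_up[key] = p.t
        elif key in last_up and p.t - last_up[key] <= idle_timeout:
            passed.append(p)
    return passed

def constructed_traffic():
    sub, srv, scanner = "2001:db8:0:1::a", "2001:db8:ffff::80", "2001:db8:bad::1"
    pkts = [Pkt(0, "up", "tcp", sub, srv, "S"), Pkt(0.1, "down", "tcp", sub, srv, "SA"),
            Pkt(0.2, "up", "tcp", sub, srv, "A"), Pkt(5, "up", "tcp", sub, srv, "A")]
    # Mobile goes offline after t=5; the server keeps retransmitting with backoff.
    t, rto = 5.5, 1.0
    for _ in range(12):
        pkts.append(Pkt(t, "down", "tcp", sub, srv, "A"))
        t, rto = t + rto, min(rto * 2, 120)
    # Unsolicited ICMP and UDP spread across the subscriber's /64.
    net = ipaddress.ip_network("2001:db8:0:1::/64")
    for i in range(100):
        for proto in ("icmp", "udp"):
            pkts.append(Pkt(300 + i, "down", proto, str(net[i + 1]), scanner, ""))
    return pkts

def toward_radio(passed, after=5):
    """Downlink packets forwarded toward the radio network after the mobile went offline."""
    return sum(1 for p in passed if p.t > after)

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("stateless ACL:", toward_radio(stateless_acl(traffic)))
    print("stateful, 30 s idle timeout:", toward_radio(stateful_fw(traffic, 30)))
```

Raising `idle_timeout` in this model lets every server retransmission through again, which is the effect of long half-open timeouts described in the message.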