Radio Access Technology; Routing Area Identity And User Location Information; Apn Restriction; Imsi Prefix Filtering - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Radio Access Technology

Routing Area Identity and User Location Information

APN Restriction

IMSI Prefix Filtering

IMEI-SV

408
In 3GPP R6, the following new IEs have been added:
Radio Access Technology on page 408
Routing Area Identity and User Location Information on page 408
APN Restriction on page 408
IMSI Prefix Filtering on page 408
IMEI-SV on page 408
The Radio Access Technology (RAT) information element provides ways to stimulate
Wideband Code Division Multiple Access (WCDMA) and to perform reporting through
billing information systems.
Some countries restrict subscriber access to certain types of network content. To comply
with these regulatory demands, network operators need to be able to police subscriber's
requested content before allowing a content download. NSM gives network operators
the ability to screen content based on the Routing Area Identity (RAI) and User Location
Information (ULI) IEs.
Multiple concurrent primary packet data protocol (PDP) contexts, and an MS/UE capable
of routing between these two access points, can put IP security at risk for corporate users
who have both private and a public APN. The APN Restriction IE, added to the GTP create
PDP context response message, ensures the mutual exclusivity of a PDP context if
requested by a GGSN (or rejected if this condition cannot be met), and thus avoids the
security threat.
A GPRS support node (GSN) identifies a mobile station (MS) by its International Mobile
Station Identity (IMSI). An IMSI comprises three elements: the Mobile Country Code
(MCC), the Mobile Network Code (MNC), and the Mobile Subscriber Identification Number
(MSIN). The MCC and MNC combined constitute the IMSI prefix and identify the mobile
subscriber's home network, or Public Land Mobile Network (PLMN). By setting IMSI
prefixes, you can configure the security device to deny GTP traffic coming from nonroaming
partners. By default, a security device does not perform IMSI prefix filtering on GTP
packets. By setting IMSI prefixes, you can configure the security device to filter create
pdp request messages and permit only GTP packets with IMSI prefixes that match the
ones you set. For more information on IMSI prefix filtering, see the Concepts & Examples
ScreenOS Reference Guide.
The International Mobile Equipment Identity-Software Version (IMEI-SV) IE provides
ways to adapt content to the terminal type and client application whenever a proxy server
for this purpose is not present. This IE is also useful in reports generated from the GGSN,
AAA, and/or Wireless Application Protocol gateway (WAP). The GTP-aware security
Copyright © 2010, Juniper Networks, Inc.