Do we still need Gi Firewall for 3G/UMTS/HSPA network ?

Mikael Abrahamsson swmike at
Thu Apr 9 11:17:09 CDT 2009

On Thu, 9 Apr 2009, Lee, Steven (NSG Malaysia) wrote:

> Hi all, in most of the existing 2G/2.5G mobile PS-core (Packet Switch) 
> networks have Gi segment (interface between GGSN & IP Router/firewall). 
> Due to the IP address constraint, operator usually do NAT on the Gi 
> firewall to NAT the private IP to public IP in the past. Looking at the 
> traffic pattern and user access behaviour, does it make sense to have 
> firewall between the GGSN & Public Internet if the public IP addresses 
> are sufficient to cater for mobile subscribers? Especially with 
> 3G/UMTS/HSPA or even LTE in the future.

The only reason I see to have a FW on Gi would be to have a stateful 
device to stop scanning from the Internet towards the mobile devices (I 
don't know how much SYNs you see on a /16 nowadays, it used to be quite a 
lot). I know mobile operators who have been operating with public IPs to 
all customers without FW for a lot of years. Todays GGSN and other devices 
should handle it, even though they didn't do it well 5+ years back.

Mikael Abrahamsson    email: swmike at

More information about the NANOG mailing list