Gi Firewall for mobile subscribers

Owen DeLong owen at delong.com
Thu Apr 11 15:43:53 UTC 2019



> On Apr 10, 2019, at 10:39 PM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> 
> On Wed, 10 Apr 2019, Jan Chrillesen wrote:
> 
>> Also keep in mind that most GGSN/PGW will assign a /64 (and not a /128)
> 
> All 3GPP devices assign /64 per bearer because that's what's in the 3GPP spec. I've been told 3GPP went to IETF and asked what to do, IETF said "assign /64 per device" and that's what ended up in the specs.
> 
>> so if someone does a scan targeting that specific /64 you might see a lot of traffic to the device. I would strongly suggest deploying a stateful device - purely to protect the radio and signaling network - not the terminal/phone
> 
> If they scan the /64 then this won't cause excessive paging traffic as the device will already be out of low power mode.

If they scan the entire /64, I’ll be impressed.

Let’s assume a maximum packet rate of 10,000 packets per second.

A /64 contains 18,446,744,073,709,551,616 addresses.

If we ping continuously and only count one of the two packets required for each ping attempt, that’s 184,467,440,737,096
seconds. Putting this in perspective, that’s 3,074,457,345,619 minutes or 51,240,955,761 hours or 2,135,039,824 days
or 5,849,424 years.

I’m pretty sure that no matter how good your power management is, any cell phone’s battery will die long before its /64 can be scanned.

> The balanced solution is to have a stateful device that typically does nothing but has some kind of "abuse detection" which triggers filtering certain Internet sources when it decides that this device is performing scans of larger IP spaces. This protects the mobile network from paging storms but also allows users to be reachable from the Internet.

+1

Owen
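The "abuse detection" Mikael describes above (a stateful Gi/SGi device that only filters an Internet source once it is seen sweeping a subscriber's /64) can be sketched as a small detector; this is an added example, not code from the thread or from any vendor, and the thresholds, window and sample flows (documentation prefix 2001:db8::/32) are constructed for the demo.

```python
"""Toy scan detector for the Gi/SGi stateful device discussed in the thread.
Each bearer holds a /64 but the UE uses only one (or a few) addresses in it,
so an Internet source touching many distinct destinations inside a single
subscriber /64 is the signal that it is scanning, and that source is filtered.
Thresholds and flows below are assumed values, not from the thread."""
from collections import defaultdict
from ipaddress import IPv6Address, IPv6Network

SCAN_THRESHOLD = 20   # distinct targets inside one /64 before filtering (assumed)
WINDOW_SECONDS = 60   # sliding window over which targets are counted (assumed)

def bearer_prefix(addr: str) -> IPv6Network:
    """Map a destination address to the /64 the GGSN/PGW assigned that bearer."""
    return IPv6Network((IPv6Address(addr), 64), strict=False)

class ScanDetector:
    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(dict)   # (src, /64) -> {dst: last_seen_ts}
        self.filtered = set()           # sources currently blocked

    def observe(self, ts: float, src: str, dst: str) -> bool:
        """Record one inbound packet; return True if src is (now) filtered."""
        if src in self.filtered:
            return True
        targets = self.seen[(src, bearer_prefix(dst))]
        targets[dst] = ts
        # Drop targets older than the window so a slow, bursty peer is not flagged.
        for stale in [d for d, t in targets.items() if ts - t > self.window]:
            del targets[stale]
        if len(targets) >= self.threshold:
            self.filtered.add(src)
            return True
        return False

def run(flows, **kw):
    """Feed (ts, src, dst) tuples through a detector; return filtered sources."""
    det = ScanDetector(**kw)
    for ts, src, dst in flows:
        det.observe(ts, src, dst)
    return sorted(det.filtered)

# Constructed flows: one peer talking only to the UE's real address, and one
# source walking 30 addresses inside the same subscriber /64.
UE = "2001:db8:1:1::1234"
LEGIT = [(t, "2001:db8:ffff::1", UE) for t in range(100)]
SCAN = [(t, "2001:db8:ffff::2", f"2001:db8:1:1::{i:x}") for t, i in enumerate(range(1, 31))]

if __name__ == "__main__":
    print(run(LEGIT + SCAN))  # ['2001:db8:ffff::2']
```

Only the sweeping source is filtered; the legitimate peer sending many packets to one address never accumulates distinct targets, which is what lets subscribers stay reachable from the Internet.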
