基于GTP协议的状态检测技术的研究
摘要
3G网络的应用越来越广泛,UMTS移动通信系统是3G的标准体制之一,核心网的安全性决定了整个网络及用户数据的安全,GTP协议是核心网中的核心协议,对它进行研究具有重要的意义。
然而针对UMTS核心网GTP协议的攻击屡见不鲜,防火墙的关键技术之一状态检测技术可以有效地保护UMTS核心网。由于GTP协议自身的特点,许多已有的状态检测技术已不适用,因而研究适合GTP协议的状态检测方案显得十分重要。
本文首先通过GTP协议头格式及其工作流程对GTP协议进行了深入的分析,结果表明GTP通信过程中TEID字段决定了GTP数据包当前所处的状态,故该字段是GTP数据包传输过程中状态转换时的关键标识。目前的GTP状态检测技术中,状态表项只增不减,使得状态表存在溢出的可能,既为攻击者提供了安全漏洞,又降低了状态匹配的效率。为了解决这个问题,本文提出了GSITP方案,通过加入超时处理机制,使超时的状态项得到及时有效的处理,从而减缓状态表的溢出,减小GTP状态检测的延迟。
最后,论文通过仿真软件OpenGGSN对GSITP方案进行了实验,结果表明具有超时处理机制的GTP状态检测方案具有较小的延迟,GSITP方案是有效的GTP状态检测方案。
3G is becoming more and more widely used. The UMTS is one of the new‘third generation’. The security of the core network determines the security of the entire network and user data. GTP protocol is a key protocol in the core network, so it’s significant to study with it.
Howerver, the attack for the GTP is often seen. Stateful inspection technology as one of the most important technology of the firewall will protect the core network of the UMTS effectively. Due to the speciality of GTP, the existent stateful inspection technology could not be used for reference. So it’s important to research the proper method of the stateful inspection technology for the GTP protocol.
Firstly, the format of the GTP header and the GTP protocol’s workflow is in-depth analyzed in this thesis, which indicates that the field TEID determines the current state of the GTP data packer during the GTP communications. Thus, this field is a key to identity the state of a GTP packet during the transmissions. The state table entries of the Current GTP stateful inspection technology is only to rise, which will make the state table the possibility of the overflow. This will provide a security vulnerability for the attacker, as well as reduces the efficiency of the state match. It is proposed that the GSITP scheme to solve the problems above in this thesis. By joining the timeout processor, the timeout items will be dealed with in time and effectively. Thereby reduce the overflows of the state table and reduce the delay of the GTP state detection.
At the end, a emulator OpenGGSN to test the GSITP scheme is used, which shows that the latency of the GTP stateful inspection based on the timeout processor is low, and the GSITP scheme is a effective GTP stateful inspection method.
然而针对UMTS核心网GTP协议的攻击屡见不鲜,防火墙的关键技术之一状态检测技术可以有效地保护UMTS核心网。由于GTP协议自身的特点,许多已有的状态检测技术已不适用,因而研究适合GTP协议的状态检测方案显得十分重要。
本文首先通过GTP协议头格式及其工作流程对GTP协议进行了深入的分析,结果表明GTP通信过程中TEID字段决定了GTP数据包当前所处的状态,故该字段是GTP数据包传输过程中状态转换时的关键标识。目前的GTP状态检测技术中,状态表项只增不减,使得状态表存在溢出的可能,既为攻击者提供了安全漏洞,又降低了状态匹配的效率。为了解决这个问题,本文提出了GSITP方案,通过加入超时处理机制,使超时的状态项得到及时有效的处理,从而减缓状态表的溢出,减小GTP状态检测的延迟。
最后,论文通过仿真软件OpenGGSN对GSITP方案进行了实验,结果表明具有超时处理机制的GTP状态检测方案具有较小的延迟,GSITP方案是有效的GTP状态检测方案。
3G is becoming more and more widely used. The UMTS is one of the new‘third generation’. The security of the core network determines the security of the entire network and user data. GTP protocol is a key protocol in the core network, so it’s significant to study with it.
Howerver, the attack for the GTP is often seen. Stateful inspection technology as one of the most important technology of the firewall will protect the core network of the UMTS effectively. Due to the speciality of GTP, the existent stateful inspection technology could not be used for reference. So it’s important to research the proper method of the stateful inspection technology for the GTP protocol.
Firstly, the format of the GTP header and the GTP protocol’s workflow is in-depth analyzed in this thesis, which indicates that the field TEID determines the current state of the GTP data packer during the GTP communications. Thus, this field is a key to identity the state of a GTP packet during the transmissions. The state table entries of the Current GTP stateful inspection technology is only to rise, which will make the state table the possibility of the overflow. This will provide a security vulnerability for the attacker, as well as reduces the efficiency of the state match. It is proposed that the GSITP scheme to solve the problems above in this thesis. By joining the timeout processor, the timeout items will be dealed with in time and effectively. Thereby reduce the overflows of the state table and reduce the delay of the GTP state detection.
At the end, a emulator OpenGGSN to test the GSITP scheme is used, which shows that the latency of the GTP stateful inspection based on the timeout processor is low, and the GSITP scheme is a effective GTP stateful inspection method.
引文
[1]庞韶敏,李亚波,沈宇超等编著.3G核心网技术揭秘——CS,PS,IMS.北京:电子工业出版社,2008:4-5页
[2] GPP TS 23.101 v9.0.0. General UMTS Architecture. http://www. 3gpp. org, 2009
[3] GPP TS 21.133 v4.1.0. 3G Security, Security Threats and Requirements. http://www. 3gpp.org, 2001
[4] A.Prasad, H.Wang, P.Schoo. Infrastructure Security for Future Mobile Communications System. Proc. of WPMC 2003, Yokosuka, Japan, 2003: 19-22P
[5] K.Boman, G.Horn, P.Howard, V.Niemi. UMTS security. Electronics & Communication Engineering Journal, 2002, 14(5): 191-204P
[6] Günter Schafer. Research Challenges in Security for Next Generation Mobile Networks. Workshop on Pioneering Advanced Mobile Privacy and Security (PAMPAS). Royal Holloway University of London, Egham, Surrey, United Kingdom, 2002
[7] Xiaoming Fu, Hannes Tschofenigetc. Security Implications of the Session Identifier. Technical Report No. TB-IFI-2005-08, Institute for Informatics, University of Goettingen, Germany, 2005, 11
[8]闻英友,喻嘉,赵博,赵宏.3G核心网络安全体系及GTP协议分析过滤技术研究.全国网络与信息安全技术研讨会论文集(下册),2007年
[9]单广玉,张振涛,杨义先.MAP信令的安全保护研究.无线电工程,2004年,34卷(8):1-3页
[10]何韦伟,季新生,刘彩霞.基于MAPsec的MAP信令安全机制研究.现代电信科技,2008年,(3):34-37页
[11] Zhenyu Liu, Shengli Xie, Yuli Fu. Cryptographic Method of 3G Firewall Based on IXA2850. 2007 IEEE International Workshop on Anti-counterfeiting, Security, Identification, 2007: 280-283P
[12] Xiaoli Zhang,Yue Lai,Shengli Xie. A GTP Stateful Inspection Method Based on Network Processor. ICCS 2008. 11th IEEE Singapore International Conference on Communication Systems, 2008: 994-998P
[13] Zhen Yu Liu, Weijun Li, Yue Lai. Application of Bloom Filter for GTP Stateful Inspection in Network Processor. IAS '09. Fifth International Conference on Information Assurance and Security, 2009: 589-592P
[14] Check Point. Stateful Inspection Technology. http://www. checkpoint. com. 2000
[15] Check Point FireWall-1 Technical Overview. http://www. checkpoint. com. 2001
[16] NetScreen Technologies Inc. Stateful-Inspection Firewall: The Netscreen Way. http://www.firewall-reviews.com/documents/netscreen_firewall_wp. pdf
[17] David W, Chapman Jr. Cisco Secure PIX Firewalls. Cisco press, 2001
[18] 3COM Office connect cable/DSL secure gateway data sheet, http://www.3com.com/other/pdfs/products/en_US/400742. pdf. 2002
[19] Noureldien A.Noureldien, Izzeldin M. Osman. A Stateful Inspection Module Architecture. 2000 TENCON Proceedings. Intelligent Systems and Technologies for the New Millennium, 2000: 24-27P
[20] Inhye Kang, Hyogon Kim. Determining Embryonic Connection Timeout in Stateful Inspection. IEEE International Conference on Communications. 2003, 1: 458-462P
[21] Xin Li,Zheng-Zhou Ji,and Ming-Zeng Hu. Stateful Inspection Firewall Session Table Processing. ITCC 2005 International Conference on Codingand Computing, 2005, 2: 615-620P
[22] Javier Verdu, Mario Nemirovsky, Mateo Valero. MultiLayer Processing-An execution model for parallel stateful packet processing. Proceeding of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 2008: 79-88P
[23]李俊娥,王婷,雷公武.UDP状态检测防火墙及实现算法.武汉大学学报,2004,37(2):69-73页
[24]阎波,李广军.一种状态检测防火墙的攻击防御机制.电子科技大学学报,2005,34(4):509-512页
[25]辜丽川,倪志伟,张敞,朱纪中.一种基于状态检测的嵌入式防火墙.计算机应用与软件,2008,25(6):275-276,285页
[26] RICHARDSON, K.W. UMTS overview. Electron.Commun, Eng.J., 2000,12(3): 93-100P
[27] GPP TS 23.121 v3.0.0.Architectural Requirements for Release 1999. http://www. 3gpp.org. 1999
[28] GPP TS 24.008 v3.20.0. Core Network Protocols. http://www. 3gpp.org. 2005
[29] GPP TS 29.060 v8.8.0. GPRS Tunnelling protocol(GTP) across the Gn and Gp interface. http://www. 3gpp.org. 2009
[30] iGillottResearch, Inc. Mobile network security white paper. http://www.igr- inc.com/html/downloads/free_white_papers/3G_MobileSecurity_Jan07.pdf. 2007
[31] Yang H, Ricciato F, Wu S, et al. Securing a wireless world. Proceedings of the IEEE, 2006, 94(2): 442-454P
[32] Ricciato F. Unwanted traffic in 3G networks. ACM SIGCOMM Computer Communication Review, 2006, 35(2): 53-56P
[33] Alan Bavosa. GPRS Security Threats and Solution Recommendations.Sunnyvale CA USA: Juniper Network Inc., 2004
[34] R.Hunt,T.Verwoerd.Reactive firewalls—A new technique.Computer Communications,2003,26(12): 1302-1317P
[35] Lance Spitezner. Understanding the FW-1 State Table. http://www. windowsecurity.com/whitepapers/Understanding_the_FW1_State_Table. html?printversion. 2002
[36] Lisa Senner. Anatomy of a Stateful Firewall. http://www.sans.org/ rr/firewall/anatomy. php, 2001
[37] Vulnerability Note VU #539363. State-based firewalls fail to effectively manage session table resource exhaustion. http://www. kb. cert. org/ vuls/id/539363, 2003
[38]严蔚敏,吴伟民编著.数据结构(C语言版).北京:清华大学出版社,2004:251-262页
[39] Cormen T.H等著,潘金贵等译.算法导论(原书第2版).北京:机械工业出版社,2009:73-80页
[40]田大新,刘衍珩,李永丽,唐怡.数据包过滤规则的快速匹配算法和冲突检测.计算机研究与发展,2005,42(7):1128-1135页
[41] DONALD g. MORRISON. PATRICIA--Practical Algorithm To Retrieve Information. Journal of the ACM(JACM), 1968, 15(4): 514-534P
[42] J.W.J.Williams. Algorithm 232(HEAPSORT). Communications of the ACM, 1964, 7: 347-348P
[43] http://sourceforge.net/projects/ggsn/
[44] Esa Tikkala, Mikko Rapeli, Kaarina Karppinen, HannuHonkanen. Security Testing OpenGGSN: a Case Study. the 6th Annual Security Conference, 2007: 50-1-50-10P
[2] GPP TS 23.101 v9.0.0. General UMTS Architecture. http://www. 3gpp. org, 2009
[3] GPP TS 21.133 v4.1.0. 3G Security, Security Threats and Requirements. http://www. 3gpp.org, 2001
[4] A.Prasad, H.Wang, P.Schoo. Infrastructure Security for Future Mobile Communications System. Proc. of WPMC 2003, Yokosuka, Japan, 2003: 19-22P
[5] K.Boman, G.Horn, P.Howard, V.Niemi. UMTS security. Electronics & Communication Engineering Journal, 2002, 14(5): 191-204P
[6] Günter Schafer. Research Challenges in Security for Next Generation Mobile Networks. Workshop on Pioneering Advanced Mobile Privacy and Security (PAMPAS). Royal Holloway University of London, Egham, Surrey, United Kingdom, 2002
[7] Xiaoming Fu, Hannes Tschofenigetc. Security Implications of the Session Identifier. Technical Report No. TB-IFI-2005-08, Institute for Informatics, University of Goettingen, Germany, 2005, 11
[8]闻英友,喻嘉,赵博,赵宏.3G核心网络安全体系及GTP协议分析过滤技术研究.全国网络与信息安全技术研讨会论文集(下册),2007年
[9]单广玉,张振涛,杨义先.MAP信令的安全保护研究.无线电工程,2004年,34卷(8):1-3页
[10]何韦伟,季新生,刘彩霞.基于MAPsec的MAP信令安全机制研究.现代电信科技,2008年,(3):34-37页
[11] Zhenyu Liu, Shengli Xie, Yuli Fu. Cryptographic Method of 3G Firewall Based on IXA2850. 2007 IEEE International Workshop on Anti-counterfeiting, Security, Identification, 2007: 280-283P
[12] Xiaoli Zhang,Yue Lai,Shengli Xie. A GTP Stateful Inspection Method Based on Network Processor. ICCS 2008. 11th IEEE Singapore International Conference on Communication Systems, 2008: 994-998P
[13] Zhen Yu Liu, Weijun Li, Yue Lai. Application of Bloom Filter for GTP Stateful Inspection in Network Processor. IAS '09. Fifth International Conference on Information Assurance and Security, 2009: 589-592P
[14] Check Point. Stateful Inspection Technology. http://www. checkpoint. com. 2000
[15] Check Point FireWall-1 Technical Overview. http://www. checkpoint. com. 2001
[16] NetScreen Technologies Inc. Stateful-Inspection Firewall: The Netscreen Way. http://www.firewall-reviews.com/documents/netscreen_firewall_wp. pdf
[17] David W, Chapman Jr. Cisco Secure PIX Firewalls. Cisco press, 2001
[18] 3COM Office connect cable/DSL secure gateway data sheet, http://www.3com.com/other/pdfs/products/en_US/400742. pdf. 2002
[19] Noureldien A.Noureldien, Izzeldin M. Osman. A Stateful Inspection Module Architecture. 2000 TENCON Proceedings. Intelligent Systems and Technologies for the New Millennium, 2000: 24-27P
[20] Inhye Kang, Hyogon Kim. Determining Embryonic Connection Timeout in Stateful Inspection. IEEE International Conference on Communications. 2003, 1: 458-462P
[21] Xin Li,Zheng-Zhou Ji,and Ming-Zeng Hu. Stateful Inspection Firewall Session Table Processing. ITCC 2005 International Conference on Codingand Computing, 2005, 2: 615-620P
[22] Javier Verdu, Mario Nemirovsky, Mateo Valero. MultiLayer Processing-An execution model for parallel stateful packet processing. Proceeding of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 2008: 79-88P
[23]李俊娥,王婷,雷公武.UDP状态检测防火墙及实现算法.武汉大学学报,2004,37(2):69-73页
[24]阎波,李广军.一种状态检测防火墙的攻击防御机制.电子科技大学学报,2005,34(4):509-512页
[25]辜丽川,倪志伟,张敞,朱纪中.一种基于状态检测的嵌入式防火墙.计算机应用与软件,2008,25(6):275-276,285页
[26] RICHARDSON, K.W. UMTS overview. Electron.Commun, Eng.J., 2000,12(3): 93-100P
[27] GPP TS 23.121 v3.0.0.Architectural Requirements for Release 1999. http://www. 3gpp.org. 1999
[28] GPP TS 24.008 v3.20.0. Core Network Protocols. http://www. 3gpp.org. 2005
[29] GPP TS 29.060 v8.8.0. GPRS Tunnelling protocol(GTP) across the Gn and Gp interface. http://www. 3gpp.org. 2009
[30] iGillottResearch, Inc. Mobile network security white paper. http://www.igr- inc.com/html/downloads/free_white_papers/3G_MobileSecurity_Jan07.pdf. 2007
[31] Yang H, Ricciato F, Wu S, et al. Securing a wireless world. Proceedings of the IEEE, 2006, 94(2): 442-454P
[32] Ricciato F. Unwanted traffic in 3G networks. ACM SIGCOMM Computer Communication Review, 2006, 35(2): 53-56P
[33] Alan Bavosa. GPRS Security Threats and Solution Recommendations.Sunnyvale CA USA: Juniper Network Inc., 2004
[34] R.Hunt,T.Verwoerd.Reactive firewalls—A new technique.Computer Communications,2003,26(12): 1302-1317P
[35] Lance Spitezner. Understanding the FW-1 State Table. http://www. windowsecurity.com/whitepapers/Understanding_the_FW1_State_Table. html?printversion. 2002
[36] Lisa Senner. Anatomy of a Stateful Firewall. http://www.sans.org/ rr/firewall/anatomy. php, 2001
[37] Vulnerability Note VU #539363. State-based firewalls fail to effectively manage session table resource exhaustion. http://www. kb. cert. org/ vuls/id/539363, 2003
[38]严蔚敏,吴伟民编著.数据结构(C语言版).北京:清华大学出版社,2004:251-262页
[39] Cormen T.H等著,潘金贵等译.算法导论(原书第2版).北京:机械工业出版社,2009:73-80页
[40]田大新,刘衍珩,李永丽,唐怡.数据包过滤规则的快速匹配算法和冲突检测.计算机研究与发展,2005,42(7):1128-1135页
[41] DONALD g. MORRISON. PATRICIA--Practical Algorithm To Retrieve Information. Journal of the ACM(JACM), 1968, 15(4): 514-534P
[42] J.W.J.Williams. Algorithm 232(HEAPSORT). Communications of the ACM, 1964, 7: 347-348P
[43] http://sourceforge.net/projects/ggsn/
[44] Esa Tikkala, Mikko Rapeli, Kaarina Karppinen, HannuHonkanen. Security Testing OpenGGSN: a Case Study. the 6th Annual Security Conference, 2007: 50-1-50-10P