Message-ID: <a6d1dad0-e922-2913-d4c8-592d403ee1cb@tpip.net>
Date:   Wed, 20 Sep 2017 17:27:52 +0200
From:   Andreas Schultz <aschultz@...p.net>
To:     Tom Herbert <tom@...ntonium.net>, davem@...emloft.net
Cc:     netdev@...r.kernel.org, pablo@...filter.org, laforge@...monks.org,
        rohit@...ntonium.net
Subject: Re: [PATCH net-next 09/14] gtp: Allow configuring GTP interface as
 standalone

On 19/09/17 02:38, Tom Herbert wrote:
> Add new configuration of GTP interfaces that allow specifying a port to
> listen on (as opposed to having to get sockets from a userspace control
> plane). This allows GTP interfaces to be configured and the data path
> tested without requiring a GTP-C daemon.

This would imply that you can have multiple independent GTP sockets on
the same IP address. That is not permitted by the GTP specifications.
3GPP TS 29.281, section 4.3 states clearly that there is "only" one GTP
entity per IP address. A PDP context is defined by the destination IP and
the TEID. The destination port is not part of the identity of a PDP context.

Even the source IP and source port are not part of the tunnel identity.
This makes it possible to send traffic from a new SGSN/SGW during
handover before the control protocol has announced the handover.

At this point the usual response is: THAT IS NOT SAFE. Yes, GTP has been 
designed for cooperative networks only and should not be used on 
hostile/unsecured networks.

On the sending side, using multiple ports is permitted as long as the 
default GTP port is always able to receive incoming messages.

Andreas

[...]
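As an added illustration of the identity rule Andreas cites (this is example code, not part of the thread or of the kernel's gtp module): a GTP-U receive-side lookup keyed only on the destination IPv4 address and the TEID, ignoring source address, source port and destination port. The header layout follows 3GPP TS 29.281; the `pdp_ctx` record and its table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* GTPv1-U mandatory header, 8 bytes (3GPP TS 29.281 section 5.1).
 * Optional sequence number / N-PDU number / extension header fields may
 * follow when the S, PN or E flag is set; they are not part of tunnel identity. */
#define GTP1_VER_MASK   0xE0  /* bits 7..5: version, must be 1 */
#define GTP1_VER1       0x20
#define GTP1_FLAG_PT    0x10  /* 1 = GTP, 0 = GTP' (charging protocol) */
#define GTP1_MSG_GPDU   0xFF  /* G-PDU: encapsulated user IP packet */
#define GTP1_HDR_LEN    8

/* Hypothetical PDP context record; only local_addr and teid form the key. */
struct pdp_ctx {
    uint32_t local_addr; /* IPv4 the tunnel terminates on (packet destination), host order */
    uint32_t teid;       /* Tunnel Endpoint Identifier, host order */
    uint32_t ms_addr;    /* IPv4 of the mobile station behind the tunnel */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Look up the PDP context for an incoming GTP-U packet.  The key is the
 * destination IPv4 address the packet arrived on plus the TEID in the header;
 * per TS 29.281 the source address, source port and destination port are
 * deliberately not consulted, which is what lets a new SGSN/SGW send on the
 * tunnel during handover (and why GTP assumes a cooperative network).
 * Returns NULL for malformed packets, non-user-data messages or unknown tunnels. */
const struct pdp_ctx *gtp1u_lookup(const struct pdp_ctx *table, size_t n,
                                   uint32_t dst_addr, const uint8_t *pkt, size_t len)
{
    if (len < GTP1_HDR_LEN)
        return NULL;
    if ((pkt[0] & GTP1_VER_MASK) != GTP1_VER1 || !(pkt[0] & GTP1_FLAG_PT))
        return NULL;                           /* not a GTPv1 (non-prime) packet */
    if (pkt[1] != GTP1_MSG_GPDU)
        return NULL;                           /* echo/error indication: not user data */
    uint16_t plen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if ((size_t)plen > len - GTP1_HDR_LEN)
        return NULL;                           /* length field exceeds the buffer */
    uint32_t teid = be32(pkt + 4);
    for (size_t i = 0; i < n; i++)
        if (table[i].local_addr == dst_addr && table[i].teid == teid)
            return &table[i];
    return NULL;
}
```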
