Summary Data

Revision History

The P-GW supports packet source validation on the control-Plane. Configuration from Control Plane gets pushed to User Plane and based on that information, User Plane acts on the source violated packet.

Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network. Source validation requires the source address of received packets to match the IP address that is assigned to the subscriber either statically or dynamically during the session.

In the StarOS 21.28.0 and later releases the ip source-violation command, which is part of the APN configuration mode is used to track the behavior of IP source violation for IPv4 and IPv6 addresses.

Use the following configuration to enable or disable packet source validation for a given APN:

configure 
   context context_name 
      apn apn_name 
         ip source-violation { ignore | check [ drop-limit limit ] [ exclude-from-accounting ][ drop-count-timeout time-interval ] }[ traffic-type { ipv4 | ipv6 } ] 
         default ip source-violation 
         end 

NOTES:

• default : Enables the checking of source addresses received from subscribers for violations, with a drop limit of 10 invalid packets that can be received from a subscriber prior to their session being deleted.

• ignore : Disables source address checking for the APN.

• check [ drop-limit limit ] : Default: Enabled, limit = 10.

  Enables the checking of source addresses received from subscribers for violations. A drop-limit can be configured to set a limit on the number of invalid packets that can be received from a subscriber prior to their session being deleted.

  limit : can be configured to any integer value between 0 and 10000. A value of 0 indicates that all invalid packets will be discarded, but the session will never be deleted by the system.

• exclude-from-accounting : Excludes the packets identified with IP source violation from the statistics generated for accounting records.

• check [ drop-count-timeout time-interval ] : The drop-count-timeout is used to configure the time interval for violation drop count update timer. This specifies in which time interval drop counter value should be updated. Time interval should be specified in minutes. Default value is 120 seconds (2 minutes).

• check [ traffic-type { ipv4 | ipv6 } ] : Specifies the packet traffic type as IPv4 or ipv6. By default configurations will be common for both IPv4 and IPv6. If CLI is configured with a "traffic-type" then "ip source violation" cli for that traffic-type takes priority than the CLI configured w/o "traffic-type".

  Note	The violation count increments even if the drop limit and timer values are zero. The session is not deleted, but the violated packets gets dropped.

This section provides information regarding monitoring and troubleshooting the IP Source Violation feature.