On Tue, 09 Apr 2019, Amos Rosenboim <amos@oasis-tech.net> wrote:
On the other hand, allowing only subscriber-initiated traffic is mostly achievable using ACLs on the mobile-core-facing routers, or is it, with the growing percentage of UDP traffic?
BTW, I don't mention IPv4 traffic on the mobile network as it's all behind CGNAT, which doesn't allow Internet-initiated connections.
Anyway, we are very interested to hear more opinions, and especially to hear what other mobile operators do.
In a previous job we did have a stateful Gi firewall and experienced first-hand what backscatter does to the radio network. By accident we allowed ICMP from the Internet to the subscribers and paging went up by 30%.

We all agree that the average amount of backscatter on IPv6 is much less than what we see in IPv4. However, active IPv6 addresses are exposed (for instance on IRC!) and will be targeted by attackers.

Also, half-open TCP sessions can be very long running - for instance a mobile goes offline while downloading a file. Some webservers will keep trying to send data for a long time, and having a stateful device with aggressive timeouts on half-open sessions will definitely reduce paging.

Also keep in mind that most GGSN/PGW will assign a /64 (and not a /128), so if someone does a scan targeting that specific /64 you might see a lot of traffic to the device.

I would strongly suggest deploying a stateful device - purely to protect the radio and signaling network - not the terminal/phone.

- Jan
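The two policies argued for in the thread above (drop everything the subscriber did not initiate; expire half-open and idle sessions aggressively so server retransmissions to a handset that went offline stop reaching the radio side) can be shown with a small simulation. The following is an added example written for this page, not code from either poster or from any operator's or vendor's firewall. Everything in it is an assumption for illustration: the state machine, the timeout values, the rule that only subscriber-side packets refresh an entry, and the packet trace, which is constructed with documentation-prefix addresses. It counts how many downlink packets reach the radio network (each of which may page an idle handset) under aggressive versus lax timeouts.

```python
"""Toy model of a stateful Gi/SGi firewall in front of an IPv6 mobile core.

Policy modelled (an assumption for illustration, not any vendor's implementation):
  * only subscriber-initiated flows create state; Internet packets that match
    no state are dropped before they can page an idle handset;
  * state is refreshed only by traffic from the subscriber, so a web server
    retransmitting to a handset that has gone offline cannot keep the entry alive;
  * half-open TCP (SYN sent, handshake never completed) expires quickly.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    t: float            # seconds since start of the (constructed) trace
    down: bool          # True: Internet -> subscriber, False: subscriber -> Internet
    proto: str          # "tcp", "udp" or "icmpv6"
    sub: str            # subscriber IPv6 address
    remote: str         # Internet peer address
    sub_port: int = 0
    remote_port: int = 0
    flags: str = ""     # tcp: "S", "SA", "A", "R"; icmpv6: "echo-request", "echo-reply"


@dataclass
class Entry:
    state: str          # "syn_sent", "syn_recv", "established", "udp", "icmp"
    last_up: float      # time of the last packet seen from the subscriber


class StatefulGi:
    def __init__(self, half_open_timeout: float, idle_timeout: float, udp_timeout: float = 30.0):
        self.half_open_timeout = half_open_timeout
        self.idle_timeout = idle_timeout
        self.udp_timeout = udp_timeout
        self.table: dict = {}
        self.forwarded_down = 0   # downlink packets that reach the radio side (each may trigger paging)
        self.dropped_down = 0

    @staticmethod
    def key(p: Pkt) -> tuple:
        return (p.proto, p.sub, p.sub_port, p.remote, p.remote_port)

    def _limit(self, e: Entry) -> float:
        if e.state in ("syn_sent", "syn_recv"):
            return self.half_open_timeout
        if e.state == "established":
            return self.idle_timeout
        return self.udp_timeout

    def _expire(self, now: float) -> None:
        for k in [k for k, e in self.table.items() if now - e.last_up > self._limit(e)]:
            del self.table[k]

    def process(self, p: Pkt) -> str:
        """Return "forward" or "drop" for one packet, updating the state table."""
        self._expire(p.t)
        k = self.key(p)
        e = self.table.get(k)
        return self._downlink(p, k, e) if p.down else self._uplink(p, k, e)

    def _uplink(self, p: Pkt, k: tuple, e: Optional[Entry]) -> str:
        if p.proto == "tcp":
            if "R" in p.flags:
                self.table.pop(k, None)
                return "forward"
            if e is None:
                if p.flags != "S":
                    return "drop"             # out-of-state, e.g. a stale ACK after expiry
                self.table[k] = Entry("syn_sent", p.t)
                return "forward"
            if e.state == "syn_recv":
                e.state = "established"       # subscriber's ACK completes the handshake
            e.last_up = p.t
            return "forward"
        # UDP or ICMPv6 from the subscriber: create or refresh the entry
        self.table[k] = Entry("udp" if p.proto == "udp" else "icmp", p.t)
        return "forward"

    def _downlink(self, p: Pkt, k: tuple, e: Optional[Entry]) -> str:
        if e is None:                         # Internet-initiated (scans of the /64, backscatter)
            self.dropped_down += 1            # or retransmits to an already-expired flow
            return "drop"
        if p.proto == "tcp":
            if "R" in p.flags:
                del self.table[k]
            elif e.state == "syn_sent" and p.flags == "SA":
                e.state = "syn_recv"
        # last_up is deliberately NOT refreshed by downlink traffic
        self.forwarded_down += 1
        return "forward"


def simulate(half_open_timeout: float, idle_timeout: float) -> dict:
    """Run a constructed packet trace through the firewall; report what reached the radio side."""
    fw = StatefulGi(half_open_timeout, idle_timeout)
    ue, web, dead, scanner = "2001:db8:1::1", "2001:db8:ffff::80", "2001:db8:ffff::99", "2001:db8:bad::1"
    pkts = [
        # Internet-initiated probes of the subscriber's /64: no state, never forwarded
        Pkt(0.0, True, "icmpv6", ue, scanner, flags="echo-request"),
        Pkt(0.1, True, "tcp", ue, scanner, 22, 40000, "S"),
        # subscriber opens an HTTPS download; three-way handshake completes
        Pkt(1.0, False, "tcp", ue, web, 50000, 443, "S"),
        Pkt(1.05, True, "tcp", ue, web, 50000, 443, "SA"),
        Pkt(1.1, False, "tcp", ue, web, 50000, 443, "A"),
        # subscriber SYNs a host that never answers; a SYN-ACK shows up 15 s later
        Pkt(100.0, False, "tcp", ue, dead, 50001, 443, "S"),
        Pkt(115.0, True, "tcp", ue, dead, 50001, 443, "SA"),
    ]
    for i in range(3):                        # data segments ACKed by the handset until t = 4.05
        pkts.append(Pkt(2.0 + i, True, "tcp", ue, web, 50000, 443, "A"))
        pkts.append(Pkt(2.05 + i, False, "tcp", ue, web, 50000, 443, "A"))
    t, backoff = 6.0, 1.0                     # handset drops off the network; the server keeps
    while t < 600.0:                          # retransmitting with exponential backoff for 10 min
        pkts.append(Pkt(t, True, "tcp", ue, web, 50000, 443, "A"))
        t, backoff = t + backoff, min(backoff * 2, 64.0)
    for p in sorted(pkts, key=lambda p: p.t):
        fw.process(p)
    return {"forwarded_down": fw.forwarded_down, "dropped_down": fw.dropped_down}


if __name__ == "__main__":
    print("aggressive timeouts:", simulate(half_open_timeout=10.0, idle_timeout=120.0))
    print("lax timeouts:       ", simulate(half_open_timeout=60.0, idle_timeout=3600.0))
```

With the aggressive settings the scanner's echo request and SYN, the late SYN-ACK to the dead host and eight of the fifteen server retransmissions are dropped; with lax settings everything but the two scan packets is forwarded toward the radio network. The model leaves out one thing a real Gi firewall must get right: ICMPv6 Packet Too Big for an existing flow has to be admitted as related traffic, otherwise path MTU discovery breaks for subscribers, which is why "drop all ICMP from the Internet" is not the answer either.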