A modern mobile cellular telephony/data network includes several cooperating nodes and/or gateways to authenticate a user device's attachment to the network, authorize services, and establish data and voice paths for the user device through the network to other mobile users, other mobile networks, and the Internet. In a third-generation (3G) network, a data path for a user device is provided by specialized routers, such as serving GPRS support nodes (SGSNs) for the radio edge and gateway GPRS support nodes (GGSNs) for the Internet edge. In a fourth-generation (4G) network (e.g., evolved packet system (EPS), long-term evolution (LTE)), serving gateways (SGWs) (for radio edge) and packet data network gateways (PGWs) (for Internet and international mobile subscriber (IMS) voice core edge) provide a similar voice and data path through a visited (roaming) network and a home network for a user device.
The authentication and subscription information of a subscriber is maintained by a home location register (HLR) for a 3G network or a home subscriber server (HSS) for a 4G network. Alternate network paths (e.g., signaling system no. 7 (SS7) for 3G, Diameter signaling for 4G) may be provided to the user device using the authentication and subscription information of the subscriber obtained from the HLR or the HSS.
A GPRS tunneling protocol (GTP) tunnel is established between a serving node (e.g., SGSN, SGW) and a gateway node (e.g., GGSN, PGW) to allow a user device to move from one location to another location within a home network while continuing to connect to an external packet switched network such as the Internet. GTP is divided into two separate planes, GTP-U and GTP-C. GTP-U carries user-data traffic, i.e., the network traffic generated by a user device when accessing the Internet (e.g., email, web surfing, gaming). GTP-C carries signaling within a GPRS-based core network between the GGSN and the SGSN. When a user device connects to or disconnects from a mobile network, or hops inside the mobile network, the SGSN or SGW detects the move of the user device and sends appropriate connect/disconnect signals to the GGSN or PGW that serves the user device. The GGSN or PGW provides a public IP address for the user device in response to requests from the user device through the various SGSNs or SGWs that connect the user device. GTP-C messages may further include a phone number, the cell that the user device is connected to (or the user device's physical location), the access point names (APNs), and the manufacturer and model of the user device. GTP-C messages are also used to negotiate the IDs of the GTP tunnel that carries the user traffic.
Security holes exist in GTP because the GTP tunnel established between the serving node and the gateway node has no authentication or authorization facilities. In a 3G network, a GGSN receives connection requests from a user device and accepts all Create Session Request messages regardless of the international mobile subscriber identity (IMSI) of the user device. A GTP tunnel is established for a requesting subscriber based on the Create Session Request messages. Attackers may exploit these GTP security holes.
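The missing check described above can be sketched as a gateway-side filter. This is an added example, not code from the original text: it reads the IMSI from a Create Session Request and admits the request only from a known serving node presenting a home-network IMSI. It assumes the GTPv2-C encoding of 3GPP TS 29.274; the policy function, peer addresses, PLMN prefix and sample message are hypothetical, constructed values.

```python
import struct

CREATE_SESSION_REQUEST = 32  # GTPv2-C message type (3GPP TS 29.274)
IE_IMSI = 1                  # IMSI information element type

def decode_tbcd(raw: bytes) -> str:
    """TBCD: two digits per byte, low nibble first, 0xF pads an odd count."""
    out = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib <= 9:
                out.append(str(nib))
            elif nib != 0x0F:
                raise ValueError("non-decimal TBCD digit")
    return "".join(out)

def parse_imsi(msg: bytes):
    """Return (message_type, imsi_or_None) for one GTPv2-C message."""
    if len(msg) < 8:
        raise ValueError("truncated header")
    flags, mtype, length = struct.unpack_from("!BBH", msg, 0)
    end = 4 + length                      # length excludes the first 4 octets
    if flags >> 5 != 2 or end > len(msg):
        raise ValueError("not a complete GTPv2-C message")
    off = 12 if flags & 0x08 else 8       # T flag: header also carries a TEID
    while off + 4 <= end:
        ie_type, ie_len = struct.unpack_from("!BH", msg, off)
        if off + 4 + ie_len > end:
            raise ValueError("truncated IE")
        if ie_type == IE_IMSI:
            return mtype, decode_tbcd(msg[off + 4:off + 4 + ie_len])
        off += 4 + ie_len
    return mtype, None

def allow_create_session(msg, peer_ip, known_peers, home_plmns):
    """Hypothetical gateway-side policy: known serving node AND home IMSI."""
    try:
        mtype, imsi = parse_imsi(msg)
    except ValueError:
        return False                      # malformed input is dropped
    if mtype != CREATE_SESSION_REQUEST:
        return True                       # other messages are out of scope here
    return peer_ip in known_peers and bool(imsi) and imsi.startswith(tuple(home_plmns))

# Constructed sample: Create Session Request carrying IMSI 001010123456789
SAMPLE = bytes.fromhex("48200014" "00000000" "00000100" "01000800" "00010121436587f9")

if __name__ == "__main__":
    print(allow_create_session(SAMPLE, "192.0.2.10", {"192.0.2.10"}, ["00101"]))
```

A filter of this kind only narrows who may open a tunnel; it does not add the authentication that GTP itself lacks, since both the source address and the IMSI are asserted by the sender.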