Version Date: 09 December 2004
Network Firewall Configuration
and Control - NFCC
Stage 1 Requirements
3GPP2 and its Organizational Partners claim copyright in this document and individual Organizational Partners
may copyright and issue documents or standards publications in individual Organizational Partner's name based on
this document. Requests for reproduction of this document should be directed to the 3GPP2 Secretariat at
firstname.lastname@example.org. Requests to reproduce individual Organizational Partner's documents should be directed to
that Organizational Partner. See www.3gpp2.org for more information.
1 INTRODUCTION
This document specifies the system requirements and operation of the Network Firewall
Configuration and Control (NFCC) feature, from both the perspective of the subscriber
and the system operator. The objective is to define and to standardize the functionality of
this feature to be incorporated into the operations of CDMA2000®¹ based wireless
telecommunications networks.
As the cdma2000 network evolves toward All-IP, we can expect a change in the security
needs of mobile subscribers, resulting from changes in how subscribers connect to the
1. Subscribers may be connected to the Internet for the entire time the mobile station
is powered on.
2. There will be a greater percentage of mobiles with IP addresses assigned.
The IP availability of the mobile station for long periods of time invites direct attack at
the network protocol layer.
All Internet hosts need protection from malicious traffic, as provided by firewalls.
Today’s corporate Internet hosts generally operate with a firewall that prevents certain
types of Internet access to hosts behind it. Home subscribers generally cannot depend on
their ISP for similar protection, and may run a commercial firewall program of their own
to prevent unwanted IP access. Firewall protection in cdma2000 networks is equally
essential, but faces new requirements and challenges:
• Air interface usage is an expensive resource, hence it is not economically feasible
to pass all IP traffic to the mobile without filtering. Even if the mobile discards
unwanted packets, most likely the subscriber will still be billed for the transfer.
• The problem is compounded by the use of dormancy in data connections.
Unsolicited packets cause a dormant connection to become active, thereby
utilizing air interface resources for the duration of the dormancy timer, even if the
packets are discarded. Moreover, extra load for setting up connections is added to
the signaling path each time a connection becomes active from dormancy.
The lack of protection against unsolicited IP packets to terminals can have the following
• Network capacity is negatively affected.
• Additional network resources are consumed (e.g. RF, channel card, etc.) for
handling unproductive traffic load. In addition, resources could be consumed at
the Wireless infrastructure and Base station as well due to excessive signaling
caused by unsolicited packets that wake up dormant mobile stations.
cdma2000® is a trademark for the technical nomenclature for certain specifications and standards of the
Organizational Partners (OPs) of 3GPP2. When applied to goods and services, the cdma2000® mark
certifies their compliance with cdma2000® standards. Geographically (and as of the date of publication),
cdma2000® is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the
• In some solutions, MSC/HLR/VLR/AuC may be used for packet data
authentication and network resource management. Use of these resources may
increase significantly and impact MSC/HLR/VLR/AuC capacity.
• AAA server load is increased due to the need to handle authentication,
authorization, and accounting for unsolicited unproductive packet data traffic.
• There is an increase in data latency; as unsolicited data traffic increases, the
network throughput of solicited traffic is reduced.
• Incorrect accumulation of billing records occurs.
• Mobile station battery life is negatively impacted.
• There is increased exposure to malicious hacks on mobile stations, via the Internet
or within the home network’s local subnet (e.g. a worm exploiting a hole via
ICMP host discovery).
• If either the mobile station or the network does not support concurrent voice and
data, the incidence of diverting incoming voice calls to voice mail increases.
• Receiving undesired unsolicited packets can be irritating to customers. Also, it
generates negative impact on the customer to operator relations as discontented
customers often blame their operator for the inconvenience of undesired packets.
There is significant need to protect subscribers and operators from unwanted IP packets
arriving at mobiles with open network data sessions.
2 REFERENCES
• X.S0011 cdma2000 Wireless IP Network Standard
• RFC 1918 Address Allocation for Private Internets
3 DEFINITIONS AND ABBREVIATIONS
3.1 Definitions
Solicited Packet: Any IP packet sent to a mobile station belonging to an IP flow for
which the mobile is configured, or comprising previously established communication
with an Internet node. For completeness, solicited packets include those from operator
services such as IOTA, and geo-location.
Standard Stateful Firewall: A network entity that tracks host solicitations under a subnet
to hosts outside and within that subnet, subsequently allowing incoming traffic from the
solicited hosts in accordance with the protocol and ports of the initial solicitation. Only
default firewall rules are applied at the beginning of an IP session; new rules
established during a session are discarded at the end of that IP session.
Unsolicited Packet: Any IP Packet sent to a MS that is not a Solicited Packet.
3.2 Abbreviations
AuC Authentication Center
BIOS Basic Input-Output System
HLR Home Location Register
ICMP Internet Control and Management Protocol
IMSI International Mobile Station Identity
IP Internet Protocol
ISP Internet Service Provider
IOTA IP-based Over-The-Air service provisioning
MS Mobile Station
MSC Mobile Switching Center
NAI Network Access Identifier
NAT Network Address Translation
NFCC Network Firewall Configuration and Control
PAT Port Address Translation
PDSN Packet Data Serving Node
RFC Request For Comment
SSDP Simple Service Discovery Protocol
VLR Visitor Location Register
VPN Virtual Private Network
4 GENERAL FEATURE DESCRIPTION
Data services require that mobile stations are reachable at the IP level from Internet
routable or proxy IP addresses. This makes the mobile station vulnerable to direct attack
(malicious or unintentional) at the network protocol layer. Note that a mobile station
cannot effectively perform “firewall” functions, since radio channel establishment is
required prior to firewalling decisions being taken. This makes it impractical for the
mobile station alone to mitigate impacts due to unsolicited packets, though NFCC does
not aim to preclude any supplemental firewall functions in the mobile station in addition
to the ones addressed herein. Furthermore, there may be applications or scenarios where a
subscriber may need to receive unsolicited incoming requests. Note that this is not the
case in current corporate Internet networks, where it is instead assumed that all sessions
are initiated from the protected inner nodes.
The following categories of unsolicited packets require Network Firewall Configuration
and Control:
• Stale Session Unsolicited packets: A mobile station has relinquished its dynamic
IP address. An IP entity that the mobile station had established communications
with can continue sending packets to this same IP address. When this IP address
is reassigned to another device, the new device will now receive unsolicited
packets. Examples are peer-to-peer file sharing and unterminated VPN sessions.
• Inter-subscriber Intra-subnet Unsolicited packets: Subnet-constrained broadcasts
or serial unicast from one mobile to another are unsolicited packets. These are
effectively unsolicited packets received from other subscribers served by the same
operator. Examples are worms exploiting subnet discovery protocols such as
ICMP, SSDP, or vulnerabilities caused by wireline approaches to service
discovery, such as Microsoft NetBIOS.
• Malicious packets.
In the wireline ISP model, the mobile station is expected to assume the responsibility for
firewalling. The wireless ISP model is inherently different, due to the heavy costs of
requiring firewalling at the mobile station, outlined in the introduction. NFCC has the
general property of pushing the firewalling decision into the IP core network of the
wireless operator.
Wireless service providers desire to provide a wireline ISP grade of service, so there is a
need to facilitate full Internet access for mobiles, just as landline ISPs. This seems like a
contradictory requirement; how can mobiles be allowed full Internet access while being
protected from the Internet?
Stateful firewall concepts can be used. In common stateful firewalls, all traffic is blocked
until the mobile station solicits for particular traffic. Profiles of allowed traffic may also
be implemented. However, there are some serious disadvantages to this approach:
1. Common stateful firewalls are IP based, and not subscription based, thus a network
does not provide the MS a means for persistence of previously established push
service relationships.
2. Common stateful firewalls may have scalability issues for carriers that maintain
millions of subscribers.
3. All unknown traffic is blocked by common stateful firewalls, not giving subscribers
a choice in allowing desired traffic.
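The difference between an IP-keyed stateful firewall (section 3.1) and NFCC state keyed by the subscription identity, including the stale-session case from the list of unsolicited packet categories above and point 1 of the disadvantages, as an added toy model that is not part of this specification; the class, method names, NAIs, addresses and ports are constructed assumptions.

```python
# Added toy model, not from the 3GPP2 text: firewall state kept per NAI, not per IP.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

class NfccFirewall:
    def __init__(self, persistent_allow):
        # nai -> sources kept allowed across IP sessions (e.g. a push service)
        self.persistent_allow = persistent_allow
        self.ip_to_nai = {}   # active IP sessions: address -> NAI
        self.dynamic = {}     # nai -> reverse flows opened by the MS this session

    def start_session(self, nai, ip):
        # Last known settings apply as soon as the address is acquired
        self.ip_to_nai[ip] = nai
        self.dynamic[nai] = set()

    def end_session(self, ip):
        # Dynamic inbound rules die with the IP session; persistent_allow stays
        nai = self.ip_to_nai.pop(ip)
        self.dynamic.pop(nai, None)

    def outbound(self, pkt):
        # An MS solicitation opens the reverse flow for this subscriber only
        nai = self.ip_to_nai[pkt.src]
        self.dynamic[nai].add((pkt.dst, pkt.proto, pkt.dport, pkt.sport))

    def inbound(self, pkt):
        """True if the packet is solicited (delivered), else False (blocked)."""
        nai = self.ip_to_nai.get(pkt.dst)
        if nai is None:
            return False                      # no session on this address
        if pkt.src in self.persistent_allow.get(nai, ()):
            return True                       # subscriber-configured service
        return (pkt.src, pkt.proto, pkt.sport, pkt.dport) in self.dynamic[nai]


def stale_session_scenario():
    """Alice's peer keeps sending after her address is reassigned to Bob."""
    fw = NfccFirewall({"alice@op.example": {"198.51.100.9"}})
    fw.start_session("alice@op.example", "10.0.0.5")
    fw.outbound(Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 6881))
    peer = Packet("203.0.113.7", "10.0.0.5", "tcp", 6881, 40000)
    alice_gets_peer = fw.inbound(peer)                # solicited reply
    fw.end_session("10.0.0.5")
    fw.start_session("bob@op.example", "10.0.0.5")    # address reassigned
    bob_gets_stale = fw.inbound(peer)                 # stale session: blocked
    fw.end_session("10.0.0.5")
    fw.start_session("alice@op.example", "10.0.0.6")  # Alice back on a new address
    alice_gets_push = fw.inbound(Packet("198.51.100.9", "10.0.0.6", "udp", 5000, 5000))
    return alice_gets_peer, bob_gets_stale, alice_gets_push
```

With an IP-keyed firewall the persistent allow entry would have stayed with 10.0.0.5 and been lost when Alice moved to 10.0.0.6; here it follows her NAI while the stale peer flow does not follow the address.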
Firewalls are therefore an important part of cdma2000 networks. They are necessary for a
secure access to the Internet and other services.
While NFCC specifies the adoption and utilization of firewalls in cdma2000 networks,
NFCC should ensure its integration in the cdma2000 based wireless networks, since
firewalls may present issues with various protocols (such as the Mobile IPv6/IPv4/IPsec
protocol) that are adopted into cdma2000 networks.
5 DETAILED FUNCTIONALITY REQUIREMENTS
5.1 Basic NFCC Requirements
NFCC1. The wireless packet data network should provide mobile stations
protection against unsolicited packets by preventing unsolicited IP
packets from being transmitted on the forward link of the radio
NFCC2. NFCC should provide a rudimentary protection against unsolicited
packets to legacy mobile stations.
NFCC3. NFCC shall be compatible with the existing mobile features and
5.2 Subscription Identity Based NFCC Requirements
NFCC4. NFCC shall apply to the subscriber’s subscription identity (e.g. IMSI or
NAI) and may apply the mobile station’s currently assigned IP address.
NFCC5. NFCC shall provide a means to persistently store the last known firewall
settings when a mobile station relinquishes its IP address. Any state that
cannot be automatically regenerated in subsequent IP sessions shall be
persistent. Not all firewall states should be persistent (for example
automatic inbound firewall rules). MS initiated outbound connections
may be persistent.
NFCC6. NFCC shall provide a means to apply the last known firewall settings
when a mobile station acquires an IP address.
5.3 Wireless ISP Grade of Service NFCC Requirements
NFCC7. NFCC should allow for IP service to reach the MS without introducing
security threats that are not currently possible.
NFCC8. NFCC shall provide the capability to individual subscribers (by
subscription or by command) to allow any IP node to reach the
individual MS without manual intervention where there are no prior
firewall rules.
NFCC9. NFCC shall maintain a capability to pre-provision firewall rules, for
example across all subscribers, or a subscriber profile, or on a per
subscriber basis.
NFCC10. NFCC shall block any IP packet from reaching the MS where the packet
does not meet the rules associated with the MS subscription.
NFCC11. NFCC shall be able to infer the rules for a MS that does not have NFCC
NFCC12. NFCC shall take no action due to the network not being able to forward
packets to the MS.
NFCC13. NFCC shall provide protection against unsolicited packets from other
subscribers in the same IP subnet.
NFCC14. NFCC shall provide the mobile seamless service while roaming across
network segments that support NFCC.
5.4 Administration of NFCC Profiles
NFCC15. NFCC shall allow for changes to firewall subscription profiles.
NFCC16. NFCC shall provide a means for network firewall configuration
administrative override to allow for certain servers to access the mobile
station regardless of the subscriber’s desired configurations (e.g.
firewall subscription profiles to allow emergency IP-based services or
default push services such as ‘press to talk’).
NFCC17. NFCC settings from the home network may be applied when the mobile
roams outside its home network. For reasons of home network security,
the NFCC feature shall allow NFCC Profile Administration to prevent
revision of any firewall settings for a mobile station while roaming. Put
differently, it shall be possible for the home network NFCC
administrator to preclude importation of NFCC settings established by
the mobile station while roaming.
NFCC18. The subscriber and operator shall have the ability to set the NFCC
parameters for each subscriber or class of subscribers (e.g. NAI domain),
with at least the following protection options:
• Block unsolicited IP packets except those configured by the
subscriber or operator as allowable. Allowable IP addresses can be
selected as individual addresses or as subnet addresses. Operators
may establish allowable addresses that take precedence over
subscriber settings.
• Allow all IP packets.
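Rule evaluation for the two NFCC18 protection options, with operator-established allowable addresses checked ahead of the subscriber's settings as NFCC16 and NFCC18 describe, as an added example that is not part of this specification; the class and method names, NAIs and addresses are constructed assumptions, and the addresses mix IPv4 and IPv6 to cover both packet families.

```python
# Added example, not part of the 3GPP2 text: NFCC18 protection options with
# operator allowable addresses taking precedence (NFCC16). Values are constructed.
import ipaddress


def _networks(addresses):
    # Individual addresses or subnets, IPv4 or IPv6, normalised to networks
    return [ipaddress.ip_network(a, strict=False) for a in addresses]


class NfccProfile:
    """Per-subscriber setting: 'allow_all', or 'block' except an allow-list."""
    def __init__(self, mode, allowed=()):
        self.mode = mode            # assumed values: "allow_all" or "block"
        self.allowed = _networks(allowed)


class NfccPolicy:
    def __init__(self, operator_allow=()):
        # Operator-established allowable addresses (e.g. emergency or
        # push-to-talk servers) are checked before any subscriber setting
        self.operator_allow = _networks(operator_allow)
        self.profiles = {}   # subscription identity (NAI) -> NfccProfile

    def set_profile(self, nai, profile):
        self.profiles[nai] = profile

    def decide(self, nai, src):
        """'allow' or 'block' for an inbound packet from src to the MS of nai."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.operator_allow):
            return "allow"
        # A subscriber without a profile gets the most restrictive option
        profile = self.profiles.get(nai, NfccProfile("block"))
        if profile.mode == "allow_all":
            return "allow"
        return "allow" if any(ip in net for net in profile.allowed) else "block"


def example_decisions():
    policy = NfccPolicy(operator_allow=["198.51.100.0/24"])
    policy.set_profile("alice@op.example",
                       NfccProfile("block", ["203.0.113.7", "2001:db8::/32"]))
    policy.set_profile("bob@op.example", NfccProfile("allow_all"))
    return {
        "alice_listed_host": policy.decide("alice@op.example", "203.0.113.7"),
        "alice_other_host": policy.decide("alice@op.example", "203.0.113.8"),
        "alice_v6_subnet": policy.decide("alice@op.example", "2001:db8::1"),
        "alice_operator": policy.decide("alice@op.example", "198.51.100.20"),
        "bob_any": policy.decide("bob@op.example", "192.0.2.1"),
        "no_profile": policy.decide("carol@op.example", "192.0.2.1"),
    }
```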
NFCC19. NFCC communications with the mobile, wireless infrastructure or other
firewalls should take place in an encrypted and authenticated secure
manner, including protection against replay attacks, to prevent
compromising the subscriber state, as well as prevention of DoS attacks.
5.5 NFCC Scalability Requirements
NFCC20. NFCC should incorporate a wireless operator mechanism to discard the
state of abandoned IP flows after a configurable timeout. In addition to
the timeout, all firewall state information associated with the MS IP
address is reset.
5.6 NFCC Individual Subscriber Configuration Requirements
NFCC21. NFCC shall provide a means for an operator to configure the firewall
parameters for each subscriber.
NFCC22. NFCC shall provide a means for a subscriber to configure any firewall
parameters via IP-based signaling. NFCC shall provide a mechanism for
the mobile station to discover the address of the firewall. The support of
this feature in the mobile station is optional.
5.7 NFCC Applicability and Scope
NFCC23. NFCC shall apply to private and public IP addresses. NFCC shall apply
to SimpleIP and MobileIP. NFCC shall apply to IPv4 and IPv6 packets
(See )
NFCC24. NFCC shall provide the same capabilities regardless of whether the
unsolicited packets originate within or outside of the wireless network.