admin/geedge-jira
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
geedge-jira/md/OMPUB-301.md

172 lines
5.5 KiB
Markdown
Raw Permalink Normal View History

first
2025-09-14 21:52:36 +00:00
# 福建项目需求鉴于移网流量中IP地址分层TSG能否支持”将GTP头部中的IP地址作为独立可选项下到策略中“
| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-301 | 2021-12-20T16:13:49.000+0800 | 郑超 | 完成 |
---
*需求:*
鉴于移网流量中IP地址分层TSG能否支持”将GTP头部中的IP地址作为独立可选项下到策略中“
*说明:*
当前TSG安全策略界面中的源、目的IP地址 生效于 GTP内层IP地址对于固网不变 仍使用该选项添加IP对象新增可选项”GTP头部源、目的IP地址“使两部分IP可分别生效互不冲突
*背景:*
福建用户早先下了一批IPv6白名单策略未指定生效范围该策略中的IP地址为运营商境内公网IP地址策略ID=122
近期福建新开局点”厦门海峡5G“测试中发现经过该局点的流量全都无法阻断经过排查发现测试手机流量中的GTP头部的IPv6地址全都命中了 122白名单策略使得阻断策略未生效于是用户提出了该需求。**yangwei** commented on *2021-12-24T14:24:05.102+0800*:
[~zhangzhihan]  建议先问清楚要干嘛,再说要不要改,该怎么改。
用户配v6白名单策略的意图是什么那一批v6地址全allow么
”将GTP头部中的IP地址要作为独立可选项“的意图又是什么
TSG支持L7的策略条件目前用户只用L3的过滤是么这个思路直接给汇聚分流下规则就能实现不需要镜像至TSG
---
**zhangzhihan** commented on *2021-12-27T16:27:15.648+0800*:
[~yangwei] 
1用户在福建采用白名单模式所以配了一堆IPv6地址的白名单该白名单的地址均为{*}运营商境内公网IPv6地址固网{*}全Allow
2这批【公网IPv6地址】与 【”厦门海峡5G“的GTP头部IPv6地址】存在一定程度的冲突所以导致【厦门海峡5G】该局点的流量也全部命中了白名单
3由于业务原因目前用户没有解除白名单而是采取 “在汇聚分流上剥离GTP头部” 的方式,但该方案也只是临时解决的方案
4已经建议用户对白名单策略指定生效范围但是用户并没有这么做。。。。
 
综上所述用户建议”将GTP头部中的IP地址要作为独立可选项“
---
**zhangzhihan** commented on *2021-12-27T17:20:06.991+0800*:
更正一下信息福建的5G网络的GTP头都是IPv6地址且IPv6地址均为公网地址即在基站这一层直接套了公网IPv6地址。
用户认为目前的IP策略模式在移网环境有不方便的地方所以有该建议
---
**zhuwei** commented on *2021-12-28T04:04:04.299+0800*:
我建议:
先拿回该条策略以及相应的Pcap文件检查一下是否是因为白名单IP地址策略配置范围过大导致。为了用户的愚蠢而改系统是不聪明的选择
 
---
**zhangzhihan** commented on *2021-12-28T12:21:26.868+0800*:
[~zhuwei]  策略122 截图对应IP段已上传附件~
!image-2021-12-28-12-19-28-190.png!
 
---
**yangwei** commented on *2021-12-28T14:24:29.880+0800*:
他们配IP白名单的意图就是纯白名单既不是IP+TCP或者IP+UDP的白名单也不是IP+HTTP或者IP+SSL的白名单他们只要配个IP+TCP的白就不会命中GTP的流量
 
这种纯IP的白直接在分流设备上下就行
---
attachment link
2025-09-14 22:26:17 +00:00
# Attachments
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: image-2021-12-28-12-19-28-190.png
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
![image-2021-12-28-12-19-28-190.png](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24285/image-2021-12-28-12-19-28-190.png)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: image-2022-02-15-10-28-14-198.png
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
![image-2022-02-15-10-28-14-198.png](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/25250/image-2022-02-15-10-28-14-198.png)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内电信IPv6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内电信IPv6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24286/境内电信IPv6地址段.txt)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内谷歌IPv6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内谷歌IPv6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24287/境内谷歌IPv6地址段.txt)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内教育网IPV6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内教育网IPV6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24288/境内教育网IPV6地址段.txt)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内科技网IPV6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内科技网IPV6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24289/境内科技网IPV6地址段.txt)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内联通IPV6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内联通IPV6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24290/境内联通IPV6地址段.txt)
first
2025-09-14 21:52:36 +00:00
attachment link
2025-09-14 22:26:17 +00:00
Attachment: 境内鹏博士IPv6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内鹏博士IPv6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24291/境内鹏博士IPv6地址段.txt)
Attachment: 境内铁通IPv6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内铁通IPv6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24292/境内铁通IPv6地址段.txt)
Attachment: 境内移动IPv6地址段.txt
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
[境内移动IPv6地址段.txt](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24293/境内移动IPv6地址段.txt)
Attachment: 微信图片_20211220163507.png
attachment link
2025-09-14 22:27:11 +00:00
attachment link
2025-09-14 22:26:17 +00:00
![微信图片_20211220163507.png](https://gfwleak.exec.li/admin/geedge-jira/raw/branch/master/attachment/24021/微信图片_20211220163507.png)
first
2025-09-14 21:52:36 +00:00
Reference in New Issue Copy Permalink