IP Multimedia Subsystem IMS
Rajkiran Velluri, Rahul Allawadhi, Rahul Parey, Santosh Kandukuri

Page 1: IP Multimedia Subsystem IMS

IP Multimedia Subsystem IMS

Rajkiran Velluri, Rahul Allawadhi, Rahul Parey, Santosh Kandukuri

Page 2: IP Multimedia Subsystem IMS

History of IMS

IMS first appeared in Release 5 of the evolution from 2G to 3G networks for W-CDMA networks (UMTS), when a SIP-based multimedia domain was added to NGN networks. Support for older GSM and GPRS networks is also provided.

In 3GPP Release 6, interworking with WLAN was added. 3GPP Release 7 adds support for fixed networks, together with TISPAN, which adopted a more generalized model able to address a wider variety of network and service requirements. This overall architecture is based upon the concept of cooperating subsystems sharing common components. This subsystem-oriented architecture enables the addition of new subsystems over time to cover new demands and service classes.

"Early IMS" was defined for IPv4 networks, and provides a migration path to IPv6.

Page 3: IP Multimedia Subsystem IMS

Cellular Networks

1G - Used analog transmission and provided only circuit-switched voice telephony

2G - Fully digital. Offered both voice & CS data services

2.5G - Addition of packet-switched data services to 2G networks

3G - Provides (or tries to) all services over PS (including voice telephony)

Page 4: IP Multimedia Subsystem IMS

IP Multimedia Subsystem (IMS)

The IP Multimedia Subsystem standard defines a generic architecture for offering VoIP and multimedia services.

Internationally recognized standard, first specified by the 3GPP (3rd Generation Partnership Project).

Supports multiple access types: GSM, WCDMA, CDMA2000, wireline broadband access and WLAN.

Established with the aim of allowing the UMTS network to provide all of its services over IP on an end-to-end basis.

Page 5: IP Multimedia Subsystem IMS

Concept of the IP Multimedia Subsystem (IMS)

The IP Multimedia Subsystem is an open, standardized, NGN multimedia architecture for mobile and fixed IP-based services. It's a VoIP implementation based on a 3GPP variant of SIP (Session Initiation Protocol), and runs over the standard Internet Protocol. It's used by telcos in NGN networks (which combine voice and data in a single packet-switched network) to offer network-controlled multimedia services.

The aim of IMS is not only to provide new services but to provide all the services, current and future, that the Internet provides. In addition, users have to be able to execute all their services when roaming as well as from their home networks. To achieve these goals the IMS uses open standard IP protocols, defined by the IETF.

Page 6: IP Multimedia Subsystem IMS

Concept of the IP Multimedia Subsystem (IMS)

So, a multimedia session between 2 IMS users, between an IMS user and a user on the Internet, and between 2 users on the Internet is established using exactly the same protocol. Moreover, the interfaces for service developers are also based on IP protocols. This is why the IMS truly merges the Internet with the cellular world: it uses cellular technologies to provide ubiquitous access and Internet technologies to provide appealing services.

Page 7: IP Multimedia Subsystem IMS

IMS concept

The IMS concept was introduced to address the following network and user requirements:

• Deliver person-to-person real-time IP-based multimedia communications (e.g. voice or video telephony) as well as person-to-machine communications (e.g. gaming service).

• Fully integrate real-time with non-real-time multimedia communications (e.g. live streaming and chat).

• Enable different services and applications to interact (e.g. combined use of presence and instant messaging).

• Easy user setup of multiple services in a single session or multiple simultaneous synchronized sessions.

Page 8: IP Multimedia Subsystem IMS

IMS solution overview

Source: Alcatel

Page 9: IP Multimedia Subsystem IMS

IMS Standards

3GPP and 3GPP2 - 3rd Generation Partnership Project and 3rd Generation Partnership Project 2. Both have defined the IP Multimedia Subsystem (IMS); the harmonization effort has kept the definitions as similar as possible.

IETF - Internet Engineering Task Force. Provides the definitions for SIP, SDP and other protocols underlying IMS; IMS is driving some of the work in the IETF.

OMA - Open Mobile Alliance. Defining services for the IMS architecture, e.g. Instant Messaging, Push-to-Talk.

ITU - International Telecommunication Union. Provides protocol definitions used by IMS: H.248 for media control, Q.1912.SIP for SIP – ISUP interworking (in conjunction with IETF).

ETSI - European Telecommunications Standards Institute. TISPAN is a merger of TIPHON (VoIP) and SPAN (fixed networks); agreement on reuse of 3GPP/3GPP2 IMS in comprehensive NGN plans.

ANSI - American National Standards Institute. Provides protocol definitions used by IMS.

ATIS - Alliance for Telecommunications Industry Solutions. Addressing end-to-end solutions over wireline and wireless; nearing agreement to use 3GPP/3GPP2 IMS.

Page 10: IP Multimedia Subsystem IMS

IMS GOALS

Support of real-time IP-based multimedia communication services (VoIP, video conferencing, etc.). This implies that IMS will replace the CS domain of a UMTS network, providing all the traditional CS services over IP, in the PS domain.

Provide ability of interactions between services, so that users may combine different services in one session, e.g. group conferencing.

Page 11: IP Multimedia Subsystem IMS

Characteristics of IMS

Takes the concept of horizontal architecture a step further where service enablers and common functions can be reused for multiple applications

Well integrated with existing voice and data networks adopting many of the key benefits of the IT domain

Horizontal architecture specifies interoperability and roaming, and provides bearer control, charging and security

IMS enables services to be delivered in a standardized, well structured manner

The horizontal architecture enables operators to avoid the problems associated with charging, presence, group and list management, routing and provisioning.

Page 12: IP Multimedia Subsystem IMS

Advantages of IMS

Advantages over other existing systems:

- The core network is independent of a particular access technology
- Integrated mobility for all network applications
- Easier migration of applications from fixed to mobile users
- Faster deployment of new services based on a standardized architecture
- An end to unique or customized applications
- New applications such as presence information, videoconferencing, Push to talk over cellular (PoC), multiparty gaming, community services and content sharing
- Evolution to combinational services, for example by combining instant messaging and voice
- User profiles are stored in a central location

Page 13: IP Multimedia Subsystem IMS

Advantages of IMS

Advantages over free VoIP: It's possible to run free VoIP applications over the regular Internet. Then why do we need IMS, if all the power of the Internet is already available for 3G users?

Quality of Service: The network offers no guarantees about the amount of bandwidth a user gets for a particular connection or about the delay the packets experience. Consequently, the quality of a VoIP conversation can vary dramatically throughout its duration.

Charging of multimedia services: Videoconferences can transfer a large amount of information, but the telecom operator can't charge separately for this data. Some business models might be more beneficial for the user (for instance: a fixed price per message, not per byte); others might charge extra for better QoS.

Integration of different services: an operator can use services developed by third parties, combine them, integrate them with services they already have, and provide the user with a completely new service. For example: if voicemail and text-to-speech are combined, a voice version of incoming text messages can be provided for blind users.

Page 14: IP Multimedia Subsystem IMS

IMS SERVICES & ARCHITECTURE

These basic services can be controlled by external Application Servers (AS) so as to provide various applications. For example, IMS does not offer a conferencing or chat room service! It provides:

- point-to-point and point-to-multipoint transmission facilities
- group management facilities
- the ability for an external AS to control the group communication

Page 15: IP Multimedia Subsystem IMS

IMS SERVICES & ARCHITECTURE

To maximize flexibility, IMS organizes its functionality in three layers.

Page 16: IP Multimedia Subsystem IMS

IMS SERVICES & ARCHITECTURE

Transport & Endpoint Layer: initiates & terminates the signaling needed to set up & control sessions, and provides bearer services between the endpoints. Media gateways are provided to convert from/to analog/digital voice telephony formats to/from IP packets using RTP. IMS signaling is based on SIP on top of IPv6.

The session control layer provides functionality that allows endpoints to be registered with the network and sessions to be set up between them. It also contains the functions that control the media gateways and servers so as to provide the requested services.

The application server layer allows sessions to interact with various AS entities. In this layer multiple sessions may be coordinated to provide a single application.

Page 17: IP Multimedia Subsystem IMS

IMS SERVICES & ARCHITECTURE

Supports a wide range of services, both telephony and non-telephony oriented. All these services are provided over IP, end-to-end. Some of them are the following:

- Voice & video telephony
- Instant Messaging
- Chat Rooms
- Video Conferencing
- Multiparty Gaming

Page 18: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 19: IP Multimedia Subsystem IMS

The IP Multimedia Core Network Subsystem is a collection of different functions, linked by standardized interfaces. A function is not a node (hardware box): an implementer is free to combine 2 functions in 1 node, or to split a single function into 2 or more nodes. Each node can also be present multiple times in a network, for load balancing or organizational reasons.

BROADVIEW OF IMS ARCHITECTURE

Page 20: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Access Network

The user can connect to an IMS network using various methods, all of which use the standard Internet Protocol (IP). Direct IMS terminals can register directly into an IMS network. Fixed access, mobile access and wireless access are all supported.

Page 21: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Access Network

Page 22: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE User Database

The HSS (Home Subscriber Server) is the master user database that supports the IMS network entities that are actually handling the calls/sessions.

It contains the subscription-related information, performs authentication and authorization of the user, and can provide information about the physical location of the user.

A SLF (Subscriber Location Function) is needed when multiple HSSs are used.

Page 23: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 24: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Call/Session Control

Several types of SIP servers, collectively known as CSCFs, are used to process SIP signaling packets in the IMS.

1) P-CSCF (Proxy-CSCF)

2) I-CSCF (Interrogating-CSCF)

3) S-CSCF (Serving-CSCF)

Page 25: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Call/Session Control

1) P-CSCF (Proxy-CSCF): a SIP proxy that is the first point of contact for the IMS terminal. It can be located either in the visited network or in the home network. The terminal discovers its P-CSCF either with DHCP, or it is assigned in the PDP Context (in GPRS).

Page 26: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Call/Session Control

2) I-CSCF (Interrogating-CSCF): a SIP proxy located at the edge of an administrative domain. Its IP address is published in the DNS records of the domain, so that remote servers can find it and use it as an entry point for all SIP packets to this domain.

The I-CSCF queries the HSS using the DIAMETER Cx and Dx interfaces to retrieve the user location, and then routes the SIP request to its assigned S-CSCF.

It can also be used to hide the internal network from the outside world, in which case it's called a THIG (Topology Hiding Interface Gateway).

Page 27: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Call/Session Control

3) S-CSCF (Serving-CSCF): the central node of the signaling plane. It's a SIP server, but performs session control as well. It's always located in the home network. The S-CSCF uses the DIAMETER Cx and Dx interfaces to the HSS to download and upload user profiles. It has no local storage of the user.

Page 28: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 29: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Application Servers

Application servers (AS) host and execute services, and interface with the S-CSCF using SIP. Depending on the actual service, the AS can operate in SIP proxy mode, SIP UA mode or SIP B2BUA mode. An AS can be located in the home network or in an external third-party network.

Page 30: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 31: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Media Servers

A MRF (Media Resource Function) provides a source of media in the home network. It's used for playing of announcements, multimedia conferencing, text-to-speech conversion (TTS) and speech recognition, and real-time transcoding of multimedia data.

Each MRF is further divided into:

1) A MRFC (Media Resource Function Controller), a signalling plane node that acts as a SIP User Agent to the S-CSCF, and which controls the MRFP with a H.248 interface

2) A MRFP (Media Resource Function Processor), a media plane node that implements all media-related functions.

Page 32: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 33: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Breakout Gateway

A BGCF (Breakout Gateway Control Function) is a SIP server that includes routing functionality based on telephone numbers. It's only used when calling from the IMS to a phone in a circuit-switched network, such as the PSTN or the PLMN.

Page 34: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE

Page 35: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE PSTN Gateways

A PSTN/CS gateway interfaces with PSTN circuit-switched (CS) networks.

A SGW (Signalling Gateway) interfaces with the signalling plane of the CS network. It transforms lower layer protocols such as SCTP into MTP, to pass ISUP from the MGCF to the CS network.

A MGCF (Media Gateway Controller Function) does call control protocol conversion between SIP and ISUP, and interfaces with the SGW over SCTP.

A MGW (Media Gateway) interfaces with the media plane of the CS network, by converting between RTP and PCM.

Page 36: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Charging

Definitions: Offline charging is applied to users who pay for their services periodically, whereas online charging is applied to users who pay with credit-based charging, which is used for prepaid services.

Offline charging: All the SIP network entities involved in the session use the DIAMETER Rf interface to send accounting information to a CCF (Charging Collector Function) located in the same domain. The CCF collects all this information and builds a CDR (Charging Data Record), which is sent to the billing system (BS) of the domain.

Online charging: The S-CSCF talks to a SCF (Session Charging Function), which looks like a regular SIP application server. The SCF can signal the S-CSCF to terminate the session when the user runs out of credit during a session. The AS and MRFC use the DIAMETER Ro interface towards an ECF (Event Charging Function), which also communicates with the SCF.

Page 37: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Advantages: Advantages over existing systems

- The core network is independent of a particular access technology
- Integrated mobility for all network applications
- Easier migration of applications from fixed to mobile users
- Faster deployment of new services based on a standardized architecture
- New applications such as presence information, videoconferencing, Push to talk over cellular (PoC), multiparty gaming, community services and content sharing
- User profiles are stored in a central location

Page 38: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Advantages: Advantages over free VoIP

Quality of Service: The network offers no guarantees about the amount of bandwidth a user gets for a particular connection or about the delay the packets experience.

Charging of multimedia services: Videoconferences can transfer a large amount of information. Some business models might be more beneficial for the user; others might charge extra for better QoS.

Integration of different services: an operator can use services developed by third parties, combine them, integrate them with services they already have, and provide the user with a completely new service.

Page 39: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Issues

Benefits need to be further articulated in terms of actual savings.

IMS is "operator friendly", which means that it provides the operator with comprehensive control of content at the expense of the consumer.

IMS uses the 3GPP variant of SIP, which needs to interoperate with the IETF SIP.

IMS is an optimization of the network, and investments for such optimization are questionable.

Page 40: IP Multimedia Subsystem IMS

BROADVIEW OF IMS ARCHITECTURE Associated Protocols

RFC 1889 Real-time Transport Protocol (RTP)
RFC 2327 Session Description Protocol (SDP)
RFC 2748 Common Open Policy Server protocol (COPS)
RFC 2782 a DNS RR for specifying the location of services (SRV)
RFC 2806 URLs for telephone calls (TEL)
RFC 2915 the naming authority pointer DNS resource record (NAPTR)
RFC 2916 E.164 number and DNS
RFC 3261 Session Initiation Protocol (SIP)
RFC 3262 reliability of provisional responses (PRACK)
RFC 3263 locating SIP servers
RFC 3264 an offer/answer model with the Session Description Protocol
RFC 3310 HTTP Digest Authentication using Authentication and Key Agreement (AKA)
RFC 3311 UPDATE method
RFC 3312 integration of resource management and SIP
RFC 3319 DHCPv6 options for SIP servers
RFC 3320 signalling compression (SIGCOMP)
RFC 3323 a privacy mechanism for SIP
RFC 3324 short term requirements for network asserted identity
RFC 3325 private extensions to SIP for asserted identity within trusted networks
RFC 3326 the Reason header field
RFC 3327 extension header field for registering non-adjacent contacts (Path header)
RFC 3329 security mechanism agreement
RFC 3455 private header extensions for SIP
RFC 3485 SIP and SDP static dictionary for signaling compression
RFC 3574 Transition Scenarios for 3GPP Networks
RFC 3588 DIAMETER base protocol
RFC 3589 DIAMETER command codes for 3GPP Release 5 (informational)
RFC 3608 extension header field for service route discovery during registration
RFC 3680 SIP event package for registrations
RFC 3824 using E.164 numbers with SIP

Page 41: IP Multimedia Subsystem IMS

Session Initiation Protocol - SIP

SIP is the core protocol for initiating, managing and terminating sessions in the Internet. These sessions may be text, voice, video or a combination of these. SIP sessions involve one or more participants and can use unicast or multicast communication.

Page 42: IP Multimedia Subsystem IMS

Session Initiation Protocol - SIP

Provides call control for multimedia services:
- initiation, modification, and termination of sessions
- terminal-type negotiation and selection
- call holding, forwarding, forking, transfer
- media type negotiation (also mid-call changes) using the Session Description Protocol (SDP)

Provides personal mobility support
Independent of transport protocols (TCP, UDP, SCTP, …)
ASCII format SIP headers
Separation of call signalling and data stream

Application types/examples:
- Interactive Voice over IP (VoIP)
- Multimedia conferences (multi-party, e.g. voice & video)
- Instant messaging
- Presence service
- Support of location-based services

Page 43: IP Multimedia Subsystem IMS

SIP in IMS

Mandatory existence of P-CSCF as first point of contact

Network initiated call release (e.g. due to missing coverage or administrative reasons): proxies are able to send BYE

Network control of media types: the P/S-CSCF checks the SDP in the SIP body. If the SDP contains invalid parameters (e.g. not supported codecs), the P/S-CSCF rejects the SIP request by sending a 488 (“Not Acceptable Here”) response that contains an SDP body indicating parameters that would be acceptable to the network

Network hiding (encryption of Route and Via headers)
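As an added example (not code from the slides), the following Python models the P/S-CSCF media-policy check just described: it parses a constructed INVITE, compares the SDP codecs with an assumed operator policy (ALLOWED_CODECS), and builds the 488 response whose SDP body lists the parameters the network would accept. The sample message, the policy and the payload-type numbers in it are assumptions for illustration, not page content.

```python
"""Added example: P/S-CSCF codec policy check on an INVITE offer and the
488 "Not Acceptable Here" response carrying acceptable SDP parameters."""

CRLF = "\r\n"

# Constructed operator policy (assumption): codec name -> (payload type, clock
# rate) that the network advertises back in the 488 body.
ALLOWED_CODECS = {"AMR": (97, 8000), "AMR-WB": (98, 16000), "telephone-event": (101, 8000)}

# Static RTP/AVP payload types (RFC 3551) that appear without an a=rtpmap line.
STATIC_PAYLOAD_NAMES = {"0": "PCMU", "8": "PCMA", "18": "G729"}

# Headers a SIP response copies from the request (RFC 3261 section 8.2.6.2).
ECHOED_HEADERS = (("via", "Via"), ("from", "From"), ("to", "To"),
                  ("call-id", "Call-ID"), ("cseq", "CSeq"))


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-case header: value}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(sdp):
    """Return [(media type, {payload type: codec name}), ...], one per m= line."""
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()  # m=<media> <port> <proto> <fmt> ...
            codecs = {pt: STATIC_PAYLOAD_NAMES.get(pt, "?") for pt in fields[3:]}
            media.append((fields[0], codecs))
        elif line.startswith("a=rtpmap:") and media:
            pt, _, enc = line[len("a=rtpmap:"):].partition(" ")  # <pt> <name>/<clock>
            if pt in media[-1][1]:
                media[-1][1][pt] = enc.split("/")[0]
    return media


def unsupported_codecs(raw_invite):
    """Map each media type in an INVITE offer to the codecs the policy rejects."""
    start_line, headers, body = parse_sip(raw_invite)
    if not start_line.startswith("INVITE ") or headers.get("content-type", "").lower() != "application/sdp":
        return {}  # no offer to police in this message
    rejected = {}
    for mtype, codecs in parse_sdp_media(body):
        bad = sorted(name for name in codecs.values() if name not in ALLOWED_CODECS)
        if bad:
            rejected[mtype] = bad
    return rejected


def build_488(raw_invite):
    """Build the 488 response with an SDP body listing what the network accepts."""
    _, headers, body = parse_sip(raw_invite)
    pts = " ".join(str(pt) for pt, _ in ALLOWED_CODECS.values())
    sdp = ["v=0", "o=cscf 0 0 IN IP4 0.0.0.0", "s=-", "c=IN IP4 0.0.0.0", "t=0 0"]
    for mtype, _ in parse_sdp_media(body):
        sdp.append("m=%s 0 RTP/AVP %s" % (mtype, pts))  # port 0: descriptive, not an answer
        sdp += ["a=rtpmap:%d %s/%d" % (pt, name, clock) for name, (pt, clock) in ALLOWED_CODECS.items()]
    sdp_body = CRLF.join(sdp) + CRLF
    lines = ["SIP/2.0 488 Not Acceptable Here"]
    lines += ["%s: %s" % (canon, headers[key]) for key, canon in ECHOED_HEADERS if key in headers]
    lines += ["Content-Type: application/sdp", "Content-Length: %d" % len(sdp_body), ""]
    return CRLF.join(lines) + CRLF + sdp_body


def check_offer(raw_invite):
    """CSCF decision: (True, None) to forward, or (False, 488 response) to reject."""
    if unsupported_codecs(raw_invite):
        return False, build_488(raw_invite)
    return True, None


# Constructed sample offer: PCMU (static PT 0) and iLBC are outside the policy.
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP [2001:db8::1]:5060;branch=z9hG4bK776",
    "From: <sip:alice@example.net>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP6 2001:db8::1",
    "s=-",
    "c=IN IP6 2001:db8::1",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 97 99",
    "a=rtpmap:97 AMR/8000",
    "a=rtpmap:99 iLBC/8000",
    "",
])
```

Calling check_offer(SAMPLE_INVITE) rejects the offer because PCMU and iLBC are outside the policy, and the returned 488 echoes the dialog-identifying headers and lists AMR, AMR-WB and telephone-event as the acceptable parameters; an offer restricted to AMR passes unchanged. Rejecting at the P-CSCF, before the request reaches the S-CSCF or any application server, is what keeps unsupported or deliberately malformed media descriptions out of the core.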

Page 44: IP Multimedia Subsystem IMS

SIP in IMS

Additional signaling information, for example Cell-ID, Mobile Network/Country Code, Charging-IDs: information transported using a P-header based solution

Compression: SIP compression is mandatory as the radio interface is a scarce resource; compression / decompression of SIP will be performed by the UE and the P-CSCF

Authentication & integrity protection: the S-CSCF performs the authentication using AKA; the P-CSCF checks the integrity of messages received via the air interface using IPsec ESP

Page 45: IP Multimedia Subsystem IMS

SIP based session management

Page 46: IP Multimedia Subsystem IMS

SIP Architecture

[Figure: SIP architecture showing a Redirect Server, a Location Server, a Registrar Server, two Proxy Servers and two User Agents.]

Page 47: IP Multimedia Subsystem IMS

SIP Entities

- User Agent (User Agent Client, User Agent Server)
- Proxy Server
- Redirect Server
- Registrar Server

Page 48: IP Multimedia Subsystem IMS

SIP Message Types

Requests – sent from client to server: INVITE, ACK, REFER, OPTIONS, BYE, CANCEL, REGISTER, SUBSCRIBE, NOTIFY, MESSAGE

Page 49: IP Multimedia Subsystem IMS

SIP Message Types (Contd.)

Responses – sent from server to the client: Success, Redirection, Forwarding, Request failure, Server failure, Global failure

Page 50: IP Multimedia Subsystem IMS

SIP Session Establishment and Call Termination

Page 51: IP Multimedia Subsystem IMS

SIP Call Redirection

Page 52: IP Multimedia Subsystem IMS

Call Proxying

Page 53: IP Multimedia Subsystem IMS

Instant messaging based on SIP

SIMPLE – IM protocol based on SIP. SIP promises interoperability between various IM vendors. SIP has unique user tracking features. SIP addressing.

Page 54: IP Multimedia Subsystem IMS

IMS – Security Challenges

Page 55: IP Multimedia Subsystem IMS

Contents

- Security evolution of a new architecture / protocol
  – Today: advanced mobile OSs, cellular viruses
  – Tomorrow: additional IMS services ????
- 3GPP IMS Security Specifications
- Mobile to Mobile Security
- GSM-SIP Security
- Third party involvement increases

Page 56: IP Multimedia Subsystem IMS

Today Cellular Viruses

SKULLS – infects by Bluetooth
Mosquito – constantly sends SMSs to a premium service

Reasons for threat increase:
– Smart phone OSs are sophisticated, open platforms
– Multi connectivity: MMS, Bluetooth, phone browsers (HTTP), infrared, mail

Reasons for threat reduction:
– Phones not “always connected”
– Phones don’t have server applications (like Microsoft RPC – Blaster worm)
– Signature mechanisms are being developed
– Infection paths for attachments are not fully automatic: MMS, Bluetooth – question asked before opening attachment

Page 57: IP Multimedia Subsystem IMS

Tomorrow: IMS

IMS increases GPRS/UMTS connectivity:
– Mobile to Mobile
– Mobile to ADSL/Cable
– GPRS/UMTS Mobile to CDMA-2000 Mobile

IMS introduces new protocols
IMS – always connected
– IMS should not introduce “server”-like applications on the mobile phones that are constantly listening for input
IMS involves third parties supplying content
IMS is a clear “umbrella” type standard for cellular multimedia: easier to protect, but ….. much easier to attack
IMS operator backbone – new “hacking targets”

Page 58: IP Multimedia Subsystem IMS

3GPP IMS Security Specifications

UMTS security is designed in multiple layers:
– Attachment level security
– Network level security (IP, PDP Context)
– IMS service level security (GSM-SIP Security)

Network level uses IETF well-known security: IKE & IPsec
– Authentication
– Encryption (optional)
– Data integrity

GSM-SIP security

Page 59: IP Multimedia Subsystem IMS

IMS - Mobile 2 Mobile Security

3GPP did not account for it in the design; the GSMA identified the problem: IMS introduces Mobile to Mobile traffic, and GPRS was not intended for that. The problem: it is difficult to control M2M traffic.

Page 60: IP Multimedia Subsystem IMS

IMS - New Protocols - New Threats

IPv6 – IMS is a main driver of IPv6 deployment
• IPv6 Land attack
• Cisco IOS IPv6 heap overflow attack

Diameter, SCTP (Cx interface): internal CSCF to HSS traffic – less vulnerable, but the data is very sensitive

Page 61: IP Multimedia Subsystem IMS

Testing Typologies

1. Functional Testing
• check the correct handling of the system's end-to-end functionalities, verifying protocols and procedures
• typically carried out in a test plant

2. Conformance Test
• check the compatibility of the functional blocks

3. Load & Capacity Testing
• check the performance declared by the supplier
• check correct working under limit load conditions

4. Live Testing
• check the correct handling of the system's functionalities in a real context

Page 62: IP Multimedia Subsystem IMS

Scope of Testing

Verify the IMS core-network through the usage of a set of reference end-to-end scenarios (including roaming users) and the analysis of signalling on the network interfaces that are involved: Gm, Cx, Mw, Mi, Mj, Mk, Mg, Mn, Rf, Go.

Verify the procedures' conformity to the standard. Reduce the time to market of new network solutions.

Page 63: IP Multimedia Subsystem IMS

P-CSCF discovery

IMS network configuration used only for testing the P-CSCF discovery procedure.

End-to-End Methodology

[Figure: test topology for P-CSCF discovery. Elements: UE, RNC/UTRAN, BSS/GERAN, SGSN, GGSN, DNS, DHCP, P-CSCF, I-CSCF, S-CSCF, HSS. Interfaces shown: Um, Iu-PS, Gn, Gm, Mw, Cx.]

Page 64: IP Multimedia Subsystem IMS

Session Initiation & Control between different network operators

End-to-End Methodology

[Figure: two-operator test topology. Originating network: UE1, P-CSCF1, S-CSCF1; terminating network: UE2, P-CSCF2, I-CSCF, S-CSCF2, HSS. Interfaces shown: Um, Mw, Cx.]

IMS configuration requiring two users located in different home networks, to test interoperability of the session setup and control procedures.

Page 65: IP Multimedia Subsystem IMS

Types of intrusions and general annoyances:

Virus – spreads from computer to computer
SPAM – unwanted email
Denial of Service attack – sends thousands of requests to a critical machine

Page 66: IP Multimedia Subsystem IMS

How most attacks work.

A vendor either finds an error in code or has one reported. This code involves a vulnerability.

The vendor alerts their users to the vulnerability and the patch (a computer word for a fix).

Hackers learn of the vulnerability and write a program that exploits it. Some system managers ignore the patch.

They start scanning networks for computers that have not applied the patch.

The fun begins.

Page 67: IP Multimedia Subsystem IMS

Scanning

All computers have a network address. TAMU, for example, uses the addresses 128.194.000.001 to 128.194.254.254 (about 65,000 computers).

A computer program is written that starts at 1 and goes to 65,000 sequentially.

Any time that it finds a vulnerable computer it takes over the computer.

The user may not even know that it is happening.

Page 68: IP Multimedia Subsystem IMS

Protecting yourself and your computer - Passwords

PASSWORD protection – this is first and foremost.

NEVER use easy-to-guess passwords. NEVER share a password. NEVER write your password on a sticky note next to the screen. All passwords should include letters and numbers.

Page 69: IP Multimedia Subsystem IMS

Protection by IMS, Campus and Internet

Virus protection – on most computers, or filtered at the server.
Firewall for critical computers – both TAMU and four in Physical Plant.
SPAM filters – one on campus and one at Physical Plant.
Intrusion detection – Campus and through CERT (Computer Emergency Response Team at CMU, http://www.cert.org/)

Page 70: IP Multimedia Subsystem IMS

Security Components

[Figure: security component diagram showing the Web Server, the Internet, the Campus LAN, the AssetWorks Server, the EMAIL Server PPFS4, the SPAM Filter, and three user workstations labelled Les Swick, Bubba McCartney and Tracy Vaughn.]

Page 71: IP Multimedia Subsystem IMS

Other Security TIPS

Virus protection – set for frequent update

NEVER open attachments from unknown addresses (I don’t open attachments from most known addresses)

Most virus notices are hoaxes. “Do not ignore this warning – your mouse could explode” – check with IMS

Use email rules (example)

NEVER unsubscribe from a SPAM email

Page 72: IP Multimedia Subsystem IMS

More applications are moving to WEB access for convenience. Be sure to work with IMS on security issues before you put info online

Page 73: IP Multimedia Subsystem IMS

Web Applications

Camera security http://165.91.187.68, Door Access, UPS power, Voice Mail Server. All Web Applications are reviewed by Lauri Brender for Info Security and Lee McCleskey for general security before we will put them online.

Page 74: IP Multimedia Subsystem IMS

3GPP IP Multimedia Subsystem (Release 5)

[Figure: Release 5 architecture. Visited network: RAN, SGSN, GGSN (PS domain) and P-CSCF; home network: I-CSCF, S-CSCF and HSS. REGISTER/INVITE requests from the UA pass through P-CSCF, I-CSCF and S-CSCF (SIP proxy servers) over SIP-based interfaces.]

Cx interface based on Diameter: SIP proxies get authorisation and authentication information.

Page 75: IP Multimedia Subsystem IMS

3GPP Release 5 Security

Packet Switched (PS) domain: access security features retained from 3GPP Release 99 specifications.

IP Multimedia Subsystem (IMS) domain: new access security features to be specified to protect the access link to the IMS domain, independent of the underlying PS domain security features; network domain security features to protect signalling links between network elements within the IMS domain.

Page 76: IP Multimedia Subsystem IMS

IP Multimedia Subsystem: Access Security

[Figure: the Release 5 architecture (UA, RAN/SGSN/GGSN, P-CSCF, I-CSCF, S-CSCF, HSS, REGISTER/INVITE flows) annotated with the four access security steps below.]

1. Distribution of authentication information
2. Mutual authentication and session key agreement
3. Session key distribution
4. Protection of SIP signalling using the agreed session key

Source: Draft 3GPP TS 33.203

Page 77: IP Multimedia Subsystem IMS

IP Multimedia Subsystem: Network Domain Security

[Figure: the same Release 5 architecture (UA, RAN/SGSN/GGSN, P-CSCF, I-CSCF, S-CSCF, HSS, REGISTER/INVITE flows) annotated with per-hop protection of signalling using IPsec/IKE between network elements.]

Source: Draft 3GPP TS 33.210

Page 78: IP Multimedia Subsystem IMS

Access Security: Authentication Principles

3GPP authentication protocol (3GPP AKA) based on a secret key stored in the UA’s tamper-proof subscriber identity module (SIM) and in the HSS

Authentication check located in the S-CSCF

Working assumption is to authenticate only at SIP registrations, with on-demand re-authentication requiring re-registration

Use SIP authentication rather than an outer layer protocol such as TLS or IKE in order to minimise roundtrips

Page 79: IP Multimedia Subsystem IMS

Integration of Authentication Protocol into DIAMETER and SIP

Distribution of authentication information to the S-CSCF using DIAMETER: distribution of authentication vectors for 3GPP AKA

Integration of the authentication protocol into SIP registration: 3GPP AKA protocol between UA and S-CSCF; distribution of the session key to the P-CSCF

Page 80: IP Multimedia Subsystem IMS

Possible Information Flow for Authentication and Session Key Establishment (from draft 3GPP TS 33.203)

[Figure: message flow diagram; labels visible: Cx-Put, Cx-Pull, and the note "Changed to 407 Proxy Authentication Required".]

Page 81: IP Multimedia Subsystem IMS

Access Security: Security Mode Establishment between UA and P-CSCF

Determines when to start applying protection and which algorithm to use; includes secure algorithm negotiation

Uses the session key derived during authentication

Integration into SIP registration with no new roundtrips
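The algorithm negotiation referred to above is the security mechanism agreement of RFC 3329 (in the deck's RFC list); in 3GPP it rides on the REGISTER / 401 / REGISTER exchange of AKA, which is why it costs no extra round trip. The following Python is an added example, not from the slides: the UA's Security-Client and the P-CSCF's Security-Server lists are constructed samples (the ipsec-3gpp parameter names follow 3GPP TS 24.229, the values are arbitrary), the client picks the server's most preferred mechanism that it supports, and the server checks that the Security-Verify echo matches what it originally sent, which is how a list altered by an intermediary is detected. Treating a missing q as preference 0 is an assumption of this example.

```python
"""Added example: RFC 3329 security mechanism agreement between a UA and a
P-CSCF, including the Security-Verify check that catches a downgraded list."""


def parse_security_header(value):
    """Parse 'mech; p=v; q=0.5, mech2; ...' into [(mech, {param: value}, q)].
    Assumption for this example: an entry without q gets preference 0."""
    entries = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        params = {}
        for p in parts[1:]:
            key, _, val = p.partition("=")
            params[key.strip()] = val.strip()
        q = float(params.pop("q", "0"))
        entries.append((parts[0], params, q))
    return entries


def canonical(entries):
    """Order-independent form used to compare two header values."""
    return sorted((mech, tuple(sorted(params.items())), q) for mech, params, q in entries)


def choose_mechanism(security_client, security_server):
    """Client side: the server's highest-preference mechanism the client also supports."""
    supported = {mech for mech, _, _ in parse_security_header(security_client)}
    candidates = [e for e in parse_security_header(security_server) if e[0] in supported]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e[2])


def server_accepts(security_server_sent, security_verify_received):
    """Server side: Security-Verify must equal the Security-Server list it sent.
    Any difference means the 401 was altered in transit, so registration is refused."""
    return canonical(parse_security_header(security_server_sent)) == \
        canonical(parse_security_header(security_verify_received))


def run_agreement(client_offer, server_list, list_seen_by_client=None):
    """Whole exchange. list_seen_by_client differs from server_list only when
    something between the parties tampered with the 401; the client echoes what it saw.
    Returns (chosen mechanism name or None, server accepted the echo?)."""
    seen = server_list if list_seen_by_client is None else list_seen_by_client
    chosen = choose_mechanism(client_offer, seen)
    security_verify = seen  # Security-Verify is a copy of Security-Server as received
    return (chosen[0] if chosen else None), server_accepts(server_list, security_verify)


# Constructed sample headers (ipsec-3gpp parameters per TS 24.229; values arbitrary).
UE_SECURITY_CLIENT = (
    "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=1001; spi-s=1002; port-c=5062; port-s=5063; q=0.2, "
    "digest; q=0.1")
PCSCF_SECURITY_SERVER = (
    "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=2001; spi-s=2002; port-c=5100; port-s=5101; q=0.9, "
    "digest; q=0.1")
```

With the lists above the UA selects ipsec-3gpp and the P-CSCF accepts the echo. If the 401 reaching the UA had been stripped down to "digest; q=0.1", the UA would select digest, but its Security-Verify would no longer match the list the P-CSCF sent, and the P-CSCF refuses the registration instead of continuing with the weaker mechanism.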

Page 82: IP Multimedia Subsystem IMS

Access security: Protection of SIP signalling between UA and P-CSCF

Integrity protection of SIP signalling between UA and P-CSCF

Uses the session key derived during authentication. Symmetric scheme because of efficiency concerns. Candidate mechanisms include modified CMS and ESP.

Page 83: IP Multimedia Subsystem IMS

IP Multimedia Subsystem: Access Security Documentation

[Figure: documentation map with rows "High level architecture" and "Protocol detail" and columns 3GPP and IETF. 3GPP: TS 23.228 (SA2), TS 24.228 (CN1), TS 29.228 (CN4), TS 29.229 (CN4), TS 33.203 (SA3), TS 24.229 (CN1), other specs e.g. AKA (SA3). IETF: SIPPING WG; AAA, PPPEXT, IPsec, …]

Page 84: IP Multimedia Subsystem IMS

Authentication and Key Agreement Protocol (3GPP AKA)

[Figure: message flow between ISIM/UA, S-CSCF, HSS and P-CSCF: authentication vector request and authentication vector response between S-CSCF and HSS; authentication request and authentication response between S-CSCF and UA; distribution of the session key to the P-CSCF.]

• Three party protocol
• Two-pass mutual authentication protocol between UA and S-CSCF
• Each authentication vector is good for one authentication
• Authentication vectors can be distributed in batches to minimise signalling/load on the HSS
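An added example (not from the slides) that runs the three-party flow in the figure end to end, and also covers the DIAMETER/SIP integration slide above: the HSS issues a batch of single-use authentication vectors to the S-CSCF, the S-CSCF challenges the UA with RAND and AUTN, the ISIM authenticates the network (MAC and sequence-number check) before answering with RES, and the S-CSCF compares RES with XRES and hands CK/IK to the P-CSCF. The derivation functions are HMAC stand-ins for the MILENAGE f1..f5 functions, the batch size, subscriber key and identity are constructed, and the class and function names are this example's own.

```python
"""Added example: three-party 3GPP AKA (HSS, S-CSCF, ISIM/UA) with batched,
single-use authentication vectors. Toy key derivation, not MILENAGE."""
import hmac
import hashlib
import secrets


def _kdf(k, label, data, n):
    """Stand-in for MILENAGE f1..f5 (assumption: HMAC-SHA-256, truncated to n bytes)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HSS:
    """Master database: long-term key K and sequence number per private identity."""

    def __init__(self):
        self.subscribers = {}

    def provision(self, impi, k):
        self.subscribers[impi] = {"k": k, "sqn": 0}

    def authentication_vectors(self, impi, count):
        """Cx authentication-vector response: a batch, each vector usable once."""
        sub = self.subscribers[impi]
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)
            sqn = sub["sqn"].to_bytes(6, "big")
            sub["sqn"] += 1
            mac = _kdf(sub["k"], b"f1", rand + sqn, 8)  # proves the challenge came from K's holder
            ak = _kdf(sub["k"], b"f5", rand, 6)         # anonymity key conceals SQN on the air
            batch.append({
                "rand": rand,
                "autn": _xor(sqn, ak) + mac,            # AUTN = (SQN xor AK) || MAC
                "xres": _kdf(sub["k"], b"f2", rand, 8),
                "ck": _kdf(sub["k"], b"f3", rand, 16),
                "ik": _kdf(sub["k"], b"f4", rand, 16),
            })
        return batch


class ISIM:
    """Tamper-resistant module in the UA holding the same K."""

    def __init__(self, k):
        self.k, self.highest_sqn, self.ck, self.ik = k, -1, None, None

    def respond(self, rand, autn):
        """Authenticate the network (MAC and SQN freshness), then derive RES, CK, IK."""
        sqn = _xor(autn[:6], _kdf(self.k, b"f5", rand, 6))
        if not hmac.compare_digest(autn[6:], _kdf(self.k, b"f1", rand + sqn, 8)):
            raise ValueError("MAC failure: challenge not from a network holding K")
        if int.from_bytes(sqn, "big") <= self.highest_sqn:
            raise ValueError("SQN not fresh: replayed challenge")
        self.highest_sqn = int.from_bytes(sqn, "big")
        self.ck = _kdf(self.k, b"f3", rand, 16)
        self.ik = _kdf(self.k, b"f4", rand, 16)
        return _kdf(self.k, b"f2", rand, 8)


class SCSCF:
    """Keeps no permanent subscriber data; caches unused vectors fetched from the HSS."""

    def __init__(self, hss, batch_size=3):
        self.hss, self.batch_size, self.unused, self.in_progress = hss, batch_size, {}, {}

    def challenge(self, impi):
        """Consume one vector for a 401 challenge; fetch a new batch only when none are left."""
        if not self.unused.get(impi):
            self.unused[impi] = self.hss.authentication_vectors(impi, self.batch_size)
        av = self.unused[impi].pop(0)
        self.in_progress[impi] = av
        return av["rand"], av["autn"]

    def verify(self, impi, res):
        """Compare RES with XRES; on success return CK/IK for distribution to the P-CSCF."""
        av = self.in_progress.pop(impi)
        if hmac.compare_digest(res, av["xres"]):
            return {"ck": av["ck"], "ik": av["ik"]}
        return None


def register(isim, scscf, impi):
    """SIP side: REGISTER -> 401 (RAND, AUTN) -> REGISTER (RES) -> 200 OK.
    Returns the keys the S-CSCF pushes to the P-CSCF, or None on failure."""
    rand, autn = scscf.challenge(impi)       # carried in WWW-Authenticate (RFC 3310)
    try:
        res = isim.respond(rand, autn)       # UA refuses to answer an unauthentic network
    except ValueError:
        scscf.in_progress.pop(impi, None)    # the exposed vector is discarded, never reused
        return None
    return scscf.verify(impi, res)
```

A successful registration leaves the UA and the S-CSCF holding the same CK/IK, which the S-CSCF forwards to the P-CSCF for the integrity protection described later in the deck; a challenge built with the wrong K fails the MAC check on the ISIM side, and a replayed RAND/AUTN fails the sequence-number check, so neither yields a RES. Fetching vectors in batches means only every third registration here reaches the HSS.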

Page 85: IP Multimedia Subsystem IMS

Other IP Multimedia Subsystem Security Issues (1)

Hide the caller’s public ID from the called party by encrypting the remote party ID header at the caller’s S-CSCF and decrypting it at the same S-CSCF. Is there a requirement to hide callers’ IP addresses that are dynamically assigned?

Network configuration hiding: mechanism being developed to hide the host domain names of CSCFs and the number of CSCFs within one operator’s network.

Page 86: IP Multimedia Subsystem IMS

Other IP Multimedia Subsystem Security Issues (2)

Session transfer: guidance on security aspects based on the GSM call transfer feature; authorisation and accounting of the transferred leg needs to involve the transferring party who has dropped out of the session; should there be a limit to the number of transferred sessions? should the final destination be hidden from the calling party?

Security aspects of other IP multimedia subsystem services?

End-to-end security

Page 87: IP Multimedia Subsystem IMS

References

Draft 3GPP TS 33.203, Access security for IP-based services (Release 5).

Draft 3GPP TS 33.210, Network domain security; IP network layer security (Release 5).

J. Arkko and H. Haverinen, “EAP AKA Authentication” draft-arkko-pppext-aka-00.txt.

V. Torvinen, J. Arkko, A. Niemi, “HTTP Authentication with EAP”, draft-torvinen-http-eap-00.txt (to appear).

L. Blunk, J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP)”, RFC 2284.

P. Calhoun et al. “DIAMETER NASREQ Extensions”, draft-ietf-aaa-diameter-nasreq-06.txt.

Page 88: IP Multimedia Subsystem IMS

•Is IMS increasing the threats for cellular security?

Page 89: IP Multimedia Subsystem IMS

QUESTIONS???