IP Multimedia Subsystem

IMS

Rajkiran Velluri
Rahul Allawadhi
Rahul Parey
Santosh Kandukuri
History of IMS
IMS first appeared in Release 5 of the evolution from 2G to 3G networks
for W-CDMA networks (UMTS), when a SIP-based multimedia domain was
added to NGN networks. Support for older GSM and GPRS networks is
also provided.
In 3GPP Release 6, interworking with WLAN was added.
3GPP Release 7 added support for fixed networks, together with TISPAN,
and adopted a more generalized model able to address a wider variety
of network and service requirements. This overall architecture is based
upon the concept of cooperating subsystems sharing common components.
This subsystem-oriented architecture enables the addition of new
subsystems over time to cover new demands and service classes.
"Early IMS" was defined for IPv4 networks, and provides a migration
path to IPv6.
Cellular Networks

1G
- Used analog transmission and provided only circuit switched
voice telephony
2G
- Fully digital. Offered both voice & CS data services
2.5G
- Addition of Packet Switched Data services to 2G Networks.
3G
- Provide (or try to) all services over PS (including voice telephony)
IP Multimedia Subsystem (IMS)
The IP Multimedia subsystem standard defines a generic
architecture for offering VoIP and multimedia services.
Internationally recognized standard first specified by the
3GPP (3rd Generation Partnership Project)
Supports multiple access types: GSM, WCDMA,
CDMA2000, Wireline broadband access and WLAN.
Established with the aim of allowing UMTS network to
provide all of its services over IP on an end-to-end basis.
Concept of the IP Multimedia Subsystem (IMS)

The IP Multimedia Subsystem is an open, standardized, NGN multimedia
architecture for mobile and fixed IP-based services. It is a VoIP
implementation based on a 3GPP variant of SIP (Session Initiation Protocol),
and runs over the standard Internet Protocol. It is used by telcos in NGN
networks (which combine voice and data in a single packet switched
network) to offer network-controlled multimedia services.

The aim of IMS is not only to provide new services but to provide all the
services, current and future, that the Internet provides. In addition, users
have to be able to execute all their services when roaming as well as
from their home networks. To achieve these goals the IMS uses open
standard IP protocols, defined by the IETF.
Concept of the IP Multimedia Subsystem (IMS)
So, a multi-media session between 2 IMS users,
between an IMS user and a user on the Internet,
and between 2 users on the Internet is established
using exactly the same protocol. Moreover, the
interfaces for service developers are also based on
IP protocols. This is why the IMS truly merges the
Internet with the cellular world: it uses cellular
technologies to provide ubiquitous access and
Internet technologies to provide appealing services.
IMS concept

The IMS concept was introduced to address the following network and user
requirements:
- Deliver person-to-person real-time IP-based multimedia communications
  (e.g. voice or video telephony) as well as person-to-machine communications
  (e.g. gaming service).
- Fully integrate real-time with non-real-time multimedia communications
  (e.g. live streaming and chat).
- Enable different services and applications to interact (e.g. combined use
  of presence and instant messaging).
- Easy user setup of multiple services in a single session or multiple
  simultaneous synchronized sessions.
IMS solution overview

Source: Alcatel
IMS Standards
3GPP and 3GPP2 - 3rd Generation Partnership Project and
3rd Generation Partnership Project 2
- Have both defined the IP Multimedia Subsystem (IMS)
- The harmonization effort has kept the definitions as similar as possible.
IETF - Internet Engineering Task Force
- Provides the definitions for SIP, SDP and other protocols underlying IMS
- IMS is driving some of the work in the IETF
OMA - Open Mobile Alliance
- Defining services for the IMS architecture, e.g. Instant Messaging, Push-to-Talk
ITU - International Telecommunication Union
- Provides protocol definitions used by IMS
- H.248 for media control
- Q.1912.SIP for SIP-ISUP interworking (in conjunction with the IETF)
ETSI - European Telecommunications Standards Institute
- TISPAN is the merger of TIPHON (VoIP) and SPAN (fixed networks)
- Agreement on reuse of 3GPP/3GPP2 IMS in comprehensive NGN plans
ANSI - American National Standards Institute
- Provides protocol definitions used by IMS
ATIS - Alliance for Telecommunications Industry Solutions
- Addressing end-to-end solutions over wireline and wireless
- Nearing agreement to use 3GPP/3GPP2 IMS
IMS GOALS

- Support of real-time IP-based multimedia communication services (VoIP,
  video conferencing etc.). This implies that IMS will replace the CS
  domain of a UMTS network, providing all the traditional CS services
  over IP, in the PS domain.
- Provide the ability for services to interact, so that users may combine
  different services in one session, e.g. group conferencing.
Characteristics of IMS
Takes the concept of horizontal architecture a step further where
service enablers and common functions can be reused for
multiple applications
Well integrated with existing voice and data networks adopting
many of the key benefits of the IT domain
Horizontal architecture specifies interoperability and roaming,
and provides bearer control, charging and security
IMS enables services to be delivered in a standardized, well
structured manner
The horizontal architecture enables operators to avoid the
problems associated with charging, presence, group and list
management, routing and provisioning.
Advantages of IMS
Advantages over other existing systems:
The core network is independent of a particular access technology
Integrated mobility for all network applications
Easier migration of applications from fixed to mobile users
Faster deployment of new services based on standardized architecture
An end to unique or customized applications
New applications such as presence information, videoconferencing,
Push to talk over cellular (POC), multiparty gaming, community services
and content sharing.
Evolution to combinational services, for example by combining instant
messaging and voice
User profiles are stored in a central location
Advantages of IMS
Advantages over free VoIP:
It's possible to run free VoIP applications over the regular Internet. Then why do
we need IMS, if all the power of the Internet is already available for 3G users?
Quality of Service : The network offers no guarantees about the amount of
bandwidth a user gets for a particular connection or about the delay the packets
experience. Consequently, the quality of a VoIP conversation can vary
dramatically throughout its duration.
Charging of multimedia services : Videoconferences can transfer a large amount
of information, but the telecom operator can't charge separately for this data.
Some business models might be more beneficial for the user (for instance: a
fixed price per message, not per byte); others might charge extra for better QoS.
Integration of different services : an operator can use services developed by
third parties, combine them, integrate them with services they already have, and
provide the user with a completely new service. For example: if voicemail and
text-to-speech is combined, a voice version of incoming text messages can be
provided for blind users.
IMS SERVICES & ARCHITECTURE

These basic services can be controlled by external Application
Servers (AS) so as to provide various applications.
For example, IMS does not offer a conferencing or chat room
service!
It provides
- point-to-point and point-to-multipoint transmission facilities
- group management facilities
- the ability for an external AS to control the group communication
IMS SERVICES & ARCHITECTURE

To maximize flexibility, IMS organizes its functionality in three
layers.
IMS SERVICES & ARCHITECTURE

Transport & Endpoint Layer: initiates & terminates the signaling
needed to set up & control sessions, and provides bearer services
between the endpoints. Media gateways are provided to convert
from/to analog/digital voice telephony formats to/from IP packets
using RTP. IMS signaling is based on SIP on top of IPv6.
Session Control Layer: provides functionality that allows
endpoints to be registered with the network and sessions to be
set up between them. It also contains the functions that control the
media gateways and servers so as to provide the requested
services.
Application Server Layer: allows sessions to interact with
various AS entities. In this layer multiple sessions may be
coordinated to provide a single application.
IMS SERVICES & ARCHITECTURE

Support a wide range of services, both telephony & non-telephony
oriented. All these services are provided over IP, end-to-end. Some
of them are the following:
- Voice & video telephony
- Instant Messaging
- Chat Rooms
- Video Conferencing
- Multiparty Gaming
BROADVIEW OF IMS ARCHITECTURE

The IP Multimedia Core Network Subsystem is a collection of
different functions, linked by standardized interfaces. A function is
not a node (hardware box): an implementer is free to combine 2
functions in 1 node, or to split a single function into 2 or more nodes.
Each node can also be present multiple times in a network, for load
balancing or organizational reasons.
BROADVIEW OF IMS ARCHITECTURE

Access Network
The user can connect to an IMS network using various methods, all
of which are using the standard Internet Protocol (IP).
Direct IMS terminals can register directly into an IMS network.
Fixed access, mobile access and wireless access are all supported.
BROADVIEW OF IMS ARCHITECTURE

User Database
The HSS (Home Subscriber Server) is the master user database
that supports the IMS network entities that are actually handling the
calls/sessions.
It contains the subscription-related information, performs
authentication and authorization of the user, and can provide
information about the physical location of user.
A SLF (Subscriber Location Function) is needed when multiple
HSSs are used.
BROADVIEW OF IMS ARCHITECTURE

Call/Session Control
Several types of SIP servers, collectively known as CSCF, they are
used to process SIP signaling packets in the IMS.
1) P-CSCF (Proxy-CSCF)
2) I-CSCF (Interrogating-CSCF)
3) S-CSCF (Serving-CSCF)
BROADVIEW OF IMS ARCHITECTURE

Call/Session Control
1) A P-CSCF (Proxy-CSCF)
It is a SIP proxy that is the first point of contact for the IMS
terminal.
It can be located either in the visited network or in the home
network.
The terminal discovers its P-CSCF either with DHCP or because it is
assigned in the PDP Context (in GPRS).
BROADVIEW OF IMS ARCHITECTURE

Call/Session Control
2) I-CSCF (Interrogating-CSCF)
It is a SIP proxy located at the edge of an administrative domain.
Its IP address is published in the DNS records of the domain, so
that remote servers can find it, and use it as an entry point for all
SIP packets to this domain.
The I-CSCF queries the HSS using the DIAMETER Cx and Dx
interfaces to retrieve the user location, and then routes the SIP
request to the user's assigned S-CSCF.
It can also be used to hide the internal network from the outside
world, in which case it's called a THIG (Topology Hiding Interface
Gateway).
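The DNS lookup that finds a domain's I-CSCF (RFC 3263: NAPTR to pick the transport, SRV to pick hosts and ports, then AAAA) is worth seeing end to end, because its ordering rules decide which entry point remote SIP traffic hits first. The following is an added example, not code from the slides; it runs the RFC 3263 / RFC 2782 selection logic against a constructed in-memory zone (the ims.example.net names, addresses, ports and weights are all made up) so it works offline.

```python
"""Finding the entry point of an IMS domain: RFC 3263 NAPTR -> SRV -> AAAA.

Added example, not from the slides. A remote server locates the I-CSCF through
the records the home domain publishes in DNS. The lookups below run against a
constructed in-memory zone (names, addresses, ports and weights are all made
up) so the example works offline; the selection logic is the RFC 3263 /
RFC 2782 procedure.
"""
import random

SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp", "SIP+D2S": "sctp"}

# Constructed zone. NAPTR: (order, preference, flags, service, replacement);
# SRV: (priority, weight, port, target); AAAA: [addresses].
ZONE = {
    "NAPTR": {"ims.example.net": [
        (20, 50, "s", "SIP+D2T", "_sip._tcp.ims.example.net"),
        (10, 50, "s", "SIPS+D2T", "_sips._tcp.ims.example.net"),
        (30, 50, "s", "SIP+D2U", "_sip._udp.ims.example.net"),
    ]},
    "SRV": {
        "_sips._tcp.ims.example.net": [(10, 60, 5061, "icscf1.ims.example.net"),
                                        (10, 40, 5061, "icscf2.ims.example.net"),
                                        (20, 0, 5061, "icscf-backup.ims.example.net")],
        "_sip._tcp.ims.example.net": [(10, 100, 5060, "icscf1.ims.example.net")],
        "_sip._udp.ims.example.net": [(10, 100, 5060, "icscf1.ims.example.net")],
    },
    "AAAA": {"icscf1.ims.example.net": ["2001:db8:1::1"],
             "icscf2.ims.example.net": ["2001:db8:1::2"],
             "icscf-backup.ims.example.net": ["2001:db8:1::9"]},
}

def select_naptr(domain, supported, zone=ZONE):
    """Lowest order, then lowest preference, among 's' records whose transport the client supports."""
    usable = [r for r in zone["NAPTR"].get(domain, [])
              if r[2] == "s" and SERVICE_TO_TRANSPORT.get(r[3]) in supported]
    return min(usable, key=lambda r: (r[0], r[1])) if usable else None

def order_srv(records, rng):
    """RFC 2782 ordering: ascending priority, weighted random within each priority."""
    ordered = []
    for priority in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == priority]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)          # 0 when every remaining weight is 0
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(group.pop(group.index(r)))
                    break
    return ordered

def locate(domain, supported=("tls", "tcp", "udp"), zone=ZONE, seed=None):
    """Ordered [(IPv6 address, port, transport)] to try; [] when nothing usable is published."""
    naptr = select_naptr(domain, supported, zone)
    if naptr is None:
        return []
    rng = random.Random(seed)
    transport = SERVICE_TO_TRANSPORT[naptr[3]]
    targets = []
    for _priority, _weight, port, host in order_srv(zone["SRV"].get(naptr[4], []), rng):
        targets.extend((addr, port, transport) for addr in zone["AAAA"].get(host, []))
    return targets
```

One caveat a practitioner should keep in mind: none of these DNS answers are authenticated unless DNSSEC is in use, so when the selected transport is TLS the peer certificate must be checked against the original SIP domain (ims.example.net), not against the SRV target name the resolver returned, as RFC 5922 requires; otherwise an attacker who can spoof the NAPTR/SRV answers can steer SIPS traffic to a host for which they hold a perfectly valid certificate.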
BROADVIEW OF IMS ARCHITECTURE

Call/Session Control
3) S-CSCF (Serving-CSCF)
It is the central node of the signaling plane.
It is a SIP server, but performs session control as well.
It is always located in the home network. The S-CSCF uses the
DIAMETER Cx and Dx interfaces to the HSS to download and
upload user profiles.
It keeps no persistent local copy of subscriber data; the HSS is the master.
BROADVIEW OF IMS ARCHITECTURE

Application Servers
Application servers (AS) host and execute services, and interface
with the S-CSCF using SIP.
Depending on the actual service, the AS can operate in SIP proxy
mode, SIP UA mode or SIP B2BUA mode.
An AS can be located in the home network or in an external
third-party network.
BROADVIEW OF IMS ARCHITECTURE

Media Servers
An MRF (Media Resource Function) provides a source of media in
the home network.
It is used for playing announcements, multimedia conferencing,
text-to-speech conversion (TTS) and speech recognition, and real-time
transcoding of multimedia data.
Each MRF is further divided into:
1) An MRFC (Media Resource Function Controller), a signalling
plane node that acts as a SIP User Agent towards the S-CSCF and
controls the MRFP over an H.248 interface
2) An MRFP (Media Resource Function Processor), a media plane
node that implements all media-related functions.
BROADVIEW OF IMS ARCHITECTURE

Breakout Gateway
A BGCF (Breakout Gateway Control Function) is a SIP server that
includes routing functionality based on telephone numbers.
It's only used when calling from the IMS to a phone in a circuit
switched network, such as the PSTN or the PLMN.
BROADVIEW OF IMS ARCHITECTURE

PSTN Gateways
A PSTN/CS gateway interfaces with PSTN circuit switched (CS)
networks.
An SGW (Signalling Gateway) interfaces with the signalling plane of
the CS network. It transforms lower layer protocols such as SCTP into
MTP, to pass ISUP from the MGCF to the CS network.
An MGCF (Media Gateway Controller Function) does call control
protocol conversion between SIP and ISUP, and interfaces with the
SGW over SCTP.
An MGW (Media Gateway) interfaces with the media plane of the CS
network, by converting between RTP and PCM.
BROADVIEW OF IMS ARCHITECTURE

Charging
Definitions: offline charging is applied to users who pay for their
services periodically, whereas online charging is credit-based charging
applied to users of prepaid services.
Offline charging: all the SIP network entities involved in the
session use the DIAMETER Rf interface to send accounting
information to a CCF (Charging Collection Function) located in the
same domain. The CCF collects all this information and builds a CDR
(Charging Data Record), which is sent to the billing system (BS) of
the domain.
Online charging: the S-CSCF talks to an SCF (Session Charging
Function), which looks like a regular SIP application server. The
SCF can signal the S-CSCF to terminate the session when the user
runs out of credit during a session. The AS and MRFC use the
DIAMETER Ro interface towards an ECF (Event Charging Function),
which also communicates with the SCF.
BROADVIEW OF IMS ARCHITECTURE

Issues
Benefits need to be further articulated in terms of actual savings.
IMS is "operator friendly" which means that it provides the operator
with comprehensive control of content at the expense of the
consumer.
IMS uses the 3GPP variant of SIP, which needs to interoperate with
the IETF SIP.
IMS is an optimization of the network, and investments for such
optimization are questionable.
BROADVIEW OF IMS ARCHITECTURE

Associated Protocols
RFC 1889 Real-time Transport Protocol (RTP)
RFC 2327 Session Description Protocol (SDP)
RFC 2748 Common Open Policy Server protocol (COPS)
RFC 2782 a DNS RR for specifying the location of services (SRV)
RFC 2806 URLs for telephone calls (TEL)
RFC 2915 the naming authority pointer DNS resource record (NAPTR)
RFC 2916 E.164 number and DNS
RFC 3261 Session Initiation Protocol (SIP)
RFC 3262 reliability of provisional responses (PRACK)
RFC 3263 locating SIP servers
RFC 3264 an offer/answer model with the Session Description Protocol
RFC 3310 HTTP Digest Authentication using Authentication and Key Agreement (AKA)
RFC 3311 update method
RFC 3312 integration of resource management and SIP
RFC 3319 DHCPv6 options for SIP servers
RFC 3320 signalling compression (SIGCOMP)
RFC 3323 a privacy mechanism for SIP
RFC 3324 short term requirements for network asserted identity
RFC 3325 private extensions to SIP for asserted identity within trusted networks
RFC 3326 the reason header field
RFC 3327 extension header field for registering non-adjacent contacts (path header)
RFC 3329 security mechanism agreement
RFC 3455 private header extensions for SIP
RFC 3485 SIP and SDP static dictionary for signaling compression
RFC 3574 Transition Scenarios for 3GPP Networks
RFC 3588 DIAMETER base protocol
RFC 3589 DIAMETER command codes for 3GPP release 5 (informational)
RFC 3608 extension header field for service route discovery during registration
RFC 3680 SIP event package for registrations
RFC 3824 using E164 numbers with SIP
Session Initiation Protocol -SIP
SIP is the core protocol for initiating, managing and
terminating sessions in the Internet
These sessions may be text, voice, video or a
combination of these
SIP sessions involve one or more participants and
can use unicast or multicast communication.
Session Initiation Protocol - SIP
Provides call control for multimedia services:
- initiation, modification, and termination of sessions
- terminal-type negotiation and selection
- call holding, forwarding, forking, transfer
- media type negotiation (also mid-call changes) using the Session
  Description Protocol (SDP)
Provides personal mobility support
Independent of transport protocols (TCP, UDP, SCTP)
ASCII format SIP headers
Separation of call signalling and data stream

Application types/examples:
- Interactive Voice over IP (VoIP)
- Multimedia conferences (multi-party, e.g. voice & video)
- Instant messaging
- Presence service
- Support of location-based services
SIP in IMS
Mandatory existence of P-CSCF as first point of contact
Network initiated call release (e.g. due to missing coverage or
administrative reasons): proxies are able to send BYE
Network control of media types:
- P/S-CSCF checks the SDP in the SIP body
- If the SDP contains invalid parameters (e.g. unsupported codecs), the
  P/S-CSCF rejects the SIP request by sending a 488 (Not Acceptable Here)
  response that contains an SDP body indicating parameters that would be
  acceptable to the network
Network hiding (encryption of Route and Via headers)
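The media-type check described above is a policy enforcement point, so it pays to see what the CSCF actually has to parse and what it sends back. The following is an added example (not code from the slides): it splits a SIP INVITE, reads the SDP offer, compares each offered codec with a constructed operator policy and, when the offer is not acceptable, builds the 488 Not Acceptable Here response with an SDP body listing what the network would accept. The policy, payload numbers, hostnames and the sample INVITE are all constructed for the example.

```python
"""Network control of media types at the P-/S-CSCF (488 Not Acceptable Here).

Added example, not code from the original slides: parse the SDP offer carried
in a SIP INVITE, compare the offered codecs with a constructed operator policy
and, when the offer is not acceptable, build the 488 response with an SDP body
listing what the network would accept. Policy, payload numbers, hostnames and
the sample INVITE are all constructed for the example.
"""
import re

# Constructed policy: per media type, accepted encoding names with the payload
# type and rtpmap the network advertises back (static numbers per RFC 3551).
POLICY = {
    "audio": {"PCMU": (0, "PCMU/8000"), "PCMA": (8, "PCMA/8000"), "AMR": (97, "AMR/8000")},
    "video": {"H264": (99, "H264/90000")},
}
STATIC_NAMES = {0: "PCMU", 8: "PCMA", 18: "G729", 34: "H263"}  # RFC 3551 static payload types
COPIED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")

def parse_sdp(sdp):
    """Return [(media type, {payload type: encoding name or None})] per m= line."""
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            mtype, _port, _proto, *fmts = line[2:].split()
            media.append((mtype, {int(f): STATIC_NAMES.get(int(f)) for f in fmts if f.isdigit()}))
        elif line.startswith("a=rtpmap:") and media:
            m = re.match(r"a=rtpmap:(\d+) ([^/\s]+)", line)
            if m and int(m.group(1)) in media[-1][1]:
                media[-1][1][int(m.group(1))] = m.group(2)
    return media

def disallowed_codecs(sdp):
    """Map media type -> offered codecs the policy rejects; an empty dict means acceptable."""
    bad = {}
    for mtype, codecs in parse_sdp(sdp):
        allowed = POLICY.get(mtype, {})
        rejected = sorted(name or f"pt{pt}" for pt, name in codecs.items() if name not in allowed)
        if rejected or mtype not in POLICY:
            bad[mtype] = rejected or ["media type not permitted"]
    return bad

def acceptable_sdp(offer):
    """SDP body for the 488: for each offered media type the network knows, its allowed codecs."""
    lines = ["v=0", "o=- 0 0 IN IP6 ::1", "s=-", "c=IN IP6 ::1", "t=0 0"]
    for mtype, _ in parse_sdp(offer):
        allowed = POLICY.get(mtype)
        if allowed:
            lines.append(f"m={mtype} 9 RTP/AVP " + " ".join(str(pt) for pt, _ in allowed.values()))
            lines.extend(f"a=rtpmap:{pt} {rtpmap}" for pt, rtpmap in allowed.values())
    return "\r\n".join(lines) + "\r\n"

def split_sip(raw):
    """Split a SIP message into (start line, [(header name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    return start, [(n.strip(), v.strip()) for n, _, v in (h.partition(":") for h in header_lines)], body

def screen_invite(raw):
    """Return None when the INVITE may be forwarded, otherwise the 488 response to send back."""
    start, headers, body = split_sip(raw)
    if not start.startswith("INVITE "):
        return None
    bad = disallowed_codecs(body)
    if not bad:
        return None
    sdp = acceptable_sdp(body)
    response = ["SIP/2.0 488 Not Acceptable Here"]
    response += [f"{n}: {v}" for n, v in headers if n in COPIED_HEADERS]  # every Via, in order
    response += [f'Warning: 305 pcscf.ims.example.net "Incompatible media format: {bad}"',
                 "Content-Type: application/sdp", f"Content-Length: {len(sdp)}", "", sdp]
    return "\r\n".join(response)

# Constructed INVITE: audio offers PCMU (0), G729 (18) and iLBC (96); video offers H264 (98).
SAMPLE_INVITE = (
    "INVITE sip:bob@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [2001:db8::10]:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@ims.example.net>;tag=1928301774\r\n"
    "To: <sip:bob@ims.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP6 2001:db8::10\r\ns=-\r\n"
    "c=IN IP6 2001:db8::10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 18 96\r\na=rtpmap:96 iLBC/8000\r\n"
    "m=video 51372 RTP/AVP 98\r\na=rtpmap:98 H264/90000\r\n"
)
```

Two details matter in practice: every Via header is copied back in order so the 488 retraces the request path, and a dynamic payload type that arrives without an a=rtpmap line is treated as unknown (reported as "pt96"-style) rather than silently let through, since the CSCF cannot apply policy to a codec it cannot name.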
SIP in IMS
Additional signaling information
- For example Cell-ID, Mobile Network/Country Code, Charging-IDs
- Transported in P-headers (private header extensions, RFC 3455)
Compression
- SIP compression is mandatory as the radio interface is a scarce resource
- Compression/decompression of SIP is performed by the UE and the P-CSCF
Authentication & integrity protection
- S-CSCF performs the authentication using AKA
- P-CSCF checks the integrity of messages received via the air interface
  using IPsec ESP
SIP based session management
SIP Architecture

(Figure: User Agent - Proxy Server - Proxy Server - User Agent, with a
Location Server, a Redirect Server and a Registrar Server attached to the
proxies.)
SIP Entities
User Agent
User Agent Client
User Agent Server
Proxy Server
Redirect Server
Registrar Server
SIP Message Types
Requests, sent from client to server:
- INVITE
- ACK
- REFER
- OPTIONS
- BYE
- CANCEL
- REGISTER
- SUBSCRIBE
- NOTIFY
- MESSAGE
SIP Message Types (Contd.)

Responses, sent from server to client, grouped by status code class:
- 1xx Provisional (e.g. 180 Ringing)
- 2xx Success
- 3xx Redirection
- 4xx Request failure
- 5xx Server failure
- 6xx Global failure
SIP Session Establishment and Call
Termination
SIP Call Redirection
Call Proxying
Instant messaging based on SIP

SIMPLE: IM protocol based on SIP
SIP promises interoperability between various IM vendors
SIP has unique user tracking features.
SIP addressing
IMS Security Challenges
Contents
Security Evolution of a new Architecture /
Protocol
Today: advanced mobile OSs, cellular viruses
Tomorrow: additional IMS services ????
3GPP IMS Security Specifications
Mobile to Mobile Security
GSM-SIP Security
Third Party Involvement increases
Today: Cellular Viruses
Skulls spreads via Bluetooth
Mosquito constantly sends SMSs to a premium service
Reasons for threat increase:
- Smartphone OSs are sophisticated, open platforms
- Multiple connectivity paths: MMS, Bluetooth, phone browsers (HTTP),
  infrared, mail
Reasons for threat reduction:
- Phones are not always connected
- Phones don't have server applications (unlike the Microsoft RPC service
  hit by the Blaster worm)
- Signature mechanisms are being developed
- Infection paths for attachments are not fully automatic: MMS and
  Bluetooth ask a question before opening an attachment
Tomorrow: IMS
IMS increases GPRS/UMTS connectivity:
- Mobile to mobile
- Mobile to ADSL/cable
- GPRS/UMTS mobile to CDMA2000 mobile
IMS introduces new protocols
IMS is always connected
IMS should not introduce server-like applications on the mobile
phones that are constantly listening for input
IMS involves third parties supplying content
IMS is a clear umbrella-type standard for cellular multimedia:
easier to protect, but much easier to attack
IMS operator backbone: new hacking targets
3GPP IMS Security Specifications

UMTS security is designed in multiple layers:
- Attachment level security
- Network level security (IP, PDP Context)
- IMS service level security (GSM-SIP Security)
Network level uses well-known IETF security: IKE & IPsec
- Authentication
- Encryption (optional)
- Data integrity
GSM-SIP security
IMS - Mobile to Mobile Security
3GPP did not account for it in the design; the GSMA identified the problem:
- IMS introduces mobile-to-mobile traffic.
- GPRS was not intended for that.
- The problem: it is difficult to control M2M traffic.
IMS - New Protocols - New Threats
IPv6
- IMS is a main driver of IPv6 deployment
- IPv6 Land attack
- Cisco IOS IPv6 heap overflow attack
Diameter, SCTP (Cx interface)
- Internal CSCF to HSS traffic is less exposed, but the data is very
  sensitive
Testing Types

1. Functional Testing
- check the functional blocks and the system's end-to-end functionalities
- typically carried out in a test plant
2. Conformance Test
- check the correct handling of compatibility, verifying protocols and
  procedures
3. Load & Capacity Testing
- check the performance declared by the supplier
- check correct working in limit load conditions
4. Live Testing
- check the correct handling of the system's functionalities in a real
  context
Scope of Testing

Verify the IMS core network through the usage of a set of reference
end-to-end scenarios (including roaming users) and the analysis of
signalling on the network interfaces that are involved: Gm, Cx, Mw,
Mi, Mj, Mk, Mg, Mn, Rf, Go.
Verify the conformity of the procedures to the standard.
Reduce the time to market of new network solutions.
P-CSCF discovery

End-to-End Methodology

(Figure: UE over Um to GERAN/BSS or UTRAN/RNC, Iu-PS to the SGSN, Gn to the
GGSN; the GGSN gives access to the DHCP and DNS servers and to the P-CSCF
(Gm, UE to P-CSCF); P-CSCF to I-CSCF and S-CSCF over Mw; I-CSCF and S-CSCF
to the HSS over Cx.)
IMS network configuration used only for testing the P-CSCF
discovery procedure.
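The P-CSCF discovery procedure tested above depends on the UE correctly decoding what DHCP hands it. As an added example (not code from the slides), the block below parses the two DHCPv6 options defined by RFC 3319 for SIP servers: option 21 (SIP Servers Domain Name List, RFC 1035 wire-format names without compression) and option 22 (SIP Servers IPv6 Address List). The option bytes are constructed; malformed input raises ValueError, since a DHCP answer is unauthenticated data from the access network and a UE must not act on a truncated or oversized option.

```python
"""P-CSCF discovery via DHCPv6: RFC 3319 options 21 and 22.

Added example, not from the slides. Option 21 carries SIP server domain names
in RFC 1035 wire format (no compression pointers), option 22 a list of 16-byte
IPv6 addresses. Sample option bytes are constructed below; malformed input
raises ValueError instead of being silently accepted.
"""
import ipaddress
import struct

OPTION_SIP_SERVER_D = 21   # SIP Servers Domain Name List
OPTION_SIP_SERVER_A = 22   # SIP Servers IPv6 Address List

def parse_options(data):
    """Yield (code, payload) for each DHCPv6 TLV option, checking every length against the buffer."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError(f"option {code} length {length} exceeds buffer")
        yield code, data[off:off + length]
        off += length

def parse_domain_list(payload):
    """Decode a sequence of uncompressed RFC 1035 names into a list of dotted domain names."""
    names, labels, off = [], [], 0
    while off < len(payload):
        ln = payload[off]
        off += 1
        if ln == 0:                       # end of one name
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if ln > 63:                       # 0xC0.. would be a compression pointer, not allowed here
            raise ValueError("invalid label length")
        if off + ln > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln
    if labels:
        raise ValueError("domain name not terminated")
    return names

def parse_address_list(payload):
    if len(payload) % 16:
        raise ValueError("address list is not a multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(payload[i:i + 16])) for i in range(0, len(payload), 16)]

def sip_servers(options_block):
    """Return {'domains': [...], 'addresses': [...]} collected from all SIP server options."""
    result = {"domains": [], "addresses": []}
    for code, payload in parse_options(options_block):
        if code == OPTION_SIP_SERVER_D:
            result["domains"].extend(parse_domain_list(payload))
        elif code == OPTION_SIP_SERVER_A:
            result["addresses"].extend(parse_address_list(payload))
    return result

def accepts(options_block):
    """True when the block parses cleanly; a UE should discard a reply that does not."""
    try:
        sip_servers(options_block)
        return True
    except ValueError:
        return False

def encode_domain(name):
    """Used only to build sample data: RFC 1035 wire format of one domain name."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def option(code, payload):
    """Used only to build sample data: one DHCPv6 TLV."""
    return struct.pack("!HH", code, len(payload)) + payload

# Constructed reply: one domain-name option carrying two names, one address option with one address.
SAMPLE_OPTIONS = (
    option(OPTION_SIP_SERVER_D,
           encode_domain("pcscf1.ims.example.net") + encode_domain("pcscf2.ims.example.net"))
    + option(OPTION_SIP_SERVER_A, ipaddress.IPv6Address("2001:db8:10::5").packed)
)
```

The domain names returned by option 21 still have to be resolved (RFC 3319 intends them to be fed into the NAPTR/SRV procedure), and nothing in this exchange authenticates the P-CSCF: that only happens later, when the REGISTER is protected by the keys agreed through AKA.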
Session Initiation & Control between different network operator

End-to-End Methodology

(Figure: originating network with UE1, P-CSCF1 and S-CSCF1; terminating
network with I-CSCF, S-CSCF2, P-CSCF2, HSS (Cx) and UE2; Mw between the
CSCFs, Um on the radio side.)
IMS configuration requiring two users located in different home
networks to test interoperability of session setup and control
procedures.
Type of Intrusions and General
annoyances.
Virus: spreads from computer to computer
SPAM: unwanted email
Denial of Service attack: send thousands of requests to a critical
machine.
How most attacks work.

- A vendor either finds, or has reported to it, an error in code. This
  code involves a vulnerability.
- The vendor alerts their users to the vulnerability and the patch (a
  computer word for a fix).
- Hackers learn of the vulnerability and write a program that exploits it.
- Some system managers ignore the patch.
- The attackers start scanning networks for computers that have not
  applied the patch.
- The fun begins.
Scanning

- All computers have a network address.
- TAMU for example uses the addresses 128.194.0.1 to 128.194.254.254
  (about 65,000 computers).
- A computer program is written that starts at 1 and goes to 65,000
  sequentially.
- Any time it finds a vulnerable computer it takes over the computer.
- The user may not even know that it is happening.
Protecting yourself and your computer -
Passwords
PASSWORD protection: this is first and foremost.
- NEVER use easy-to-guess passwords.
- NEVER share a password.
- NEVER write your password on a sticky note next to the screen.
- All passwords should include letters and numbers.
Protection by IMS, Campus and Internet

Virus protection: on most computers, or filtered at the server.
Firewall for critical computers: both at TAMU and four in Physical Plant.
SPAM filters: one on campus and one at Physical Plant.
Intrusion detection: on campus and through CERT (the Computer Emergency
Response Team coordination center at Carnegie Mellon University,
http://www.cert.org/).
Security Components

(Figure: Internet to the web server and the e-mail server behind the SPAM
filter; PPFS4 and the AssetWorks server on the campus LAN together with
staff workstations.)
Other Security TIPS

- Virus protection: set for frequent update.
- NEVER open attachments from unknown addresses (I don't open attachments
  from most known addresses).
- Most virus notices are hoaxes ("Do not ignore this warning, your mouse
  could explode"). Check with IMS.
- Use email rules (example).
- NEVER unsubscribe from a SPAM email.
- More applications are moving to WEB access for convenience. Be sure to
  work with IMS on security issues before you put info online.
Web Applications

Camera security http://165.91.187.68


Door Access
UPS power
Voice Mail Server
All Web Applications are reviewed by Lauri
Brender for Info Security and Lee McCleskey
for general security before we will put them
online.
3GPP IP Multimedia Subsystem (Release 5)

(Figure: the UA in the visited PS domain (RAN, SGSN, GGSN) sends
REGISTER/INVITE to the P-CSCF (visited), which forwards it over SIP-based
interfaces to the I-CSCF and S-CSCF (home); the SIP proxy servers obtain
authorisation and authentication information from the HSS over the
Diameter-based Cx interface.)
3GPP Release 5 Security

Packet Switched (PS) domain
- access security features retained from the 3GPP Release 99
  specifications
IP Multimedia Subsystem (IMS) domain
- new access security features to be specified
  - to protect the access link to the IMS domain
  - independent of underlying PS domain security features
- network domain security features to protect signalling links between
  network elements within the IMS domain
IP Multimedia Subsystem: Access Security

Draft 3GPP TS 33.203

(Figure: the Release 5 topology annotated with four steps:
1. Distribution of authentication information (HSS to S-CSCF)
2. Mutual authentication and session key agreement (UA and S-CSCF)
3. Session key distribution (S-CSCF to P-CSCF)
4. Protection of SIP signalling between UA and P-CSCF using the agreed
   session key)
IP Multimedia Subsystem: Network Domain Security

Draft 3GPP TS 33.210

(Figure: the Release 5 topology; signalling between network elements is
protected per hop using IPsec/IKE.)
Access Security: Authentication Principles

3GPP authentication protocol (3GPP AKA)
- based on a secret key stored in the UA's tamper-proof subscriber
  identity module (SIM) and in the HSS
- authentication check located in the S-CSCF
Working assumption is to authenticate only at SIP registration, with
on-demand re-authentication requiring re-registration.
Use SIP authentication rather than an outer layer protocol such as TLS
or IKE in order to minimise round trips.
Integration of Authentication Protocol into
DIAMETER and SIP

Distribution of authentication information to the S-CSCF using DIAMETER
- distribution of authentication vectors for 3GPP AKA
Integration of the authentication protocol into SIP registration
- 3GPP AKA protocol between UA and S-CSCF
- distribution of session key to P-CSCF
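How the AKA challenge and response are actually carried inside SIP registration was later fixed by RFC 3310 (HTTP Digest AKAv1-MD5) and TS 33.203: the S-CSCF answers the first REGISTER with 401 Unauthorized whose Digest nonce is base64(RAND || AUTN), the UE hands RAND and AUTN to the ISIM, and the RES the ISIM returns becomes the Digest password. The block below is an added example, not code from the slides or the specifications: RAND, AUTN and RES are constructed byte strings (a real ISIM derives RES from the shared key K), and the realm, user name, URIs and cnonce are example values.

```python
"""Carrying 3GPP AKA inside SIP registration: HTTP Digest AKAv1-MD5 (RFC 3310).

Added example, not from the slides. The S-CSCF challenges with a 401 whose
nonce is base64(RAND || AUTN); the UE extracts RAND/AUTN for the ISIM and uses
the RES it gets back as the Digest password. RAND, AUTN and RES are constructed
values here (a real ISIM derives RES from the shared key K); realm, user and
URIs are example names.
"""
import base64
import hashlib
import hmac
import re

def md5_hex(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def make_challenge(realm, rand, autn):
    """S-CSCF side: WWW-Authenticate value for the 401 Unauthorized."""
    nonce = base64.b64encode(rand + autn).decode()
    return f'Digest realm="{realm}", nonce="{nonce}", algorithm=AKAv1-MD5, qop="auth"'

def parse_params(header):
    """Turn the name=value / name="value" list of a Digest header into a dict."""
    body = header.split(" ", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}

def split_nonce(nonce):
    """UE side: recover RAND (16 bytes) and AUTN (16 bytes) from the nonce."""
    raw = base64.b64decode(nonce)
    if len(raw) < 32:
        raise ValueError("AKA nonce too short")
    return raw[:16], raw[16:32]

def digest_response(params, method, uri, username, res, cnonce, nc="00000001"):
    """RFC 2617 response with the binary RES as the password (RFC 3310 section 3)."""
    ha1 = hashlib.md5(f"{username}:{params['realm']}:".encode() + res).hexdigest()
    ha2 = md5_hex(method, uri)
    return md5_hex(ha1, params["nonce"], nc, cnonce, params["qop"], ha2)

def ue_answer(challenge, isim, username, uri, cnonce):
    """UE side: pull RAND/AUTN out of the nonce, ask the ISIM for RES, build Authorization."""
    p = parse_params(challenge)
    rand, autn = split_nonce(p["nonce"])
    res = isim(rand, autn)              # on a phone this is the ISIM's AUTHENTICATE command
    resp = digest_response(p, "REGISTER", uri, username, res, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}", '
            f'algorithm=AKAv1-MD5')

def verify_authorization(auth_header, expected_nonce, xres):
    """S-CSCF side: recompute with the XRES from the HSS; the nonce must be the one we issued."""
    p = parse_params(auth_header)
    if p.get("nonce") != expected_nonce:
        return False
    expected = digest_response(p, "REGISTER", p["uri"], p["username"], xres, p["cnonce"], p["nc"])
    return hmac.compare_digest(expected, p.get("response", ""))

def registration_exchange(rand, autn, res, xres, cnonce="0a4f113b"):
    """Challenge -> response -> check; returns (Authorization header, accepted)."""
    challenge = make_challenge("ims.example.net", rand, autn)
    isim = lambda _rand, _autn: res                    # constructed ISIM answer for this RAND
    auth = ue_answer(challenge, isim, "alice@ims.example.net", "sip:ims.example.net", cnonce)
    return auth, verify_authorization(auth, parse_params(challenge)["nonce"], xres)
```

Note that the deck's draft figure mentions a 407 challenge; the published RFC 3310 and TS 33.203 use 401 with WWW-Authenticate, which is what this example emits. RFC 3310 also defines an `auts` parameter for the case where the ISIM reports a sequence-number synchronisation failure; that resynchronisation path is not shown here.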
Possible Information Flow for Authentication and Session Key Establishment (from draft
3GPP TS 33.203)

(Figure: message sequence chart; the challenge is annotated "changed to 407
Proxy Authentication Required", and the S-CSCF/HSS exchanges are Cx-Put and
Cx-Pull.)
Access Security: Security Mode Establishment between
UA and P-CSCF

Determines when to start applying protection and which algorithm to use
- includes secure algorithm negotiation
Uses the session key derived during authentication
Integration into SIP registration with no new round trips
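The "secure algorithm negotiation" folded into registration became RFC 3329 (Security-Client, Security-Server and Security-Verify headers), and the security of the scheme rests on one check: the UE repeats the server's list verbatim inside the protected REGISTER, so a downgrade of the list on the air interface is detected. The following is an added example, not code from the slides or the RFC: q-values, SPIs and ports are constructed, and mechanism names follow TS 33.203/TS 24.229 (ipsec-3gpp) and RFC 3329 (digest).

```python
"""Security mode set-up between UE and P-CSCF: the RFC 3329 security agreement.

Added example, not from the slides. The UE announces what it supports in
Security-Client, the P-CSCF answers with Security-Server, each side picks the
highest-preference mechanism both support, and the UE repeats the server's
list in Security-Verify inside the now-protected REGISTER. An attacker who
strips the strong mechanisms out of Security-Server is caught at that last
step. q-values, SPIs and ports are constructed.
"""

def parse_mechanisms(header):
    """'ipsec-3gpp;q=0.9;alg=hmac-sha-1-96, digest;q=0.1' -> [(name, q, {param: value})]."""
    mechanisms = []
    for item in header.split(","):
        name, *params = [part.strip() for part in item.split(";")]
        kv = dict(param.split("=", 1) for param in params)
        q = float(kv.pop("q", "1.0"))        # RFC 3329: an absent q means preference 1.0
        mechanisms.append((name, q, kv))
    return mechanisms

def format_mechanisms(mechanisms):
    return ", ".join(";".join([name, f"q={q}"] + [f"{k}={v}" for k, v in kv.items()])
                     for name, q, kv in mechanisms)

def choose(client, server):
    """Highest-q mechanism in the server list that the client also offered; None without overlap."""
    offered = {name for name, _, _ in client}
    common = [(q, name) for name, q, _ in server if name in offered]
    return max(common)[1] if common else None

class PCSCF:
    # Constructed server side: IPsec ESP with HMAC-SHA-1-96 preferred, digest as a last resort.
    SUPPORTED = [("ipsec-3gpp", 0.9, {"alg": "hmac-sha-1-96", "spi-c": "7001", "spi-s": "7002",
                                       "port-c": "5062", "port-s": "5063"}),
                 ("digest", 0.1, {})]

    def __init__(self):
        self.security_server_sent = None
        self.chosen = None

    def on_unprotected_register(self, security_client):
        """First REGISTER (no protection yet): record our choice and return Security-Server."""
        self.chosen = choose(parse_mechanisms(security_client), self.SUPPORTED)
        self.security_server_sent = format_mechanisms(self.SUPPORTED)
        return self.security_server_sent

    def on_protected_register(self, security_verify):
        """Second REGISTER: Security-Verify must repeat exactly what we sent, else 494."""
        if parse_mechanisms(security_verify) != parse_mechanisms(self.security_server_sent):
            return "494 Security Agreement Required"   # list altered in transit: bidding-down attempt
        return "200 OK"

class UE:
    SECURITY_CLIENT = ("ipsec-3gpp;q=0.9;alg=hmac-sha-1-96;spi-c=1001;spi-s=1002;"
                       "port-c=5100;port-s=5101, digest;q=0.1")

    def negotiate(self, pcscf, tamper=None):
        """Run both REGISTERs; `tamper` models an attacker rewriting Security-Server on its way down."""
        security_server = pcscf.on_unprotected_register(self.SECURITY_CLIENT)
        received = tamper(security_server) if tamper else security_server
        chosen = choose(parse_mechanisms(self.SECURITY_CLIENT), parse_mechanisms(received))
        # Security-Verify carries the Security-Server list exactly as the UE received it.
        return chosen, pcscf.on_protected_register(received)
```

The comparison works only because the second REGISTER is integrity-protected with the keys from AKA: the attacker can rewrite the unprotected first exchange, but cannot rewrite the echoed list without breaking the protection the UE has already applied.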
Access security: Protection of SIP signalling between
UA and P-CSCF

Integrity protection of SIP signalling between UA and P-CSCF
- uses the session key derived during authentication
- symmetric scheme because of efficiency concerns
- candidate mechanisms include modified CMS and ESP
IP Multimedia Subsystem:
Access Security Documentation

                         3GPP                                     IETF
High level architecture  TS 23.228 (SA2), TS 33.203 (SA3),        SIPPING WG
                         other specs, e.g. AKA (SA3)
Protocol detail          TS 24.228, TS 24.229 (CN1);              AAA, PPPEXT, IPsec, ...
                         TS 29.228, TS 29.229 (CN4)
Authentication and Key Agreement Protocol (3GPP
AKA)

(Figure: message flow between ISIM/UA, S-CSCF and HSS:
 S-CSCF -> HSS: authentication vector request
 HSS -> S-CSCF: authentication vector response
 S-CSCF -> UA: authentication request
 UA -> S-CSCF: authentication response
 S-CSCF -> P-CSCF: distribution of session key)
- Three-party protocol
- Two-pass mutual authentication protocol between UA and S-CSCF
- Each authentication vector is good for one authentication
- Authentication vectors can be distributed in batches to minimise
  signalling/load on the HSS
Other IP Multimedia Subsystem Security Issues (1)

Hide the caller's public ID from the called party
- by encrypting the Remote-Party-ID header at the caller's S-CSCF and
  decrypting it at the same S-CSCF
- is there a requirement to hide callers' IP addresses that are
  dynamically assigned?
Network configuration hiding
- mechanism being developed to hide the host domain names of CSCFs and
  the number of CSCFs within one operator's network
Other IP Multimedia Subsystem Security Issues (2)

Session transfer
- guidance on security aspects based on the GSM call transfer feature
- authorisation and accounting of the transferred leg needs to involve
  the transferring party, who has dropped out of the session
- should there be a limit to the number of transferred sessions?
- should the final destination be hidden from the calling party?
Security aspects of other IP multimedia subsystem services?
End-to-end security
References

- Draft 3GPP TS 33.203, Access security for IP-based services (Release 5).
- Draft 3GPP TS 33.210, Network domain security; IP network layer security (Release 5).
- J. Arkko and H. Haverinen, EAP AKA Authentication, draft-arkko-pppext-aka-00.txt.
- V. Torvinen, J. Arkko, A. Niemi, HTTP Authentication with EAP, draft-torvinen-http-eap-00.txt (to appear).
- L. Blunk, J. Vollbrecht, PPP Extensible Authentication Protocol (EAP), RFC 2284.
- P. Calhoun et al., DIAMETER NASREQ Extensions, draft-ietf-aaa-diameter-nasreq-06.txt.
Is IMS increasing the threats for cellular
security?
QUESTIONS???
