IP Multimedia Subsystem
IMS
Rajkiran Velluri
Rahul Allawadhi
Rahul Parey
Santosh Kandukuri
History of IMS

IMS first appeared in 3GPP Release 5 of the evolution from 2G to 3G
networks for W-CDMA (UMTS) networks, when a SIP-based multimedia
domain was added to NGN networks. Support for older GSM and GPRS
networks is also provided.
In 3GPP Release 6, interworking with WLAN was added.
3GPP Release 7 adds support for fixed networks, together with TISPAN,
and adopted a more generalized model able to address a wider variety
of network and service requirements. This overall architecture is
based upon the concept of cooperating subsystems sharing common
components. This subsystem-oriented architecture enables the addition
of new subsystems over time to cover new demands and service classes.
"Early IMS" was defined for IPv4 networks, and provides a migration
path to IPv6.
Cellular Networks

1G - Used analog transmission and provided only circuit switched
voice telephony
2G - Fully digital. Offered both voice & CS data services
2.5G - Addition of Packet Switched Data services to 2G networks
3G - Provide (or try to) all services over PS (including voice telephony)
IP Multimedia Subsystem (IMS)

The IP Multimedia Subsystem standard defines a generic
architecture for offering VoIP and multimedia services.
Internationally recognized standard first specified by the
3GPP (3rd Generation Partnership Project).
Supports multiple access types: GSM, WCDMA, CDMA2000,
wireline broadband access and WLAN.
Established with the aim of allowing UMTS networks to
provide all of their services over IP on an end-to-end basis.
Concept of the IP Multimedia Subsystem (IMS)
The IP Multimedia Subsystem is an open, standardized, NGN multi-media
architecture for mobile and fixed IP-based services. It's a VoIP
implementation based on a 3GPP variant of SIP (Session Initiation Protocol),
and runs over the standard Internet protocol. It's used by Telcos in NGN
networks (which combine voice and data in a single packet switched
network),to offer network controlled multimedia services.
The aim of IMS is not only to provide new services but to provide all the
services, current and future, that the Internet provides. In addition, users
have to be able to execute all their services when roaming as well as
from their home networks. To achieve these goals the IMS uses open
standard IP protocols, defined by the IETF.
Concept of the IP Multimedia Subsystem (IMS)
So, a multi-media session between 2 IMS users,
between an IMS user and a user on the Internet,
and between 2 users on the Internet is established
using exactly the same protocol. Moreover, the
interfaces for service developers are also based in
IP protocols. This is why the IMS truly merges the
Internet with the cellular world; it uses cellular
technologies to provide ubiquitous access and
Internet technologies to provide appealing services.
IMS concept
The IMS concept was introduced to address the following network and user
requirements:
• Deliver person-to-person real-time IP-based multimedia communications
(e.g. voice or video telephony) as well as person-to-machine communications
(e.g. gaming service).
• Fully integrate real-time with non-real-time multimedia communications
(e.g. live streaming and chat).
• Enable different services and applications to interact (e.g. combined use
of presence and instant messaging).
• Easy user setup of multiple services in a single session or multiple
simultaneous synchronized sessions.
IMS solution overview
Source: Alcatel
IMS Standards

• 3GPP and 3GPP2 (3rd Generation Partnership Project / 3rd Generation
Partnership Project 2)
Have both defined the IP Multimedia Subsystem (IMS).
The harmonization effort has kept the definitions as similar as possible.
• IETF - Internet Engineering Task Force
Provides the definitions for SIP, SDP and other protocols underlying IMS.
IMS is driving some of the work in IETF.
• OMA - Open Mobile Alliance
Defining services for the IMS architecture, e.g. Instant Messaging, Push-to-Talk.
• ITU - International Telecommunication Union
Provides protocol definitions used by IMS: H.248 for media control,
Q.1912.SIP for SIP - ISUP interworking (in conjunction with IETF).
• ETSI - European Telecommunications Standards Institute
TISPAN is the merger of TIPHON (VoIP) and SPAN (fixed networks).
Agreement on reuse of 3GPP/3GPP2 IMS in comprehensive NGN plans.
• ANSI - American National Standards Institute
Provides protocol definitions used by IMS.
• ATIS - Alliance for Telecommunications Industry Solutions
Addressing end-to-end solutions over wireline and wireless.
Nearing agreement to use 3GPP/3GPP2 IMS.
IMS GOALS

• Support of real-time IP-based multimedia communication services
(VoIP, video conferencing etc.). This implies that IMS will replace
the CS domain of a UMTS network, providing all the traditional CS
services over IP, in the PS domain.
• Provide the ability for services to interact, so that users may
combine different services in one session, e.g. group conferencing.
Characteristics of IMS





Takes the concept of horizontal architecture a step further where
service enablers and common functions can be reused for
multiple applications
Well integrated with existing voice and data networks adopting
many of the key benefits of the IT domain
Horizontal architecture specifies interoperability and roaming,
and provides bearer control, charging and security
IMS enables services to be delivered in a standardized, well
structured manner
The horizontal architecture enables operators to avoid the
problems associated with charging, presence, group and list
management, routing and provisioning.
Advantages of IMS









Advantages over other existing systems:
The core network is independent of a particular access technology
Integrated mobility for all network applications
Easier migration of applications from fixed to mobile users
Faster deployment of new services based on standardized architecture
An end to unique or customized applications
New applications such as presence information, videoconferencing,
Push to talk over cellular (POC), multiparty gaming, community services
and content sharing.
Evolution to combinational services, for example by combining instant
messaging and voice
User profiles are stored in a central location
Advantages of IMS





Advantages over free VoIP:
It's possible to run free VoIP applications over the regular Internet. Then why do
we need IMS, if all the power of the Internet is already available for 3G users?
Quality of Service : The network offers no guarantees about the amount of
bandwidth a user gets for a particular connection or about the delay the packets
experience. Consequently, the quality of a VoIP conversation can vary
dramatically throughout its duration.
Charging of multimedia services : Videoconferences can transfer a large amount
of information, but the telecom operator can't charge separately for this data.
Some business models might be more beneficial for the user (for instance: a
fixed price per message, not per byte); others might charge extra for better QoS.
Integration of different services : an operator can use services developed by
third parties, combine them, integrate them with services they already have, and
provide the user with a completely new service. For example: if voicemail and
text-to-speech are combined, a voice version of incoming text messages can be
provided for blind users.
IMS SERVICES & ARCHITECTURE



These basic services can be controlled by external Application
Servers (AS) so as to provide various applications.
For example, IMS does not itself offer a conferencing or chat room
service. It provides:
- point-to-point and point-to-multipoint transmission facilities
- group management facilities
- the ability for an external AS to control the group communication
IMS SERVICES & ARCHITECTURE

To maximize flexibility, IMS organizes its functionality in three
layers.
IMS SERVICES & ARCHITECTURE



Transport & Endpoint Layer: initiates & terminates the signaling
needed to set up & control sessions, and provides bearer services
between the endpoints. Media gateways are provided to convert
from/to analog/digital voice telephony formats to/from IP packets
using RTP. IMS signaling is based on SIP on top of IPv6.
Session Control Layer: provides the functionality that allows
endpoints to be registered with the network and sessions to be
set up between them. It also contains the functions that control the
media gateways and servers so as to provide the requested
services.
Application Server Layer: allows sessions to interact with
various AS entities. In this layer multiple sessions may be
coordinated to provide a single application.
IMS SERVICES & ARCHITECTURE

Support a wide range of services, both telephony & non-telephony
oriented. All these services are provided over IP, end-to-end. Some
of them are the following:
Voice & video telephony
Instant Messaging
Chat Rooms
Video Conferencing
Multiparty Gaming
BROADVIEW OF IMS ARCHITECTURE

The IP Multimedia Core Network Subsystem is a collection of
different functions, linked by standardized interfaces. A function is
not a node (hardware box) : an implementer is free to combine 2
functions in 1 node, or to split a single function into 2 or more nodes.
Each node can also be present multiple times in a network, for load
balancing or organizational issues.
BROADVIEW OF IMS ARCHITECTURE

Access Network

The user can connect to an IMS network using various methods, all
of which are using the standard Internet Protocol (IP).
Direct IMS terminals can register directly into an IMS network.
Fixed access, mobile access and wireless access are all supported.


BROADVIEW OF IMS ARCHITECTURE

User Database

The HSS (Home Subscriber Server) is the master user database
that supports the IMS network entities that are actually handling the
calls/sessions.
It contains the subscription-related information, performs
authentication and authorization of the user, and can provide
information about the physical location of user.
A SLF (Subscriber Location Function) is needed when multiple
HSSs are used.


BROADVIEW OF IMS ARCHITECTURE

Call/Session Control
Several types of SIP servers, collectively known as CSCFs, are
used to process SIP signaling packets in the IMS:
1) P-CSCF (Proxy-CSCF)
2) I-CSCF (Interrogating-CSCF)
3) S-CSCF (Serving-CSCF)
BROADVIEW OF IMS ARCHITECTURE
Call/Session Control
1) P-CSCF (Proxy-CSCF)

It is a SIP proxy that is the first point of contact for the IMS
terminal.
It can be located either in the visited network or in the home
network.
The terminal discovers its P-CSCF either with DHCP or through the
address assigned during PDP context activation (in GPRS).
Because every SIP message from the terminal passes through it, the
P-CSCF is also where access security (the IPsec integrity protection
described later) terminates.
BROADVIEW OF IMS ARCHITECTURE





Call/Session Control
2) I-CSCF (Interrogating-CSCF)
It is a SIP proxy located at the edge of an administrative domain.
Its IP address is published in the DNS records of the domain, so
that remote servers can find it and use it as an entry point for all
SIP packets to this domain.
The I-CSCF queries the HSS using the DIAMETER Cx and Dx
interfaces to retrieve the user location, and then routes the SIP
request to its assigned S-CSCF.
It can also be used to hide the internal network from the outside
world, in which case it is called a THIG (Topology Hiding
Inter-network Gateway).
BROADVIEW OF IMS ARCHITECTURE
Call/Session Control
3) S-CSCF (Serving-CSCF)

It is the central node of the signaling plane.
It is a SIP server, but performs session control as well.
It is always located in the home network. The S-CSCF uses the
DIAMETER Cx and Dx interfaces to the HSS to download and
upload user profiles.
It has no local persistent storage of user data.
BROADVIEW OF IMS ARCHITECTURE

Application Servers

Application servers (AS) host and execute services, and interface
with the S-CSCF using SIP.
Depending on the actual service, the AS can operate in SIP proxy
mode, SIP UA (user agent) mode or SIP B2BUA (back-to-back user agent) mode.
An AS can be located in the home network or in an external third-party network.


BROADVIEW OF IMS ARCHITECTURE




Media Servers
A MRF (Media Resource Function) provides a source of media in
the home network.
It is used for playing of announcements, multimedia conferencing,
text-to-speech conversion (TTS) and speech recognition, and real
time transcoding of multimedia data.
Each MRF is further divided into:
1) A MRFC (Media Resource Function Controller) is a signalling
plane node that acts as a SIP User Agent to the S-CSCF, and which
controls the MRFP with a H.248 interface.
2) A MRFP (Media Resource Function Processor) is a media plane
node that implements all media-related functions.
BROADVIEW OF IMS ARCHITECTURE



Breakout Gateway
A BGCF (Breakout Gateway Control Function) is a SIP server that
includes routing functionality based on telephone numbers.
It's only used when calling from the IMS to a phone in a circuit
switched network, such as the PSTN or the PLMN.
BROADVIEW OF IMS ARCHITECTURE





PSTN Gateways
A PSTN/CS gateway interfaces with PSTN circuit switched (CS)
networks.
A SGW (Signalling Gateway) interfaces with the signalling plane of
the CS network. It transforms lower layer protocols such as SCTP/IP
into MTP, to pass ISUP from the MGCF to the CS network.
A MGCF (Media Gateway Controller Function) does call control
protocol conversion between SIP and ISUP, and interfaces with the
SGW over SCTP.
A MGW (Media Gateway) interfaces with the media plane of the CS
network, by converting between RTP and PCM.
BROADVIEW OF IMS ARCHITECTURE




Charging
Definitions: Offline charging is applied to users who pay for their
services periodically, whereas online charging is credit-based
charging applied to users who pay in advance, as used for prepaid
services.
Offline charging : all the SIP network entities involved in the
session use the DIAMETER Rf interface to send accounting
information to a CCF (Charging Collector Function) located in the
same domain. The CCF collects all this information and builds a CDR
(Charging Data Record), which is sent to the billing system (BS) of
the domain.
Online charging : the S-CSCF talks to a SCF (Session Charging
Function), which looks like a regular SIP application server. The
SCF can signal the S-CSCF to terminate the session when the user
runs out of credit during a session. The AS and MRFC use the
DIAMETER Ro interface towards an ECF (Event Charging Function),
which also communicates with the SCF.
BROADVIEW OF IMS ARCHITECTURE





Issues
Benefits need to be further articulated in terms of actual savings.
IMS is "operator friendly" which means that it provides the operator
with comprehensive control of content at the expense of the
consumer.
IMS uses the 3GPP variant of SIP, which needs to interoperate with
the IETF SIP.
IMS is an optimization of the network, and investments for such
optimization are questionable.
BROADVIEW OF IMS ARCHITECTURE

Associated Protocols

RFC 1889 Real-time Transport Protocol (RTP)
RFC 2327 Session Description Protocol (SDP)
RFC 2748 Common Open Policy Server protocol (COPS)
RFC 2782 a DNS RR for specifying the location of services (SRV)
RFC 2806 URLs for telephone calls (TEL)
RFC 2915 the naming authority pointer DNS resource record (NAPTR)
RFC 2916 E.164 number and DNS
RFC 3261 Session Initiation Protocol (SIP)
RFC 3262 reliability of provisional responses (PRACK)
RFC 3263 locating SIP servers
RFC 3264 an offer/answer model with the Session Description Protocol
RFC 3310 HTTP Digest Authentication using Authentication and Key Agreement (AKA)
RFC 3311 UPDATE method
RFC 3312 integration of resource management and SIP
RFC 3319 DHCPv6 options for SIP servers
RFC 3320 signalling compression (SigComp)
RFC 3323 a privacy mechanism for SIP
RFC 3324 short term requirements for network asserted identity
RFC 3325 private extensions to SIP for asserted identity within trusted networks
RFC 3326 the Reason header field
RFC 3327 extension header field for registering non-adjacent contacts (Path header)
RFC 3329 security mechanism agreement
RFC 3455 private header extensions for SIP
RFC 3485 SIP and SDP static dictionary for signaling compression
RFC 3574 Transition Scenarios for 3GPP Networks
RFC 3588 DIAMETER base protocol
RFC 3589 DIAMETER command codes for 3GPP Release 5 (informational)
RFC 3608 extension header field for service route discovery during registration
RFC 3680 SIP event package for registrations
RFC 3824 using E.164 numbers with SIP

Several of these have since been obsoleted: RFC 1889 by RFC 3550, RFC 2327
by RFC 4566, RFC 2806 by RFC 3966, RFC 2915 by RFC 3401-3404, RFC 2916 by
RFC 3761, RFC 3455 by RFC 7315 and RFC 3588 by RFC 6733.
Session Initiation Protocol - SIP

SIP is the core protocol for initiating, managing and
terminating sessions on the Internet.
These sessions may be text, voice, video or a
combination of these.
SIP sessions involve one or more participants and
can use unicast or multicast communication.
Session Initiation Protocol - SIP

Provides call control for multi-media services:
• initiation, modification, and termination of sessions
• terminal-type negotiation and selection
• call holding, forwarding, forking, transfer
• media type negotiation (also mid-call changes) using the Session
Description Protocol (SDP)
Provides personal mobility support
Independent of transport protocols (TCP, UDP, SCTP, ...)
ASCII format SIP headers
Separation of call signalling and data stream
Application types/examples:
• Interactive Voice over IP (VoIP)
• Multimedia conferences (multi-party, e.g. voice & video)
• Instant messaging
• Presence service
• Support of location-based services
SIP in IMS

Mandatory existence of P-CSCF as first point of contact
Network initiated call release (e.g. due to missing coverage or
administrative reasons)
• Proxies are able to send BYE
Network control of media types
• P/S-CSCF checks the SDP in the SIP body
• If the SDP contains invalid parameters (e.g. unsupported
codecs), the P/S-CSCF rejects the SIP request by sending a 488
("Not Acceptable Here") response that contains an SDP body
indicating the parameters that would be acceptable to the network
Network hiding (encryption of Route and Via headers)
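The media-type control described above, as an added example that is not part of the original slides: a P/S-CSCF-style check of the SDP offer in an INVITE against an operator codec policy, answering 488 Not Acceptable Here with an SDP body listing what the network would accept. The INVITE is a constructed sample, ALLOWED_CODECS is an assumed operator policy, and the function names (check_media_policy and the helpers) are this example's own, not 3GPP or any product's API.

```python
"""Added example, not from the original slides: the media-policy check that a
P-CSCF/S-CSCF applies to the SDP offer in an INVITE, answering 488 with the
subset of the offer the network would accept. The INVITE is a constructed
sample and ALLOWED_CODECS is an assumed operator policy, not a 3GPP value."""
from dataclasses import dataclass, field

ALLOWED_CODECS = {"audio": {"AMR", "AMR-WB", "telephone-event"},   # assumed policy
                  "video": {"H263-2000", "H264"}}
STATIC_PAYLOAD_TYPES = {"0": "PCMU", "8": "PCMA"}   # RFC 3551 PTs valid without rtpmap

SAMPLE_INVITE = (   # constructed: AMR + DTMF + PCMU audio, H.263 + MPEG-4 video
    "INVITE sip:bob@home2.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [5555::aaa:bbb:ccc:ddd]:1357;branch=z9hG4bKnashds7\r\n"
    "From: <sip:alice@home1.example>;tag=171828\r\n"
    "To: <sip:bob@home2.example>\r\n"
    "Call-ID: cb03a0s09a2sdfglkj490333\r\n"
    "CSeq: 127 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 2987933615 2987933615 IN IP6 5555::aaa:bbb:ccc:ddd\r\ns=-\r\n"
    "c=IN IP6 5555::aaa:bbb:ccc:ddd\r\nt=0 0\r\n"
    "m=audio 3456 RTP/AVP 97 96 0\r\n"
    "a=rtpmap:97 AMR/8000\r\na=fmtp:97 mode-set=0,2,5,7\r\n"
    "a=rtpmap:96 telephone-event/8000\r\na=rtpmap:0 PCMU/8000\r\n"
    "m=video 3458 RTP/AVP 98 99\r\n"
    "a=rtpmap:98 H263-2000/90000\r\na=rtpmap:99 MP4V-ES/90000\r\n"
)

@dataclass
class MediaSection:
    kind: str                                   # "audio", "video", ...
    port: str
    proto: str                                  # e.g. "RTP/AVP"
    payloads: list                              # payload types, offerer's preference order
    rtpmap: dict = field(default_factory=dict)  # PT -> "NAME/rate[/params]"
    attrs: list = field(default_factory=list)   # remaining a= lines, verbatim

    def codec(self, pt):
        return self.rtpmap.get(pt, STATIC_PAYLOAD_TYPES.get(pt, "unknown")).split("/")[0]

def split_sip(message):
    """SIP message -> (start line, [(header name, value)], body)."""
    head, _, body = message.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in header_lines)]
    return start_line, headers, body

def parse_sdp(sdp):
    """SDP body -> (session-level lines, [MediaSection])."""
    session_lines, sections = [], []
    for line in filter(None, sdp.splitlines()):
        if line.startswith("m="):
            kind, port, proto, *pts = line[2:].split()
            sections.append(MediaSection(kind, port, proto, pts))
        elif not sections:
            session_lines.append(line)
        elif line.startswith("a=rtpmap:"):
            pt, _, mapping = line[len("a=rtpmap:"):].partition(" ")
            sections[-1].rtpmap[pt] = mapping
        else:
            sections[-1].attrs.append(line)
    return session_lines, sections

def acceptable_payloads(section):
    allowed = ALLOWED_CODECS.get(section.kind, set())
    return [pt for pt in section.payloads if section.codec(pt) in allowed]

def acceptable_sdp(session_lines, sections):
    """Rebuild the offer with only policy-approved payload types. A stream with
    nothing acceptable is declined with port 0 (an m= line must keep one format)."""
    out = list(session_lines)
    for sec in sections:
        keep = acceptable_payloads(sec)
        out.append(f"m={sec.kind} {sec.port if keep else '0'} {sec.proto} "
                   + " ".join(keep or sec.payloads[:1]))
        out += [f"a=rtpmap:{pt} {sec.rtpmap[pt]}" for pt in keep if pt in sec.rtpmap]
        for attr in sec.attrs:   # drop fmtp of payload types we removed, keep the rest
            if attr.startswith("a=fmtp:") and attr[len("a=fmtp:"):].split()[0] not in keep:
                continue
            out.append(attr)
    return "\r\n".join(out) + "\r\n"

def check_media_policy(invite):
    """None if the offer is acceptable (the proxy forwards the INVITE), otherwise
    (violations, 488 response text) for the proxy to send back to the UE."""
    _, headers, body = split_sip(invite)
    session_lines, sections = parse_sdp(body)
    violations = [(sec.kind, sec.codec(pt)) for sec in sections
                  for pt in sec.payloads if pt not in acceptable_payloads(sec)]
    if not violations:
        return None
    sdp = acceptable_sdp(session_lines, sections)
    # A proxy-generated response copies Via, From, To, Call-ID and CSeq from the request.
    copied = [f"{n}: {v}" for n, v in headers if n in ("Via", "From", "To", "Call-ID", "CSeq")]
    response = ("SIP/2.0 488 Not Acceptable Here\r\n" + "\r\n".join(copied)
                + "\r\nContent-Type: application/sdp\r\n"
                + f"Content-Length: {len(sdp.encode())}\r\n\r\n" + sdp)
    return violations, response
```

Run check_media_policy(SAMPLE_INVITE): PCMU and MP4V-ES are outside the assumed policy, so the proxy returns a 488 whose SDP keeps AMR, telephone-event and H.263 only; a re-sent INVITE offering just those passes and is forwarded. The check is the simplified per-codec form; a real P-CSCF also polices bandwidth and transport parameters.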
SIP in IMS

Additional signaling information
• For example Cell-ID, Mobile Network/Country Code,
Charging-IDs
• Information transported in a P-header based solution
Compression
• SIP compression is mandatory as the radio interface is a
scarce resource
• Compression / decompression of SIP is performed by
the UE and the P-CSCF
Authentication & integrity protection
• S-CSCF performs the authentication using AKA
• P-CSCF checks the integrity of messages received via the
air interface via IPsec ESP
SIP based session management
SIP Architecture (figure): User Agents communicate through Proxy
Servers; the Proxy, Redirect and Registrar Servers consult a Location
Server.
SIP Entities

• User Agent
- User Agent Client
- User Agent Server
• Proxy Server
• Redirect Server
• Registrar Server
SIP Message Types
Requests - sent from client to server
• INVITE
• ACK
• REFER
• OPTIONS
• BYE
• CANCEL
• REGISTER
• SUBSCRIBE
• NOTIFY
• MESSAGE
SIP Message Types (Contd.)
Responses - sent from server to the client
• Provisional (1xx)
• Success (2xx)
• Redirection (3xx)
• Request failure (4xx)
• Server failure (5xx)
• Global failure (6xx)
SIP Session Establishment and Call
Termination
SIP Call Redirection
Call Proxying
Instant messaging based on SIP

• SIMPLE - IM protocol based on SIP
• SIP promises interoperability between various IM vendors
• SIP has unique user tracking features.
SIP addressing
IMS - Security Challenges
Contents

• Security evolution of a new architecture / protocol
- Today: advanced mobile OSs, cellular viruses
- Tomorrow: additional IMS services ????
• 3GPP IMS security specifications
• Mobile to mobile security
• GSM-SIP security
• Third party involvement increases
Today: Cellular Viruses

• SKULLS - infects by Bluetooth
• Mosquito - constantly sends SMSs to a premium service
Reasons for threat increase:
- Smartphone OSs are sophisticated, open platforms
- Multi connectivity: MMS, Bluetooth, phone browsers (HTTP), infrared, mail
Reasons for threat reduction:
- Phones are not "always connected"
- Phones don't have server applications (like Microsoft RPC - Blaster worm)
- Signature mechanisms are being developed
- Infection paths for attachments are not fully automatic: MMS, Bluetooth -
a question is asked before opening an attachment
Tomorrow: IMS

• IMS increases GPRS/UMTS connectivity:
- Mobile to mobile
- Mobile to ADSL/cable
- GPRS/UMTS mobile to CDMA-2000 mobile
• IMS introduces new protocols
• IMS - always connected
- IMS should not introduce "server"-like applications on the mobile
phones that are constantly listening for input
• IMS involves third parties supplying content
• IMS is a clear "umbrella" type standard for cellular multimedia:
easier to protect, but ..... much easier to attack
• IMS operator backbone - new "hacking targets"
3GPP IMS Security Specifications

• UMTS security is designed in multiple layers
- Attachment level security
- Network level security (IP, PDP Context)
- IMS service level security (GSM-SIP security)
• Network level uses well-known IETF security: IKE & IPsec
- Authentication
- Encryption (optional)
- Data integrity
GSM-SIP security
IMS - Mobile to Mobile Security

• 3GPP did not account for it in the design;
GSMA identified the problem:
IMS introduces mobile to mobile traffic.
GPRS was not intended for that.
• The problem: it is difficult to control M2M traffic.
IMS - New Protocols - New Threats

• IPv6
- IMS is a main driver of IPv6 deployment
- IPv6 Land attack
- Cisco IOS IPv6 heap overflow attack
• Diameter, SCTP (Cx interface)
- Internal CSCF to HSS traffic - less
vulnerable, but the data is very sensitive
Testing Typologies
1. Functional Testing
• check the correct handling of the system's end-to-end
functionalities, verifying protocols and procedures
2. Conformance Testing
• check the compatibility of the functional blocks
• typically carried out in a test plant
3. Load & Capacity Testing
• check the performance declared by the supplier
• check correct working under limit load conditions
4. Live Testing
• check the correct handling of the system's functionalities in a real
context
Scope of Testing
Verify the IMS core-network through the usage of a set of reference
end-to-end scenarios (including roaming users) and the analysis of
signalling on the network interfaces that are involved: Gm, Cx, Mw,
Mi, Mj, Mk, Mg, Mn, Rf, Go.


Verify the procedures conformity to the standard
Reduce the time to market of new network solutions
P-CSCF discovery
End-to-End Methodology (figure): UE - Um - GERAN (BSS) / UTRAN (RNC) -
Iu-PS - SGSN - Gn - GGSN - Gm - P-CSCF, with DHCP and DNS servers
reachable from the GGSN; P-CSCF - Mw - I-CSCF - Mw - S-CSCF; I-CSCF and
S-CSCF - Cx - HSS.
IMS network configuration only for testing the P-CSCF
discovery procedure.
Session Initiation & Control between different network operators
End-to-End Methodology (figure): UE1 - Um - P-CSCF1 - Mw - S-CSCF1
(originating network); S-CSCF1 - Mw - I-CSCF (Cx to HSS) - Mw - S-CSCF2 -
Mw - P-CSCF2 - Um - UE2 (terminating network).
IMS configuration requiring two users located in different home
networks to test interoperability in case of session setup and control
procedures.
Type of Intrusions and General Annoyances

• Virus - spreads from computer to computer
• SPAM - unwanted email
• Denial of Service attack - send thousands of
requests to a critical machine.
How most attacks work.

• A vendor either finds or has an error in code reported. This code
involves a vulnerability.
• The vendor alerts their users as to the vulnerability and the patch (a
computer word for a fix).
• Hackers learn of the vulnerability and write a program that exploits it.
• Some system managers ignore the patch.
• They start scanning networks for computers that have not applied the
patch.
• The fun begins.
Scanning

• All computers have a network address.
• TAMU for example uses the addresses 128.194.000.001 to
128.194.254.254 (about 65,000 computers).
• A computer program is written that starts at 1 and goes to 65,000
sequentially.
• Any time that it finds a vulnerable computer it takes over the computer.
• The user may not even know that it is happening.
Protecting yourself and your computer: Passwords

PASSWORD protection - this is first and foremost.
• NEVER use easy to guess passwords.
• NEVER share a password.
• NEVER write your password on a sticky note next to the screen.
• All passwords should include letters and numbers.
Protection by IMS, Campus and Internet

Virus Protection
• On most computers or filtered at the server.
• Firewall for critical computers - both TAMU and four in Physical Plant.
• SPAM filters - one on campus and one at Physical Plant.
•Intrusion detection - Campus and through CERT (Computer Emergency
Response Team at CMU, http://www.cert.org/).
Security Components (figure): Internet - Web Server - EMAIL Server -
PPFS4 - SPAM Filter - Campus LAN - AssetWorks Server and staff workstations.
Other Security TIPS

• Virus protection - set for frequent update
• NEVER open attachments from unknown addresses (I don't open
attachments from most known addresses)
• Most virus notices are hoaxes. "Do not ignore this warning - your mouse
could explode" - check with IMS
• Use email rules (example)
• NEVER unsubscribe from a SPAM email
• More applications are moving to WEB access for convenience. Be sure to
work with IMS on security issues before you put info online
Web Applications

• Camera security http://165.91.187.68
• Door Access
• UPS power
• Voice Mail Server
All Web Applications are reviewed by Lauri Brender for Info Security and
Lee McCleskey for general security before we will put them online.
3GPP IP Multimedia Subsystem (Release 5)
(figure) Visited PS domain: UA - RAN - SGSN - GGSN - P-CSCF; Home: I-CSCF -
S-CSCF - HSS. REGISTER/INVITE flows over SIP-based interfaces between the
SIP proxy servers (P-CSCF, I-CSCF, S-CSCF). The Cx interface to the HSS is
based on Diameter and is where the SIP proxies get authorisation and
authentication information.
3GPP Release 5 Security

• Packet Switched (PS) domain
- access security features retained from 3GPP Release 99 specifications
• IP Multimedia Subsystem (IMS) domain
- new access security features to be specified
- to protect the access link to the IMS domain
- independent of underlying PS domain security features
- network domain security features to protect signalling
links between network elements within the IMS domain
IP Multimedia Subsystem: Access Security
(figure, draft 3GPP TS 33.203; same Visited/Home topology as above)
1. Distribution of authentication information (HSS to S-CSCF)
2. Mutual authentication and session key agreement (UA and S-CSCF)
3. Session key distribution (S-CSCF to P-CSCF)
4. Protection of SIP signalling using the agreed session key (UA and P-CSCF)
IP Multimedia Subsystem: Network Domain Security
(figure, draft 3GPP TS 33.210; same topology) Per-hop protection of
signalling between network elements using IPsec/IKE.
Access Security: Authentication Principles

• 3GPP authentication protocol (3GPP AKA)
- based on a secret key stored in the UA's tamper-resistant subscriber
identity module (SIM/ISIM) and in the HSS
- authentication check located in the S-CSCF
- working assumption is to authenticate only at SIP registrations, with
on-demand re-authentication requiring re-registration
- use SIP authentication rather than an outer layer protocol such as TLS
or IKE in order to minimise roundtrips
Integration of Authentication Protocol into DIAMETER and SIP

• Distribution of authentication information to S-CSCF using DIAMETER
- distribution of authentication vectors for 3GPP AKA
• Integration of authentication protocol into SIP registration
- 3GPP AKA protocol between UA and S-CSCF
- distribution of session key to P-CSCF
Possible Information Flow for Authentication and Session Key Establishment
(figure, from draft 3GPP TS 33.203): the S-CSCF fetches the authentication
vector from the HSS (Cx-Put / Cx-Pull) and challenges the UA; the challenge
response code was changed to 407 Proxy Authentication Required in this draft
(the published TS 33.203 and RFC 3310 challenge the REGISTER with 401
Unauthorized).
Access Security: Security Mode Establishment between UA and P-CSCF

• Determines when to start applying protection and which algorithm to use
- includes secure algorithm negotiation
• Uses the session key derived during authentication
• Integration into SIP registration with no new roundtrips
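The security mode establishment described above, as an added example that is not part of the original slides: the RFC 3329 security mechanism agreement that the UE and P-CSCF run inside the registration. The Security-Client/Security-Server/Security-Verify values are constructed samples, the SPI and port numbers are arbitrary, and PCSCF_MECHANISMS is an assumed operator configuration. What it demonstrates is the bidding-down check: the UE repeats the server's list in Security-Verify once the protected channel exists, so an algorithm list altered on the unprotected first exchange is detected.

```python
"""Added example, not from the original slides: the RFC 3329 security
mechanism agreement the slides describe between UA and P-CSCF (algorithm
negotiation folded into the registration, no extra roundtrips). Header values
are constructed samples and the SPI/port numbers are arbitrary. The point
shown is the bidding-down check: once the IPsec SAs are up, the UE repeats the
server's list in Security-Verify, so a list tampered with on the unprotected
first exchange is detected and answered with 494 Security Agreement Required."""

# P-CSCF capabilities: mechanism, integrity algorithm, preference q. Assumed
# operator configuration (3GPP Release 5 allows hmac-sha-1-96 and hmac-md5-96).
PCSCF_MECHANISMS = [("ipsec-3gpp", "hmac-sha-1-96", "0.2"),
                    ("ipsec-3gpp", "hmac-md5-96", "0.1")]


def parse_security_header(value):
    """'ipsec-3gpp; alg=x; spi-c=1, ipsec-3gpp; alg=y' -> [(mech, {param: value}), ...]"""
    mechs = []
    for item in value.split(","):
        name, *params = (p.strip() for p in item.split(";"))
        mechs.append((name, dict(p.partition("=")[::2] for p in params)))
    return mechs


def format_security_header(mechs):
    return ", ".join("; ".join([name] + [f"{k}={v}" for k, v in params.items()])
                     for name, params in mechs)


def pcscf_security_server(spi_c, spi_s, port_c, port_s):
    """Security-Server for the 401: every mechanism the P-CSCF supports, each with
    its q preference and the P-CSCF's SPIs and ports for the UE-P-CSCF SAs."""
    return format_security_header([
        (name, {"q": q, "alg": alg, "spi-c": str(spi_c), "spi-s": str(spi_s),
                "port-c": str(port_c), "port-s": str(port_s)})
        for name, alg, q in PCSCF_MECHANISMS])


def select_mechanism(security_client, security_server):
    """UE side (the P-CSCF computes the same): the server mechanism with the highest
    q whose mechanism and algorithm the UE offered in Security-Client."""
    offered = {(n, p.get("alg")) for n, p in parse_security_header(security_client)}
    common = [(float(p.get("q", "0")), n, p.get("alg"))
              for n, p in parse_security_header(security_server) if (n, p.get("alg")) in offered]
    return max(common)[1:] if common else None


def pcscf_check_security_verify(sent_security_server, security_verify):
    """P-CSCF, on the protected re-REGISTER: Security-Verify must repeat the
    Security-Server list exactly. Any difference means the unprotected 401 was
    altered (bidding down) and the P-CSCF must answer 494 Security Agreement Required."""
    def canon(header):
        return sorted((n, tuple(sorted(p.items()))) for n, p in parse_security_header(header))
    return canon(sent_security_server) == canon(security_verify)


def demo():
    """Returns (mechanism the UE selects, honest echo accepted, downgraded echo rejected)."""
    # Unprotected REGISTER: the UE's own SPIs/ports and the algorithms it supports.
    security_client = ("ipsec-3gpp; alg=hmac-sha-1-96; spi-c=23456789; spi-s=12345678; "
                       "port-c=2468; port-s=1357, ipsec-3gpp; alg=hmac-md5-96; "
                       "spi-c=23456789; spi-s=12345678; port-c=2468; port-s=1357")
    security_server = pcscf_security_server(34567890, 45678901, 5062, 5063)   # in the 401
    chosen = select_mechanism(security_client, security_server)
    honest = pcscf_check_security_verify(security_server, security_server)  # UE echoes it
    # An attacker on the air interface deletes the SHA-1 entry from the 401; the UE
    # then offers only MD5 in Security-Verify and the P-CSCF notices the mismatch.
    downgraded = ", ".join(m for m in security_server.split(", ") if "hmac-sha-1-96" not in m)
    return chosen, honest, pcscf_check_security_verify(security_server, downgraded)
```

In the real exchange the REGISTER and the protected re-REGISTER also carry Require: sec-agree and Proxy-Require: sec-agree (RFC 3329), and the selected algorithm together with the exchanged SPIs and ports is what the UE and P-CSCF use to set up the IPsec ESP security associations keyed from the AKA session keys.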
Access Security: Protection of SIP Signalling between UA and P-CSCF

• Integrity protection of SIP signalling between UA and P-CSCF
• Uses the session key derived during authentication
• Symmetric scheme because of efficiency concerns
• Candidate mechanisms include modified CMS and ESP (the published
TS 33.203 chose IPsec ESP, as noted under "SIP in IMS" above)
IP Multimedia Subsystem: Access Security Documentation
(table)
High level architecture: 3GPP TS 23.228 (SA2); 3GPP TS 33.203 (SA3)
Protocol detail: 3GPP TS 24.228 (CN1), TS 29.228 (CN4), TS 24.229 (CN1),
TS 29.229 (CN4); other specs, e.g. AKA (SA3); IETF SIPPING WG; AAA,
PPPEXT, IPsec, ...
Authentication and Key Agreement Protocol (3GPP AKA)
(figure) ISIM/UA - S-CSCF - HSS:
1. Authentication vector request (S-CSCF to HSS)
2. Authentication vector response (HSS to S-CSCF)
3. Authentication request (S-CSCF to ISIM/UA)
4. Authentication response (ISIM/UA to S-CSCF)
5. Distribution of session key to P-CSCF
• Three party protocol
• Two-pass mutual authentication protocol between UA and S-CSCF
• Each authentication vector is good for one authentication
• Authentication vectors can be distributed in batches to minimise
signalling/load on the HSS
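The AKA flow above, and the "S-CSCF performs the authentication using AKA" point under "SIP in IMS", as an added example that is not part of the original slides: the HTTP Digest AKAv1 exchange of RFC 3310 carried in SIP REGISTER. The S-CSCF builds the 401 challenge from an authentication vector, the P-CSCF strips the CK/IK parameters before the challenge reaches the UE, the UE answers with RES as the Digest password, and the S-CSCF verifies against XRES. The vector bytes, realm and identities are constructed; the MILENAGE functions the ISIM runs are not implemented, so the ISIM side is simulated by passing the UE the RES directly. Function names are this example's own.

```python
"""Added example, not from the original slides: the RFC 3310 (HTTP Digest
AKAv1) registration exchange the slides sketch. The S-CSCF holds an
authentication vector (RAND, AUTN, XRES, CK, IK) from the HSS, challenges
the UE with nonce = base64(RAND || AUTN), the ISIM derives RES from RAND and
the UE uses RES as the Digest password, and the S-CSCF verifies it against
XRES. Vector values are constructed; the MILENAGE functions the ISIM runs
are not implemented, so the ISIM is simulated by handing the UE the RES."""
import base64, hashlib, hmac, os, re


def parse_digest(header):
    """'Digest k="v", k2=v2, ...' -> {k: v}"""
    params = {}
    for m in re.finditer(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def scscf_challenge(realm, rand, autn, ck, ik):
    """S-CSCF: WWW-Authenticate for the 401. CK/IK ride along as the 3GPP 'ck'/'ik'
    parameters so the P-CSCF can set up the IPsec SAs; they must never reach the UE."""
    nonce = base64.b64encode(rand + autn).decode()   # RFC 3310: RAND || AUTN [|| server data]
    return (f'Digest realm="{realm}", nonce="{nonce}", algorithm=AKAv1-MD5, qop="auth", '
            f'ck="{ck.hex()}", ik="{ik.hex()}"')


def pcscf_strip_keys(www_authenticate):
    """P-CSCF: keep CK/IK for the security association, forward the rest to the UE."""
    p = parse_digest(www_authenticate)
    stripped = re.sub(r',\s*(?:ck|ik)="[0-9a-f]*"', "", www_authenticate)
    return stripped, bytes.fromhex(p["ck"]), bytes.fromhex(p["ik"])


def ue_authorization(www_authenticate, impi, res, method="REGISTER",
                     uri="sip:home1.example", cnonce=None):
    """UE: the binary RES is the Digest password; otherwise plain RFC 2617 qop=auth."""
    p = parse_digest(www_authenticate)
    rand_autn = base64.b64decode(p["nonce"])
    if p.get("algorithm") != "AKAv1-MD5" or len(rand_autn) < 32:
        raise ValueError("not a well-formed AKAv1 challenge")
    rand, autn = rand_autn[:16], rand_autn[16:32]   # handed to the ISIM, which checks
    # AUTN (MAC, SQN) and returns RES/CK/IK; here `res` stands in for that result.
    cnonce = cnonce or os.urandom(8).hex()
    nc = "00000001"
    ha1 = md5hex(f"{impi}:{p['realm']}:".encode() + res)
    ha2 = md5hex(f"{method}:{uri}".encode())
    response = md5hex(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}".encode())
    return (f'Digest username="{impi}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", algorithm=AKAv1-MD5, '
            f'response="{response}"')


def scscf_verify(authorization, xres, issued_nonce, method="REGISTER"):
    """S-CSCF: recompute the response with XRES from the vector and compare in
    constant time. The nonce is checked against the one issued, since each vector
    is good for exactly one authentication."""
    p = parse_digest(authorization)
    if p.get("nonce") != issued_nonce or p.get("qop") != "auth":
        return False
    try:
        ha1 = md5hex(f"{p['username']}:{p['realm']}:".encode() + xres)
        ha2 = md5hex(f"{method}:{p['uri']}".encode())
        expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}".encode())
    except KeyError:
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


def demo():
    """Whole flow with a constructed vector: (good UE accepted, bad UE rejected,
    P-CSCF got the keys and the UE did not)."""
    rand, autn = bytes(range(16)), bytes(range(16, 32))
    xres, ck, ik = bytes.fromhex("0011223344556677"), bytes(16), bytes([1] * 16)
    challenge = scscf_challenge("home1.example", rand, autn, ck, ik)
    to_ue, ck_p, ik_p = pcscf_strip_keys(challenge)
    nonce = parse_digest(challenge)["nonce"]
    good = ue_authorization(to_ue, "alice@home1.example", xres)      # ISIM returned RES == XRES
    bad = ue_authorization(to_ue, "alice@home1.example", b"\x00" * 8)  # wrong key material
    return (scscf_verify(good, xres, nonce), scscf_verify(bad, xres, nonce),
            (ck_p, ik_p) == (ck, ik) and "ik=" not in to_ue and "ck=" not in to_ue)
```

Two details carry the security of the scheme: the nonce binds the response to one authentication vector, so a replayed Authorization against a different nonce fails, and the UE's ISIM checks AUTN before answering, which is what makes the authentication mutual (a network without the right key cannot produce a valid AUTN). A synchronisation failure (the auts parameter of RFC 3310) is the one branch this example leaves out.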
Other IP Multimedia Subsystem Security Issues (1)

• Hide caller's public ID from called party
- by encrypting the remote party ID header at the caller's S-CSCF
and decrypting by the same S-CSCF
- is there a requirement to hide callers' IP addresses that are
dynamically assigned?
• Network configuration hiding
- mechanism being developed to hide host domain names of
CSCFs and the number of CSCFs within one operator's network
Other IP Multimedia Subsystem Security Issues (2)

• Session transfer
- guidance on security aspects based on the GSM call transfer feature
- authorisation and accounting of the transferred leg needs to
involve the transferring party, who has dropped out of the session
- should there be a limit to the number of transferred sessions?
- should the final destination be hidden from the calling party?
• Security aspects of other IP multimedia subsystem services?
• End-to-end security
References

Draft 3GPP TS 33.203, Access security for IP-based services (Release 5).
Draft 3GPP TS 33.210, Network domain security; IP network layer security (Release 5).
J. Arkko and H. Haverinen, "EAP AKA Authentication", draft-arkko-pppext-aka-00.txt.
V. Torvinen, J. Arkko, A. Niemi, "HTTP Authentication with EAP", draft-torvinen-http-eap-00.txt (to appear).
L. Blunk, J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284.
P. Calhoun et al., "DIAMETER NASREQ Extensions", draft-ietf-aaa-diameter-nasreq-06.txt.
• Is IMS increasing the threats for cellular security?
QUESTIONS???