A new proposal for bundled access to IMS
ETSI TISPAN#7
Sébastien Garcin (France Telecom R&D)

IMS access considerations for fixed IMS (1/2)
• IPsec protection of SIP signalling shall not be mandatory for all fixed IMS scenarios
• IPsec need not be used in case of bundled authentication
• Non ISIM-based SIP end points need to be supported (e.g. AGCF in case of IMS-based PES)
• P-CSCF behavior should be unchanged for mobiles

IMS access considerations for fixed IMS (2/2)
• P-CSCFs need to be able to distinguish between
  • Fixed UEs where IPsec is required
  • Fixed UEs where IPsec is not required
• Possible solutions
  • IPsec-usage indication is stored in the CLF and provided to the P-CSCF at Location-Query phase
  • P-CSCF uses specific IP address/port with differentiated behavior regarding IPsec
  • P-CSCF uses different physical interfaces to discriminate the type of behavior

Successful bundled authentication
[Sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF. Diagram labels:]
• Network attachment & NASS Authentication
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU)
• Location-Req (IP @, AF identity)
• Location-Res (Location-info)
• IPsec required? No
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Locinfo)
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Loc-info)
• MAR (IMPI, IMPU, Location-Info, Auth-sch=Digest-AKA--MD5)
• Check User Profile -> Result=Yes
• MAA (IMPI, IMPU, DIAMETER_SUCCESS_BUNDLE)
• 200 OK (From: IMPU, To: IMPU)
• 200 OK (From: IMPU, To: IMPU)
• 200 OK (From: IMPU, To: IMPU)
• UE registered

IMS access with IPsec required
[Sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF. Diagram labels:]
• Network attachment & NASS Authentication
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU)
• Location-Req (IP @, AF identity)
• Location-Res (Location-info)
• IPsec required? Yes
• 421 Extension Required or 494 Security Agreement Required

Solution description (1/2)
• UE may or may not provide Sec-client header
• P-CSCF determines whether IPsec is required
  • If not, P-CSCF does not check the presence or contents of the Sec-client header in the REGISTER
  • If yes, current P-CSCF behaviour applies
    • P-CSCF returns 421 Extension required if Sec-client is not there
• P-CSCF
• S-CSCF launches Cx authentication procedures
  • Content of P-Access-network-Info is sent over Cx
  • Authentication-scheme unchanged

Solution description (2/2)
• UPSF checks the reference location of the IMS subscriber against the current location
• Based on IMS subscription rights, the UPSF allows bundled authentication to IMS
  • Subscriber may not be allowed bundled-auth at all
  • Subscriber may be allowed depending on current location
• A new DIAMETER Result-code is added to notify the S-CSCF that bundled access to IMS is granted
• P-CSCF forwards 200 OK to the UE (no SA set-up)
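
The P-CSCF and UPSF decisions from the two solution slides, sketched as an added Python example that is not part of the original presentation. The function names, the CLF and UPSF tables and their sample values are constructed, and treating a missing CLF binding as "IPsec required" is an assumption the slides do not state.

```python
# Added illustration of the slides' decision flow; all names are hypothetical.
from dataclasses import dataclass

@dataclass
class Subscriber:                  # constructed UPSF profile record
    impi: str
    bundled_allowed: bool          # subscription right for bundled authentication
    reference_location: str        # location the subscription is provisioned at

# Constructed sample data.
# CLF: source IP bound at network attachment -> (location info, IPsec required?)
CLF = {"10.0.0.5": ("line-42", False), "10.0.0.9": ("line-77", True)}
UPSF = {
    "alice@example.net": Subscriber("alice@example.net", True, "line-42"),
    "bob@example.net": Subscriber("bob@example.net", False, "line-42"),
}

def upsf_mar(impi, location_info):
    """UPSF side of MAR/MAA: check reference location against current location."""
    sub = UPSF.get(impi)
    if sub and sub.bundled_allowed and sub.reference_location == location_info:
        return "DIAMETER_SUCCESS_BUNDLE"   # new result code: bundled access granted
    return "DIAMETER_SUCCESS"              # MAA carries an auth vector instead

def pcscf_register(src_ip, impi, sec_client=None):
    """P-CSCF handling of an initial REGISTER; returns the SIP status sent to the UE."""
    # Location-Req / Location-Res: the CLF supplies location info and IPsec indication.
    # Assumption (not in the slides): an unknown binding fails closed to "required".
    location_info, ipsec_required = CLF.get(src_ip, (None, True))
    if ipsec_required and sec_client is None:
        return "421 Extension Required"
    # When IPsec is not required, Sec-client presence and contents are not checked.
    # The REGISTER goes on via I-CSCF/S-CSCF with P-Access-Network-Info, then over Cx.
    if upsf_mar(impi, location_info) == "DIAMETER_SUCCESS_BUNDLE":
        return "200 OK"                    # forwarded to the UE, no SA set-up
    return "401 Unauthorized"              # challenge, followed by IPsec SA set-up

if __name__ == "__main__":
    for ip, impi, sc in [("10.0.0.5", "alice@example.net", None),
                         ("10.0.0.9", "alice@example.net", None),
                         ("10.0.0.9", "alice@example.net", "ipsec-3gpp"),
                         ("10.0.0.5", "bob@example.net", None)]:
        print(ip, impi, sc, "->", pcscf_register(ip, impi, sc))
```

The third case shows what the location check protects: the IMPI in the REGISTER is only a claim, so a request for alice's identity arriving from a line other than her reference location is challenged rather than accepted as bundled.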

IMS access without bundled authentication
[Sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF. Diagram labels:]
• Network attachment & NASS Authentication
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, Sec-client:…)
• Location-Req
• Location-Res
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Locinfo)
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Loc-info)
• MAR (IMPI, IMPU, Location-Info, Auth-sch=Digest-AKA--MD5)
• Check User Profile -> Result = No
• MAA (IMPI, IMPU, Auth-vector, DIAMETER_SUCCESS)
• 401 Unauthorized (www-authenticate:…, From: IMPU, To: IMPU)
• 401 Unauth (www-authenticate:…, From: IMPU, To: IMPU)
• 401 Unauthorized (www-authenticate:…, From: IMPU, To: IMPU, Sec-server…)
• IPsec tunnel setup

IMS-based PES registration
[Sequence diagram. Entities: AGCF, I-CSCF, S-CSCF, UPSF. Diagram labels:]
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Access-Net-info=Location-info)
• REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Location-info)
• MAR (IMPI, IMPU, (Location-Info), Auth-sch=Digest-AKA--MD5)
• Check User Profile -> Result = Yes
• 200 OK (From: IMPU, To: IMPU)
• MAA (IMPI, IMPU, DIAMETER_SUCCESS_BUNDLE)
• 200 OK (From: IMPU, To: IMPU)
• Registration complete

Impacts on TISPAN & 3GPP documentation
• Changes to TS.24.229
  • UE option to support and use RFC3329 and associated procedures
  • P-CSCF verification (IPsec to be enforced or not)
  • S-CSCF (editorial)
• TS.29.228 (Cx signalling flows and message contents)
  • Contents of MAR/MAA message to be updated
  • Signalling flows to be completed
• TS.29.229 (Cx protocol details)
  • New vendor specific AVP for Location-info
  • New Exp-Result-Code value for bundled access indication
• TS.33.203 (Access Security)
  • IPsec requirements need to be updated
• e2/e4 profile update for IPsec indication?