
3GPP TS 23.334, Word version 17.2.0



6.2.10  IMS end-to-access-edge Media Plane Security

6.2.10.1  General |R12|

All message sequence charts in this clause are examples.
The H.248 context model is defined in Figure 6.2.1.1.

6.2.10.2  End-to-access-edge security for RTP based media using SDES |R12|

This procedure is identical to that of clause 6.2.1 apart from the IMS-ALG optionally requesting the IMS-AGW to provide IMS media plane security in accordance with TS 33.328.
The IMS-ALG shall provide the following media plane security related parameters to the IMS-AGW:
  • the SDES crypto attributes

6.2.10.3  End-to-access-edge security for TCP-based media using TLS |R12|

6.2.10.3.1  End-to-access-edge security for session based messaging (MSRP)

6.2.10.3.1.1  IMS UE originating procedures for e2ae

6.2.10.3.1.1.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

Figure 6.2.10.3.1.1.1.1 shows an example call flow for the originating session set-up procedures for one MSRP media stream using e2ae security, where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.
Figure 6.2.10.3.1.1.1.1: Originating example call flow for e2ae security for MSRP where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment
The IMS UE A performs an IMS originating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
Step 1.
IMS UE A sends an SDP offer for a media stream containing cryptographic information, together with an "a=3ge2ae:requested" SDP attribute for the MSRP-related SDP m-line, to the P CSCF (IMS ALG). For e2ae protection of MSRP the cryptographic information contained in the SDP offer consists of the fingerprint of the certificate of IMS UE A in accordance with RFC 4975. For each media stream that uses transport "TCP/TLS/MSRP", the P CSCF (IMS ALG) checks for the presence of the "a=3ge2ae:requested" SDP attribute. If that indication is present and the P CSCF (IMS ALG) indicated support of e2ae-security for MSRP during registration, the P CSCF (IMS ALG) allocates the required resources, includes the IMS AGW in the media path and proceeds as specified in this clause.
Step 2.-4.
The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP" media (for application-agnostic interworking) or "TCP/MSRP" media (for application-aware interworking) towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T2 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T2 as a trigger to send a TCP connection establishment on the termination T1.
Step 5.-7.
The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP/TLS" media (for application-agnostic interworking) or "TCP/TLS/MSRP" media (for application-aware interworking) towards the access network. In the remote descriptor, it provides the IP address, port and fingerprint attribute received from the UE, containing the fingerprint of the UE's certificate in accordance with RFC 4975. This instructs the IMS AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P CSCF (IMS ALG) to the IMS AGW. In turn, the IMS AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P CSCF (IMS ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute.
Step 8.
The P CSCF (IMS ALG) changes the transport from "TCP/TLS/MSRP" to "TCP/MSRP" in the SDP offer, removes the "a=3ge2ae:requested" SDP attribute and the fingerprint SDP attribute, and inserts the address information received from the IMS-AGW.
Step 9.
The P CSCF (IMS ALG) forwards the SDP offer.
Step 10.
The remote peer chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the remote peer.
If the TCP SYN is not answered before a timer expiry, the remote peer will send the TCP SYN a second time (step 10'). The IMS AGW will answer a repeated TCP SYN if it is received after step 13 (step 10').
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.
Step 11.
The IMS-AGW uses the TCP SYN received at the termination T2 (at step 10, or at step 10' if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the UE to establish a TCP connection (effectively making the IMS-AGW act as the TCP client towards the UE). The UE answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.
Step 12.
The P CSCF (IMS ALG) receives the SDP answer.
Step 13.-15.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with remote address information. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.
Step 16.-18.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the access network with the request to establish the TLS session once the TCP connection is established (effectively making the IMS-AGW act as the TLS client), in accordance with the information in the "a=setup" attribute in the SDP answer.
Step 19.
The P CSCF (IMS ALG) modifies the SDP answer before sending it to the UE A. The P CSCF (IMS ALG) sets the transport to "TCP/TLS/MSRP" and includes the fingerprint of the IMS AGW's certificate in accordance with RFC 4975.
Step 20.
The P-CSCF (IMS-ALG) then sends the updated SDP answer to IMS UE A. After receiving this message IMS UE A completes the media security setup.
Step 21.
Upon completion of the TCP connection establishment, the IMS-AGW starts the establishment of the TLS session.
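The SDP handling the P-CSCF (IMS-ALG) performs at steps 1, 8 and 19, and the fingerprint check the IMS-AGW performs during the TLS handshake of steps 5-7, as an added Python example that is not part of TS 23.334 or any 3GPP implementation. The SDP offer, addresses, port and certificate bytes are constructed placeholders, and a single media stream with a media-level c= line is assumed.

```python
import hashlib

# Constructed SDP offer from IMS UE A (step 1); addresses and the fingerprint are placeholders.
UE_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\n"
            "m=message 7654 TCP/TLS/MSRP *\r\nc=IN IP4 192.0.2.10\r\n"
            "a=3ge2ae:requested\r\na=setup:active\r\n"
            "a=fingerprint:SHA-256 " + ":".join(["AB"] * 32) + "\r\n"
            "a=accept-types:text/plain\r\n")

def offer_towards_core(sdp, agw_ip, agw_port):
    # Step 8 at the P-CSCF (IMS-ALG): for an m-line using TCP/TLS/MSRP that carries a=3ge2ae:requested,
    # switch to TCP/MSRP, drop the 3ge2ae and fingerprint attributes, insert the IMS-AGW core-side address.
    lines, out, in_e2ae = sdp.splitlines(), [], False
    for i, line in enumerate(lines):
        if line.startswith("m="):
            f = line.split()
            rest = lines[i + 1:]
            end = next((j for j, l in enumerate(rest) if l.startswith("m=")), len(rest))
            in_e2ae = f[2] == "TCP/TLS/MSRP" and "a=3ge2ae:requested" in rest[:end]
            if in_e2ae:
                f[1], f[2] = str(agw_port), "TCP/MSRP"
                line = " ".join(f)
        elif in_e2ae and line.startswith(("a=3ge2ae:", "a=fingerprint:")):
            continue  # neither attribute is meaningful to the core-side peer
        elif in_e2ae and line.startswith("c="):
            line = f"c=IN IP4 {agw_ip}"
        out.append(line)
    return "\r\n".join(out) + "\r\n"

def answer_towards_ue(sdp, agw_fingerprint):
    # Step 19: restore TCP/TLS/MSRP and add the IMS-AGW certificate fingerprint so the UE
    # can authenticate the AGW in the TLS handshake (address substitution per clause 6.2.1 not shown).
    out = []
    for line in sdp.splitlines():
        f = line.split()
        if line.startswith("m=") and f[2] == "TCP/MSRP":
            f[2] = "TCP/TLS/MSRP"
            out += [" ".join(f), f"a=fingerprint:{agw_fingerprint}"]
        else:
            out.append(line)
    return "\r\n".join(out) + "\r\n"

def fingerprint_attr(cert_der):
    # a=fingerprint value in the RFC 4572 form referenced by RFC 4975: hash name, upper-case hex pairs.
    hexd = hashlib.sha256(cert_der).hexdigest().upper()
    return "SHA-256 " + ":".join(hexd[i:i + 2] for i in range(0, 64, 2))

def fingerprint_matches(cert_der, attr_value):
    # IMS-AGW check during the TLS handshake (steps 5-7): the certificate the UE presents must
    # hash to the a=fingerprint value the IMS-ALG passed in the remote descriptor.
    func, _, value = attr_value.partition(" ")
    return func.upper() == "SHA-256" and fingerprint_attr(cert_der) == "SHA-256 " + value.strip().upper()
```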
6.2.10.3.1.1.2  IMS-ALG requests sending an outgoing TCP bearer establishment
Figure 6.2.10.3.1.1.2.1 shows an example call flow for the originating session set-up procedures for one MSRP media stream using e2ae security, where the IMS-ALG requests sending an outgoing TCP bearer establishment.
Figure 6.2.10.3.1.1.2.1: Originating example call flow for e2ae security for MSRP where the IMS-ALG requests sending an outgoing TCP bearer establishment
The IMS UE A performs an IMS originating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
Step 1.
As step 1 in Figure 6.2.10.3.1.1.1.1.
Step 2.-4.
As steps 2-4 in Figure 6.2.10.3.1.1.1.1 with the exception that the IMS-ALG does not set the interlinkage topology on the termination T2.
Step 5.-7.
As steps 5-7 in Figure 6.2.10.3.1.1.1.1.
Step 8.
As step 8 in Figure 6.2.10.3.1.1.1.1.
Step 9.
As step 9 in Figure 6.2.10.3.1.1.1.1.
Step 10.
As step 10 in Figure 6.2.10.3.1.1.1.1.
Step 11.
As step 12 in Figure 6.2.10.3.1.1.1.1.
Step 12.-14.
As steps 13-15 in Figure 6.2.10.3.1.1.1.1.
Step 15.-17.
As steps 16-18 in Figure 6.2.10.3.1.1.1.1, with the exception that the IMS-ALG uses the "Configure AGW Connection Point" procedure also to configure the termination towards the access network with the request to establish the TCP connection (effectively making the IMS-AGW act as the TCP client), in accordance with the information in the "a=setup" attribute in the SDP answer.
Step 18.
The IMS-AGW sends a TCP SYN towards the UE to establish a TCP connection. The UE answers with a TCP SYN ACK and the IMS AGW replies with a TCP ACK, completing the TCP connection establishment.
Step 19.
As step 21 in Figure 6.2.10.3.1.1.1.1.
Step 20.
As step 19 in Figure 6.2.10.3.1.1.1.1.
Step 21.
As step 20 in Figure 6.2.10.3.1.1.1.1.
