
Content for  TS 23.334  Word version:  17.2.0


6.2.10.3.1.2  IMS UE terminating procedures for e2ae
6.2.10.3.1.2.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment
Figure 6.2.10.3.1.2.1.1 shows an example call flow for the terminating session set-up procedures for one MSRP media stream using e2ae security, where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.
Copy of original 3GPP image for 3GPP TS 23.334, Fig. 6.2.10.3.1.2.1.1: Terminating example call flow for e2ae security for MSRP where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment
The IMS UE B performs an IMS terminating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
Step 1.
The P-CSCF (IMS-ALG) receives an SDP offer for an MSRP media stream. For each MSRP media stream offered with transport "TCP/MSRP", if both the IMS UE and P-CSCF (IMS-ALG) indicated support for e2ae-security for MSRP during registration, the P-CSCF (IMS-ALG) allocates the required resources, includes the IMS-AGW in the media path and proceeds as specified in this clause.
Step 2.-4.
The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP/TLS" media (for application-agnostic interworking) or "TCP/TLS/MSRP" media (for application-aware interworking) towards the access network. In turn, the IMS-AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P-CSCF (IMS-ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T1 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T1 as a trigger to send a TCP connection establishment on the termination T2.
Step 5.-7.
The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP" media (for application-agnostic interworking) or "TCP/MSRP" media (for application-aware interworking) towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute.
Step 8.
The P-CSCF (IMS-ALG) changes the transport from "TCP/MSRP" to "TCP/TLS/MSRP" in the SDP offer, adds the "a=3ge2ae:applied" SDP attribute and the fingerprint SDP attribute received from the IMS-AGW, and inserts the address information received from the IMS-AGW.
Step 9.
The P-CSCF (IMS-ALG) forwards the SDP offer.
Step 10.
The UE B chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the UE.
If the TCP SYN is not answered before a timer expiry, the UE will send the TCP SYN a second time (step 10'). The IMS-AGW will answer a repeated TCP SYN if it is received after step 14 (step 10').
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.
Step 11.
The IMS-AGW uses the TCP SYN received at the termination T1 (at step 10 or step 10' if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the core network to establish a TCP connection (effectively making the IMS-AGW act as the TCP client towards the core network). The remote peer answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.
Step 12.
Upon completion of the TCP connection establishment, the UE B starts the establishment of the TLS session. The IMS-AGW needs to wait until step 14 to verify the received fingerprint.
Step 13.
The P-CSCF (IMS-ALG) receives the SDP answer. It contains the fingerprint attribute with the UE's certificate in accordance with RFC 4975.
Step 14.-16.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the UE B with remote address information. In the remote descriptor, it also provides the fingerprint attribute received from the UE. This instructs the IMS-AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P-CSCF (IMS-ALG) to the IMS-AGW. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.
Step 17.
The P-CSCF (IMS-ALG) modifies the SDP answer before sending it to the core network. The P-CSCF (IMS-ALG) sets the transport to "TCP/MSRP" and removes the SDP fingerprint attribute.
Step 18.
The P-CSCF (IMS-ALG) then sends the updated SDP answer to the core network.
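The SDP handling in steps 8, 13 and 17 and the fingerprint check configured in steps 14-16, as an added Python sketch that is not part of TS 23.334. The function names, the addresses, the stand-in certificate bytes and the reduced single-stream SDP (no MSRP path attribute) are constructed assumptions.

```python
import hashlib
import hmac

# SDP fingerprint hash names mapped to hashlib names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def fingerprint(cert_der, hash_name="sha-256"):
    """Value of an a=fingerprint line for a DER-encoded certificate."""
    h = hashlib.new(HASHES[hash_name], cert_der).hexdigest().upper()
    return hash_name + " " + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def rewrite_offer(sdp, agw_addr, agw_port, agw_fp):
    """Step 8: offer towards UE B carries TLS transport, AGW address and fingerprint."""
    out = []
    for line in sdp.splitlines():
        f = line.split()
        if line.startswith("c=IN IP4 "):
            line = "c=IN IP4 " + agw_addr
        elif line.startswith("m=message ") and len(f) > 3 and f[2] == "TCP/MSRP":
            line = " ".join([f[0], str(agw_port), "TCP/TLS/MSRP"] + f[3:])
        out.append(line)
    # Single media stream assumed, so trailing attributes are media-level.
    out += ["a=3ge2ae:applied", "a=fingerprint:" + agw_fp]
    return "\r\n".join(out) + "\r\n"

def rewrite_answer(sdp):
    """Steps 13 and 17: take UE B's fingerprint out, restore TCP/MSRP for the core."""
    out, ue_fp = [], None
    for line in sdp.splitlines():
        if line.startswith("a=fingerprint:"):
            ue_fp = line[len("a=fingerprint:"):]
            continue
        if line.startswith("m=message "):
            line = line.replace(" TCP/TLS/MSRP ", " TCP/MSRP ", 1)
        out.append(line)
    return ue_fp, "\r\n".join(out) + "\r\n"

def verify_peer(cert_der, sdp_fp):
    """Steps 14-16: certificate seen in the TLS handshake must match the SDP value."""
    name, _, value = (sdp_fp or "").strip().partition(" ")
    if name.lower() not in HASHES or not value:
        return False  # missing or unknown fingerprint: fail closed
    expected = fingerprint(cert_der, name.lower()).split(" ")[1]
    return hmac.compare_digest(expected.encode(), value.strip().upper().encode())

# Constructed sample data: stand-in certificate bytes and a reduced SDP.
AGW_CERT, UE_CERT = b"constructed-agw-cert", b"constructed-ue-cert"
OFFER = "c=IN IP4 192.0.2.10\r\nm=message 2855 TCP/MSRP *\r\na=setup:actpass\r\n"
ANSWER = ("c=IN IP4 198.51.100.7\r\nm=message 9 TCP/TLS/MSRP *\r\na=setup:active\r\n"
          "a=fingerprint:" + fingerprint(UE_CERT) + "\r\n")
```

The fingerprint only binds the TLS session to the signalling if the comparison fails closed, which is why a missing attribute or an unknown hash name is treated as a mismatch.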
6.2.10.3.1.2.2  IMS-ALG requests sending an outgoing TCP bearer establishment
Figure 6.2.10.3.1.2.2.1 shows an example call flow for the terminating session set-up procedures for one MSRP media stream using e2ae security, where the IMS-ALG requests sending an outgoing TCP bearer establishment.
Copy of original 3GPP image for 3GPP TS 23.334, Fig. 6.2.10.3.1.2.2.1: Terminating example call flow for e2ae security for MSRP where the IMS-ALG requests sending an outgoing TCP bearer establishment
The IMS UE B performs an IMS terminating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
Step 1.
As step 1 in Figure 6.2.10.3.1.2.1.1.
Step 2.-4.
As steps 2-4 in Figure 6.2.10.3.1.2.1.1 with the exception that the IMS-ALG does not set the interlinkage topology on the termination T1.
Step 5.-7.
As steps 5-7 in Figure 6.2.10.3.1.2.1.1.
Step 8.
As step 8 in Figure 6.2.10.3.1.2.1.1.
Step 9.
As step 9 in Figure 6.2.10.3.1.2.1.1.
Step 10.
As step 10 in Figure 6.2.10.3.1.2.1.1.
Step 11.
As step 12 in Figure 6.2.10.3.1.2.1.1.
Step 12.
As step 13 in Figure 6.2.10.3.1.2.1.1.
Step 13.-15.
As steps 14-16 in Figure 6.2.10.3.1.2.1.1.
Step 16.-18.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with the request to establish the TCP connection, in accordance with the information in the "a=setup" attribute in the SDP answer.
Step 19.
The IMS-AGW sends a TCP SYN towards the core network to establish a TCP connection. The remote peer answers with a TCP SYN ACK and the IMS-AGW replies with a TCP ACK, completing the TCP connection establishment.
Step 20.
As step 17 in Figure 6.2.10.3.1.2.1.1.
Step 21.
As step 18 in Figure 6.2.10.3.1.2.1.1.