
Content for TS 23.334 (Word version: 17.2.0)


6.2.10.4  End-to-access-edge security for UDP based media using DTLS |R12|

6.2.10.4.1  General
The IMS-ALG and the IMS-AGW may support e2ae security for the UDP based media using DTLS and certificate fingerprints.
The following clauses describe extensions to the Iq signalling procedures and their interactions with SIP signalling in the control plane and with user plane procedures if the e2ae security for the UDP based media using DTLS and certificate fingerprints is supported by the IMS-ALG and the IMS-AGW and if the IMS-ALG indicated support of e2ae security for the UDPTL using DTLS and certificate fingerprints during registration.
6.2.10.4.2  Session establishment from IMS access network for T.38 fax using "UDP/TLS/UDPTL"
Upon receipt of an SDP offer from the IMS access network containing T.38 fax media using the "UDP/TLS/UDPTL" transport protocol with the associated:
  • 3ge2ae SDP attribute, as defined in TS 24.229, with a value "requested";
  • fingerprint SDP attribute(s) as defined in RFC 8122;
  • DTLS association identity SDP attribute "a=tls-id" defined in RFC 8842; and
  • setup SDP attribute as defined in RFC 4145;
the IMS-ALG shall:
  • check the received value of the setup SDP attribute to determine if the IMS-AGW needs to act as DTLS client or DTLS server. When the received value is equal to:
    1. "active" the IMS-AGW needs to act as DTLS server;
    2. "passive" the IMS-AGW needs to act as DTLS client; or
    3. "actpass" the IMS-ALG shall decide if the IMS-AGW needs to act as DTLS client or DTLS server;
  • when reserving the transport addresses/resources towards the IMS access network:
    1. indicate to the IMS-AGW "UDP/DTLS" as transport protocol;
    2. if the IMS-AGW needs to act as DTLS client, include the Establish (D)TLS session information element to request the IMS-AGW to start the DTLS session setup;
    3. include the Notify (D)TLS session establishment Failure Event information element to request the IMS-AGW to report the unsuccessful DTLS session setup;
    4. include the Remote certificate fingerprint information element with the value of the received fingerprint SDP attribute(s); and
    5. include the Local certificate fingerprint Request information element to request the certificate fingerprint of the IMS-AGW;
  • indicate to the IMS-AGW "UDP" as transport protocol when reserving the transport addresses/resources towards the IMS core network; and
  • remove the setup SDP attribute and indicate the transport protocol "UDPTL" in the SDP offer towards the IMS core network.
Upon receipt of an SDP answer from the IMS core network, the IMS-ALG shall:
  • in the "m=" line indicating T.38 fax using UDPTL, change the transport protocol to "UDP/TLS/UDPTL";
  • insert the fingerprint SDP attribute with the value of the Local certificate fingerprint information element received from the IMS-AGW;
  • insert the "a=tls-id" SDP attribute containing a new DTLS association identity; and
  • insert the setup SDP attribute with the value:
    1. "active" if the IMS-ALG requested the IMS-AGW to act as DTLS client; or
    2. "passive" if the IMS-AGW shall take the DTLS server role.
The message sequence chart shown in Figure 6.2.10.4.2.1 gives an example of a session establishment from the IMS access network, with an emphasis on the additional aspects for the IMS-ALG and the IMS-AGW for the e2ae protection of the T.38 fax media using UDPTL over DTLS.
Figure 6.2.10.4.2.1: Session setup from the IMS access network with e2ae protection of T.38 fax
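
The IMS-ALG handling of the SDP offer and answer described in this clause can be sketched as follows. This is an added example, not part of TS 23.334: it models only the steps listed above and fails closed when a required attribute is missing. The dictionary keys standing in for the Iq information elements and the `actpass_role` parameter (the IMS-ALG's own choice for "actpass") are hypothetical names, and the sample SDP is constructed.

```python
import secrets

def attrs(sdp, name):
    """Values of every a=<name>:<value> line in an SDP body."""
    prefix = f"a={name}:"
    return [l[len(prefix):] for l in sdp.splitlines() if l.startswith(prefix)]

def handle_access_offer(offer, actpass_role="server"):
    """Return (Iq reservation parameters, SDP offer towards the IMS core)."""
    setup, fps = attrs(offer, "setup"), attrs(offer, "fingerprint")
    if (" UDP/TLS/UDPTL " not in offer or attrs(offer, "3ge2ae") != ["requested"]
            or not fps or not attrs(offer, "tls-id") or len(setup) != 1):
        raise ValueError("offer lacks an attribute this procedure requires")
    # Received a=setup decides the IMS-AGW role; for "actpass" the IMS-ALG chooses.
    role = {"active": "server", "passive": "client",
            "actpass": actpass_role}.get(setup[0])
    if role not in ("client", "server"):
        raise ValueError(f"unsupported a=setup value: {setup[0]}")
    # Hypothetical key names, one per Iq information element named in the clause.
    iq = {"access_transport": "UDP/DTLS", "core_transport": "UDP",
          "agw_dtls_role": role,
          "establish_dtls_session": role == "client",
          "notify_dtls_failure": True,
          "remote_fingerprints": fps,
          "local_fingerprint_request": True}
    core = [l.replace(" UDP/TLS/UDPTL ", " UDPTL ") if l.startswith("m=") else l
            for l in offer.splitlines() if not l.startswith("a=setup:")]
    return iq, "\r\n".join(core) + "\r\n"

def handle_core_answer(answer, agw_role, local_fingerprint):
    """Return the SDP answer towards the IMS access network."""
    added = [f"a=fingerprint:{local_fingerprint}",
             f"a=tls-id:{secrets.token_hex(16)}",  # new DTLS association identity
             "a=setup:" + ("active" if agw_role == "client" else "passive")]
    out, pending = [], []
    for line in answer.splitlines():
        if line.startswith("m="):
            out += pending  # close the previous media section
            f = line.split(" ")
            pending = added if len(f) > 2 and f[2] == "UDPTL" else []
            if pending:
                f[2] = "UDP/TLS/UDPTL"
                line = " ".join(f)
        out.append(line)
    return "\r\n".join(out + pending) + "\r\n"

# Constructed sample SDP (not taken from the specification).
OFFER = ("v=0\r\nm=image 6800 UDP/TLS/UDPTL t38\r\na=3ge2ae:requested\r\n"
         "a=setup:actpass\r\na=tls-id:abc3de65cddef001be82abc3de65cddef001\r\n"
         "a=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\r\n")
ANSWER = "v=0\r\nm=image 49170 UDPTL t38\r\na=T38FaxVersion:0\r\n"
```

The inserted attributes are appended at the end of the T.38 media section so that they stay behind any "c=" or "b=" lines of that section.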