3GPP TS 23.334, version 17.2.0

6.2.10.4.3  Session establishment towards IMS access network for T.38 fax using "UDP/TLS/UDPTL"
Upon receipt of an SDP offer from the IMS core network containing T.38 fax media using the "UDPTL" transport protocol, the IMS-ALG shall:
  • when reserving the transport addresses/resources towards the IMS access network:
    1. indicate to the IMS-AGW "UDP/DTLS" as transport protocol;
    2. include the Notify (D)TLS session establishment Failure Event information element to request the IMS-AGW to report the unsuccessful DTLS session setup; and
    3. include the Local certificate fingerprint Request information element to request the certificate fingerprint of the IMS-AGW; and
  • when reserving the transport addresses/resources towards the IMS core network, indicate to the IMS-AGW "UDP" as transport protocol; and
  • modify the SDP offer that will be sent to the IMS access network by:
    1. in the "m=" line indicating T.38 fax using UDPTL, changing the transport protocol to "UDP/TLS/UDPTL";
    2. inserting the 3ge2ae SDP attribute, as defined in TS 24.229, with the value "applied";
    3. inserting the fingerprint SDP attribute, as defined in RFC 8122, with the value of the Local certificate fingerprint information element received from the IMS-AGW;
    4. inserting the "tls-id" SDP attribute with the new DTLS association identity; and
    5. inserting the setup SDP attribute, as defined in RFC 4145, e.g. with the value "actpass".
Upon receipt of an SDP answer from the IMS access network containing T.38 fax media using the "UDP/TLS/UDPTL" transport protocol with the associated fingerprint and setup SDP attributes, the IMS-ALG shall:
  • check the value of the received setup SDP attribute to determine if the IMS-AGW needs to act as DTLS client or DTLS server. When the received value is equal to:
    1. "active" the IMS-AGW needs to act as DTLS server; or
    2. "passive" the IMS-AGW needs to act as DTLS client;
  • when modifying the transport addresses/resources towards the IMS access network:
    1. if the IMS-AGW needs to act as DTLS client, include the Establish (D)TLS session information element to request the IMS-AGW to start the DTLS session setup;
    2. include the Remote certificate fingerprint information element with the value of the received fingerprint SDP attribute(s); and
    3. if not already provided, include the Notify (D)TLS session establishment Failure Event information element to request the IMS-AGW to report the unsuccessful DTLS session setup; and
  • remove the setup SDP attribute and indicate the transport protocol "UDPTL" in the SDP answer sent towards the IMS core network.
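The offer rewrite and answer handling described in this clause, as an added illustration that is not part of TS 23.334 and not any vendor's IMS-ALG code. The sample SDP is constructed; the H.248 information elements are represented as a plain dictionary, and stripping the DTLS-only fingerprint and tls-id attributes from the core-side answer is an assumption (the clause only names the setup attribute explicitly).

```python
# Constructed sample SDP offer from the IMS core network (illustrative, not from the spec).
CORE_OFFER = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=image 5000 udptl t38\r\n"
    "a=T38FaxVersion:0\r\n"
)

def alg_build_access_offer(offer, agw_fingerprint, tls_id, setup="actpass"):
    """IMS-ALG side of 6.2.10.4.3: rewrite the core-side T.38/UDPTL offer for the access network."""
    out = []
    for line in offer.splitlines():
        fields = line.split()
        if line.startswith("m=") and len(fields) >= 4 and fields[2].lower() == "udptl":
            fields[2] = "UDP/TLS/UDPTL"                      # e2ae-protected transport
            out.append(" ".join(fields))
            out.append("a=3ge2ae:applied")                   # TS 24.229 e2ae indication
            out.append("a=fingerprint:" + agw_fingerprint)   # Local certificate fingerprint IE value
            out.append("a=tls-id:" + tls_id)                 # new DTLS association identity
            out.append("a=setup:" + setup)                   # RFC 4145, e.g. "actpass"
        else:
            out.append(line)
    return "\r\n".join(out) + "\r\n"

def alg_process_access_answer(answer):
    """IMS-ALG handling of the access-side answer: decide the IMS-AGW DTLS role,
    collect the information elements to send to the IMS-AGW, build the core-side answer."""
    role, fingerprints, core = None, [], []
    for line in answer.splitlines():
        fields = line.split()
        if line.startswith("a=setup:"):
            # UE "active" -> IMS-AGW acts as DTLS server; UE "passive" -> IMS-AGW acts as DTLS client
            role = {"active": "server", "passive": "client"}.get(line[8:].strip())
            continue                                  # setup attribute removed towards the core
        if line.startswith("a=fingerprint:"):
            fingerprints.append(line[14:].strip())    # value(s) for the Remote certificate fingerprint IE
            continue                                  # assumption: DTLS-only attribute not forwarded
        if line.startswith("a=tls-id:"):
            continue                                  # assumption: DTLS-only attribute not forwarded
        if line.startswith("m=") and len(fields) >= 4 and fields[2] == "UDP/TLS/UDPTL":
            fields[2] = "UDPTL"                       # core network sees unprotected UDPTL
            line = " ".join(fields)
        core.append(line)
    if role is None:
        raise ValueError("answer lacks a usable a=setup attribute")
    ies = {"Remote certificate fingerprint": fingerprints,
           "Notify (D)TLS session establishment Failure Event": True,
           "Establish (D)TLS session": role == "client"}
    return {"agw_role": role, "ies": ies, "core_answer": "\r\n".join(core) + "\r\n"}
```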
The message sequence chart shown in Figure 6.2.10.4.3.1 gives an example of a session establishment towards the IMS access network with an emphasis on the additional aspects for the IMS-ALG and the IMS-AGW for the e2ae protection of the T.38 fax media using UDPTL over DTLS.
[Figure 6.2.10.4.3.1: Session setup towards the IMS access network with e2ae protection of T.38 fax]
6.2.10.4.4  IMS-AGW procedure for e2ae security of T.38 fax using "UDP/TLS/UDPTL"
The IMS-AGW shall:
  • upon reception of the Local certificate fingerprint Request information element, select an own certificate for the T.38 fax media stream, uniquely associate the own certificate with the T.38 media stream, and send to the IMS-ALG the Local certificate fingerprint information element with the fingerprint of the own certificate;
  • uniquely associate the value of the Remote certificate fingerprint information element, received from the IMS-ALG, with the corresponding T.38 fax media stream;
  • take a DTLS server role and be prepared to receive a DTLS ClientHello message from the served UE;
  • upon reception of the Establish (D)TLS session information element, take a DTLS client role and start DTLS session establishment by sending the DTLS ClientHello message to the served UE; and
  • verify during the subsequent DTLS handshake with the served UE (as described in RFC 7345 and RFC 8842) that the fingerprint of the certificate passed by the served UE during DTLS handshake matches the value of the Remote certificate fingerprint information element received from the IMS-ALG:
    1. if the verification fails, the IMS-AGW shall regard the remote DTLS endpoint as not authenticated, terminate the DTLS session and as specified in clause 6.2.10.4.5, shall report the unsuccessful DTLS session setup to the IMS-ALG; or
    2. if the verification succeeds, the IMS-AGW shall continue with DTLS session setup and when the DTLS session is established, the IMS-AGW shall be prepared to receive and convert the protected media from the served UE to the unprotected media to be sent to the core network and vice versa.
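The fingerprint check in the last bullet, as an added example that is not part of TS 23.334 or of any IMS-AGW implementation. The certificate bytes are a constructed placeholder rather than real DER; the fingerprint format follows RFC 8122 (hash function name, then colon-separated uppercase hex), and the per-stream state dictionary is an assumption used only to show the two outcomes.

```python
import hashlib
import hmac

# RFC 8122 hash function names mapped to hashlib algorithm names
_HASHES = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
           "sha-384": "sha384", "sha-512": "sha512"}

def fingerprint(cert_der, hash_name="sha-256"):
    """Format a certificate fingerprint as carried in a=fingerprint (RFC 8122)."""
    digest = hashlib.new(_HASHES[hash_name], cert_der).digest()
    return hash_name + " " + ":".join(f"{b:02X}" for b in digest)

def verify_remote_certificate(cert_der, remote_fingerprint_ie):
    """IMS-AGW check of 6.2.10.4.4: the fingerprint of the certificate presented by the
    served UE in the DTLS handshake must match the Remote certificate fingerprint IE."""
    try:
        hash_name, value = remote_fingerprint_ie.split(None, 1)
    except ValueError:
        return False                      # malformed IE: cannot authenticate
    alg = _HASHES.get(hash_name.lower())
    if alg is None:
        return False                      # unsupported hash function: not authenticated
    expected = value.replace(":", "").lower()
    actual = hashlib.new(alg, cert_der).hexdigest()
    return hmac.compare_digest(expected, actual)   # constant-time comparison

def agw_on_handshake_certificate(cert_der, remote_fingerprint_ie, stream_state):
    """Apply the two outcomes of the clause to a per-stream state dict (assumed structure)."""
    if verify_remote_certificate(cert_der, remote_fingerprint_ie):
        stream_state["dtls"] = "established"   # continue setup, then relay protected <-> unprotected
        stream_state["relay"] = True
        return "continue"
    stream_state["dtls"] = "terminated"        # remote endpoint not authenticated
    stream_state["relay"] = False
    stream_state["notify"] = "(D)TLS session establishment failure"   # reported per 6.2.10.4.5
    return "failure_reported"

# Constructed placeholder standing in for a DER-encoded certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
```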
6.2.10.4.5  DTLS session establishment failure indication
The IMS-AGW shall use a Notify (D)TLS session establishment Failure Indication procedure to report DTLS session establishment related failures.
Figure 6.2.10.4.5.1 shows an example message sequence chart for the case where the IMS-AGW reports the unsuccessful DTLS session setup to the IMS-ALG.
[Figure 6.2.10.4.5.1: DTLS session establishment failure indication]