TR 29.828
CT4
★
Study on
Extended IMS Media Plane Security Features
and TCP-related Network Address Translation (NAT) Traversal support –
IMS H.248 Profiles aspects
use "3GPP‑Page" to get the Word version
for a better overview, the Table of Contents (ToC) is reproduced
for a better overview, the Table of Contents (ToC) is reproduced
V12.1.0 (Wzip)
2015/01 111 p.
Rapporteur: Mr. Landais, Bruno
The present document investigates the IMS H.248 profiles requirements and procedures to support the stage 2
requirements specified in TS 33.328 for Extended IMS media plane security features.
This includes in particular the following aspects:
This study will cover:
The results of this study will be used to identify the changes required in the 3GPP specifications to support Extended
IMS media plane security.
- Provide end-to access edge protection of session based messaging (MSRP) traffic using TLS and certificates fingerprints exchanged over SDP;
- Provide end-to-end protection of session based messaging (MSRP) traffic using TLS;
- Provide end-to access edge protection of BFCP based traffic, using TLS and certificates fingerprints exchanged over SDP;
- Provide optional support of TLS protection of BFCP and MSRP based traffic at the Conference Server.
-
Analyse requirements and procedures for end-to-end TCP bearer connection control and related NAT traversal
support.
NOTE: this aspect is not specific to media security and may result in normative work via another work item. - Provide support of TCP-based IP transport connections for TLS security sessions, which includes possible NAT traversal support during the TCP connection establishment phase, possible correlations between the establishment (and release) events of TCP connections with TLS session establishment (and release).
- Provide end-to access edge protection of T.38 fax using DTLS.
- Identification of the key issues and the main design considerations that should drive the definition of stage 2 requirements and procedures for the Iq, Ix and Mp profiles;
- Identification of the requirements and procedures for the Iq, Ix and Mp profiles for support of end-to-access edge and end-to-end media security for session-based messaging (MSRP) and conferencing (BFCP);
- Identification of the requirements and procedures for the Iq profile for support of end-to-access edge media security for T.38 fax over UDPTL/UDP transport;
- Identification of the ITU-T H.248 extensions necessary to fulfil the 3GPP requirements and identification of potential missing gaps that should be taken into account by ITU-T Q3/16;
- Conclusions and Recommendations for the normative work.
full Table of Contents for TR 29.828 Word version: 12.1.0
1 Scope
2 References
3 Definitions and abbreviations
4 Key issues and Design considerations for Extended IMS media plane security features
5 IMS-ALG/ IMS-AGW interface (Iq)
6 IBCF/ TrGW interface (Ix)
7 MRFC/ MRFP interface (Mp)
8 3GPP- ITU-T H.248 requirements gap analysis
9 Conclusions and recommendations
A Impacts on existing specifications
B Release 12 requirements and procedures for extended media security
C Interworking between sessmatch and CEMA
D Preventing TLS establishment collision without a TLS B2BUA
E Example end-to-end network scenario
F Example traffic flow (communication establishment phase)
G Change history
1 Scope Word-p. 8
2 References
3 Definitions and abbreviations Word-p. 11
4 Key issues and Design considerations for Extended IMS media plane security features Word-p. 13
4.1 Media security for Session based messaging (MSRP)
5 IMS-ALG/ IMS-AGW interface (Iq) Word-p. 38
4.1.1 General design considerations
4.1.2 Assumptions and limitations for MSRP support Word-p. 15
4.1.3 Scenarios in scope Word-p. 16
4.1.4 MSRP-agnostic vs. MSRP-aware mode Word-p. 19
4.2 Media security for conferencing (BFCP) Word-p. 20
4.2.1 General design considerations
4.2.2 Assumptions and limitations for BFCP support
4.2.3 Scenarios in scope Word-p. 21
4.2.4 BFCP-agnostic vs. BFCP-aware mode
4.3 TLS procedures Word-p. 22
4.3.1 Introduction - Media/transport security sessions at Mb
4.3.2 H.248 bearer type indication "TLS"
4.3.3 TLS security session establishment Word-p. 23
4.4 TCP procedures
4.3.3.1 TLS client/server role assignment 
4.3.4 TLS security session release
4.3.5 TLS protocol profile
4.3.3.1.1 General
4.3.3.1.2 Application agnostic TLS-over-TCP
4.3.3.1.3 Application aware scenario "MSRP-over-TLS-over-TCP"
4.3.3.1.4 Application aware scenario "BFCP-over-TLS-over-TCP" Word-p. 24
4.3.3.2 Start of TLS security session establishment
4.4.1 H.248 bearer type indication "TCP"
4.4.2 TCP connection establishment
4.5 MGC information baseline for gateway control decisions Word-p. 35
4.6 Media security for T.38 fax over UDPTL/UDP transport
4.4.2.1 TCP client/server role assignment
4.4.3 TCP connection release Word-p. 33
4.4.4 TCP Interworking in the MGW Word-p. 34
4.4.2.1.1 SIP level negotiation of TCP server and client role by MGC
4.4.2.1.2 H.248 control of TCP connection establishment at MGC by MGW Word-p. 30
4.4.2.2 Start of TCP connection establishment Word-p. 32
4.4.2.3 L3/L4 level NAT traversal support
4.6.1 General design considerations
4.6.2 Assumptions and limitations for T.38 fax support Word-p. 36
4.6.2.1 T.38 transport
4.6.2.2 Establishment directions of SIP session and DTLS session
4.6.2.3 Framework for e2ae security
4.6.3 Scenarios in scope
4.6.4 Consideration of application awareness of IMS-AGW Word-p. 37
5.1 Requirements
6 IBCF/ TrGW interface (Ix) Word-p. 67
7 MRFC/ MRFP interface (Mp) Word-p. 68
5.1.1 End-to-access edge security for TCP-based media using TLS
5.2 Procedures
5.1.1.1 General requirements
5.1.1.2 Specific requirements for session based messaging (MSRP)
5.1.2 End-to-end security for TCP-based media using TLS
5.1.1.2.1 General
5.1.1.2.2 Certificate fingerprints based solution for TLS and key management
5.1.1.2.3 Mutual authentication and authorization of TLS endpoints
5.1.1.2.4 Functional extension of the Iq interface for e2ae protection for MSRP
5.1.1.2.5 Specific MSRP based media e2ae protection requirements for IMS-ALG Word-p. 40
5.1.1.3 Specific requirements for conferencing (BFCP)
5.1.1.2.4 Functional extension of the Iq interface for e2ae protection for MSRP
5.1.1.2.5 Specific MSRP based media e2ae protection requirements for IMS-ALG Word-p. 40
5.1.2.1 General requirements
5.1.2.2 Specific requirements for session based messaging (MSRP)
5.1.2.3 Specific requirements for conferencing (BFCP) Word-p. 42
5.1.3 End-to-access edge security for UDP-based media using DTLS
5.1.4 MSRP handling Word-p. 43
5.1.4.1 General
5.1.4.2 IMS-ALG procedures to support IETF RFC 6714 with application agnostic MSRP handling by the IMS-AGW Word-p. 44
5.1.4.3 IMS-ALG procedures to support IETF draft-ietf-simple-msrp-sessmatch with application agnostic MSRP handling by the IMS-AGW
5.1.4.4 IMS-ALG procedures for application aware MSRP interworking by the IMS-AGW
5.1.4.5 Application-aware MSRP interworking at the IMS-AGW Word-p. 45
5.2.1 End-to-access edge security for TCP-based media using TLS
5.2.1.1 Generic procedures
5.2.1.2 Specific procedures for session based messaging (MSRP)
5.2.2 End-to-end security for TCP-based media using TLS Word-p. 62
5.2.1.2.1 Indicating support of e2ae security during registration.
5.2.1.2.2 IMS UE originating procedures for e2ae Word-p. 46
5.2.1.3 Specific procedures for conferencing (BFCP) Word-p. 56
5.2.1.2.2.1 Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.
5.2.1.2.2.2 IMS-ALG requests sending an outgoing TCP bearer establishment. Word-p. 49
5.2.1.2.3 IMS UE terminating procedures for e2ae Word-p. 51
5.2.2.1 Generic procedures
5.2.2.2 Specific procedures for session based messaging (MSRP)
5.2.2.3 Specific procedures for conferencing (BFCP)
5.2.3 End-to-access edge security for UDP-based media using DTLS
7.1 Requirements
7.2 Procedures
8 3GPP- ITU-T H.248 requirements gap analysis Word-p. 81
7.2.1 End-to-end security for TCP-based media using TLS
7.2.1.1 Generic procedures
7.2.1.2 Specific procedures for session based messaging (MSRP)
7.2.1.2.1 General
7.2.1.2.2 IMS UE originating procedures ("dial-in" scenario) for e2e Word-p. 71
7.2.1.2.3 IMS UE terminating procedures ("dial-out" scenario) for e2e Word-p. 74
7.2.1.3 Specific procedures for conferencing (BFCP) Word-p. 76
8.1 Relevant ITU-T Recommendations
8.3 Status gap analysis
9 Conclusions and recommendations Word-p. 82
A Impacts on existing specifications Word-p. 83
B Release 12 requirements and procedures for extended media security Word-p. 84
C Interworking between sessmatch and CEMA Word-p. 97
8.1.1 Capabilities related to TCP bearer support
8.1.2 Capabilities related to NAT-T support
8.1.3 Capabilities related to media security support
8.1.4 Capabilities related to support of MGW autonomous behaviour
8.2 Scope of ITU-T "(D)TLS transport security"
8.3 Status gap analysis
C.1 Scope
C.2 MSRP Interworking Function
C.3 Procedures for SBC without User Plane MSRP B2BUA Word-p. 100
D Preventing TLS establishment collision without a TLS B2BUA Word-p. 101
E Example end-to-end network scenario Word-p. 102
E.1 Scope
E.2 Aspect of IP realms
E.3 Aspect of TCP bearer connection establishment Word-p. 104
E.4 Aspects of TCP flow control Word-p. 107
F Example traffic flow (communication establishment phase) Word-p. 108
F.1 Scope
F.2 TCP bearer connection establishment (example)
F.3 TLS security session establishment (example) Word-p. 110
G Change history Word-p. 111
