Tech-invite   3GPPspecs   Glossaries   IETFRFCs   Groups   SIP   ABNFs   Ti+   Search in Tech-invite
Top   in Index   Prev   Next

TR 29.828 (CT4)
Study on Extended IMS Media Plane Security Features
and TCP-related Network Address Translation (NAT) Traversal support –
IMS H.248 Profiles aspects

3GPP‑Page   full‑ToC    
use "3GPP‑Page" to get the Word version
for a better overview, the Table of Contents (ToC) is reproduced
V12.1.0 (Wzip)  2015/01  111 p.

Rapporteur:  Mr. Landais, Bruno
The present document investigates the IMS H.248 profiles requirements and procedures to support the stage 2 requirements specified in TS 33.328 for Extended IMS media plane security features.

This includes in particular the following aspects:
  • Provide end-to access edge protection of session based messaging (MSRP) traffic using TLS and certificates fingerprints exchanged over SDP;
  • Provide end-to-end protection of session based messaging (MSRP) traffic using TLS;
  • Provide end-to access edge protection of BFCP based traffic, using TLS and certificates fingerprints exchanged over SDP;
  • Provide optional support of TLS protection of BFCP and MSRP based traffic at the Conference Server.
  • Analyse requirements and procedures for end-to-end TCP bearer connection control and related NAT traversal support.
    NOTE:  this aspect is not specific to media security and may result in normative work via another work item.
  • Provide support of TCP-based IP transport connections for TLS security sessions, which includes possible NAT traversal support during the TCP connection establishment phase, possible correlations between the establishment (and release) events of TCP connections with TLS session establishment (and release).
  • Provide end-to access edge protection of T.38 fax using DTLS.
This study will cover:
  • Identification of the key issues and the main design considerations that should drive the definition of stage 2 requirements and procedures for the Iq, Ix and Mp profiles;
  • Identification of the requirements and procedures for the Iq, Ix and Mp profiles for support of end-to-access edge and end-to-end media security for session-based messaging (MSRP) and conferencing (BFCP);
  • Identification of the requirements and procedures for the Iq profile for support of end-to-access edge media security for T.38 fax over UDPTL/UDP transport;
  • Identification of the ITU-T H.248 extensions necessary to fulfil the 3GPP requirements and identification of potential missing gaps that should be taken into account by ITU-T Q3/16;
  • Conclusions and Recommendations for the normative work.
The results of this study will be used to identify the changes required in the 3GPP specifications to support Extended IMS media plane security.

full Table of Contents for  TR 29.828  Word version:   12.1.0

 

Here   Top

 

1 Scope2 References3 Definitions and abbreviations4 Key issues and Design considerations for Extended IMS media plane security features5 IMS-ALG/ IMS-AGW interface (Iq)6 IBCF/ TrGW interface (Ix)7 MRFC/ MRFP interface (Mp)8 3GPP- ITU-T H.248 requirements gap analysis9 Conclusions and recommendationsA Impacts on existing specificationsB Release 12 requirements and procedures for extended media securityC Interworking between sessmatch and CEMAD Preventing TLS establishment collision without a TLS B2BUAE Example end-to-end network scenarioF Example traffic flow (communication establishment phase)G Change history

 

1  ScopeWord-p. 8
2  References
3  Definitions and abbreviationsWord-p. 11
3.1  Definitions
3.2  AbbreviationsWord-p. 12
4  Key issues and Design considerations for Extended IMS media plane security featuresWord-p. 13
4.1  Media security for Session based messaging (MSRP)
4.1.1  General design considerations
4.1.2  Assumptions and limitations for MSRP supportWord-p. 15
4.1.3  Scenarios in scopeWord-p. 16
4.1.4  MSRP-agnostic vs. MSRP-aware modeWord-p. 19
4.2  Media security for conferencing (BFCP)Word-p. 20
4.2.1  General design considerations
4.2.2  Assumptions and limitations for BFCP support
4.2.3  Scenarios in scopeWord-p. 21
4.2.4  BFCP-agnostic vs. BFCP-aware mode
4.3  TLS proceduresWord-p. 22
4.3.1  Introduction - Media/transport security sessions at Mb
4.3.2  H.248 bearer type indication "TLS"
4.3.3  TLS security session establishmentWord-p. 23
4.3.3.1  TLS client/server role assignmentUp
4.3.3.1.1  General
4.3.3.1.2  Application agnostic TLS-over-TCP
4.3.3.1.3  Application aware scenario "MSRP-over-TLS-over-TCP"
4.3.3.1.4  Application aware scenario "BFCP-over-TLS-over-TCP"Word-p. 24
4.3.3.2  Start of TLS security session establishment
4.3.4  TLS security session release
4.3.4.1  TLS-to-TCP relations
4.3.4.2  MGW: stimuli for TLS security session releaseWord-p. 25
4.3.5  TLS protocol profile
4.3.5.1  ConfigurationUp
4.3.5.2  TLS protocol profile awareness at MGC level
4.4  TCP procedures
4.4.1  H.248 bearer type indication "TCP"
4.4.2  TCP connection establishment
4.4.2.1  TCP client/server role assignment
4.4.2.1.1  SIP level negotiation of TCP server and client role by MGC
4.4.2.1.2  H.248 control of TCP connection establishment at MGC by MGWWord-p. 30
4.4.2.2  Start of TCP connection establishmentWord-p. 32
4.4.2.3  L3/L4 level NAT traversal support
4.4.3  TCP connection releaseWord-p. 33
4.4.3.1  TLS-to-TCP relations
4.4.3.2  MGW: stimuli for TCP connection release
4.4.4  TCP Interworking in the MGWWord-p. 34
4.5  MGC information baseline for gateway control decisionsWord-p. 35
4.6  Media security for T.38 fax over UDPTL/UDP transport
4.6.1  General design considerations
4.6.2  Assumptions and limitations for T.38 fax supportWord-p. 36
4.6.2.1  T.38 transport
4.6.2.2  Establishment directions of SIP session and DTLS session
4.6.2.3  Framework for e2ae securityUp
4.6.3  Scenarios in scope
4.6.4  Consideration of application awareness of IMS-AGWWord-p. 37
5  IMS-ALG/ IMS-AGW interface (Iq)Word-p. 38
5.1  Requirements
5.1.1  End-to-access edge security for TCP-based media using TLS
5.1.1.1  General requirements
5.1.1.2  Specific requirements for session based messaging (MSRP)
5.1.1.2.1  General
5.1.1.2.2  Certificate fingerprints based solution for TLS and key management
5.1.1.2.3  Mutual authentication and authorization of TLS endpointsUp
5.1.1.2.4  Functional extension of the Iq interface for e2ae protection for MSRP
5.1.1.2.5  Specific MSRP based media e2ae protection requirements for IMS-ALGWord-p. 40
5.1.1.3  Specific requirements for conferencing (BFCP)
5.1.1.3.1  General
5.1.1.3.2  Security for conferencing based on SIP signalling security
5.1.1.3.3  Specific BFCP based media e2ae protection requirements for IMS-ALG.Word-p. 41
5.1.2  End-to-end security for TCP-based media using TLS
5.1.2.1  General requirements
5.1.2.2  Specific requirements for session based messaging (MSRP)
5.1.2.3  Specific requirements for conferencing (BFCP)Word-p. 42
5.1.3  End-to-access edge security for UDP-based media using DTLS
5.1.3.1  General requirements
5.1.3.2  Specific requirements for T.38 fax over UDPTL/UDP transport
5.1.4  MSRP handlingWord-p. 43
5.1.4.1  General
5.1.4.2  IMS-ALG procedures to support IETF RFC 6714 with application agnostic MSRP handling by the IMS-AGWWord-p. 44
5.1.4.3  IMS-ALG procedures to support IETF draft-ietf-simple-msrp-sessmatch with application agnostic MSRP handling by the IMS-AGW
5.1.4.4  IMS-ALG procedures for application aware MSRP interworking by the IMS-AGW
5.1.4.5  Application-aware MSRP interworking at the IMS-AGWWord-p. 45
5.2  ProceduresUp
5.2.1  End-to-access edge security for TCP-based media using TLS
5.2.1.1  Generic procedures
5.2.1.2  Specific procedures for session based messaging (MSRP)
5.2.1.2.1  Indicating support of e2ae security during registration.
5.2.1.2.2  IMS UE originating procedures for e2aeWord-p. 46
5.2.1.2.2.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.
5.2.1.2.2.2  IMS-ALG requests sending an outgoing TCP bearer establishment.Word-p. 49
5.2.1.2.3  IMS UE terminating procedures for e2aeWord-p. 51
5.2.1.2.3.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.
5.2.1.2.3.2  IMS-ALG requests sending an outgoing TCP bearer establishment.Word-p. 54
5.2.1.3  Specific procedures for conferencing (BFCP)Word-p. 56
5.2.1.3.1  Indicating support of e2ae security during registration.
5.2.1.3.2  IMS UE originating procedures for e2ae
5.2.1.3.3  IMS UE terminating procedures for e2aeWord-p. 59
5.2.2  End-to-end security for TCP-based media using TLSWord-p. 62
5.2.2.1  Generic procedures
5.2.2.2  Specific procedures for session based messaging (MSRP)
5.2.2.3  Specific procedures for conferencing (BFCP)
5.2.3  End-to-access edge security for UDP-based media using DTLS
5.2.3.1  Generic proceduresUp
5.2.3.1.1  Context model
5.2.3.2  Specific procedures for T.38 fax over UDPTL/UDP transport
5.2.3.2.1  Indicating support of e2ae security during registration
5.2.3.2.2  IMS UE originating procedures for e2aeWord-p. 63
5.2.3.2.3  IMS UE terminating procedures for e2aeWord-p. 65
6  IBCF/ TrGW interface (Ix)Word-p. 67
6.1  Requirements
6.1.1  End-to-end security for TCP-based media using TLS
6.1.1.1  General requirements
6.1.1.2  Specific requirements for session based messaging (MSRP)Up
6.1.1.3  Specific requirements for conferencing (BFCP)
6.2  Procedures
6.2.1  End-to-end security for TCP-based media using TLS
6.2.1.1  Generic procedures
6.2.1.2  Specific procedures for session based messaging (MSRP)
6.2.1.3  Specific procedures for conferencing (BFCP)
7  MRFC/ MRFP interface (Mp)Word-p. 68
7.1  Requirements
7.1.1  End-to-end security for TCP-based media using TLS
7.1.1.1  General requirementsUp
7.1.1.2  Specific requirements for session based messaging (MSRP)Word-p. 69
7.1.1.3  Specific requirements for conferencing (BFCP)Word-p. 70
7.2  Procedures
7.2.1  End-to-end security for TCP-based media using TLS
7.2.1.1  Generic procedures
7.2.1.1.1  Ad-hoc Conferences
7.2.1.2  Specific procedures for session based messaging (MSRP)
7.2.1.2.1  General
7.2.1.2.2  IMS UE originating procedures ("dial-in" scenario) for e2eWord-p. 71
7.2.1.2.3  IMS UE terminating procedures ("dial-out" scenario) for e2eWord-p. 74
7.2.1.3  Specific procedures for conferencing (BFCP)Word-p. 76
7.2.1.3.1  IMS UE originating procedures ("dial-in" scenario) for e2e
7.2.1.3.2  IMS UE terminating procedures ("dial-out" scenario) for e2eWord-p. 78
8  3GPP- ITU-T H.248 requirements gap analysisWord-p. 81
8.1  Relevant ITU-T Recommendations
8.1.1  Capabilities related to TCP bearer support
8.1.2  Capabilities related to NAT-T support
8.1.3  Capabilities related to media security support
8.1.4  Capabilities related to support of MGW autonomous behaviour
8.2  Scope of ITU-T "(D)TLS transport security"Up
8.3  Status gap analysis
9  Conclusions and recommendationsWord-p. 82
A  Impacts on existing specificationsWord-p. 83
B  Release 12 requirements and procedures for extended media securityWord-p. 84
C  Interworking between sessmatch and CEMAWord-p. 97
C.1  Scope
C.2  MSRP Interworking Function
C.3  Procedures for SBC without User Plane MSRP B2BUAWord-p. 100
D  Preventing TLS establishment collision without a TLS B2BUAWord-p. 101
E  Example end-to-end network scenarioWord-p. 102
E.1  Scope
E.2  Aspect of IP realms
E.3  Aspect of TCP bearer connection establishmentWord-p. 104
E.4  Aspects of TCP flow controlWord-p. 107
E.4.1  Overview
E.4.2  TCP flow control during establishment phase
E.4.2.1  Without early application data
E.4.2.2  With early application data
E.4.3  TCP flow control during active data transfer phase
F  Example traffic flow (communication establishment phase)Word-p. 108
F.1  Scope
F.2  TCP bearer connection establishment (example)
F.3  TLS security session establishment (example)Word-p. 110
G  Change historyWord-p. 111

Up   Top