6.2.10 IMS end-to-access-edge Media Plane Security

23.3343GPPIP Multimedia Subsystem (IMS) Application Level Gateway (IMS-ALG) - IMS Access Gateway (IMS-AGW) interface: Procedures descriptionsRelease 17TS

6.2.10.1 General

All message sequence charts in this clause are examples.

The H.248 context model is defined in Figure 6.2.1.1.

6.2.10.2 End-to-access-edge security for RTP based media using SDES

This procedure is identical to that of clause 6.2.1 apart from the IMS-ALG optionally requesting the IMS-AGW to provide IMS media plane security in accordance with 3GPP TS 33.328 [12].

The IMS-ALG shall provide the following media plane security related parameters to the IMS-AGW:

– the SDES crypto attributes

6.2.10.3 End-to-access-edge security for TCP-based media using TLS

6.2.10.3.1 End-to-access-edge security for session based messaging (MSRP)

6.2.10.3.1.1 IMS UE originating procedures for e2ae

6.2.10.3.1.1.1 Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

Figure 6.2.10.3.1.1.1.1 shows an example call flow for the originating session set-up procedures for one MSRP media stream using e2ae security, where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.

Figure 6.2.10.3.1.1.1.1: Originating example call flow for e2ae security for MSRP where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

The IMS UE A performs an IMS originating session set-up according to 3GPP TS 23.228 [2], with modifications as described in 3GPP TS 33.328 [12].

The procedure in the above figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.

1. IMS UE A sends an SDP offer for a media stream containing cryptographic information, together with an "a=3ge2ae:requested" SDP attribute for the MSRP-related SDP m-line, to the P‑CSCF (IMS‑ALG). For e2ae protection of MSRP the cryptographic information contained in the SDP offer consists of the fingerprint of the certificate of IMS UE A in accordance to IETF RFC 4975 [25]. For each media stream that uses transport "TCP/TLS/MSRP", the P‑CSCF (IMS‑ALG) checks for the presence of the "a=3ge2ae:requested" SDP attribute. If that indication is present and the P‑CSCF (IMS‑ALG) indicated support of e2ae-security for MSRP during registration, the P‑CSCF (IMS‑ALG) allocates the required resources, includes the IMS‑AGW in the media path and proceeds as specified in this clause.

NOTE 1: An operator can choose to terminate TLS in the IMS‑AGW according to the following steps for all media streams that are signalled in SIP INVITE messages with transport TCP/TLS/MSRP and a certificate fingerprint attribute, even if the UE did not indicate support for e2ae security during registration and did not indicate usage of e2ae security for the respective media streams in the INVITE. This can lead to session failures for pre-Rel-12 IMS UEs or non-IMS UEs due to a mismatch of security parameters sent by the network and expected by the UE, but on the other hand, it will ensure compatibility with GSMA RCS 5.1 [35, 36], which specifies that TLS for MSRP is always terminated in the network.

2.-4. The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP" media (for application-agnostic interworking) or "TCP/MSRP" media (for application-aware interworking) towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T2 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T2 as a trigger to send a TCP connection establishment on the termination T1.

NOTE 2: If "a=setup:passive" is received in the SDP answer in step 12, the IMS-ALG then needs to set the interlinkage topology on the termination T1 (not depicted).

5.-7. The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP/TLS" media (for application-agnostic interworking) or "TCP/TLS/MSRP" media (for application-aware interworking) towards the access network. In the remote descriptor, it provides the IP address, port and fingerprint attribute received from the UE containing the fingerprint of the UE´s certificate in accordance to IETF RFC 4975 [25]. This instructs the IMS‑AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P‑CSCF (IMS‑ALG) to the IMS‑AGW. In turn, the IMS‑AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P‑CSCF (IMS‑ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute.

NOTE 3: These steps could be combined with steps 16.-18. This saves H.248 signalling interactions but can delay the TCP connection setup.

8. The P‑CSCF (IMS‑ALG) changes the transport from "TCP/TLS/MSRP" to "TCP/MSRP" in the SDP offer, removes the "a=3ge2ae:requested" SDP attribute and the fingerprint SDP attribute, and inserts the address information received from the IMS-AGW.

9. The P‑CSCF (IMS‑ALG) forwards the SDP offer.

10. The remote peer chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the remote peer.
If the TCP SYN is not answered before a timer expiry, the remote peer will send the TCP SYN a second time (step 10′). The IMS‑AGW will answer a repeated TCP SYN if it is received after step 13 (step 10′).
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.

11. The IMS-AGW uses the TCP SYN received at the termination T2 (at step 10 or step 10′ if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the UE to establish a TCP connection (effectively making the IMS-AGW acting as the TCP client towards the UE).. The UE answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.

12. The P‑CSCF (IMS‑ALG) receives the SDP answer.

13.-15. The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with remote address information. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.

NOTE 4: For "a=setup:active" in the SDP answer, these steps could possibly be skipped if the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, as the IMS-AGW will then use the address information in the TCP SYN when replying.

16.-18. The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the access network with the request to establish the TLS session once the TCP connection is established (effectively making the IMS-AGW acting as the TLS client), in accordance with the information in the "a=setup" attribute in the SDP answer.

19. The P‑CSCF (IMS‑ALG) modifies the SDP answer before sending it to the UE A. The P‑CSCF (IMS‑ALG) sets the transport to "TCP/TLS/MSRP" and includes the fingerprint of the IMS‑AGW´s certificate in accordance to IETF RFC 4975 [25].

20. The P-CSCF (IMA-ALG) then sends the updated SDP answer to IMS UE A. After receiving this message IMS UE A completes the media security setup.

21. Upon completion of the TCP connection establishment, the IMS-AGW starts the establishment of the TLS session.

6.2.10.3.1.1.2 IMS-ALG requests sending an outgoing TCP bearer establishment

Figure 6.2.10.3.1.1.2.1 shows an example call flow for the originating session set-up procedures for one MSRP media stream using e2ae security, where the IMS-ALG requests sending an outgoing TCP bearer establishment.

Figure 6.2.10.3.1.1.2.1: Originating example call flow for e2ae security for MSRP where the IMS-ALG requests sending an outgoing TCP bearer establishment

The IMS UE A performs an IMS originating session set-up according to 3GPP TS 23.228 [2], with modifications as described in 3GPP TS 33.328 [12].

The procedure in the above figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.

1. As step 1 in figure 6.2.10.3.1.1.1.1.

2.-4. As steps 2-4 in figure 6.2.10.3.1.1.1.1 with the exception that the IMS-ALG does not set the interlinkage topology on the termination T2.

5.-7. As steps 5-7 in figure 6.2.10.3.1.1.1.1.

8. As step 8 in figure 6.2.10.3.1.1.1.1.

9. As step 9 in figure 6.2.10.3.1.1.1.1.

10. As step 10 in figure 6.2.10.3.1.1.1.1.

NOTE: The incoming TCP SYN does not trigger the sending of an outgoing TCP SYN, and step 11 in figure 6.2.10.3.1.1.1.1thus does not apply.

11. As step 12 in figure 6.2.10.3.1.1.1.1.

12.-14. As steps 13-15 in figure 6.2.10.3.1.1.1.1.

15.-17. As steps 16-18 in figure 6.2.10.3.1.1.1.1with the exception that the IMS-ALG uses the "Configure AGW Connection Point" procedure also to configure the termination towards the access network with the request to establish the TCP connection (effectively making the IMS-AGW acting as the TCP client), in accordance with the information in the "a=setup" attribute in the SDP answer.

18. The IMS-AGW sends a TCP SYN towards the UE to establish a TCP connection. The UE answers with a TCP SYN ACK and the IMS‑AGW replies with a TCP ACK, completing the TCP connection establishment.

19. As step 21 in figure 6.2.10.3.1.1.1.1.

20. As step 19 in figure 6.2.10.3.1.1.1.1.

21. As step 20 in figure 6.2.10.3.1.1.1.1.

6.2.10.3.1.2 IMS UE terminating procedures for e2ae

6.2.10.3.1.2.1 Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

Figure 6.2.10.3.1.2.1.1 shows an example call flow for the terminating session set-up procedures for one MSRP media stream using e2ae security, where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.

Figure 6.2.10.3.1.2.1.1: Terminating example call flow for e2ae security for MSRP where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

The IMS UE B performs an IMS terminating session set-up according to 3GPP TS 23.228 [2], with modifications as described in 3GPP TS 33.328 [12].

The procedure in the above figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.

1. The P‑CSCF (IMS‑ALG) receives an SDP offer for an MSRP media stream. For each MSRP media stream offered with transport "TCP/MSRP", if both the IMS UE and P‑CSCF (IMS‑ALG) indicated support for e2ae-security for MSRP during registration, the P‑CSCF (IMS‑ALG) allocates the required resources, includes the IMS‑AGW in the media path and proceeds as specified in this clause.

NOTE 1: An operator can choose to terminate TLS in the IMS‑AGW according to the following steps for all media streams that are signalled in SIP INVITE messages with transport TCP/MSRP, even if the UE did not indicate support for e2ae security during registration. This can lead to session failures for pre-Rel-12 IMS UEs or non-IMS UEs due to a mismatch of security parameters sent by the network and expected by the UE, but on the other hand, it will ensure compatibility with GSMA RCS 5.1 [35, 36], which recommends to always use e2ae security for MSRP on the terminating leg.

2.-4. The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP/TLS" media (for application-agnostic interworking) or "TCP/TLS/MSRP" media (for application-aware interworking) towards the access network. In turn, the IMS‑AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P‑CSCF (IMS‑ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T1 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T1 as a trigger to send a TCP connection establishment on the termination T2.

NOTE 2: If "a=setup:passive" is received in the SDP answer in step 13, the IMS-ALG then needs to sets the interlinkage topology on the termination T2 (not depicted)

5.-7. The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP" media (for application-agnostic interworking) or "TCP/ MSRP" media (for application-aware interworking) towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute.

8. The P‑CSCF (IMS‑ALG) changes the transport from "TCP/ MSRP" to "TCP/TLS/MSRP" in the SDP offer, adds the "a=3ge2ae:applied" SDP attribute and the fingerprint SDP attribute received from the IMS-AGW, and inserts the address information received from the IMS-AGW.

9. The P‑CSCF (IMS‑ALG) forwards the SDP offer.

10. The UE B chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the UE.
If the TCP SYN is not answered before a timer expiry, the UE will send the TCP SYN a second time (step 10′). The IMS‑AGW will answer a repeated TCP SYN if it is received after step 14 (step 10′).
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.

11. The IMS-AGW uses the TCP SYN received at the termination T1 (at step 10 or step 10′ if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the core network to establish a TCP connection (effectively making the IMS-AGW acting as the TCP client towards the core network). The remote peer answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.

12. Upon completion of the TCP connection establishment, the UE B starts the establishment of the TLS session. The IMS-AGW needs to wait until step 14 to verify the received fingerprint.

13. The P‑CSCF (IMS‑ALG) receives the SDP answer. It contains the fingerprint attribute with the UE´s certificate in accordance to IETF RFC 4975 [25].

14.-16. The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the UE B with remote address information. In the remote descriptor, it also provides fingerprint attribute received from the UE. This instructs the IMS‑AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P‑CSCF (IMS‑ALG) to the IMS‑AGW. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.

17. The P‑CSCF (IMS‑ALG) modifies the SDP answer before sending it to the core network. The P‑CSCF (IMS‑ALG) sets the transport to "TCP/ MSRP" and removes the SDP fingerprint attribute.

18. The P-CSCF (IMA-ALG) then sends the updated SDP answer to core network.

6.2.10.3.1.2.2 IMS-ALG requests sending an outgoing TCP bearer establishment

Figure 6.2.10.3.1.2.2.1 shows an example call flow for the terminating session set-up procedures for one MSRP media stream using e2ae security, where the IMS-ALG requests sending an outgoing TCP bearer establishment.

Figure 6.2.10.3.1.2.2.1: Terminating example call flow for e2ae security for MSRP where the IMS-ALG requests sending an outgoing TCP bearer establishment

The IMS UE B performs an IMS terminating session set-up according to 3GPP TS 23.228 [2], with modifications as described in 3GPP TS 33.328 [12].

The procedure in the above figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.

1. As step 1 in figure 6.2.10.3.1.2.1.1.

2.-4. As steps 2-4 in figure 6.2.10.3.1.2.1.1 with the exception that the IMS-ALG does not set the interlinkage topology on the termination T1.

5.-7. As steps 7-7 in figure 6.2.10.3.1.2.1.1.

8. As step 8 in figure 6.2.10.3.1.2.1.1.

9. As step 9 in figure 6.2.10.3.1.2.1.1.

10. As step 10 in figure 6.2.10.3.1.2.1.1.

NOTE: The incoming TCP SYN does not trigger the sending of an outgoing TCP SYN, and step 11 in figure 6.2.10.3.1.2.1.1 thus does not apply.

11. As step 12 in figure 6.2.10.3.1.2.1.1.

12. As step 13 in figure 6.2.10.3.1.2.1.1.

13.-15. As steps 14-16 in figure 6.2.10.3.1.2.1.1.

16.-18. The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with the request to establish the TCP connection, in accordance with the information in the "a=setup" attribute in the SDP answer.

19. The IMS-AGW sends a TCP SYN towards the core network to establish a TCP connection. The remote peer answers with a TCP SYN ACK and the IMS‑AGW replies with a TCP ACK, completing the TCP connection establishment.

20. As step 17 in figure 6.2.10.3.1.2.1.1.

21. As step 18 in figure 6.2.10.3.1.2.1.1.

6.2.10.3.2 End-to-access-edge security for conferencing (BFCP)

6.2.10.3.2.1 IMS UE originating procedures for e2ae

6.2.10.3.2.1.1 Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

Figure 6.2.10.3.2.1.1.1 shows the originating session set-up procedures for one or more BFCP media stream(s) using e2ae security.

Figure 6.2.10.3.2.1.1.1: Originating example call flow for e2ae security for BFCP where an incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

The IMS UE A performs an IMS originating session set-up according to 3GPP TS 23.228 [2], with modifications as described in 3GPP TS 33.328 [12].

The procedure in the above figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.

1. IMS UE A sends an SDP offer for a media stream containing cryptographic information, together with an "a=3ge2ae:requested" SDP attribute for the BFCP-related SDP m-line, to the P‑CSCF (IMS‑ALG). For e2ae protection of BFCP the cryptographic information contained in the SDP offer consists of the fingerprint of the certificate of IMS UE A in accordance to IETF RFC 4975 [25]. For each media stream that uses transport "TCP/TLS/BFCP", the P‑CSCF (IMS‑ALG) checks for the presence of the "a=3ge2ae:requested" SDP attribute. If that indication is present and the P‑CSCF (IMS‑ALG) indicated support of e2ae-security for BFCP during registration, the P‑CSCF (IMS‑ALG) allocates the required resources, includes the IMS‑AGW in the media path and proceeds as specified in this clause.

2.-4. The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP" media towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T2 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T2 as a trigger to send a TCP connection establishment on the termination T1.

NOTE 1: If "a=setup:passive" is received in the SDP answer in step 13, the IMS-ALG then needs to set the interlinkage topology on the termination T1 (not depicted).

5.-7. The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP/TLS" media towards the access network. In the remote descriptor, it provides the IP address, port and fingerprint attribute received from the UE containing the fingerprint of the UE´s certificate in accordance to IETF RFC 4975 [25]. This instructs the IMS‑AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P‑CSCF (IMS‑ALG) to the IMS‑AGW. In turn, the IMS‑AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P‑CSCF (IMS‑ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides "a=setup:actpass" attribute.

8. The P‑CSCF (IMS‑ALG) changes the transport from "TCP/TLS/BFCP" to "TCP/BFCP" in the SDP offer, removes the "a=3ge2ae:requested" SDP attribute and the fingerprint SDP attribute, and inserts the address information received from the IMS-AGW.

9. The P‑CSCF (IMS‑ALG) forwards the SDP offer.

10. The remote peer chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the remote peer.
If the TCP SYN is not answered before a timer expiry, the remote peer will send the TCP SYN a second time (step 10′). The IMS‑AGW will answer a repeated TCP SYN if it is received after step 14 (step 10′).
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.

11. The IMS-AGW uses the TCP SYN received at the termination T2 (at step 10 or step 10′ if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the UE to establish a TCP connection (effectively making the IMS-AGW acting as the TCP client towards the UE). The UE answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.

12. Upon completion of the TCP connection establishment, the UE B starts the establishment of the TLS session. The IMS-AGW needs to wait until step 14 to verify the received fingerprint.

13. The P‑CSCF (IMS‑ALG) receives the SDP answer.

14.-16. The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with remote address information. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.

NOTE 2: For "a=setup:active" in the SDP answer, these steps could possibly be skipped if the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, as the IMS-AGW will then use the address information in the TCP SYN when replying.

17. The P‑CSCF (IMS‑ALG) modifies the SDP answer before sending it to the UE A. The P‑CSCF (IMS‑ALG) sets the transport to "TCP/TLS/BFCP" and includes the fingerprint of the IMS‑AGW´s certificate in accordance to IETF RFC 4975 [25].

18. The P-CSCF (IMA-ALG) then sends the updated SDP answer to IMS UE A. After receiving this message IMS UE A completes the media security setup.

6.2.10.3.2.2 IMS UE terminating procedures for e2ae

6.2.10.3.2.2.1 Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment

Figure 6.2.10.3.2.2.1.1 shows the terminating session set-up procedures for one or more BFCP media stream(s) using e2ae security.