M.1 Scope
3GPP TS 33.203: 3G Security; Access security for IP-based services
It is assumed for the purposes of this annex that a NAT device may be located between the UE and the P-CSCF. Only NATs outside the borders of an IMS network are considered, i.e. NATs are assumed to be located at the subscriber's site or in the access network. If there are multiple NATs in either of these locations, it is assumed that their combined effect is equivalent to that of a single NAT, so that the mechanisms described below remain valid.
In this annex enhancements to sections 4 through 8 of this specification are specified that allow a UE and a P-CSCF to detect whether they are located behind a NAT device, to inform each other about their NAT traversal capabilities, and, if there is a NAT present, to securely communicate. If there is no NAT device present, the procedures of sections 6, 7 and 8 apply. Examples of subscribers who are, in general, located behind a NAT device include subscribers accessing IMS via a DSL line.
Furthermore, this specification is restricted to the treatment of NAT traversal for signalling messages. Measures required for NAT traversal of media data are not considered in this specification. The general handling of NAT traversal for signalling messages is specified in TS 23.228 [3] and TS 24.229 [8]. Additional procedures for NAT traversal for protected signalling messages are specified in this specification.
It should be noted that many NAT routers in residential sites also apply port translation, which is typically denoted as Network Address and Port Translation (NAPT). For simplicity the term NAT is used throughout, regardless of whether only address translation or both address and port translation is actually applied.
NOTE: This annex is fully compliant with RFC 3948 [28], but only partially compliant with RFC 3947 [27], because 3GPP IMS security, as specified in this specification (main body and annexes), does not use IKE as the key management protocol for IPsec.