M.6 Security mechanisms
3GPP TS 33.203: 3G Security; Access security for IP-based services
M.6.1 Authentication and key agreement
The text in section 6.1 applies without changes.
M.6.2 Confidentiality mechanisms
If the local policy in the P‑CSCF requires the use of the IMS specific confidentiality protection mechanism between UE and P‑CSCF, IPsec ESP as specified in RFC 4303 [54] shall provide confidentiality protection of SIP signalling between the UE and the P‑CSCF, protecting all SIP signalling messages at the IP level. The IPsec ESP general concepts on Security Policy management, Security Associations and IP traffic processing as described in RFC 4301 [53] shall also be considered. ESP confidentiality shall be applied between UE and P‑CSCF either in transport mode if no NAT is present, or – if NAT traversal shall be supported – in UDP encapsulated tunnel mode. Dummy packets (Next Header = 59) shall not be sent.
NOTE: For interoperability with 3GPP pre-Release 11 implementations, usage of dummy packets is not allowed.
The method to set up ESP security associations (SAs) during the SIP registration procedure is specified in clause M.7. As a result of an authenticated registration procedure, two pairs of unidirectional SAs between the UE and the P‑CSCF, all shared by TCP and UDP, shall be established in the P‑CSCF and later in the UE. One SA pair is for traffic between a client port at the UE and a server port at the P‑CSCF, and the other SA pair is for traffic between a client port at the P‑CSCF and a server port at the UE. For a detailed description of the establishment of these security associations see clause M.7.
The encryption key CK_ESP is the same for the two pairs of simultaneously established SAs. The encryption key CK_ESP is obtained from the key CK_IM established as a result of the AKA procedure, specified in clause M.6.1, using a suitable key expansion function. This key expansion function depends on the ESP encryption algorithm and is specified in Annex I of this specification.
The encryption key expansion on the user side is done in the UE. The encryption key expansion on the network side is done in the P‑CSCF.
M.6.3 Integrity mechanisms
IPsec ESP as specified in RFC 4303 [54] shall provide integrity protection of SIP signalling between the UE and the P‑CSCF, protecting all SIP signalling messages at the IP level. The IPsec ESP general concepts on Security Policy management, Security Associations and IP traffic processing as described in RFC 4301 [53] shall also be considered. ESP integrity shall be applied between UE and P‑CSCF either in transport mode if no NAT is present, or – if NAT traversal shall be supported – in UDP encapsulated tunnel mode.
The method to set up ESP security associations (SAs) during the SIP registration procedure is specified in clause M.7. As a result of an authenticated registration procedure, two pairs of unidirectional SAs between the UE and the P‑CSCF, all shared by TCP and UDP, shall be established in the P‑CSCF and later in the UE. One SA pair is for traffic between a client port at the UE and a server port at the P‑CSCF, and the other SA pair is for traffic between a client port at the P‑CSCF and a server port at the UE. For a detailed description of the establishment of these security associations see clause M.7.
The integrity key IK_ESP is the same for the two pairs of simultaneously established SAs. The integrity key IK_ESP is obtained from the key IK_IM established as a result of the AKA procedure, specified in clause M.6.1, using a suitable key expansion function. This key expansion function depends on the ESP integrity algorithm and is specified in Annex I of this specification.
The integrity key expansion on the user side is done in the UE. The integrity key expansion on the network side is done in the P‑CSCF.
The anti-replay service shall be enabled in the UE and the P‑CSCF on all established SAs.
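The following Python model is an added illustration by the editor of the SA layout described in clauses M.6.2 and M.6.3; it is not text or code from TS 33.203 or from any 3GPP implementation. It builds the four unidirectional SAs (two pairs) between UE and P‑CSCF, shows that the outbound selector is the (address, port) pair and not the transport protocol, and runs the inbound ESP integrity check with the anti-replay window that clause M.6.3 requires on every SA. The key expansion rules are written from the editor's recollection of Annex I (HMAC-SHA-1-96: IK_ESP = IK_IM || 32 most significant bits of IK_IM; DES-EDE3-CBC: CK_ESP = CK_IM || 64 most significant bits of CK_IM; HMAC-MD5-96 and AES-CBC use the key unchanged) and must be verified against Annex I before use. The SPI names spi_uc, spi_us, spi_pc, spi_ps follow the main body of the specification (named after the receiving port); all addresses, ports, SPI values, keys and payloads are constructed for the example, and ESP encryption itself is left out.

```python
"""Editor's added model of the UE <-> P-CSCF ESP SAs (not from TS 33.203)."""
import hashlib
import hmac
from dataclasses import dataclass

# Annex I key expansion as recalled by the editor; verify against Annex I before use.
def expand_ik(ik_im: bytes, alg: str) -> bytes:
    """IK_IM (128 bit) -> IK_ESP sized for the ESP integrity algorithm."""
    if len(ik_im) != 16:
        raise ValueError("IK_IM must be 128 bits")
    if alg == "hmac-md5-96":
        return ik_im                      # 128-bit key used as is
    if alg == "hmac-sha-1-96":
        return ik_im + ik_im[:4]          # IK_IM || 32 most significant bits -> 160 bits
    raise ValueError(f"unsupported integrity algorithm {alg}")

def expand_ck(ck_im: bytes, alg: str) -> bytes:
    """CK_IM (128 bit) -> CK_ESP sized for the ESP encryption algorithm."""
    if len(ck_im) != 16:
        raise ValueError("CK_IM must be 128 bits")
    if alg == "aes-cbc":
        return ck_im                      # 128-bit AES key used as is
    if alg == "des-ede3-cbc":
        return ck_im + ck_im[:8]          # CK_IM || 64 most significant bits -> 192 bits
    raise ValueError(f"unsupported encryption algorithm {alg}")

@dataclass
class SA:
    """One unidirectional SA; the SPI is chosen by the receiving end (RFC 4301)."""
    spi: int
    src: tuple        # (ip, port) of the sender
    dst: tuple        # (ip, port) of the receiver
    ik_esp: bytes
    ck_esp: bytes
    window: int = 64  # anti-replay window width in packets
    top: int = 0      # highest sequence number accepted so far
    bitmap: int = 0   # bit k set => sequence number top-k already seen

def build_sa_pairs(ue, pcscf, spis, ik_esp, ck_esp):
    """ue / pcscf = (ip, client_port, server_port); spis = (spi_uc, spi_us, spi_pc, spi_ps).
    The same CK_ESP / IK_ESP is used on all four SAs; each SA carries TCP and UDP alike."""
    ue_ip, ue_c, ue_s = ue
    p_ip, p_c, p_s = pcscf
    spi_uc, spi_us, spi_pc, spi_ps = spis
    return [
        SA(spi_ps, (ue_ip, ue_c), (p_ip, p_s), ik_esp, ck_esp),  # pair 1: UE client -> P-CSCF server
        SA(spi_uc, (p_ip, p_s), (ue_ip, ue_c), ik_esp, ck_esp),  #         P-CSCF server -> UE client
        SA(spi_us, (p_ip, p_c), (ue_ip, ue_s), ik_esp, ck_esp),  # pair 2: P-CSCF client -> UE server
        SA(spi_pc, (ue_ip, ue_s), (p_ip, p_c), ik_esp, ck_esp),  #         UE server -> P-CSCF client
    ]

def select_sa(sas, src, dst):
    """Outbound lookup: the SA matching (src, dst), or None if no SA covers the packet.
    The transport protocol is deliberately not a selector (TCP and UDP share the SA)."""
    return next((sa for sa in sas if sa.src == src and sa.dst == dst), None)

def icv(sa: SA, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-1-96 ICV over SPI || sequence number || payload (the ESP-authenticated fields)."""
    data = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(sa.ik_esp, data, hashlib.sha1).digest()[:12]

def receive(sa: SA, seq: int, payload: bytes, tag: bytes) -> str:
    """Inbound processing per RFC 4303 3.4.3: window pre-check, ICV check, then window update.
    Only an authenticated packet advances the window, so a forged high sequence number
    cannot push legitimate traffic out of it."""
    if seq == 0:
        return "invalid"                  # ESP sequence numbers start at 1
    if seq <= sa.top - sa.window:
        return "stale"                    # left of the window: rejected even if authentic
    if seq <= sa.top and sa.bitmap & (1 << (sa.top - seq)):
        return "replay"
    if not hmac.compare_digest(icv(sa, seq, payload), tag):
        return "bad-icv"
    if seq > sa.top:
        shift = seq - sa.top
        sa.bitmap = 1 if shift >= sa.window else ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.top = seq
    else:
        sa.bitmap |= 1 << (sa.top - seq)
    return "ok"

def demo() -> dict:
    """Constructed scenario (made-up addresses, ports, SPIs and keys); returns the outcomes."""
    ik_esp = expand_ik(bytes(range(16)), "hmac-sha-1-96")
    ck_esp = expand_ck(bytes(range(16, 32)), "aes-cbc")
    ue, pcscf = ("192.0.2.10", 5062, 5064), ("198.51.100.5", 5066, 5068)
    sas = build_sa_pairs(ue, pcscf, (0x1000, 0x1001, 0x2000, 0x2001), ik_esp, ck_esp)
    req = select_sa(sas, ("192.0.2.10", 5062), ("198.51.100.5", 5068))   # REGISTER from UE
    wrong = select_sa(sas, ("192.0.2.10", 5064), ("198.51.100.5", 5068))  # server->server: no SA
    sa = sas[0]                                                            # P-CSCF inbound side
    msg = b"REGISTER sip:example.net SIP/2.0\r\n"
    results = [receive(sa, 1, msg, icv(sa, 1, msg)),
               receive(sa, 2, msg, icv(sa, 2, msg)),
               receive(sa, 1, msg, icv(sa, 1, msg)),   # replayed packet
               receive(sa, 3, msg, bytes(12)),         # forged ICV
               receive(sa, 70, msg, icv(sa, 70, msg)), # jump beyond the 64-packet window
               receive(sa, 2, msg, icv(sa, 2, msg)),   # now left of the window
               receive(sa, 7, msg, icv(sa, 7, msg))]   # inside the window, not yet seen
    return {"req_spi": req.spi, "unprotected": wrong, "inbound": results}

if __name__ == "__main__":
    print(demo())
```

A point the model makes visible: the replay window and the ICV check are per SA, so a packet replayed from one direction into the opposite SA fails the ICV check on the SPI before the window is even consulted, and an unprotected port combination (server port to server port) has no SA and is dropped rather than sent in the clear.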
M.6.4 Hiding mechanisms
The text in section 6.4 applies without changes.
M.6.5 CSCF interoperating with proxy located in a non-IMS network
The text in section 6.5 applies without changes.