Q.1 General

3GPP TS 33.203: 3G Security; Access security for IP-based services

The name “authentication mechanism” is used here synonymously with “mechanism for message origin authentication”. The following three authentication mechanisms for non-registration messages, which can only be used in conjunction with SIP Digest authentication for registrations, are included in Annexes N and O:

  • TLS:

In this procedure, the P-CSCF associates source IP address and port of the TLS connection with the TLS Session ID, the IMPI and all the successfully registered IMPUs related to that IMPI. The P-CSCF uses this association later, when receiving non-registration messages, to assert identities to the S-CSCF based on the TLS connection over which the packet was received, cf. Annex O.2. For more information on the assertion of identities cf. below. TLS is optional according to Annex O.

  • IP address check:

In this procedure, the P-CSCF associates IP address and, if managing of client-initiated connections as defined in RFC 5626 [32] is used, also the source port of the packet in which the REGISTER message was received, with the identities of the user during a successful registration. The P-CSCF uses this association later, when receiving non-registration messages, to assert identities to the S-CSCF based on IP address and, if applicable, port of the received packet, cf. Annex N.2.1. The IP address check is mandatory according to Annex N.

  • SIP Digest proxy-authentication:

In this procedure, the S-CSCF authenticates a non-registration message by verifying the Digest response in the Proxy-Authorization header. If the non-registration message contains no Proxy-Authorization header, or if the nonce is stale, the S-CSCF may challenge the non-registration message by sending a 407 SIP message with a Proxy-Authenticate header containing a nonce. This procedure is transparent for the P-CSCF. SIP Digest proxy-authentication is optional according to Annex N.
As RFC 3261 [6] does not specify the Proxy-Authentication-Info header for SIP, the UE cannot authenticate the HN on responses to non-registration requests. If such authentication is needed, other mechanisms may be used, e.g. TLS according to Annex O.
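The IP address check described above (Annex N.2.1), as an added illustration that is not part of TS 33.203: a minimal model of the P-CSCF binding created at registration and consulted on later non-registration requests. Class and method names, the registration callback and the sample addresses and identities are constructed for this example; the only behaviour taken from the text is that the source port joins the binding key when RFC 5626 client-initiated connections are managed.

```python
# Added example, not from TS 33.203. Models the P-CSCF side of the
# "IP address check": a successful REGISTER binds the packet source to the
# IMPI and its registered IMPUs; a later non-registration request gets an
# asserted identity only when its source matches an existing binding.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class Binding:
    impi: str
    impus: Set[str] = field(default_factory=set)


class PCSCF:
    def __init__(self, manage_connections: bool = False):
        # RFC 5626 "outbound": when the P-CSCF manages client-initiated
        # connections, the source port becomes part of the binding key.
        self.manage_connections = manage_connections
        self._bindings: Dict[Tuple[str, Optional[int]], Binding] = {}

    def _key(self, src_ip: str, src_port: int) -> Tuple[str, Optional[int]]:
        return (src_ip, src_port if self.manage_connections else None)

    def on_register_ok(self, src_ip: str, src_port: int,
                       impi: str, impus: Iterable[str]) -> None:
        """Hypothetical hook: called once the REGISTER succeeded (200 OK)."""
        self._bindings[self._key(src_ip, src_port)] = Binding(impi, set(impus))

    def on_deregister(self, src_ip: str, src_port: int) -> None:
        """Drop the binding so stale sources can no longer be asserted."""
        self._bindings.pop(self._key(src_ip, src_port), None)

    def assert_identity(self, src_ip: str, src_port: int,
                        preferred_impu: str) -> Optional[str]:
        """Return the IMPU the P-CSCF may assert towards the S-CSCF, or None.

        None means either the packet source has no registration binding or
        the requested IMPU was not registered under that IMPI; in both cases
        no identity is asserted for the non-registration message.
        """
        binding = self._bindings.get(self._key(src_ip, src_port))
        if binding is None or preferred_impu not in binding.impus:
            return None
        return preferred_impu
```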