R.3 Detailed description

3GPP TS 33.203: 3G Security; Access security for IP-based services

This clause describes how UEs authenticate to NASS and simultaneously also gain service layer authentication using the "single sign on" NASS-IMS-bundled authentication. The sequence diagram is depicted in Figure R.1.

The UE obtains network attachment after authentication at the NASS level. The CLF in the NASS (network attachment subsystem) holds a binding between the IP address and the location information (which contains the Line Identifier) that the UE has through its xDSL connectivity. The selection of the authentication method (i.e. whether NBA is possible or not) is done at the HSS on a per-IMS-user basis.

1-2) The UE sends a new SIP REGISTER message to the P-CSCF. The P-CSCF identifies whether or not a security association is required at this point, based on the presence or absence of the Security-Client header and on the access network / location from which the SIP REGISTER is received. During the SIP registration, the P-CSCF locates the CLF based on the UE’s IP address and/or on the access network from which the P-CSCF receives the IP packet (the P-CSCF may have several logical/physical interfaces towards different Access Networks). The P-CSCF performs a "Location Information Query" towards the CLF over the e2 interface. The key for the query is the IP address indicated by the UE.

3) The CLF sends the response to the P-CSCF including the location information of the UE using the given IP address.

4-7) The P-CSCF appends the NASS location information to the SIP REGISTER message and forwards the REGISTER message to the I-CSCF. The I-CSCF contacts the HSS to authorize the UE. In case no explicit IMPI was included in the SIP REGISTER, the I-CSCF behaves according to Annex P.6 of this specification. The HSS responds that the UE is authorized, and the I-CSCF forwards the SIP REGISTER message to the S-CSCF chosen to serve the UE.

8) If the S-CSCF supports both NBA and SIP digest (according to Annex N of this specification), the S-CSCF queries the HSS over the Cx interface, indicating that the authentication method is unknown (see Annex P.4.1, step 3, and Annex P.4.2, step 3, of this specification, and TS 29.228 [39]). If the S-CSCF supports NBA but not SIP digest, it queries the HSS over the Cx interface, indicating that the authentication method is either NBA or unknown.

9) The HSS returns a message with the location information of the UE identified by the IMPI and IMPU (if NASS–IMS-bundled authentication is the preferred authentication scheme). The S-CSCF authenticates the UE by comparing the location info embedded in the REGISTER message with the location information received from the HSS. If they match, the UE is successfully authenticated and the processing continues.

10-11) The S-CSCF sends a message to the HSS, informing it that this S-CSCF is going to serve the UE, and the HSS responds with a message providing the information that the S-CSCF needs for serving the user.

12-14) The S-CSCF sends a 200 OK message to the UE.

Figure R.1: Flow Diagram for successful NASS Bundled Authentication during Registration

The detailed procedures of NASS-IMS-bundled authentication for the CSCFs are described in TS 24.229 [8]. The details of the extended interface towards the HSS are covered in TS 29.228 [39].

Annex S (Normative):
Application to 3GPP2 Access