S.3 Application of clauses 5 through 9

3GPP TS 33.203: Access security for IP-based services

The user’s subscription is authenticated by the S-CSCF (home service provider). The security association between the UE and the first access point into the operator’s network (the P-CSCF) is negotiated using the protocol defined in RFC 3329 [21]. The mechanisms that may be negotiated using RFC 3329 [21] and that are defined in 3GPP specifications are “tls” and “ipsec-3gpp”. If the negotiated mechanism is “ipsec-3gpp” and no NAT device is present between the UE and the P-CSCF, clauses 5 through 9 of the main body of the present document shall apply. If the negotiated mechanism is “ipsec-3gpp” and a NAT device is present between the UE and the P-CSCF, Annex M of the present document shall apply. If the negotiated mechanism is “tls”, Annex O of the present document shall apply.

NOTE 1: RFC 3329 [21] also allows the mechanisms digest, ipsec-ike and ipsec-man to be negotiated for use between the UE and the P-CSCF. The mechanism names are defined in RFC 3329 [21]; digest refers to the Digest authentication used by SIP as specified in RFC 3261 [6].

NOTE 2: RFC 3329 [21] only negotiates the security mechanism between the SIP client and its next-hop SIP entity, i.e. the P-CSCF in IMS. In particular, if digest is negotiated by means of RFC 3329 [21], Digest has to be run between the UE and the P-CSCF, with the P-CSCF acting as the server. RFC 3329 [21] therefore cannot be used to negotiate SIP Digest authentication in IMS, which runs between the UE and the S-CSCF.
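The selection rule behind the three cases above, and the check that makes RFC 3329 [21] resistant to bidding-down, are illustrated by the following Python code. It is an added example written for this page, not code from 3GPP, from RFC 3329 or from any IMS implementation. The header values are constructed; the default q-value of 1.0 for an entry without a q parameter, and the mapping of the non-3GPP mechanisms to an error, are assumptions of the example.

```python
# Added illustration of RFC 3329 (sip-sec-agree) mechanism selection and of the
# Security-Verify bidding-down check, with the clause mapping from clause S.3.
# Example code written for this page, not code from 3GPP or from an IMS stack.
import re
from typing import Dict, List, Optional

# Mechanism names registered by RFC 3329 plus the 3GPP-defined "ipsec-3gpp".
RFC3329_MECHANISMS = {"digest", "tls", "ipsec-ike", "ipsec-man", "ipsec-3gpp"}


def parse_security_header(value: str) -> List[Dict]:
    """Parse a Security-Client/-Server/-Verify value into a list of mechanisms.

    Each comma-separated entry has the form "mechanism-name *(; param=value)".
    The q parameter carries the preference; treating a missing q as 1.0 is an
    assumption of this example, not a rule taken from RFC 3329.
    """
    mechanisms = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = [p.strip() for p in entry.split(";")]
        name = parts[0].lower()
        if not re.fullmatch(r"[a-z0-9._+-]+", name):
            raise ValueError(f"malformed mechanism name {parts[0]!r}")
        params = {}
        for p in parts[1:]:
            key, sep, val = p.partition("=")
            if not sep:
                raise ValueError(f"malformed parameter {p!r} in {entry!r}")
            params[key.strip().lower()] = val.strip()
        q = float(params.pop("q", "1.0"))
        if not 0.0 <= q <= 1.0:
            raise ValueError(f"q-value out of range in {entry!r}")
        mechanisms.append({"name": name, "q": q, "params": params})
    return mechanisms


def select_mechanism(client_hdr: str, server_hdr: str) -> Optional[str]:
    """UE side: choose the P-CSCF's most preferred mechanism that the UE offered.

    RFC 3329 has the client pick, among the Security-Server entries it also
    supports, the one with the highest q-value assigned by the server.
    Returns None when the two lists have no mechanism in common.
    """
    offered = {m["name"] for m in parse_security_header(client_hdr)}
    common = [m for m in parse_security_header(server_hdr) if m["name"] in offered]
    if not common:
        return None
    return max(common, key=lambda m: m["q"])["name"]


def applicable_clause(mechanism: str, nat_present: bool) -> str:
    """Map the negotiated mechanism onto the part of TS 33.203 named in clause S.3."""
    if mechanism == "ipsec-3gpp":
        return "Annex M" if nat_present else "clauses 5 through 9"
    if mechanism == "tls":
        return "Annex O"
    if mechanism in RFC3329_MECHANISMS:
        # digest, ipsec-ike, ipsec-man: negotiable per RFC 3329, but not defined
        # by 3GPP for the UE to P-CSCF hop (NOTE 1 and NOTE 2 above).
        raise ValueError(f"{mechanism} is not a 3GPP-defined UE to P-CSCF mechanism")
    raise ValueError(f"unknown mechanism {mechanism!r}")


def _canonical(mechs: List[Dict]):
    # Order-insensitive, case-normalised form of a mechanism list.
    return sorted(
        (m["name"], m["q"], tuple(sorted(m["params"].items()))) for m in mechs
    )


def security_verify_matches(server_hdr: str, verify_hdr: str) -> bool:
    """P-CSCF side bidding-down check.

    The UE echoes the Security-Server list it received in Security-Verify, sent
    under the protection of the negotiated mechanism.  If an attacker on the
    path removed or weakened entries before they reached the UE, the echoed
    list differs from what the P-CSCF actually sent and the registration must
    be rejected rather than continued with the downgraded mechanism.
    """
    sent = _canonical(parse_security_header(server_hdr))
    echoed = _canonical(parse_security_header(verify_hdr))
    return sent == echoed


if __name__ == "__main__":
    # Constructed header values in the style of the 3GPP ipsec-3gpp parameters.
    client = ("ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; spi-c=23456789; "
              "spi-s=12345678; port-c=2468; port-s=1357, tls")
    server = ("ipsec-3gpp; q=0.2; alg=hmac-sha-1-96; ealg=aes-cbc; spi-c=98765432; "
              "spi-s=87654321; port-c=8642; port-s=7531, tls; q=0.1")
    chosen = select_mechanism(client, server)
    print("negotiated:", chosen, "->", applicable_clause(chosen, nat_present=False))
    # An on-path attacker strips ipsec-3gpp from the Security-Server list; the UE
    # then picks tls and echoes the tampered list, which the P-CSCF detects.
    tampered = "tls; q=0.1"
    print("UE would choose:", select_mechanism(client, tampered))
    print("Security-Verify accepted:", security_verify_matches(server, tampered))
```

The comparison in security_verify_matches is deliberately order-insensitive and case-normalised on names and parameter names, so a reordered but otherwise identical echo is accepted, while any missing, added or altered entry (including a changed q-value or SPI) is rejected.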

When using security mechanisms or protocols specified in the present document (including ipsec-3gpp), the following exceptions shall apply:

– Clause 8 on ISIM is replaced by clause S.4 on 3GPP2 AKA Credentials.

– Any reference to ISIM or USIM in clauses 5 to 7 and clauses M.5 to M.7 is replaced by 3GPP2 AKA Credentials.

– References to TS 33.210 are replaced by a reference to clause S.5 of the present document.