T.7 Interworking cases
3GPP TS 33.203: 3G Security; Access security for IP-based services
For the purposes of the interworking considerations in this clause, it is assumed that the IMS entities P‑CSCF, I‑CSCF, S‑CSCF and HSS reside in the home network and all support the same variants of IMS, i.e. all support either only GIBA, or only fully compliant IMS security, or both.
NOTE 1: It is compatible with the considerations in the document that the UE uses different APNs to indicate the IMS variant currently used by the UE, in case the P-CSCF functionality is split over several physical entities.
It is expected that both fully compliant UEs implementing the security mechanisms in the main body of this specification (denoted "fully compliant IMS security" in the following) and UEs implementing GIBA specified in this Annex (denoted "GIBA security" in the following) will access the same IMS. In addition, IMS networks will support only fully compliant IMS UEs, GIBA UEs, or both. Both UEs and IMS networks must therefore be able to properly handle the different possible interworking cases.
Since GIBA security does not require the security headers specified for fully compliant IMS UEs, these headers shall not be used for GIBA security. The REGISTER request sent by an early IMS (GIBA) security UE to the IMS network shall not contain the security headers specified by the main body of this specification (Authorization and Security-Client).
As a result, GIBA security UEs shall not add to the IMS signalling an explicit indication of the security mechanism used. An IMS network supporting both GIBA security and fully compliant IMS security UEs shall use GIBA security for authenticating the UE during registrations that do not contain the security headers specified by the main body of this specification (Authorization and Security-Client).
Without sending an Authorization header in the initial REGISTER request, GIBA UEs provide only the IMS public identity (IMPU), but not the IMS private identity (IMPI), to the network (the IMPI is carried only in the Authorization header, which only fully compliant IMS security UEs send).
During the process of user registration for GIBA security, the Cx interface carries the private user identity in Cx-UAR requests (sent by the I-CSCF) and in Cx-MAR as well as Cx-SAR requests (sent by the S-CSCF). The private user identity within these requests is derived in accordance with TS 24.229 [8] (clauses 5.3.1.2 and 5.4.1.2.1E).
If the S-CSCF receives an indication that the UE is a GIBA UE, then it shall be able to select GIBA in the Cx-MAR request.
For interworking between GIBA security and fully compliant IMS security implementations during IMS registration, an ME that implements the full IMS security solution as specified in the main body of this specification (or both GIBA and full IMS security) shall not attempt to register using the full IMS security solution if neither a USIM nor an ISIM is present. The following cases shall be supported:
1. Both ME and IMS network support GIBA security only.
IMS registration shall take place as described by the present document. This applies regardless of whether SIM or USIM/ISIM is in use.
2. ME supports GIBA security only, IMS network supports both GIBA security and fully compliant IMS security.
IMS registration shall take place as described by the present document. This applies regardless of whether SIM or USIM/ISIM is in use.
3. ME supports both, IMS network supports GIBA security only.
The ME shall check the smartcard application in use.
If a SIM is in use, then it shall start with a GIBA security procedure, else it shall start with the fully compliant IMS Registration procedure.
In the latter case, the GIBA P-CSCF shall answer with a 420 (Bad Extension) failure, since it does not recognize the method mandated by the Proxy-Require header that is sent by the UE in the initial REGISTER request.
NOTE 2: The Proxy-Require header cannot be ignored by the P-CSCF.
The UE shall, after receiving the error response, send a GIBA registration, i.e., shall send a new REGISTER request without the fully compliant IMS security headers.
NOTE 3: If the UE already has knowledge about the IMS network capabilities (which could for example be preconfigured in the UE), the appropriate authentication method can be chosen. The UE can use fully compliant IMS security, if the network supports this, otherwise the UE can use GIBA security.
4. ME and IMS network support both.
The ME shall check the smartcard application in use.
If a USIM/ISIM application is in use, then the ME shall start with the fully compliant IMS security registration procedure. On receiving the initial REGISTER request, the network obtains an indication that the IMS UE is fully compliant and shall continue as specified by the main body of this specification.
If a SIM is in use, then the ME shall start with the GIBA security registration procedure. If the ME starts with the fully compliant IMS security registration procedure when a SIM is in use, this is an error case to be handled as follows: when the S-CSCF requests authentication vectors from the HSS, the HSS will discover that a SIM is in use and return an error. The S-CSCF shall answer with a 403 (Forbidden). After receiving the 403 response, the UE shall stop the attempt to register with this network.
5. ME supports GIBA security only, IMS network supports fully compliant IMS security only.
The UE sends a REGISTER request to the IMS network that does not contain the security headers required by fully compliant IMS security. The fully compliant IMS security P-CSCF will detect that the Security-Client header is missing and return a 4xx response, as described in clause 5.2.2 of TS 24.229 [8]. This applies regardless of whether SIM or USIM/ISIM is in use.
6. ME supports fully compliant IMS security only, IMS network supports GIBA security only.
An ME supporting full IMS security only is not aware of GIBA security, so its behaviour is expected to be compliant with the procedures defined in the main body of this specification. Based on this, if a SIM is in use, the ME should not attempt to register using the full IMS security solution. Any such attempt would fail anyway, as full IMS security requires a USIM/ISIM.
If a USIM/ISIM application is in use, then the ME shall start with the fully compliant IMS security registration procedure. The GIBA P-CSCF shall answer with a 420 (Bad Extension) failure, since it does not recognize the method mandated by the Proxy-Require header that is sent by the UE in the initial REGISTER request. After receiving the error response, the UE shall stop the attempt to register with this network, since the fully compliant IMS security is not supported.
7. ME supports fully compliant IMS access security only, IMS network supports both.
An ME supporting full IMS security only is not aware of GIBA security, so its behaviour is expected to be compliant with the procedures in the main body of this specification. Based on this, if a SIM is in use, the ME should not attempt to register using the full IMS security solution. Any such attempt would fail anyway, as full IMS security requires a USIM/ISIM.
If a USIM/ISIM application is in use, then the ME shall start with the fully compliant IMS registration procedure. On receiving the initial REGISTER request, the network obtains an indication that the IMS UE is fully compliant and shall continue as specified by the main body of this specification.
8. ME supports both, IMS network supports fully compliant IMS access security only.
The ME shall check the smartcard application in use.
If a USIM/ISIM application is in use, then the ME shall start with the fully compliant IMS registration procedure. On receiving the initial REGISTER request, the network obtains an indication that the IMS UE is fully compliant and shall continue as specified by the main body of this specification.
If a SIM is in use, then the ME shall start with the GIBA security registration procedure (in this case the IMS authentication procedure will fail). In this context, if the ME starts with the fully compliant IMS security registration procedure, this is an error case: when the S-CSCF requests authentication vectors from the HSS, the HSS will discover that the SIM is in use and return an error. The S-CSCF shall answer with a 403 (Forbidden). After receiving the 403 response, the UE shall stop the attempt to register with this network.
9. Both ME and IMS network support fully compliant IMS access security only.
An ME supporting full IMS security only is not aware of GIBA security, so its behaviour is expected to be compliant with the procedures specified in the main body of this specification. Based on this, if a SIM is in use, the UE should not attempt to register using the full IMS security solution. If the UE starts with the fully compliant IMS security registration procedure when a SIM is in use, this is an error case to be handled as follows: the HSS will discover that a SIM is in use and return an error to the S-CSCF. The S-CSCF shall answer with a 403 (Forbidden). After receiving the 403 response, the UE shall stop the attempt to register with this network.
If the USIM/ISIM application is in use, IMS registration shall take place as described by the main body of this specification.
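The following is an added example, not text or code from 3GPP or TS 33.203. It models the two decision rules this clause relies on, the network's classification of a REGISTER request by the presence of the Authorization and Security-Client headers, and the ME's choice of procedure from the smartcard application in use, and then runs the nine interworking cases above through them. The message model is an assumption: only header presence is represented, and the response strings are labels for the outcomes the clause describes (420, 403, 4xx, success). The `start_with` parameter is a hypothetical hook that reproduces the error cases in which an ME wrongly starts full IMS security with a SIM.

```python
# Added example (not 3GPP text or code): a model of the UE-side and
# network-side decisions in the interworking cases of TS 33.203 Annex T.7.
# Assumption: only header presence matters; response strings label outcomes.

GIBA = "GIBA"   # GPRS-IMS-Bundled Authentication (this Annex)
FULL = "FULL"   # fully compliant IMS security (main body of TS 33.203)

FULL_SECURITY_HEADERS = {"Authorization", "Security-Client"}


def ue_build_register(mode):
    """Header set of the initial REGISTER for the chosen mode.

    A GIBA UE sends neither Authorization nor Security-Client, so the network
    learns the mode only from header presence. A fully compliant UE also sends
    Proxy-Require for the security extension it mandates.
    """
    if mode == FULL:
        return FULL_SECURITY_HEADERS | {"Proxy-Require"}
    return set()


def ue_initial_mode(me_supports, card):
    """UE rule: check the smartcard application in use (SIM, USIM or ISIM).

    Returns None when the ME makes no attempt at all: a full-only ME with a
    SIM, because full IMS security requires a USIM/ISIM.
    """
    if me_supports == {GIBA}:
        return GIBA
    if card == "SIM":
        return GIBA if GIBA in me_supports else None
    return FULL  # USIM/ISIM in use and the ME supports full IMS security


def network_handle(net_supports, headers, card):
    """Network rule: the P-CSCF classifies by header presence; the S-CSCF/HSS
    then checks which smartcard the subscription actually uses."""
    if FULL_SECURITY_HEADERS <= headers:
        if FULL not in net_supports:
            # A GIBA-only P-CSCF cannot ignore Proxy-Require (NOTE 2) and does
            # not recognise the mandated extension.
            return "420 Bad Extension"
        if card == "SIM":
            # The HSS discovers a SIM is in use and returns an error; the
            # S-CSCF answers 403.
            return "403 Forbidden"
        return "200 OK (fully compliant IMS security)"
    # No security headers: the network uses GIBA for this registration.
    if GIBA not in net_supports:
        # A fully compliant P-CSCF detects the missing Security-Client header.
        return "4xx (Security-Client missing, TS 24.229 clause 5.2.2)"
    return "200 OK (GIBA security)"


def register(me_supports, net_supports, card, start_with=None):
    """Run one interworking case; return the list of (mode, response) pairs.

    `start_with` (hypothetical) overrides the smartcard check so the error
    cases of T.7 (full IMS security started with a SIM) can be reproduced.
    """
    mode = start_with or ue_initial_mode(me_supports, card)
    trace = []
    if mode is None:
        return trace  # the ME does not attempt to register
    response = network_handle(net_supports, ue_build_register(mode), card)
    trace.append((mode, response))
    if response.startswith("420") and GIBA in me_supports:
        # Case 3: after the 420 the UE sends a new REGISTER without the
        # fully compliant IMS security headers.
        response = network_handle(net_supports, ue_build_register(GIBA), card)
        trace.append((GIBA, response))
    # On 403, on 4xx, or on 420 at a full-only ME the UE stops.
    return trace


if __name__ == "__main__":
    both = {GIBA, FULL}
    for label, me, net, card in [
        ("case 1", {GIBA}, {GIBA}, "SIM"),
        ("case 3", both, {GIBA}, "USIM"),
        ("case 5", {GIBA}, {FULL}, "USIM"),
        ("case 6", {FULL}, {GIBA}, "ISIM"),
        ("case 8", both, {FULL}, "SIM"),
    ]:
        print(label, register(me, net, card))
```

The point the model makes visible is that the network never receives an explicit indication of the mechanism: a GIBA-capable network infers GIBA purely from the absence of the two headers, and a SIM used with the full procedure is only caught at the HSS, after the S-CSCF has already been involved, which is why the clause needs the 403 error path in cases 4, 8 and 9.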