W.2 Service and Media Reachability for Users over Restrictive Firewalls – Tunneled Firewall Traversal for IMS traffic
3GPP TS 33.203: Access security for IP-based services
W.2.0 General
This clause specifies a firewall traversal mechanism that can be used for UE access to IMS services. Before using the mechanism specified in this clause, the UE shall, in accordance with normal procedures, attempt to use the existing NAT/FW traversal mechanisms as specified in TS 23.228 [3] and Annex M of this document. The exact procedure depends on the UE, the access, and operator policy.
This mechanism is called Enhanced Firewall Traversal Function (EFTF).
Editor’s Note: The functions required for this mechanism need to be detailed further, re-using functions from the mechanism defined in Annex X.2 of 33.402 as much as possible where applicable. The Enhanced Firewall Traversal Function (EFTF) is not required to implement any ePDG functionality that is not needed for IMS firewall traversal (e.g. authentication, ESP, APN handling, mobility protocols like PMIP). For IMS firewall traversal the S2b, Gxb and SWm reference points from 23.402 are not required.
Figure W.1: Protocol stack for IMS firewall traversal
Editor’s note: more textual description of EFTF in line with Figure W.1 is needed to arrive at a complete stage 2 description of the EFTF mechanism.
Legend:
– As a part of Tunnel Creation, allocation of IP address and negotiation of Keep Alive interval is required.
NOTE: The details of how the IP address is allocated and the keep-alive interval is negotiated are in the corresponding stage 3 specification.
W.2.1 Firewall detection procedure
The detection procedure specified in the following flowchart determines whether a TCP/TLS based tunnel is required to enable traversal of the NIMSFW.
If so, then the TLS profile as defined in TS 33.310 [24] shall be used.
Figure W.2: Flowchart for IMS firewall traversal
Once the TCP/TLS connection is established, the tunnel creation procedure negotiates the IP address and the keep-alive interval.