C.2 Protection of IMS protocols and interfaces

33.2103GPPIP network layer securityNetwork Domain Security (NDS)Release 17TS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

IMS control plane traffic within the IMS core network shall be routed via a SEG when it takes place between different security domains (in particular over those interfaces that may exist between different IMS operator domains). In order to do so, IMS operators shall operate NDS/IP Za-interface between SEGs as described in clause 5.6.2.

When SEGs are deployed to secure a Za reference point potentially carrying IMS session keys (i.e. in IMS roaming scenarios, when SEGs are deployed between a P-CSCF and I-CSCF located in different security domains), IPsec ESP shall be used with both encryption and integrity protection for all SIP signalling traversing inter-security domain boundaries.

It will be for the IMS operator to decide whether and where to deploy Zb-interfaces in order to protect the IMS control plane traffic over those IMS interfaces within the same security domain.

Annex D (normative):
Security protection of UTRAN/GERAN IP transport protocols