H.9 Authentication
34.229-13GPPInternet Protocol (IP) multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP)Part 1: Protocol conformance specificationRelease 16TSUser Equipment (UE) conformance specification
H.9.1 SIP digest without TLS – abnormal procedures – 403 Forbidden / Fixed Broadband Access
H.9.1.1 Definition
Test to verify that On receiving a 403 (Forbidden) response, the UE shall consider the registration to have failed.
H.9.1.2 Conformance requirement
[TS 24.229, 5.1.1.1B.1]:
In case the UE contains neither an ISIM nor a USIM, but IMC is present the UE shall use preconfigured parameters in the IMC to initiate the registration to the IM CN subsystem and for authentication.
The following IMS parameters are assumed to be available to the UE:
– a private user identity;
– a public user identity; and
– a home network domain name to address the SIP REGISTER request to.
These parameters may not necessarily reside in a UICC.
The first public user identity in the list stored in the IMC is used in emergency registration requests.
[TS 24.229 Rel‑12, clause 5.1.1.2.1]:
The initial registration procedure consists of the UE sending an unprotected REGISTER request and, if challenged depending on the security mechanism supported for this UE, sending the integrity-protected REGISTER request or other appropriate response to the challenge. The UE can register a public user identity with any of its contact addresses at any time after it has acquired an IP address, discovered a P-CSCF, and established an IP-CAN bearer that can be used for SIP signalling. However, the UE shall only initiate a new registration procedure when it has received a final response from the registrar for the ongoing registration, or the previous REGISTER request has timed out.
When registering any public user identity belonging to the UE, the UE shall either use an already active pair of security associations or a TLS session to protect the REGISTER requests, or register the public user identity via a new initial registration procedure.
When binding any one of its public user identities to an additional contact address via a new initial registration procedure, the UE shall follow the procedures described in RFC 5626 [92]. The set of security associations or a TLS session resulting from this initial registration procedure will have no impact on the existing set of security associations or TLS sessions that have been established as a result of previous initial registration procedures. However, if the UE registers any one of its public user identities with a new contact address via a new initial registration procedure and does not employ the procedures described in RFC 5626 [92], then the new set of security associations or TLS session shall replace any existing set of security association or TLS session.
If the UE detects that the existing security associations or TLS sessions associated with a given contact address are no longer active (e.g., after receiving no response to several protected messages), the UE shall:
– consider all previously registered public user identities bound to this security associations or TLS session that are only associated with this contact address as deregistered; and
– stop processing all associated ongoing dialogs and transactions that were using the security associations or TLS session associated with this contact address, if any (i.e. no further SIP signalling will be sent by the UE on behalf of these transactions or dialogs).
The UE shall send the unprotected REGISTER requests to the port advertised to the UE during the P-CSCF discovery procedure. If the UE does not receive any specific port information during the P-CSCF discovery procedure, or if the UE was pre-configured with the P-CSCF’s IP address or domain name and was unable to obtain specific port information, the UE shall send the unprotected REGISTER request to the SIP default port values as specified in RFC 3261 [26].
NOTE 1: The UE will only send further registration and subsequent SIP messages towards the same port of the P-CSCF for security mechanisms that do not require using negotiated ports for exchanging protected messages.
The UE shall extract or derive a public user identity, the private user identity, and the domain name to be used in the Request-URI in the registration, according to the procedures described in clause 5.1.1.1A or clause 5.1.1.1B. A public user identity may be input by the end user.
On sending an unprotected REGISTER request, the UE shall populate the header fields as follows:
a) a From header field set to the SIP URI that contains:
1) if the UE supports RFC 6140 [191] and performs the functions of an external attached network, the main URI of the UE; else
2) the public user identity to be registered;
b) a To header field set to the SIP URI that contains:
1) if the UE supports RFC 6140 [191] and performs the functions of an external attached network, the main URI of the UE; else
2) the public user identity to be registered;
c) a Contact header field set to include SIP URI(s) containing the IP address or FQDN of the UE in the hostport parameter. If the UE:
1) supports GRUU (see table A.4, item A.4/53);
2) supports multiple registrations;
3) has an IMEI available; or
4) has an MEID available;
the UE shall include a "+sip.instance" header field parameter containing the instance ID. Only the IMEI shall be used for generating an instance ID for a multi-mode UE that supports both 3GPP and 3GPP2 defined radio access networks.
NOTE 2: The requirement placed on the UE to include an instance ID based on the IMEI or the MEID when the UE does not support GRUU and does not support multiple registrations does not imply any additional requirements on the network.
If the UE supports multiple registrations it shall include "reg-id" header field parameter as described in RFC 5626 [92]. The UE shall include all supported ICSI values (coded as specified in clause 7.2A.8.2) in a g.3gpp.icsi-ref media feature tag as defined in clause 7.9.2 and RFC 3840 [62] for the IMS communication services it intends to use, and IARI values (coded as specified in clause 7.2A.9.2), for the IMS applications it intends to use in a g.3gpp.iari-ref media feature tag as defined in clause 7.9.3 and RFC 3840 [62].
if the UE supports RFC 6140 [191] and performs the functions of an external attached network, for the registration of bulk number contacts the UE shall include a Contact URI without a user portion and containing the "bnc" URI parameter;
d) a Via header field set to include the sent-by field containing the IP address or FQDN of the UE and the port number where the UE expects to receive the response to this request when UDPis used. For TCP, the response is received on the TCP connection on which the request was sent. For the UDP, the UE shall also include a "rport" header field parameter with no value in the Via header field. Unless the UE has been configured to not send keep-alives, and unless the UE is directly connected to an IP-CAN for which usage of NAT is not defined, it shall include a "keep" header field parameter with no value in the Via header field, in order to indicate support of sending keep-alives associated with the registration, as described in RFC 6223 [143];
NOTE 3: When sending the unprotected REGISTER request using UDP, the UE transmit the request from the same IP address and port on which it expects to receive the response to this request.
e) a registration expiration interval value of 600 000 seconds as the value desired for the duration of the registration;
NOTE 4: The registrar (S-CSCF) might decrease the duration of the registration in accordance with network policy. Registration attempts with a registration period of less than a predefined minimum value defined in the registrar will be rejected with a 423 (Interval Too Brief) response.
f) a Request-URI set to the SIP URI of the domain name of the home network used to address the REGISTER request;
g) the Supported header field containing the option-tag "path", and
1) if GRUU is supported, the option-tag "gruu"; and
2) if multiple registrations is supported, the option-tag "outbound".
h) if a security association or TLS session exists, and if available to the UE (as defined in the access technology specific annexes for each access technology), a P-Access-Network-Info header field set as specified for the access network technology (see clause 7.2A.4);
i) a Security-Client header field to announce the media plane security mechanisms the UE supports, if any, labelled with the "mediasec" header field parameter specified in clause 7.2A.7;
NOTE 5: The "mediasec" header field parameter indicates that security mechanisms are specific to the media plane.
j) if the UE supports RFC 6140 [191] and performs the functions of an external attached network, for the registration of bulk number contacts the UE shall include a Require header field containing the option-tag "gin"; and
k) if the UE supports RFC 6140 [191] and performs the functions of an external attached network, for the registration of bulk number contacts the UE shall include a Proxy-Require header field containing the option-tag "gin".
On receiving a 401 (Unauthorized) response to the REGISTER request, the UE shall:
a) if available, store the announcement of media plane security mechanisms the P-CSCF (IMS-ALG) supports labelled with the "mediasec" header field parameter specified in clause 7.2A.7 and received in the Security-Server header field, if any. Once the UE chooses a media security mechanism from the list received in the Security-Server header field from the server, the UE may initiate that mechanism on a media level when it initiates new media in an existing session.
NOTE 6: The "mediasec" header field parameter indicates that security mechanisms are specific to the media plane.
On receiving the 200 (OK) response to the REGISTER request, the UE shall:
a) store the expiration time of the registration for the public user identities found in the To header field value and bind it either to the respective contact address of the UE or to the registration flow and the associated contact address (if the multiple registration mechanism is used);
NOTE 7: If the UE supports RFC 6140 [191] and performs the functions of an external attached network, the To header field will contain the main URI of the UE.
b) store as the default public user identity the first URI on the list of URIs present in the P-Associated-URI header field and bind it to the respective contact address of the UE and the associated set of security associations or TLS session;
NOTE 8: When using the respective contact address and associated set of security associations or TLS session, the UE can utilize additional URIs contained in the P-Associated-URI header field and bound it to the respective contact address of the UE and the associated set of security associations or TLS session, e.g. for application purposes.
c) treat the identity under registration as a barred public user identity, if it is not included in the P-Associated-URI header field;
d) store the list of service route values contained in the Service-Route header field and bind the list either to the contact address or to the registration flow and the associated contact address (if the multiple registration mechanism is used), and the associated set of security associations or TLS session over which the REGISTER request was sent;
NOTE 9: When multiple registration mechanism is not used, there will be only one list of service route values bound to a contact address. However, when multiple registration mechanism is used, there will be different list of service route values bound to each registration flow and the associated contact address.
NOTE 10: The UE will use the stored list of service route values to build a proper preloaded Route header field for new dialogs and standalone transactions (other than REGISTER method) when using either the respective contact address or to the registration flow and the associated contact address (if the multiple registration mechanism is used), and the associated set of security associations or TLS session.
e) if the UE indicated support for GRUU in the Supported header field of the REGISTER request then:
– if the UE did not use the procedures specified in RFC 6140 [191] for registration, find the Contact header field within the response that matches the one included in the REGISTER request. If this contains a "pub-gruu" header field parameter or a "temp-gruu" header field parameter or both, then store the value of those parameters as the GRUUs for the UE in association with the public user identity and the contact address that was registered; and
– if the UE used the procedures specified in RFC 6140 [191] for registration then find the Contact header field within the response that matches the one included in the REGISTER request. If this contains a "pub-gruu" header field parameter then store the value of the "pub-gruu" header field parameter for use for generating public GRUUs for registering UAs as specified in RFC 6140 [191]. If this contains a "temp-gruu-cookie" header field parameter then store the value of the "temp-gruu-cookie" header field parameter for use for generating temporary GRUUs for registering UAs as specified in RFC 6140 [191];
NOTE 11: When allocating public GRUUs to registering UAs the functionality within the UE that performs the role of registrar will add an "sg" SIP URI parameter that uniquely identifies that UA to the public GRUU it received in the "pub-gruu" header field parameter. The procedures for generating a temporary GRUU using the "temp-gruu-cookie" header field parameter are specified in clause 7.1.2.2 of RFC 6140 [191].
f) if the REGISTER request contained the "reg-id" and "+sip.instance" Contact header field parameter and the "outbound" option tag in a Supported header field, the UE shall check whether the option-tag "outbound" is present in the Require header field:
– if no option-tag "outbound" is present, the UE shall conclude that the S-CSCF does not support the registration procedure as described in RFC 5626 [92], and the S-CSCF has followed the registration procedure as described in RFC 5627 [93] or RFC 3261 [26], i.e., if there is a previously registered contact address, the S-CSCF replaced the old contact address and associated information with the new contact address and associated information (see bullet e) above). Upon detecting that the S-CSCF does not support the registration procedure as defined in RFC 5626 [92], the UE shall refrain from registering any additional IMS flows for the same private identity as described in RFC 5626 [92]; or
NOTE 12: Upon replaces the old contact address with the new contact address, the S-CSCF performs the network initiated deregistration procedure for the previously registered public user identities and the associated old contact address as described in clause 5.4.1.5. Hence, the UE will receive a NOTIFY request informing the UE about the deregistration of the old contact address.
– if an option-tag "outbound" is present, the UE may establish additional IMS flows for the same private identity, as defined in RFC 5626 [92];
g) if available, store the announcement of media plane security mechanisms the P-CSCF (IMS-ALG) supports labelled with the "mediasec" header field parameter specified in clause 7.2A.7 and received in the Security-Server header field, if any. Once the UE chooses a media security mechanism from the list received in the Security-Server header field from the server, it may initiate that mechanism on a media level when it initiates new media in an existing session;
NOTE 13: The "mediasec" header field parameter indicates that security mechanisms are specific to the media plane.
h) if the Via header field contains a "keep" header field parameter with a value, unless the UE detects that it is not behind a NAT, start to send keep-alives associated with the registration towards the P-CSCF, as described in RFC 6223 [143];
i) if the 200 (OK) response includes a Feature-Caps header field, as specified in RFC 6809°[190], with "+g.3gpp.icsi-ref" header field parameter, then the UE may consider the values included in the "+g.3gpp.icsi-ref" header field parameter of the Feature-Caps header field of 200 (OK) response as supported by the IM subsystem for the established registration or registration flow (if the multiple registration mechanism is used); and
NOTE 14: The UE and related applications can use the ICSI values received in the Feature-Caps header field of 200 (OK) response to improve the user experience.
j) if the 200 (OK) response includes one or more Feature-Caps header fields containing the capability indicators listed in clause 7.9A.7 that indicate the media capabilities supported by the IMS-AGW then the UE may consider this information when providing media options to the user or determining whether an application communication capability will be successful (e.g. if "sip.video" is not indicated then the UE might not offer the user the option to attempt to add video to the session).
NOTE 15: If media capability indication is not supported, no capability indicators listed in clause 7.9A.7 are included and it can be assumed that all the media capabilities are supported.
On receiving a 305 (Use Proxy) response to the unprotected REGISTER request, unless otherwise specified in access specific annexes (as described in Annex B or Annex L), the UE shall:
a) ignore the contents of the Contact header field if it is included in the received message;
NOTE 16: The 305 response is not expected to contain a Contact header field.
b) release all IP-CAN bearers used for the transport of media according to the procedures in clause 9.2.2;
c) initiate either a new P-CSCF discovery procedure as described in clause 9.2.1, or select a new P-CSCF, if the UE was pre-configured with more than one P-CSCF’s IP addresses or domain names;
d) select a P-CSCF address, which is different from the previously used address, from the address list; and
e) perform the procedures for initial registration as described in clause 5.1.1.2.
On receiving a 423 (Interval Too Brief) response to the REGISTER request, the UE shall:
– send another REGISTER request populating the registration expiration interval value with an expiration timer of at least the value received in the Min-Expires header field of the 423 (Interval Too Brief) response.
On receiving a 408 (Request Timeout) response or 500 (Server Internal Error) response or 504 (Server Time-Out) or 600 (Busy Everywhere) response for an initial registration, the UE may attempt to perform initial registration again.
When the timer F expires at the UE, the UE may:
a) select a different P-CSCF address from the list of P-CSCF addresses discovered during the procedures described in clause 9.2.1 or from its pre-configured list of P-CSCF’s IP addresses or domain names;
b) if no response has been received when attempting to contact all P-CSCFs known by the UE, get a new set of P-CSCF-addresses as described in clause 9.2.1 unless otherwise specified in the access specific annexes (as described in Annex B or Annex L); and
c) perform the procedures for initial registration as described in clause 5.1.1.2.
NOTE 17: It is an implementation option whether these actions are also triggered by other means than expiration of timer F, e.g. based on ICMP messages.
On receiving a 4xx, 5xx or 6xx response to the REGISTER request, whereby the response contains a Retry-After header field, the UE shall not automatically attempt an initial registration via the same IP-CAN and the same P-CSCF for the amount of time indicated in the Retry-After header field. If the UE is power cycled, the UE can attempt an initial registration. If no initial registration occurs within the time period indicated by the Retry-After header field, the counter of unsuccessful initial registration attempts is reset.
After a first unsuccessful initial registration attempt, if the Retry-After header field was not present and the initial registration was not performed as a consequence of a failed reregistration, the UE shall not wait more than 5 minutes before attempting a new registration.
After a maximum of 2 consecutive unsuccessful initial registration attempts, if the Retry-After header field was not present in failure responses of those unsuccessful initial registration attempts, the UE shall implement the mechanism defined in clause 4.5 of RFC 5626 [92] for new registration attempts. The UE shall use the values of the parameters max-time and base-time, of the algorithm defined in clause 4.5 of RFC 5626 [92]. If no values of the parameters max-time and base-time have been provided to the UE by the network, the default values defined in clause 4.5 of RFC 5626 [92] shall be used.
The values of max-time and base-time may be provided by the network to the UE using OMA-DM with the management objects specified in 3GPP TS 24.167 [8G]. Other mechanisms may be used as well and are outside the scope of the present specification.
[TS 24.229, clause 5.1.1.2.3]:
On sending a REGISTER request, as defined in clause 5.1.1.2.1, the UE shall additionally populate the header fields as follows:
a) an Authorization header field as defined in RFC 2617 [21] unless otherwise specified in the access specific annexes, with:
– the "username" header field parameter, set to the value of the private user identity;
– the "realm" header field parameter, set to the domain name of the home network;
– the "uri" header field directive, set to the SIP URI of the domain name of the home network;
– the "nonce" header field parameter, set to an empty value; and
– the "response" header field parameter, set to an empty value;
b) the hostport parameter in the Contact header field with the port value of an unprotected port where the UE expects to receive subsequent requests; and
c) the sent-by field in the Via header field with the port value of an unprotected port where the UE expects to receive responses to the request.
The UE shall use the locally available public user identity, the private user identity, and the domain name to be used in the Request-URI in the registration. The method whereby the public user identity and private user identity are made available to the UE is outside the scope of this document (e.g. a public user identity could be input by the end user).
[TS 24.229, 5.1.1.5.5]:
On receiving a 403 (Forbidden) response, the UE shall consider the registration to have failed.
Reference(s)
TS 24.229[10], clauses 5.1.1.1B.1, 5.1.1.2.1, 5.1.1.2.3 and 5.1.1.5.5.
H.9.1.3 Test purpose
To verify that after receiving a 403 (Forbidden) the UE registration fails.
H.9.1.4 Method of test
Initial conditions
UE is configured with the home domain name, public and private user identities and SIP Digest Credentials.
SS is configured with the home domain name, public and private user identities and SIP Digest Credentials. SS is listening to SIP default port 5060 for both UDP and TCP protocols. SS is able to perform MD5 authentication algorithm for that IMPI, according to TS 33.203 [14] clause 6.1 and RFC 3310 [17].
Expected sequence
|
Step |
Direction |
Message |
Comment |
|
|
UE |
SS |
|||
|
1 |
🡪 |
REGISTER |
UE sends initial registration for IMS services. |
|
|
2 |
🡨 |
403 FORBIDDEN |
The SS responds with a 403 FORBIDDEN message including a Retry-After header set to 20 seconds. |
|
|
3 |
SS waits 18 seconds |
|||
Specific Message Contents
REGISTER (Step 1)
Use the default message "REGISTER" in annex A.1.1 with condition A14 "Initial REGISTER over Fixed Access Broadband".
403 Forbidden (Step 2)
Use the default message “403 Forbidden” in Annex A.3.2 and include a Retry-After header set to 20 seconds.
H.9.1.5 Test requirements
If the UE is preconfigured with the home domain name, public and private user identities and SIP Digest Credentials
Step 1: SS shall check that in accordance to the TS 24.229 [10] clause 5.1.1.3 the UE sends a REGISTER.
Step 3: SS shall check that the UE does not re-attempt an IMS registration within the time period indicated by the Retry-After header field.