A new proposal for bundled access to ims etsi tispan 7
This presentation is the property of its rightful owner.
Sponsored Links
1 / 10

A new proposal for bundled access to IMS ETSI TISPAN#7 PowerPoint PPT Presentation


  • 50 Views
  • Uploaded on
  • Presentation posted in: General

A new proposal for bundled access to IMS ETSI TISPAN#7. Sébastien Garcin (France Telecom R&D). IMS access considerations for fixed IMS (1/2). IPsec protection of SIP signalling shall not be mandatory for all fixed IMS scenarios IPsec need not be used in case of bundled authentication

Download Presentation

A new proposal for bundled access to IMS ETSI TISPAN#7

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


A new proposal for bundled access to ims etsi tispan 7

A new proposal for bundled access to IMSETSI TISPAN#7

Sébastien Garcin (France Telecom R&D)


Ims access considerations for fixed ims 1 2

IMS access considerations for fixed IMS (1/2)

  • IPsec protection of SIP signalling shall not be mandatory for all fixed IMS scenarios

  • IPsec need not be used in case of bundled authentication

  • Non ISIM-based SIP end points need to be supported (e.g. AGCF in case of IMS-based PES)

  • P-CSCFs behavior should be unchanged for mobiles


Ims access considerations for fixed ims 2 2

IMS access considerations for fixed IMS (2/2)

  • P-CSCFs need to able to distinguish between

    • Fixed UEs where IPsec is required

    • Fixed UEs where IPsec is not required

  • Possible solutions

    • IPsec-usage indication is stored in the CLF and provided to the P-CSCF at Location-Query phase

    • P-CSCF uses specific IP address/port with differentiated behavior regarding IPsec

    • P-CSCF uses different physical interfaces to discriminate the type behavior


Successful bundled authentication

Successful bundled authentication

UE

CLF

P-CSCF

I-CSCF

S-CSCF

UPSF

Network attachement & NASS Authentication

REGISTER

Authorization=IMPI

From: IMPU

To: IMPU

Location-ReqIP @

AF identity

Location-ResLocation-info

IPsec required? No

REGISTERAuthorization=IMPI

From: IMPU

To: IMPU

P-Acc-Net-info=Locinfo

REGISTERAuthorization=IMPI

From: IMPU

To: IMPU

P-Acc-Net-info=Loc-info

MAR

IMPI

IMPU

Location-InfoAuth-sch= Digest-AKA--MD5

Check User Profil

-> Result=Yes

MAAIMPI

IMPU

DIAMETER_SUCCESS_BUNDLE

200 OK

From: IMPU

To: IMPU

200 OK

From: IMPU

To: IMPU

200 OK

From: IMPU

To: IMPU

UE registered


Ims access with ipsec required

IMS access with IPsec required

UE

CLF

P-CSCF

I-CSCF

S-CSCF

UPSF

Network attachement & NASS Authentication

REGISTER

Authorization=IMPI

From: IMPU

To: IMPU

Location-ReqIP @

AF identity

Location-ResLocation-info

IPsec required? Yes

421 Extension Required

Or

494 Security Agreement Required


Solution description 1 2

Solution description (1/2)

  • UE may or may not provide Sec-client header

  • P-CSCF determines whether IPsec is required

    • If not, P-CSCF does not check the presence or contents of the Sec-client header in the REGISTER

    • If yes, current P-CSCF behavious applies

      • P-CSCF returns 421 Extension required if Sec-client is not there

      • P-CSCF

  • S-CSCF launches Cx authentication procedures

    • Content of P-Access-network-Info is sent over Cx

    • Authentication-scheme unchanged


Solution description 2 2

Solution description (2/2)

  • UPSF checks the reference location of the IMS subscriber against the current location

  • Based on IMS subscription rights, the UPSF allows bundled authentication to IMS

    • Subscriber may not at all be allowed bundled-auth

    • Subscriber may be allowed depending on current location

  • A new DIAMETER Result-code is added to notify the S-CSCF that bundled access to IMS is granted

  • P-CSCF forwards 200 OK to the UE (no SA set-up)


Ims access without bundled authentication

IMS access without bundled authentication

UE

CLF

P-CSCF

I-CSCF

S-CSCF

UPSF

Network attachement & NASS Authentication

REGISTER

Authorizarion=IMPI

From: IMPU

To: IMPU

Sec-client:…

Location-Req

Location-Res

REGISTERAuthorizarion=IMPI

From: IMPU

To: IMPU

P-Acc-Net-info=Locinfo

REGISTERAuthorization=IMPI

From: IMPU

To: IMPU

P-Acc-Net-info=Loc-info

MAR

IMPI

IMPU

Location-InfoAuth-sch= Digest-AKA--MD5

Check User Profil

->Result = No

MAAIMPI

IMPU

Auth-vector

DIAMETER_SUCCESS

401 Unauthorized

www-authenticate:…

From: IMPU

To: IMPU

401 Unauth

www-authenticate:…

From: IMPU

To: IMPU

401 Unauthorized

www-authenticate:…

From: IMPU

To: IMPU

Sec-server…

IPsec tunnel setup


Ims based pes registration

IMS-based PES registration

AGCF

I-CSCF

S-CSCF

UPSF

REGISTER

Authorization=IMPI

From: IMPU

To: IMPU

P-Access-Net-info=Location-info

REGISTERAuthorization=IMPI

From: IMPU

To: IMPU

P-Acc-Net-info=Location-info

MAR

IMPI

IMPU

(Location-Info)Auth-sch= Digest-AKA--MD5

Check User Profil

->Result = Yes

200 OK

From: IMPU

To: IMPU

MAAIMPI

IMPU

DIAMETER_SUCCESS_BUNDLE

200 OK

From: IMPU

To: IMPU

Registration complete


Impacts on tispan 3gpp documentation

Impacts on TISPAN&3GPP documentation

  • Changes to TS.24.229

    • UE Option to support and use RFC3329 and associated procedures

    • P-CSCF verification (IPsec to be enforced or not)

    • S-CSCF (editorial)

  • TS.29.228 (Cx signalling flows and message contents)

    • Contents of MAR/MAA message to be updated

    • Signalling flows to be completed

  • TS.29.229 (Cx protocol details)

    • New vendor specific AVP for Location-info

    • New Exp-Result-Code value for bundled access indication

  • TS.33.203 (Access Security)

    • IPsec requirements need to be updated

  • e2/e4 profil update for IPsec indication ?


  • Login