
1 A new proposal for bundled access to IMS
ETSI TISPAN#7
Sébastien Garcin (France Telecom R&D)
D1 - 16/05/2014
This document contains information that is the property of France Télécom. Acceptance of this document by its recipient implies, on the recipient's part, acknowledgement of the confidential nature of its contents and a commitment not to reproduce it, transmit it to third parties, disclose it or use it commercially without the prior written consent of France Télécom R&D.

2 IMS access considerations for fixed IMS (1/2)
France Télécom R&D. Distribution of this document is subject to authorization by France Télécom R&D. D2 - 16/05/2014
- IPsec protection of SIP signalling shall not be mandatory for all fixed IMS scenarios
- IPsec need not be used in case of bundled authentication
- Non ISIM-based SIP end points need to be supported (e.g. AGCF in case of IMS-based PES)
- P-CSCF behavior should be unchanged for mobiles

3 IMS access considerations for fixed IMS (2/2)
- P-CSCFs need to be able to distinguish between
  - Fixed UEs where IPsec is required
  - Fixed UEs where IPsec is not required
- Possible solutions
  - IPsec-usage indication is stored in the CLF and provided to the P-CSCF at Location-Query phase
  - P-CSCF uses specific IP address/port with differentiated behavior regarding IPsec
  - P-CSCF uses different physical interfaces to discriminate the type of behavior

4 Successful bundled authentication
[Message sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF]
Messages, in the order they appear:
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU)
- Location-Req (IP @, AF identity)
- Location-Res (Location-info)
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Locinfo)
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Loc-info)
- MAR (IMPI, IMPU, Location-Info, Auth-sch= Digest-AKA--MD5)
- MAA (IMPI, IMPU, DIAMETER_SUCCESS_BUNDLE)
- 200 OK (From: IMPU, To: IMPU), three times
Annotations:
- Network attachment & NASS Authentication
- IPsec required? No
- Check User Profile -> Result=Yes
- UE registered

5 IMS access with IPsec required
[Message sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF]
Messages, in the order they appear:
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU)
- Location-Req (IP @, AF identity)
- Location-Res (Location-info)
- 421 Extension Required or 494 Security Agreement Required
Annotations:
- Network attachment & NASS Authentication
- IPsec required? Yes

6 Solution description (1/2)
- UE may or may not provide Sec-client header
- P-CSCF determines whether IPsec is required
- If not, P-CSCF does not check the presence or contents of the Sec-client header in the REGISTER
- If yes, current P-CSCF behaviour applies
  - P-CSCF returns 421 Extension required if Sec-client is not there
  - P-CSCF
- S-CSCF launches Cx authentication procedures
  - Content of P-Access-network-Info is sent over Cx
  - Authentication-scheme unchanged

7 Solution description (2/2)
- UPSF checks the reference location of the IMS subscriber against the current location
- Based on IMS subscription rights, the UPSF allows bundled authentication to IMS
  - Subscriber may not at all be allowed bundled-auth
  - Subscriber may be allowed depending on current location
- A new DIAMETER Result-code is added to notify the S-CSCF that bundled access to IMS is granted
- P-CSCF forwards 200 OK to the UE (no SA set-up)
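The decisions described on the two "Solution description" slides, written out as an added Python sketch (not part of the original presentation): the P-CSCF enforces Sec-Client only when IPsec is required, and the UPSF grants bundled access only when the subscription allows it and the current location matches the reference location. Class, field and function names, the policy values "never" and "by_location", and the sample identities are assumptions made for this example.

```python
# Added sketch, not from the presentation. Class, field and function names are
# hypothetical; status codes and DIAMETER_SUCCESS_BUNDLE are the slides' labels.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Register:                              # constructed model of a SIP REGISTER
    impi: str
    impu: str
    sec_client: Optional[str] = None         # Sec-Client header (RFC 3329), may be absent
    access_net_info: Optional[str] = None    # P-Access-Network-Info

@dataclass(frozen=True)
class Subscription:                          # constructed UPSF record
    bundled_auth: str                        # "never" or "by_location"
    reference_location: str

def p_cscf(reg, clf_location, ipsec_required):
    """Return ("reject", status) or ("forward", REGISTER sent on towards the I-CSCF)."""
    if ipsec_required and reg.sec_client is None:
        return "reject", "421 Extension Required"
    # When IPsec is not required, Sec-Client is neither checked nor needed.
    # Location is taken from the CLF answer; anything the UE put in the header
    # is overwritten (assumption of this sketch, the slides do not cover it).
    return "forward", replace(reg, access_net_info=clf_location)

def upsf(reg, sub):
    """Answer the MAR: grant bundled access or fall back to normal authentication."""
    if sub.bundled_auth == "by_location" and reg.access_net_info == sub.reference_location:
        return "DIAMETER_SUCCESS_BUNDLE"     # S-CSCF answers 200 OK, no SA set-up
    return "DIAMETER_SUCCESS"                # auth vector returned, 401 challenge follows

def register(reg, clf_location, ipsec_required, sub):
    """Final status seen by the UE for its first REGISTER.

    Assumes the CLF IPsec indication and the UPSF subscription are provisioned
    consistently (IPsec-required lines are not also granted bundled access).
    """
    action, out = p_cscf(reg, clf_location, ipsec_required)
    if action == "reject":
        return out
    return "200 OK" if upsf(out, sub) == "DIAMETER_SUCCESS_BUNDLE" else "401 Unauthorized"

if __name__ == "__main__":
    home = Subscription("by_location", "dsl-line-0001")       # constructed values
    ue = Register("user@example.net", "sip:user@example.net")
    print(register(ue, "dsl-line-0001", False, home))          # at reference location
    print(register(ue, "dsl-line-0002", False, home))          # elsewhere
    print(register(ue, "dsl-line-0001", True, home))           # IPsec required, no Sec-Client
```

Because the bundled decision rests entirely on the location value, the sketch takes it from the CLF answer rather than from anything the UE sends.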

8 IMS access without bundled authentication
[Message sequence diagram. Entities: UE, CLF, P-CSCF, I-CSCF, S-CSCF, UPSF]
Messages, in the order they appear:
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, Sec-client:…)
- Location-Req
- Location-Res
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Locinfo)
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Loc-info)
- MAR (IMPI, IMPU, Location-Info, Auth-sch= Digest-AKA--MD5)
- MAA (IMPI, IMPU, Auth-vector, DIAMETER_SUCCESS)
- 401 Unauth (www-authenticate:…, From: IMPU, To: IMPU)
- 401 Unauthorized (www-authenticate:…, From: IMPU, To: IMPU)
- 401 Unauthorized (www-authenticate:…, From: IMPU, To: IMPU, Sec-server…)
Annotations:
- Network attachment & NASS Authentication
- Check User Profile -> Result = No
- IPsec tunnel setup

9 IMS-based PES registration
[Message sequence diagram. Entities: AGCF, I-CSCF, S-CSCF, UPSF]
Messages, in the order they appear:
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Access-Net-info=Location-info)
- REGISTER (Authorization=IMPI, From: IMPU, To: IMPU, P-Acc-Net-info=Location-info)
- MAR (IMPI, IMPU, (Location-Info), Auth-sch= Digest-AKA--MD5)
- MAA (IMPI, IMPU, DIAMETER_SUCCESS_BUNDLE)
- 200 OK (From: IMPU, To: IMPU), twice
Annotations:
- Check User Profile -> Result = Yes
- Registration complete

10 Impacts on TISPAN & 3GPP documentation
- Changes to TS.24.229
  - UE option to support and use RFC3329 and associated procedures
  - P-CSCF verification (IPsec to be enforced or not)
  - S-CSCF (editorial)
- TS.29.228 (Cx signalling flows and message contents)
  - Contents of MAR/MAA message to be updated
  - Signalling flows to be completed
- TS.29.229 (Cx protocol details)
  - New vendor specific AVP for Location-info
  - New Exp-Result-Code value for bundled access indication
- TS.33.203 (Access Security)
  - IPsec requirements need to be updated
- e2/e4 profile update for IPsec indication?

