REGISTER with Authentication and IPSec
As you know, all IMS (SIP) messages are carried as IP data over a TCP or UDP socket, so where necessary we can apply IP-level security (IPsec) to the IMS/SIP transaction. To enable IPsec, the UE and the network go through a Security Association (SA) setup and the associated key exchange procedure. This is done during IMS registration, and the information for the SAs is embedded in the IMS registration messages. The overall procedure of the IPsec SA setup is illustrated below.
< 36.523-3 Figure 4.2.5.2.3.1-1 Two pairs of SAs >
The 4-step SA setup process can be combined with the IMS registration process in a couple of different variations. One example specified in the conformance test is illustrated below. The starting point of the SA process may vary: in the following illustration the SA setup starts from step (3), but in Example 1 you can see a case where the UE starts the SA setup from step (1).
< 36.523-3 Figure 4.2.5.2.3.1-2: Usage of ports and SAs in UDP and TCP transport >
Example 1 : Authentication and IPSec
========================================
This example looks a little different from the procedures illustrated above in terms of the SA starting point, but the overall log (4-step SA process = establishment of 2 SA pairs) is the same. Go through the messages and note how the port numbers negotiated in the Security-Client and Security-Server headers are associated with the port numbers used by the subsequent messages.
Step 1 : REGISTER over TCP
-----------------------------------
Transmission Control Protocol, Src Port: 42368 (42368), Dst Port: sip (5060), Seq: 1, Ack: 1, Len: 1314

REGISTER sip:ims.sharetechnote.com SIP/2.0
Max-Forwards: 70
Route: <sip:[2001:0:0:1::2]:5060;lr>
Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869
Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 REGISTER
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>
Supported: path,eventlist,sec-agree,gruu,outbound
Require: sec-agree
Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE
Authorization: Digest username="001010123456789@ims.sharetechnote.com", realm="ims.sharetechnote.com", nonce="", uri="sip:ims.sharetechnote.com", response="", algorithm=AKAv1-MD5
Security-Client: ipsec-3gpp; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003, ipsec-3gpp; alg=hmac-sha-1-96; prot=esp; mod=trans; ealg=null; spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003
Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>; +g.3gpp.smsip; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000; +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1
Proxy-Require: sec-agree
User-Agent: IMS TestClient/4.0.0 H81110t
Content-Length: 0
Step 2 : 401 Unauthorized over TCP
-----------------------------------
Transmission Control Protocol, Src Port: sip (5060), Dst Port: 42368 (42368), Seq: 1, Ack: 1315, Len: 723

SIP/2.0 401 Unauthorized
Max-Forwards: 70
Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=987654321
Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="ims.mnc01.mcc001.3gppnetwork.org", nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=", qop="auth",opaque="4669e9192b2042d499606fe3e0fa839a", algorithm=AKAv1-MD5
Security-Server: ipsec-3gpp; alg=hmac-md5-96; ealg=null; prot=esp; mod=trans; spi-c=3458785863;spi-s=2821032177; port-c=50717;port-s=50718; q=0.1
Content-Length: 0
Step 3 : REGISTER over TCP
-----------------------------------
Transmission Control Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718), Seq: 1347, Ack: 1, Len: 360

REGISTER sip:ims.sharetechnote.com SIP/2.0
Max-Forwards: 70
Route: <sip:[2001:0:0:1::2]:50718;lr>
Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67
Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 2 REGISTER
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>
Supported: path,eventlist,sec-agree,gruu,outbound
Require: sec-agree
Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE
Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>; +g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000; +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1
Security-Client: ipsec-3gpp; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003, ipsec-3gpp; alg=hmac-sha-1-96; prot=esp; mod=trans; ealg=null; spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003
Security-Verify: ipsec-3gpp; q=0.1; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; spi-c=3458785863;spi-s=2821032177; port-c=50717;port-s=50718
P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000
Authorization: Digest username="001010123456789@ims.sharetechnote.com", realm="ims.mnc01.mcc001.3gppnetwork.org", nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=", uri="sip:ims.sharetechnote.com", response="e089b68060162b5c6a328e5dd2d43133", algorithm=AKAv1-MD5, cnonce="NGNhMTgzMw==", opaque="4669e9192b2042d499606fe3e0fa839a", qop=auth, nc=00000001
User-Agent: IMS TestClient/4.0.0 H81110t
Proxy-Require: sec-agree
Content-Length: 0
Step 4 : 200 OK over TCP
-----------------------------------
Transmission Control Protocol, Src Port: 50718 (50718), Dst Port: 38003 (38003), Seq: 1, Ack: 1707, Len: 781

SIP/2.0 200 OK
Max-Forwards: 70
Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8
Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 2 REGISTER
Date: Thu, 25 Aug 2016 11:37:08 GMT
Require: sec-agree
P-Associated-URI: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>
Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>; +g.3gpp.smsip; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000; +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1
Content-Length: 0
Path: <sip:[2001:0:0:1::2];lr>
Step 5 : SUBSCRIBE over UDP
-----------------------------------
User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)

SUBSCRIBE sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org SIP/2.0
Max-Forwards: 70
Route: <sip:[2001:0:0:1::2]:50718;lr>
Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22
Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 SUBSCRIBE
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>
Accept: application/reginfo+xml
Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE
Security-Verify: ipsec-3gpp; q=0.1; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; spi-c=3458785863;spi-s=2821032177; port-c=50717;port-s=50718
Require: sec-agree
P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000
Event: reg
Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>; +sip.instance="<urn:gsma:imei:35910506-000422-0>"
Expires: 600000
Proxy-Require: sec-agree
User-Agent: IMS TestClient/4.0.0 H81110t
Content-Length: 0
Step 6 : 200 OK over UDP
-----------------------------------
User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)

SIP/2.0 200 OK
Max-Forwards: 70
Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 SUBSCRIBE
Expires: 600000
Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>
Record-Route: <sip:[2001:0:0:1::2]:50718;lr>
Content-Length: 0
Step 7 : NOTIFY over UDP
-----------------------------------
User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)

NOTIFY sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob SIP/2.0
Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp
Max-Forwards: 69
Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 NOTIFY
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>
Event: reg
Subscription-State: active;expires=600000
Content-Type: application/reginfo+xml
Content-Length: 740
Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

<?xml version="1.0" encoding="utf-8"?>
<reginfo version="0" state="full" xmlns="urn:ietf:params:xml:ns:reginfo">
  <registration aor="sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org" id="12345" state="active">
    <contact id="100" state="active" event="registered">
      <uri>sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003</uri>
      <unknown-param name="+g.3gpp.smsip" />
      <unknown-param name="+g.3gpp.icsi-ref">"urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"</unknown-param>
      <unknown-param name="video" />
      <unknown-param name="+sip.instance">"<urn:gsma:imei:35910506-000422-0>"</unknown-param>
      <unknown-param name="reg-id">1</unknown-param>
    </contact>
  </registration>
</reginfo>
Step 8 : 200 OK over UDP
-----------------------------------
User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)

SIP/2.0 200 OK
Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp
Record-Route: <sip:[2001:0:0:1::2]:50718;lr>
Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0
CSeq: 1 NOTIFY
From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161
Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>; +sip.instance="<urn:gsma:imei:35910506-000422-0>"
Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE
P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000
Server: IMS TestClient/4.0.0 H81110t
Content-Length: 0
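The sec-agree negotiation in Example 1, as an added example (not code from the original page): the header values are copied from Steps 1 to 3, the port/SPI mapping of the two SA pairs follows TS 33.203, and the flow check shows that only Steps 1 and 2 run outside the negotiated SAs. It also performs the RFC 3329 check that Security-Verify echoes Security-Server unchanged, which is what lets the P-CSCF detect a downgraded offer.

```python
# Added example, not from the page. Header values copied from Steps 1-3 above.
SECURITY_CLIENT = ("ipsec-3gpp; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; "
                   "spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003, "
                   "ipsec-3gpp; alg=hmac-sha-1-96; prot=esp; mod=trans; ealg=null; "
                   "spi-c=0000565817;spi-s=0000565818; port-c=38003;port-s=39003")
SECURITY_SERVER = ("ipsec-3gpp; alg=hmac-md5-96; ealg=null; prot=esp; mod=trans; "
                   "spi-c=3458785863;spi-s=2821032177; port-c=50717;port-s=50718; q=0.1")
SECURITY_VERIFY = ("ipsec-3gpp; q=0.1; alg=hmac-md5-96; prot=esp; mod=trans; ealg=null; "
                   "spi-c=3458785863;spi-s=2821032177; port-c=50717;port-s=50718")

def parse_sec_header(value):
    """Split a Security-Client/-Server/-Verify value into one dict per mechanism."""
    mechs = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        mech = {"mech": parts[0]}
        for param in parts[1:]:
            key, _, val = param.partition("=")
            mech[key.strip()] = val.strip()
        mechs.append(mech)
    return mechs

def verify_matches_server(server_hdr, verify_hdr):
    """RFC 3329 bidding-down check: the protected REGISTER must echo the
    Security-Server list unchanged (parameter order does not matter)."""
    return parse_sec_header(server_hdr) == parse_sec_header(verify_hdr)

def sa_table(client_hdr, server_hdr):
    """Return {(src_port, dst_port): (spi, alg)} for the two SA pairs.
    Per TS 33.203 each side allocates the SPIs of the SAs it receives on;
    ealg=null on this page means ESP provides integrity only, no encryption."""
    srv = parse_sec_header(server_hdr)[0]
    # The UE offered two algorithms; use the entry matching the server's choice.
    cli = next(c for c in parse_sec_header(client_hdr) if c["alg"] == srv["alg"])
    alg = srv["alg"]
    return {
        (cli["port-c"], srv["port-s"]): (srv["spi-s"], alg),  # pair 1: UE -> P-CSCF
        (srv["port-s"], cli["port-c"]): (cli["spi-c"], alg),  # pair 1: P-CSCF -> UE
        (srv["port-c"], cli["port-s"]): (cli["spi-s"], alg),  # pair 2: P-CSCF -> UE
        (cli["port-s"], srv["port-c"]): (srv["spi-c"], alg),  # pair 2: UE -> P-CSCF
    }

def classify_flows(flows, table):
    """Tag each (step, src, dst) with its SPI, or 'unprotected' if outside every SA."""
    return [(step, table.get((src, dst), ("unprotected",))[0]) for step, src, dst in flows]

# Transport flows taken from the Src/Dst Port lines of Steps 1-8 above.
OBSERVED = [(1, "42368", "5060"), (2, "5060", "42368"), (3, "38003", "50718"),
            (4, "50718", "38003"), (5, "38003", "50718"), (6, "50717", "39003"),
            (7, "50717", "39003"), (8, "38003", "50718")]
```

Any SIP message after Step 2 whose ports fall outside the four SAs is a sign that signalling is bypassing the negotiated protection and should be flagged.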