IMS


REGISTER with Authentication and IPSec


All IMS (SIP) messages are carried as IP data over TCP or UDP sockets, so IP-level security can be applied to IMS/SIP transactions when it is required.

To enable IP-level security (IPsec), the UE and the network go through a Security Association (SA) negotiation and key-exchange procedure. This is done during IMS registration, and the SA parameters are embedded in the registration messages. The overall IPsec SA procedure is illustrated below.


< 36.523-3 Figure 4.2.5.2.3.1-1 Two pairs of SAs >


The 4-step SA setup can be combined with the IMS registration procedure in a few different ways. One example specified in the conformance test is illustrated below. The point at which the SA process starts seems to vary: in the following illustration SA setup starts at step (3), but in Example 1 you can see a case where the UE starts SA setup at Step (1).


< 36.523-3 Figure 4.2.5.2.3.1-2: Usage of ports and SAs in UDP and TCP transport >


Example 1 : Authentication and IPSec ========================================


This example looks a little different from the procedures illustrated above in terms of where the SA setup starts, but the overall log (4-step SA process = 2 SA establishments) is the same. Go through the messages and note how the port numbers in RED are associated with the port numbers in BLUE, i.e. how the port-c/port-s values carried in Security-Client and Security-Server become the source and destination ports of the later messages.


Step 1 : REGISTER  over TCP -----------------------------------

    Transmission Control Protocol, Src Port: 42368 (42368), Dst Port: sip (5060), Seq: 1, Ack: 1, Len: 1314


    REGISTER sip:ims.sharetechnote.com SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:5060;lr>

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 REGISTER

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Supported: path,eventlist,sec-agree,gruu,outbound

    Require: sec-agree

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Authorization:

      Digest username="001010123456789@ims.sharetechnote.com",

      realm="ims.sharetechnote.com",

      nonce="",

      uri="sip:ims.sharetechnote.com",

      response="",

      algorithm=AKAv1-MD5

    Security-Client:

      ipsec-3gpp;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003,

      ipsec-3gpp;

        alg=hmac-sha-1-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;

      +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Proxy-Require: sec-agree

    User-Agent: IMS TestClient/4.0.0 H81110t

    Content-Length: 0


Step 2 : 401 Unauthorized  over TCP -----------------------------------

    Transmission Control Protocol, Src Port: sip (5060), Dst Port: 42368 (42368), Seq: 1, Ack: 1315, Len: 723


    SIP/2.0 401 Unauthorized

    Max-Forwards: 70

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=987654321

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 REGISTER

    WWW-Authenticate:

      Digest realm="ims.mnc01.mcc001.3gppnetwork.org",

      nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=",

      qop="auth",opaque="4669e9192b2042d499606fe3e0fa839a",

      algorithm=AKAv1-MD5

    Security-Server:

      ipsec-3gpp;

        alg=hmac-md5-96;

        ealg=null;

        prot=esp;

        mod=trans;

        spi-c=3458785863;spi-s=2821032177;

        port-c=50717;port-s=50718;

        q=0.1

    Content-Length: 0


Step 3 : REGISTER  over TCP -----------------------------------

    Transmission Control Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718), Seq: 1347, Ack: 1, Len: 360


    REGISTER sip:ims.sharetechnote.com SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:50718;lr>

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 2 REGISTER

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Supported: path,eventlist,sec-agree,gruu,outbound

    Require: sec-agree

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Security-Client:

      ipsec-3gpp;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003,

      ipsec-3gpp;

        alg=hmac-sha-1-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003

    Security-Verify:

      ipsec-3gpp;

        q=0.1;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=3458785863;spi-s=2821032177;

        port-c=50717;port-s=50718

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Authorization:

      Digest username="001010123456789@ims.sharetechnote.com",

      realm="ims.mnc01.mcc001.3gppnetwork.org",

      nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=",

      uri="sip:ims.sharetechnote.com",

      response="e089b68060162b5c6a328e5dd2d43133",

      algorithm=AKAv1-MD5,

      cnonce="NGNhMTgzMw==",

      opaque="4669e9192b2042d499606fe3e0fa839a",

      qop=auth,

      nc=00000001

    User-Agent: IMS TestClient/4.0.0 H81110t

    Proxy-Require: sec-agree

    Content-Length: 0


Step 4 : 200 OK  over TCP -----------------------------------

    Transmission Control Protocol, Src Port: 50718 (50718), Dst Port: 38003 (38003), Seq: 1, Ack: 1707, Len: 781


    SIP/2.0 200 OK

    Max-Forwards: 70

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 2 REGISTER

    Date: Thu, 25 Aug 2016 11:37:08 GMT

    Require: sec-agree

    P-Associated-URI: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;

      +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Content-Length: 0

    Path: <sip:[2001:0:0:1::2];lr>


Step 5 : SUBSCRIBE  over UDP -----------------------------------


    User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)


    SUBSCRIBE sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:50718;lr>

    Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 SUBSCRIBE

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Accept: application/reginfo+xml

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Security-Verify:

      ipsec-3gpp;

        q=0.1;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=3458785863;spi-s=2821032177;

        port-c=50717;port-s=50718

    Require: sec-agree

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Event: reg

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>"

    Expires: 600000

    Proxy-Require: sec-agree

    User-Agent: IMS TestClient/4.0.0 H81110t

    Content-Length: 0


Step 6 : 200 OK  over UDP -----------------------------------

    User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)


    SIP/2.0 200 OK

    Max-Forwards: 70

    Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 SUBSCRIBE

    Expires: 600000

    Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

    Content-Length: 0


Step 7 : NOTIFY  over UDP -----------------------------------

    User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)


    NOTIFY sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob SIP/2.0

    Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp

    Max-Forwards: 69

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 NOTIFY

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>

    Event: reg

    Subscription-State: active;expires=600000

    Content-Type: application/reginfo+xml

    Content-Length: 740

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>


    <?xml version="1.0" encoding="utf-8"?>

    <reginfo version="0" state="full" xmlns="urn:ietf:params:xml:ns:reginfo">

      <registration aor="sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org" id="12345" state="active">

        <contact id="100" state="active" event="registered">

          <uri>sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003</uri>

          <unknown-param name="+g.3gpp.smsip" />

          <unknown-param name="+g.3gpp.icsi-ref">"urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"</unknown-param>

          <unknown-param name="video" />

          <unknown-param name="+sip.instance">"&lt;urn:gsma:imei:35910506-000422-0&gt;"</unknown-param>

          <unknown-param name="reg-id">1</unknown-param>

        </contact>

      </registration>

    </reginfo>


Step 8 : 200 OK  over UDP -----------------------------------

    User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)


    SIP/2.0 200 OK

    Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 NOTIFY

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>"

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Server: IMS TestClient/4.0.0 H81110t

    Content-Length: 0
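To check the port association that Example 1 asks the reader to trace, here is an added Python example (not from the original page or from any IMS stack). It parses the Security-Client, Security-Server and Security-Verify values from Steps 1 to 3, pairs the ports into the two SA directions the way TS 33.203 does, confirms that Security-Verify echoes Security-Server, and maps each Wireshark-style transport line from the log to its SA. The header strings are transcribed from the log above; the function names are my own.

```python
import re
# Header values transcribed from the log above (Steps 1-3); FLOW_RE matches the transport line quoted in each step.
SECURITY_CLIENT = ("ipsec-3gpp;alg=hmac-md5-96;prot=esp;mod=trans;ealg=null;"
                   "spi-c=0000565817;spi-s=0000565818;port-c=38003;port-s=39003,"
                   "ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=null;"
                   "spi-c=0000565817;spi-s=0000565818;port-c=38003;port-s=39003")
SECURITY_SERVER = ("ipsec-3gpp;alg=hmac-md5-96;ealg=null;prot=esp;mod=trans;"
                   "spi-c=3458785863;spi-s=2821032177;port-c=50717;port-s=50718;q=0.1")
SECURITY_VERIFY = ("ipsec-3gpp;q=0.1;alg=hmac-md5-96;prot=esp;mod=trans;ealg=null;"
                   "spi-c=3458785863;spi-s=2821032177;port-c=50717;port-s=50718")
FLOW_RE = re.compile(r"(Transmission Control|User Datagram) Protocol, Src Port: \S+ \((\d+)\), Dst Port: \S+ \((\d+)\)")

def parse_sec_header(value):
    """Split an RFC 3329 security header into one {param: value} dict per mechanism."""
    mechs = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        mech = {"mech": parts[0]}
        mech.update(p.partition("=")[::2] for p in parts[1:])  # (key, value) pairs
        mechs.append(mech)
    return mechs

def verify_matches_server(verify, server):
    """Security-Verify must echo Security-Server unchanged (q compared numerically);
    the P-CSCF relies on this comparison to detect a bidding-down attack (RFC 3329)."""
    norm = lambda m: {k: float(v) if k == "q" else v for k, v in m.items()}
    return [norm(m) for m in parse_sec_header(verify)] == [norm(m) for m in parse_sec_header(server)]

def build_sas(client, server):
    """Pair the ports as TS 33.203 does for the algorithm the P-CSCF selected: UE-initiated
    traffic runs port_uc -> port_ps (SPI = server spi-s), P-CSCF-initiated port_pc -> port_us."""
    srv = parse_sec_header(server)[0]
    cli = next(m for m in parse_sec_header(client) if m["alg"] == srv["alg"])
    return {"alg": srv["alg"],
            "ue_to_pcscf": (int(cli["port-c"]), int(srv["port-s"]), srv["spi-s"]),
            "pcscf_to_ue": (int(srv["port-c"]), int(cli["port-s"]), cli["spi-s"])}

def classify(transport_line, sas):
    """Name the SA direction of a transport line, or None for unprotected traffic (the first REGISTER
    to 5060). Over UDP each side sends from its port-c to the peer's port-s; over TCP a response reuses the request's connection."""
    m = FLOW_RE.match(transport_line.strip())
    if not m: return None
    tcp, src, dst = m.group(1).startswith("Trans"), int(m.group(2)), int(m.group(3))
    (uc, ps, _), (pc, us, _) = sas["ue_to_pcscf"], sas["pcscf_to_ue"]
    flows = {(uc, ps): "UE->P-CSCF on port_uc->port_ps",
             (pc, us): "P-CSCF->UE on port_pc->port_us"}
    if tcp:  # a response reverses the request's port tuple on the same TCP connection
        flows[(ps, uc)] = "P-CSCF->UE response on the UE's TCP connection"
        flows[(us, pc)] = "UE->P-CSCF response on the P-CSCF's TCP connection"
    return flows.get((src, dst))
```

Feeding the transport line of each step into classify() reproduces the mapping in the log: Steps 3, 5 and 8 travel port_uc (38003) to port_ps (50718), Steps 6 and 7 travel port_pc (50717) to port_us (39003), and the first REGISTER to 5060 returns None because it is sent before any SA exists.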