NOTE: Not all SIP messages necessarily contain public or private identities, e.g. subsequent messages in a dialogue. Other information, e.g. a dialogue identifier, may be used to associate the message with a user at SIP level.

5. For each unidirectional SA which has been established and has not expired, the SIP application at the UE stores at least the following data: (UE_IP_address, UE_protected_port, P-CSCF_protected_port, SPI, lifetime, mode) in an "SA_table". The pair (UE_protected_port, P-CSCF_protected_port) equals either (port_uc, port_ps) or (port_us, port_pc).

NOTE: The SPI is only required to initiate and delete SAs in the UE. The SPI is not exchanged between IPsec and the SIP layer for incoming or outgoing SIP messages.

6. When establishing a new pair of SAs (cf. clause 6.3) the SIP application at the UE shall ensure that the selected numbers for the protected ports do not correspond to an entry in the "SA_table". Furthermore, the UE should select port numbers (pseudo-)randomly from a sufficiently large set of numbers not yet allocated at the UE. When the UE receives an error message indicating a collision of a pair (IP address, port), according to rule 3 above, the UE may retry the registration with differently selected port numbers.

NOTE: The UE should select port numbers (pseudo-)randomly for two reasons:
1) to avoid collisions of pairs (IP address, port) at the P-CSCF, cf. rule 3 above;
2) to thwart a limited form of a Denial of Service attack. UMTS/LTE PS access link security also helps to thwart this attack.

NOTE: The (pseudo-)randomization of port numbers is meant for both initial registrations and re-registrations.

7. For each incoming protected message the SIP application at the UE shall verify that the correct inbound SA according to clause M.7.4 on SA handling has been used. The SA is identified by the pair (UE_protected_port, P-CSCF_protected_port) in the "SA_table".

NOTE: If the integrity check of a received packet fails then IPsec will automatically discard the packet.

M.7.2 Set-up of security associations (successful case)

The set-up of security associations is based on RFC 3329 [21]. Annex H of this specification shows how to use RFC 3329 [21] for the set-up of security associations. In this clause the normal case is specified, i.e. when no failure occurs. Note that for simplicity some of the nodes and messages have been omitted. Hence there are gaps in the numbering of messages, as the I-CSCF is omitted.

For the purpose of the description of the message processing in case UDP encapsulated tunnel mode is used, a conceptual functional element called "UDP encapsulation function" is used. The UDP encapsulation function handles all tasks relevant to the UDP encapsulation processing, i.e. the addition and removal of UDP headers to packets. In that sense it does not perform any IPsec processing as such. From an implementation point of view, it is immaterial whether the UDP encapsulation function and the IPsec processing are combined or kept separate. On the network side, the UDP encapsulation function may reside on the P-CSCF or in a separate device.
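The following is an added illustration of rules 5 to 7 above as a UE-side "SA_table" model; it is not 3GPP code and not taken from the specification. Each entry carries the tuple the clause lists (UE_IP_address, UE_protected_port, P-CSCF_protected_port, SPI, lifetime, mode) plus an assumed `inbound` flag, because both port pairs serve one SA in each direction and rule 7 only consults inbound SAs. The port range 49152–65535, the four-SA layout created by `establish`, and the sample IP address and port values are assumptions for the example.

```python
"""UE-side SA_table model for TS 33.203 Annex M.7.1 rules 5-7 (added example)."""
import random
import time
from dataclasses import dataclass

# Assumption: UE protected ports are drawn from the IANA dynamic/private range.
PORT_MIN, PORT_MAX = 49152, 65535


@dataclass(frozen=True)
class SAEntry:
    ue_ip: str
    ue_port: int        # UE_protected_port: port_uc or port_us
    pcscf_port: int     # P-CSCF_protected_port: port_ps or port_pc
    spi: int            # only used to create/delete the SA in IPsec (rule 5 NOTE)
    expires_at: float   # absolute time derived from the SA lifetime
    mode: str           # e.g. "transport" or "udp-tunnel"
    inbound: bool       # assumed extra field: True for P-CSCF -> UE direction


class SATable:
    """Entries keyed by (UE_protected_port, P-CSCF_protected_port, inbound)."""

    def __init__(self, rng=None):
        self._entries = {}
        # SystemRandom is a CSPRNG; a seeded random.Random can be injected for tests.
        self._rng = rng or random.SystemRandom()

    def purge_expired(self, now=None):
        """Rule 5 covers only SAs that have not expired; drop the rest."""
        now = time.time() if now is None else now
        self._entries = {k: e for k, e in self._entries.items() if e.expires_at > now}

    def allocated_ue_ports(self):
        return {e.ue_port for e in self._entries.values()}

    def ports_free(self, port_uc, port_us):
        """Rule 6 check: neither selected UE port may already appear in the table."""
        return port_uc != port_us and not ({port_uc, port_us} & self.allocated_ue_ports())

    def pick_ue_ports(self, reserved=frozenset()):
        """Rule 6: choose port_uc and port_us (pseudo-)randomly from the ports
        not yet allocated at the UE (table entries plus caller-supplied reserved ports)."""
        taken = self.allocated_ue_ports() | set(reserved)
        free = [p for p in range(PORT_MIN, PORT_MAX + 1) if p not in taken]
        if len(free) < 2:
            raise RuntimeError("no free protected ports left at the UE")
        port_uc, port_us = self._rng.sample(free, 2)
        return port_uc, port_us

    def establish(self, ue_ip, ue_ports, pcscf_ports, spis, lifetime, mode, now=None):
        """Store the SAs of one registration. ue_ports=(port_uc, port_us),
        pcscf_ports=(port_ps, port_pc), spis = four SPIs in the order
        [uc->ps outbound, ps->uc inbound, pc->us inbound, us->pc outbound]."""
        now = time.time() if now is None else now
        port_uc, port_us = ue_ports
        port_ps, port_pc = pcscf_ports
        if not self.ports_free(port_uc, port_us):
            raise ValueError("selected ports collide with an existing SA_table entry")
        layout = [(port_uc, port_ps, False), (port_uc, port_ps, True),
                  (port_us, port_pc, True), (port_us, port_pc, False)]
        for (ue_port, pcscf_port, inbound), spi in zip(layout, spis):
            entry = SAEntry(ue_ip, ue_port, pcscf_port, spi, now + lifetime, mode, inbound)
            self._entries[(ue_port, pcscf_port, inbound)] = entry

    def verify_inbound(self, ue_ip, ue_port, pcscf_port, now=None):
        """Rule 7: an incoming protected message is accepted only if a live inbound
        SA exists for the (UE_protected_port, P-CSCF_protected_port) pair it used."""
        now = time.time() if now is None else now
        entry = self._entries.get((ue_port, pcscf_port, True))
        return entry is not None and entry.ue_ip == ue_ip and entry.expires_at > now


if __name__ == "__main__":
    table = SATable()
    uc, us = table.pick_ue_ports()
    # Constructed sample values: P-CSCF ports 5061/5062, SPIs 1-4, 600 s lifetime.
    table.establish("10.0.0.5", (uc, us), (5061, 5062), [1, 2, 3, 4], 600, "udp-tunnel")
    print("request on port_us accepted:", table.verify_inbound("10.0.0.5", us, 5062))
    print("mismatched pair rejected:", not table.verify_inbound("10.0.0.5", uc, 5062))
```

The table never looks at the SPI when checking a received message, matching the NOTE under rule 5: the SPI is kept only so the UE can later delete the SA it created, and the IPsec layer has already discarded any packet whose integrity check failed before `verify_inbound` runs.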