M.7.1 Security association parameters

For protecting IMS signalling between the UE and the P-CSCF it is necessary to agree on shared keys that are provided by IMS AKA, and a set of parameters specific to a protection method. The security mode setup (cf. clause M.7.2) is used to negotiate the SA parameters required for IPsec ESP with authentication and confidentiality, in accordance with the provisions in clauses 5.1.3, 5.1.4, M.6.2, and M.6.3.

The SA parameters that shall be negotiated between UE and P-CSCF in the security mode set-up procedure are:

- Encryption algorithm
  cf. clause 7.1
- Integrity algorithm
  cf. clause 7.1
- Mode
  The IPsec SA mode of operation shall depend on whether the UE is located behind a NAT device or not. If the UE is located behind a NAT device UDP encapsulated tunnel mode according to RFC 3948 [28] shall be used. Otherwise transport mode shall be used. The set-up of security associations (cf. clause M.7.2) allows the P-CSCF to detect whether the UE is located behind a NAT or not.
- SPI (Security Parameter Index)
  cf. clause 7.1

The following SA parameters are not negotiated:

cf. clause 7.1

Selectors if no NAT is present:

Cf. section 7.1

Selectors if a NAT is present:

The security associations (SA) have to be bound to specific parameters (selectors) of the SIP flows between UE and P-CSCF, i.e. source and destination IP addresses, transport protocols that share the SA, and source and destination ports.

3GPP TS 33.203 V12.67.0 (2014-0609), Release 12
If a NAT is present, it is assumed that the UE is configured locally with a (e.g. private) IP address. When the UE communicates with the P-CSCF via the NAT device, the NAT allocates a binding, mapping the local IP address to a publicly routable IP address (called public IP address in the sequel) and perhaps also mapping the source port used in the UDP or TCP packet to another port number. In the following, the term UE_IP_address always denotes the public IP address of the UE.

NOTE: The IP addresses and ports used as selectors in IPsec tunnel mode are those of the inner IP header, in accordance with RFC 4301 [53]. The inner IP addresses are always the public IP addresses. Please also note that the terminology used here may differ from that used in other scenarios, e.g. in VPN access to a corporate network, as in the latter scenario the inner IP address is not publicly routable in general.

- IP addresses:
  - inbound SA at the P-CSCF: The source and destination IP addresses associated with the SA are identical to those in the header of the IP packet in which the initial SIP REGISTER message was received by the P-CSCF.
  - outbound SA at the P-CSCF: The source IP address bound to the outbound SA equals the destination IP address bound to the inbound SA; the destination IP address bound to the outbound SA equals the source IP address bound to the inbound SA.