Peter Howard
3GPP SA3 (Security) delegate peter.howard@vodafone.com
[Figure: IMS architecture. Labels: UA, P-CSCF, I-CSCF, S-CSCF, HSS, Home, Visited, REGISTER/INVITE. Legend: SIP-based interfaces, PS domain, SIP proxy servers.]
Network domain security features to protect signalling links between network elements within the IMS domain
[Figure: IMS architecture with access network. Labels: UA, RAN, SGSN, GGSN, P-CSCF, I-CSCF, S-CSCF, HSS, Home, Visited, REGISTER/INVITE.]
Authentication check located in S-CSCF
Working assumption is to authenticate only at SIP registrations, with on-demand re-authentication requiring re-registration
Use SIP authentication rather than an outer layer protocol such as TLS or IKE in order to minimise roundtrips
[Figure: Possible Information Flow for Authentication and Session Key Establishment (from draft 3GPP TS 33.203). Flow labels: Cx-Put, Cx-Pull.]
[Figure: EAP methods (EAP TLS, EAP GSM, EAP AKA, EAP ...) and EAP Extensions.]
Uses session key derived during authentication
Integration into SIP registration with no new roundtrips
3GPP
IETF
SIPPING WG
TS 24.228 (CN1)
TS 29.228 (CN4)
TS 24.229 (CN1)
TS 29.229 (CN4)
Protocol detail
EAP and session key transport in DIAMETER
SIP extensions to support security mode establishment
References
Draft 3GPP TS 33.203, Access security for IP-based services (Release 5).
Draft 3GPP TS 33.210, Network domain security; IP network layer security (Release 5).
J. Arkko and H. Haverinen, EAP AKA Authentication, draft-arkko-pppext-aka-00.txt.
V. Torvinen, J. Arkko, A. Niemi, HTTP Authentication with EAP, draft-torvinen-http-eap-00.txt (to appear).
L. Blunk, J. Vollbrecht, PPP Extensible Authentication Protocol (EAP), RFC 2284.
P. Calhoun et al., DIAMETER NASREQ Extensions, draft-ietf-aaa-diameter-nasreq-06.txt.
Questions?
Three party protocol
Two-pass mutual authentication protocol between UA and S-CSCF
Each authentication vector is good for one authentication
Authentication vectors can be distributed in batches to minimise signalling/load on HSS
[Figure labels: Authentication request, Authentication response, Distribution of session key to P-CSCF, P-CSCF.]