The IMS UE A performs an IMS originating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
IMS UE A sends an SDP offer for a media stream containing cryptographic information, together with an "a=3ge2ae:requested" SDP attribute for the BFCP-related SDP m-line, to the P CSCF (IMS ALG). For e2ae protection of BFCP the cryptographic information contained in the SDP offer consists of the fingerprint of the certificate of IMS UE A in accordance with RFC 4975. For each media stream that uses transport "TCP/TLS/BFCP", the P CSCF (IMS ALG) checks for the presence of the "a=3ge2ae:requested" SDP attribute. If that indication is present and the P CSCF (IMS ALG) indicated support of e2ae-security for BFCP during registration, the P CSCF (IMS ALG) allocates the required resources, includes the IMS AGW in the media path and proceeds as specified in this clause.
The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP" media towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T2 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T2 as a trigger to send a TCP connection establishment on the termination T1.
The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP/TLS" media towards the access network. In the remote descriptor, it provides the IP address, port and fingerprint attribute received from the UE containing the fingerprint of the UE's certificate in accordance with RFC 4975. This instructs the IMS AGW to verify during the subsequent TLS handshake with the IMS UE that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P CSCF (IMS ALG) to the IMS AGW. In turn, the IMS AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P CSCF (IMS ALG). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute.
The P CSCF (IMS ALG) changes the transport from "TCP/TLS/BFCP" to "TCP/BFCP" in the SDP offer, removes the "a=3ge2ae:requested" SDP attribute and the fingerprint SDP attribute, and inserts the address information received from the IMS-AGW.
The remote peer chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the remote peer.
If the TCP SYN is not answered before a timer expiry, the remote peer will send the TCP SYN a second time (step 10'). The IMS AGW will answer a repeated TCP SYN if it is received after step 14 (step 10').
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.
The IMS-AGW uses the TCP SYN received at the termination T2 (at step 10, or at step 10' if the TCP SYN is dropped at step 10) as a trigger to send a TCP SYN towards the UE to establish a TCP connection (effectively making the IMS-AGW act as the TCP client towards the UE). The UE answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.
Upon completion of the TCP connection establishment, the UE B starts the establishment of the TLS session. The IMS-AGW needs to wait until step 14 to verify the received fingerprint.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the core network with remote address information. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.
The P CSCF (IMS ALG) modifies the SDP answer before sending it to the UE A. The P CSCF (IMS ALG) sets the transport to "TCP/TLS/BFCP" and includes the fingerprint of the IMS AGW's certificate in accordance with RFC 4975.
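The SDP-level part of the originating procedure above (the offer forwarded towards the core network with the transport changed to "TCP/BFCP" and the e2ae and fingerprint attributes removed, and the answer returned to UE A with "TCP/TLS/BFCP" and the IMS-AGW's fingerprint inserted) is illustrated by the following Python, which is an added example and not text or code from this specification. The class and function names, the address values and the fingerprint strings are constructed assumptions; the signalling towards the IMS-AGW is represented only by the address information the IMS-AGW returns.

```python
"""Hypothetical IMS-ALG (P-CSCF) SDP rewriting for e2ae BFCP protection.

Added example; not part of the 3GPP text. Names are assumptions. Only the
SDP changes described in the procedure are modelled; the signalling towards
the IMS-AGW is represented solely by the address information it returns.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

E2AE_REQUESTED = "a=3ge2ae:requested"
FINGERPRINT_PREFIX = "a=fingerprint:"


@dataclass(frozen=True)
class AgwEndpoint:
    """Address information the IMS-AGW allocated for one termination (constructed values below)."""
    ip: str
    port: int
    fingerprint: str | None = None  # IMS-AGW certificate fingerprint, only for the TLS-facing termination


def split_sdp(sdp: str) -> list[list[str]]:
    """Split SDP into [session lines, media section 1, media section 2, ...]."""
    sections: list[list[str]] = [[]]
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([])
        sections[-1].append(line)
    return sections


def join_sdp(sections: list[list[str]]) -> str:
    return "\r\n".join(line for sec in sections for line in sec) + "\r\n"


def _media_transport(section: list[str]) -> str:
    return section[0].split()[2]


def _rewrite_media(section: list[str], transport: str, agw: AgwEndpoint,
                   drop_prefixes: tuple[str, ...], add_lines: list[str]) -> list[str]:
    """Point one media section at the IMS-AGW, change its transport and adjust attributes."""
    m = section[0].split()
    m[1], m[2] = str(agw.port), transport
    out = [" ".join(m)]
    saw_c = False
    for line in section[1:]:
        if line.startswith("c=IN IP"):
            saw_c = True
            out.append(f"c=IN {line.split()[1]} {agw.ip}")
        elif line.startswith(drop_prefixes):
            continue  # attribute the P-CSCF strips on this side
        else:
            out.append(line)
    if not saw_c:  # address was session-level: give the media section its own c= line
        out.insert(1, f"c=IN {'IP6' if ':' in agw.ip else 'IP4'} {agw.ip}")
    out.extend(add_lines)
    return out


def originating_offer_to_core(sdp: str, agw_core: AgwEndpoint,
                              alg_supports_e2ae: bool = True) -> tuple[str, set[int]]:
    """UE A's offer towards the core: returns the rewritten SDP and the indices of m-lines given e2ae."""
    sections = split_sdp(sdp)
    applied: set[int] = set()
    for idx, section in enumerate(sections[1:]):
        if not alg_supports_e2ae or _media_transport(section) != "TCP/TLS/BFCP":
            continue
        if E2AE_REQUESTED not in section:
            continue  # no e2ae request: the m-line is forwarded unchanged
        applied.add(idx)
        sections[idx + 1] = _rewrite_media(section, "TCP/BFCP", agw_core,
                                           (E2AE_REQUESTED, FINGERPRINT_PREFIX), [])
    return join_sdp(sections), applied


def originating_answer_to_ue(sdp: str, agw_access: AgwEndpoint, applied: set[int]) -> str:
    """Answer from the core towards UE A: TLS transport plus the IMS-AGW's own fingerprint."""
    sections = split_sdp(sdp)
    for idx in applied:
        sections[idx + 1] = _rewrite_media(sections[idx + 1], "TCP/TLS/BFCP", agw_access,
                                           (FINGERPRINT_PREFIX,),
                                           [f"{FINGERPRINT_PREFIX}{agw_access.fingerprint}"])
    return join_sdp(sections)


def _fp(label: bytes) -> str:
    """Constructed fingerprint string in RFC 4572/8122 syntax (no real certificate behind it)."""
    return "sha-256 " + ":".join(f"{b:02X}" for b in hashlib.sha256(label).digest())


# Constructed sample SDP (documentation addresses); the audio m-line shows untouched media.
OFFER_FROM_UE_A = "\r\n".join([
    "v=0", "o=ue-a 1 1 IN IP4 192.0.2.10", "s=-", "t=0 0",
    "m=audio 49170 RTP/AVP 0", "c=IN IP4 192.0.2.10",
    "m=application 50000 TCP/TLS/BFCP *", "c=IN IP4 192.0.2.10",
    "a=setup:actpass", "a=connection:new", "a=floorctrl:c-only",
    f"a=fingerprint:{_fp(b'constructed UE-A certificate')}",
    "a=3ge2ae:requested",
]) + "\r\n"
ANSWER_FROM_CORE = "\r\n".join([
    "v=0", "o=ue-b 1 1 IN IP4 203.0.113.5", "s=-", "t=0 0",
    "m=audio 20000 RTP/AVP 0", "c=IN IP4 203.0.113.5",
    "m=application 20002 TCP/BFCP *", "c=IN IP4 203.0.113.5",
    "a=setup:active", "a=connection:new", "a=floorctrl:s-only",
]) + "\r\n"
AGW_CORE_SIDE = AgwEndpoint("198.51.100.20", 51000)  # termination T2 ("TCP", towards core)
AGW_ACCESS_SIDE = AgwEndpoint("198.51.100.10", 52000,
                              _fp(b"constructed IMS-AGW certificate"))  # termination T1 ("TCP/TLS")

if __name__ == "__main__":
    offer_out, e2ae_lines = originating_offer_to_core(OFFER_FROM_UE_A, AGW_CORE_SIDE)
    print(offer_out)
    print(originating_answer_to_ue(ANSWER_FROM_CORE, AGW_ACCESS_SIDE, e2ae_lines))
```

The "a=setup" attribute is forwarded unchanged, since the procedure only describes the IMS-ALG passing "a=setup:actpass" to the IMS-AGW; an m-line without the "a=3ge2ae:requested" indication, or one handled by a P-CSCF that did not announce e2ae support during registration, is left exactly as the UE sent it.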
The IMS UE B performs an IMS terminating session set-up according to TS 23.228, with modifications as described in TS 33.328.
The procedure in the above Figure for requesting e2ae security for a media stream is described step-by-step with an emphasis on the additional aspects for IMS-ALG and IMS-AGW of media protection using TLS.
The P CSCF (IMS ALG) receives an SDP offer for an MSRP media stream. For each BFCP media stream offered with transport "TCP/BFCP", if both the IMS UE and P CSCF (IMS ALG) indicated support for e2ae-security for BFCP during registration, the P CSCF (IMS ALG) allocates the required resources, includes the IMS AGW in the media path and proceeds as specified in this clause.
The IMS-ALG uses the "Reserve AGW Connection Point" procedure to request a termination for "TCP/TLS" media towards the access network. The IMS-ALG configures the IMS-AGW with the request to start the establishment of the TLS session once the TCP connection is established (effectively making the IMS-AGW act as the TLS client). To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute. The IMS-ALG sets the interlinkage topology on the termination T1 to configure the IMS-AGW to use the TCP connection establishment request (TCP SYN) received at the termination T1 as a trigger to send a TCP connection establishment on the termination T2.
The IMS AGW communicates the fingerprint of the certificate it is going to use for setting up protection for this media stream to the P CSCF (IMS ALG).
The IMS-ALG uses the "Reserve And Configure AGW Connection Point" procedure to request a termination for "TCP" media towards the core network. To indicate that the IMS-AGW shall operate in TCP Proxy mode, the IMS-ALG provides the "a=setup:actpass" attribute.
The P CSCF (IMS ALG) changes the transport from "TCP/BFCP" to "TCP/TLS/BFCP" in the SDP offer, adds the "a=3ge2ae:applied" SDP attribute and the fingerprint SDP attribute received from the IMS-AGW, and inserts the address information received from the IMS-AGW.
The UE B chooses to become the active party in the TCP connection establishment and sends a TCP SYN to establish the TCP connection. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), e.g. to enable a remote source transport address filtering, or if the P-CSCF (IMS-ALG) did not indicate to the IMS-AGW at step 2 that it shall latch onto the required destination address via the source address/port of the incoming media, the IMS-AGW shall drop the TCP SYN received from the UE.
If the TCP SYN is not answered before a timer expiry, the UE will send the TCP SYN a second time (step 10'). The IMS AGW will answer a repeated TCP SYN if it is received after step 14 (step 10').
The IMS-AGW answers the TCP SYN and the remote peer completes the TCP connection establishment.
The IMS-AGW sends a TCP SYN towards the core network to establish a TCP connection. The remote peer answers the TCP SYN and the IMS-AGW completes the TCP connection establishment.
Upon completion of the TCP connection establishment, the IMS-AGW starts the establishment of the TLS session. The IMS-AGW needs to wait until step 14 to verify the received fingerprint.
The IMS-ALG uses the "Configure AGW Connection Point" procedure to configure the termination towards the UE B with remote address information. In the remote descriptor, it also provides the fingerprint attribute received from the UE. This instructs the IMS AGW to verify during the TLS handshake with the IMS UE (see step 12) that the fingerprint of the certificate passed by the IMS UE during this TLS handshake matches the fingerprint passed by the P CSCF (IMS ALG) to the IMS AGW. If the P-CSCF (IMS-ALG) indicated to the IMS-AGW at step 2 that it shall ignore any incoming TCP connection establishment requests (TCP SYN), the IMS-ALG indicates to the IMS-AGW to accept incoming TCP connection establishment (TCP SYN) only from the indicated remote transport address.
The P CSCF (IMS ALG) modifies the SDP answer before sending it to the core network. The P CSCF (IMS ALG) sets the transport to "TCP/BFCP" and removes the SDP fingerprint attribute.
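In both the originating and the terminating procedure the IMS-AGW verifies, during the TLS handshake, that the certificate the IMS UE presents matches the fingerprint the IMS-ALG took from the UE's SDP and placed in the remote descriptor, and in both the IMS-AGW may receive the handshake before that fingerprint has been configured (it "needs to wait until step 14"). The following Python is an added example of that check, not code from this specification or from any IMS-AGW implementation. The class and function names are assumptions, the certificate byte strings are constructed stand-ins rather than DER certificates, and the fingerprint syntax is that of RFC 4572 / RFC 8122 (hash function name followed by colon-separated upper-case hex bytes).

```python
"""Hypothetical IMS-AGW side: fingerprint handling for a TLS-facing termination.

Added example; not 3GPP or vendor code. Names are assumptions, and the
certificate byte strings in the demo are constructed stand-ins that are only
hashed, not parsed. Fingerprint syntax per RFC 4572 / RFC 8122.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

# hash-func names accepted in a=fingerprint, mapped to hashlib names.
# MD5 is deliberately absent: RFC 8122 forbids it.
_HASH_FUNCS = {
    "sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512",
}


class Verdict(Enum):
    MATCH = "match"
    MISMATCH = "mismatch"
    NOT_YET_CONFIGURED = "remote fingerprint not yet configured by the IMS-ALG"
    MALFORMED = "malformed fingerprint attribute"


def compute_fingerprint(cert_der: bytes, hash_func: str = "sha-256") -> str:
    """Fingerprint attribute value for a certificate (what the IMS-AGW reports to the IMS-ALG)."""
    digest = hashlib.new(_HASH_FUNCS[hash_func], cert_der).digest()
    return f"{hash_func} " + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(value: str) -> tuple[str, bytes] | None:
    """Parse '<hash-func> AB:CD:...'; None if syntax, algorithm or digest length is wrong."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None
    func = parts[0].lower()
    if func not in _HASH_FUNCS:
        return None
    try:
        raw = bytes.fromhex(parts[1].replace(":", ""))
    except ValueError:
        return None
    if len(raw) != hashlib.new(_HASH_FUNCS[func]).digest_size:
        return None
    return func, raw


@dataclass
class TlsTermination:
    """One TLS-facing IMS-AGW termination (the one towards the access network)."""
    local_cert_der: bytes
    expected_remote_fp: str | None = None

    def local_fingerprint(self) -> str:
        """Value the IMS-AGW hands to the IMS-ALG for the SDP sent towards the UE."""
        return compute_fingerprint(self.local_cert_der)

    def configure_remote_fingerprint(self, value: str) -> bool:
        """Remote descriptor from the IMS-ALG carrying the UE's fingerprint; rejects malformed values."""
        if parse_fingerprint(value) is None:
            return False
        self.expected_remote_fp = value
        return True

    def verify_peer_certificate(self, peer_cert_der: bytes) -> Verdict:
        """Compare the certificate presented in the TLS handshake with the configured fingerprint.

        NOT_YET_CONFIGURED models the handshake arriving before the IMS-ALG has
        supplied the fingerprint: the handshake must not be completed yet.
        """
        if self.expected_remote_fp is None:
            return Verdict.NOT_YET_CONFIGURED
        parsed = parse_fingerprint(self.expected_remote_fp)
        if parsed is None:
            return Verdict.MALFORMED
        func, expected = parsed
        actual = hashlib.new(_HASH_FUNCS[func], peer_cert_der).digest()
        return Verdict.MATCH if hmac.compare_digest(actual, expected) else Verdict.MISMATCH


# Constructed stand-ins for DER certificates (only ever hashed).
UE_CERT = b"constructed stand-in for the UE's certificate"
OTHER_CERT = b"constructed stand-in for some other certificate"
AGW_CERT = b"constructed stand-in for the IMS-AGW's certificate"


def demo() -> list[Verdict]:
    """Handshake before the fingerprint is configured, then with the genuine and with another certificate."""
    t1 = TlsTermination(AGW_CERT)
    results = [t1.verify_peer_certificate(UE_CERT)]          # before the IMS-ALG configured it
    assert t1.configure_remote_fingerprint(compute_fingerprint(UE_CERT))
    results.append(t1.verify_peer_certificate(UE_CERT))      # certificate matching the UE's SDP
    results.append(t1.verify_peer_certificate(OTHER_CERT))   # any other certificate
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The length check in parse_fingerprint matters because a truncated or padded hex string would otherwise be accepted and then never match anything; rejecting it at configuration time lets the IMS-AGW report the error to the IMS-ALG instead of silently failing every handshake.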