Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TS 23.334  Word version:  18.1.0

Top   Top   Up   Prev   Next
1…   4…   5…   5.11…   5.12…   5.14…   5.18…   5.19…   5.20…   5.21…   6…   6.1.6…   6.1.11…   6.2…   6.2.10…   6.2.10.3.1.2   6.2.10.3.2   6.2.10.4…   6.2.10.4.3…   6.2.10.5   6.2.10.6…   6.2.10A…   6.2.13…   6.2.14…   6.2.14.3   6.2.14.4…   6.2.15…   6.2.17…   6.2.17.3…   6.2.17.5…   6.2.18…   6.2.20   6.2.21…   6.2.22…   6.2.22.3…   6.2.22.3.2   6.2.23   6.2.24   6.2.25   7   8…   8.3   8.4   8.5…   8.23…
6.2.10.5 End-to-access-edge security for RTP based media using DTLS-SRTP
...

 

6.2.10.5  End-to-access-edge security for RTP based media using DTLS-SRTP |R12|p. 129

The procedures are similar to that of clause 6.2.1 apart from the IMS-ALG optionally requesting the eIMS-AGW to provide IMS media plane security using DTLS.
Upon receipt of an SDP offer from the IMS access network, the IMS-ALG shall:
  • check the received value of the setup SDP attribute to determine if the IMS-AGW needs to act as DTLS client or DTLS server. When the received value is equal to:
    1. "active" the IMS-AGW needs to act as DTLS server;
    2. "passive" the IMS-AGW needs to act as DTLS client; or
    3. "actpass" the IMS-ALG shall decide if the IMS-AGW needs to act as DTLS client or DTLS server;
  • if the received SDP offer contains "a=tls-id" media-level SDP attribute (as specified in RFC 8842), create a new DTLS association identity;
  • when reserving the transport addresses/resources towards the IMS access network:
    1. indicate to the IMS-AGW "UDP/TLS/RTP/SAVP" or "UDP/TLS/RTP/SAVPF" as transport protocol;
    2. include the Remote certificate fingerprint information element with the value of the received fingerprint SDP attribute from the UE (IMS UE or WIC);
    3. include the Local certificate fingerprint Request information element to request the certificate fingerprint of the IMS-AGW; and
    4. if the IMS-AGW needs to act as DTLS client, include the Establish (D)TLS session information element to request the IMS-AGW to start the DTLS session setup;
  • indicate to the IMS-AGW "RTP/AVP" or "RTP/AVPF" over UDP as transport protocol when reserving the transport addresses/resources towards the IMS core network; and
  • remove the setup SDP attribute and indicate the transport protocol "RTP/AVP" in the offer towards the IMS core network.
Upon receipt of an SDP answer from the IMS core network, the IMS-ALG shall:
  • in the "m=" line indicating the use of SRTP, change the transport protocol to "UDP/TLS/RTP/SAVP" or "UDP/TLS/RTP/SAVPF";
  • insert the fingerprint SDP attribute with the value of the Local certificate fingerprint information element received from the IMS-AGW; and
  • insert the "a=tls-id" SDP attribute containing a new DTLS association identity; and
  • insert the setup SDP attribute with the value:
    1. "active" if the IMS-ALG requested the IMS-AGW to act as DTLS client; or
    2. "passive" if the IMS-AGW shall take the DTLS server role.
Figure 6.2.10.5.1 shows the message sequence chart example of UE (IMS UE or WIC) originated procedure using DTLS-SRTP.
Copy of original 3GPP image for 3GPP TS 23.334, Fig. 6.2.10.5.1: UE originated procedure using DTLS-SRTP
Figure 6.2.10.5.1: UE originated procedure using DTLS-SRTP
(⇒ copy of original 3GPP image)
Up
Upon receipt of an SDP offer from the IMS core network using the "RTP/AVP" or "RTP/AVPF" over UDP as transport protocol the IMS-ALG shall:
  • when reserving the transport addresses/resources towards the IMS access network:
    1. indicate to the IMS-AGW "UDP/TLS/RTP/SAVP" or "UDP/TLS/RTP/SAVPF" as transport protocol; and
    2. include the Local certificate fingerprint Request information element to request the certificate fingerprint of the IMS-AGW;
  • when reserving the transport addresses/resources towards the IMS core network indicate to the IMS-AGW "RTP/AVP" or "RTP/AVPF" over UDP as transport protocol; and
  • modify the SDP offer that will be sent to the IMS access network by:
    1. in the "m=" line that is indicating the use of SRTP, changing the transport protocol to "UDP/TLS/RTP/SAVP" or "UDP/TLS/RTP/SAVPF";
    2. inserting the fingerprint SDP attribute with the value of the Local certificate fingerprint information element received from the IMS-AGW;
    3. inserting the "tls-id" SDP attribute with the new DTLS association identity; and
    4. inserting the setup SDP attribute, as defined in RFC 4145, with the value "actpass".
Upon receipt of an SDP answer from the IMS access network containing the use of the "UDP/TLS/RTP/SAVP" or "UDP/TLS/RTP/SAVPF" transport protocol with the associated fingerprint and setup SDP attributes, the IMS-ALG shall:
  • check the value of the received setup SDP attribute to determine if the IMS-AGW needs to act as DTLS client or DTLS server. When the received value is equal to:
    1. "active" the IMS-AGW needs to act as DTLS server; or
    2. "passive" the IMS-AGW needs to act as DTLS client;
  • when modifying the transport addresses/resources towards the IMS access network:
    1. if the IMS-AGW needs to act as DTLS client, include the Establish (D)TLS session information element to request the IMS-AGW to start the DTLS session setup;
    2. include the Remote certificate fingerprint information element with the value of the received fingerprint SDP attribute; and
    3. if not already provided, include the Notify (D)TLS session establishment Failure Event information element to request the IMS-AGW to report the unsuccessful DTLS session setup; and
  • remove the setup SDP attribute and indicate the transport protocol "RTP/AVP" in the SDP answer towards the IMS core network.
The message sequence chart shown in the Figure 6.2.10.5.2 shows the message sequence chart example of UE (IMS UE or WIC) terminated procedure using DTLS-SRTP.
Copy of original 3GPP image for 3GPP TS 23.334, Fig. 6.2.10.5.2: UE terminated procedure using DTLS-SRTP
Figure 6.2.10.5.2: UE terminated procedure using DTLS-SRTP
(⇒ copy of original 3GPP image)
Up

Up   Top   ToC