Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 29.828  Word version:  12.1.0

Top   Top   Up   Prev   None
1…   2…
2 References3 Definitions and abbreviations4 Key issues and Design considerations for Extended IMS media plane security features5 IMS-ALG/ IMS-AGW interface (Iq)6 IBCF/ TrGW interface (Ix)7 MRFC/ MRFP interface (Mp)8 3GPP- ITU-T H.248 requirements gap analysis9 Conclusions and recommendationsA Impacts on existing specificationsB Release 12 requirements and procedures for extended media securityC Interworking between sessmatch and CEMAD Preventing TLS establishment collision without a TLS B2BUAE Example end-to-end network scenarioF Example traffic flow (communication establishment phase)$ Change history

 

2  Referencesp. 8

3  Definitions and abbreviationsp. 11

3.1  Definitionsp. 11

3.2  Abbreviationsp. 12

4  Key issues and Design considerations for Extended IMS media plane security featuresp. 13

4.1  Media security for Session based messaging (MSRP)p. 13

4.1.1  General design considerationsp. 13

4.1.2  Assumptions and limitations for MSRP supportp. 15

4.1.3  Scenarios in scopep. 16

4.1.4  MSRP-agnostic vs. MSRP-aware modep. 19

4.2  Media security for conferencing (BFCP)p. 20

4.2.1  General design considerationsp. 20

4.2.2  Assumptions and limitations for BFCP supportp. 20

4.2.3  Scenarios in scopep. 21

4.2.4  BFCP-agnostic vs. BFCP-aware modep. 21

4.3  TLS proceduresp. 22

4.3.1  Introduction - Media/transport security sessions at Mbp. 22

4.3.2  H.248 bearer type indication "TLS"p. 22

4.3.3  TLS security session establishmentp. 23

4.3.3.1  TLS client/server role assignmentp. 23

4.3.3.1.1  Generalp. 23
4.3.3.1.2  Application agnostic TLS-over-TCPp. 23
4.3.3.1.3  Application aware scenario "MSRP-over-TLS-over-TCP"p. 23
4.3.3.1.4  Application aware scenario "BFCP-over-TLS-over-TCP"p. 24

4.3.3.2  Start of TLS security session establishmentp. 24

4.3.4  TLS security session releasep. 24

4.3.4.1  TLS-to-TCP relationsp. 24

4.3.4.2  MGW: stimuli for TLS security session releasep. 25

4.3.5  TLS protocol profilep. 25

4.3.5.1  Configurationp. 25

4.3.5.2  TLS protocol profile awareness at MGC levelp. 25

4.4  TCP proceduresp. 25

4.4.1  H.248 bearer type indication "TCP"p. 25

4.4.2  TCP connection establishmentp. 25

4.4.2.1  TCP client/server role assignmentp. 25

4.4.2.1.1  SIP level negotiation of TCP server and client role by MGCp. 25
4.4.2.1.2  H.248 control of TCP connection establishment at MGC by MGWp. 30

4.4.2.2  Start of TCP connection establishmentp. 32

4.4.2.3  L3/L4 level NAT traversal supportp. 32

4.4.3  TCP connection releasep. 33

4.4.3.1  TLS-to-TCP relationsp. 33

4.4.3.2  MGW: stimuli for TCP connection releasep. 33

4.4.4  TCP Interworking in the MGWp. 34

4.5  MGC information baseline for gateway control decisionsp. 35

4.6  Media security for T.38 fax over UDPTL/UDP transportp. 35

4.6.1  General design considerationsp. 35

4.6.2  Assumptions and limitations for T.38 fax supportp. 36

4.6.2.1  T.38 transportp. 36

4.6.2.2  Establishment directions of SIP session and DTLS sessionp. 36

4.6.2.3  Framework for e2ae securityp. 36

4.6.3  Scenarios in scopep. 36

4.6.4  Consideration of application awareness of IMS-AGWp. 37

5  IMS-ALG/ IMS-AGW interface (Iq)p. 38

5.1  Requirementsp. 38

5.1.1  End-to-access edge security for TCP-based media using TLSp. 38

5.1.1.1  General requirementsp. 38

5.1.1.2  Specific requirements for session based messaging (MSRP)p. 38

5.1.1.2.1  Generalp. 38
5.1.1.2.2  Certificate fingerprints based solution for TLS and key managementp. 38
5.1.1.2.3  Mutual authentication and authorization of TLS endpointsp. 38
5.1.1.2.4  Functional extension of the Iq interface for e2ae protection for MSRPp. 38
5.1.1.2.5  Specific MSRP based media e2ae protection requirements for IMS-ALGp. 40

5.1.1.3  Specific requirements for conferencing (BFCP)p. 40

5.1.1.3.1  Generalp. 40
5.1.1.3.2  Security for conferencing based on SIP signalling securityp. 40
5.1.1.3.3  Specific BFCP based media e2ae protection requirements for IMS-ALG.p. 41

5.1.2  End-to-end security for TCP-based media using TLSp. 41

5.1.2.1  General requirementsp. 41

5.1.2.2  Specific requirements for session based messaging (MSRP)p. 41

5.1.2.3  Specific requirements for conferencing (BFCP)p. 42

5.1.3  End-to-access edge security for UDP-based media using DTLSp. 42

5.1.3.1  General requirementsp. 42

5.1.3.2  Specific requirements for T.38 fax over UDPTL/UDP transportp. 42

5.1.4  MSRP handlingp. 43

5.1.4.1  Generalp. 43

5.1.4.2  IMS-ALG procedures to support IETF RFC 6714 with application agnostic MSRP handling by the IMS-AGWp. 44

5.1.4.3  IMS-ALG procedures to support IETF draft-ietf-simple-msrp-sessmatch with application agnostic MSRP handling by the IMS-AGWp. 44

5.1.4.4  IMS-ALG procedures for application aware MSRP interworking by the IMS-AGWp. 44

5.1.4.5  Application-aware MSRP interworking at the IMS-AGWp. 45

5.2  Proceduresp. 45

5.2.1  End-to-access edge security for TCP-based media using TLSp. 45

5.2.1.1  Generic proceduresp. 45

5.2.1.2  Specific procedures for session based messaging (MSRP)p. 45

5.2.1.2.1  Indicating support of e2ae security during registration.p. 45
5.2.1.2.2  IMS UE originating procedures for e2aep. 46
5.2.1.2.2.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.p. 46
5.2.1.2.2.2  IMS-ALG requests sending an outgoing TCP bearer establishment.p. 49
5.2.1.2.3  IMS UE terminating procedures for e2aep. 51
5.2.1.2.3.1  Incoming TCP bearer establishment triggers an outgoing TCP bearer establishment.p. 51
5.2.1.2.3.2  IMS-ALG requests sending an outgoing TCP bearer establishment.p. 54

5.2.1.3  Specific procedures for conferencing (BFCP)p. 56

5.2.1.3.1  Indicating support of e2ae security during registration.p. 56
5.2.1.3.2  IMS UE originating procedures for e2aep. 56
5.2.1.3.3  IMS UE terminating procedures for e2aep. 59

5.2.2  End-to-end security for TCP-based media using TLSp. 62

5.2.2.1  Generic proceduresp. 62

5.2.2.2  Specific procedures for session based messaging (MSRP)p. 62

5.2.2.3  Specific procedures for conferencing (BFCP)p. 62

5.2.3  End-to-access edge security for UDP-based media using DTLSp. 62

5.2.3.1  Generic proceduresp. 62

5.2.3.1.1  Context modelp. 62

5.2.3.2  Specific procedures for T.38 fax over UDPTL/UDP transportp. 62

5.2.3.2.1  Indicating support of e2ae security during registrationp. 62
5.2.3.2.2  IMS UE originating procedures for e2aep. 63
5.2.3.2.3  IMS UE terminating procedures for e2aep. 65

6  IBCF/ TrGW interface (Ix)p. 67

6.1  Requirementsp. 67

6.1.1  End-to-end security for TCP-based media using TLSp. 67

6.1.1.1  General requirementsp. 67

6.1.1.2  Specific requirements for session based messaging (MSRP)p. 67

6.1.1.3  Specific requirements for conferencing (BFCP)p. 67

6.2  Proceduresp. 67

6.2.1  End-to-end security for TCP-based media using TLSp. 67

6.2.1.1  Generic proceduresp. 67

6.2.1.2  Specific procedures for session based messaging (MSRP)p. 67

6.2.1.3  Specific procedures for conferencing (BFCP)p. 67

7  MRFC/ MRFP interface (Mp)p. 68

7.1  Requirementsp. 68

7.1.1  End-to-end security for TCP-based media using TLSp. 68

7.1.1.1  General requirementsp. 68

7.1.1.2  Specific requirements for session based messaging (MSRP)p. 69

7.1.1.3  Specific requirements for conferencing (BFCP)p. 70

7.2  Proceduresp. 70

7.2.1  End-to-end security for TCP-based media using TLSp. 70

7.2.1.1  Generic proceduresp. 70

7.2.1.1.1  Ad-hoc Conferencesp. 70

7.2.1.2  Specific procedures for session based messaging (MSRP)p. 70

7.2.1.2.1  Generalp. 70
7.2.1.2.2  IMS UE originating procedures ("dial-in" scenario) for e2ep. 71
7.2.1.2.3  IMS UE terminating procedures ("dial-out" scenario) for e2ep. 74

7.2.1.3  Specific procedures for conferencing (BFCP)p. 76

7.2.1.3.1  IMS UE originating procedures ("dial-in" scenario) for e2ep. 76
7.2.1.3.2  IMS UE terminating procedures ("dial-out" scenario) for e2ep. 78

8  3GPP- ITU-T H.248 requirements gap analysisp. 81

8.1  Relevant ITU-T Recommendationsp. 81

8.1.1  Capabilities related to TCP bearer supportp. 81

8.1.2  Capabilities related to NAT-T supportp. 81

8.1.3  Capabilities related to media security supportp. 81

8.1.4  Capabilities related to support of MGW autonomous behaviourp. 81

8.2  Scope of ITU-T "(D)TLS transport security"p. 81

8.3  Status gap analysisp. 81

9  Conclusions and recommendationsp. 82

A  Impacts on existing specificationsp. 83

B  Release 12 requirements and procedures for extended media securityp. 84

C  Interworking between sessmatch and CEMAp. 97

C.1  Scopep. 97

C.2  MSRP Interworking Functionp. 97

C.3  Procedures for SBC without User Plane MSRP B2BUAp. 100

D  Preventing TLS establishment collision without a TLS B2BUAp. 101

E  Example end-to-end network scenariop. 102

E.1  Scopep. 102

E.2  Aspect of IP realmsp. 102

E.3  Aspect of TCP bearer connection establishmentp. 104

E.4  Aspects of TCP flow controlp. 107

E.4.1  Overviewp. 107

E.4.2  TCP flow control during establishment phasep. 107

E.4.2.1  Without early application datap. 107

E.4.2.2  With early application datap. 107

E.4.3  TCP flow control during active data transfer phasep. 107

F  Example traffic flow (communication establishment phase)p. 108

F.1  Scopep. 108

F.2  TCP bearer connection establishment (example)p. 108

F.3  TLS security session establishment (example)p. 110

$  Change historyp. 111

Up   Top