Technical Report
Universal Mobile Telecommunications System (UMTS);
LTE;
Security aspects of early IP Multimedia Subsystem (IMS)
(3GPP TR 33.978 version 8.0.0 Release 8)
3GPP TR 33.978 version 8.0.0 Release 8
ETSI TR 133 978 V8.0.0 (2009-02)
Reference
RTR/TSGS-0333978v800
Keywords
LTE, SECURITY, UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2009.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under .
Contents
Intellectual Property Rights
Foreword
Foreword
Introduction
1 Scope
2 References
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Requirements
5 Threat scenarios
5.1 Impersonation on IMS level using the identity of an innocent user
5.2 IP spoofing
5.3 Combined threat scenario
6 Specification
6.1 Overview
6.1.1 Security mechanism
6.1.2 Restrictions imposed by early IMS security
6.1.3 Early IMS security and logical entities
6.2 Detailed specification
6.2.1 GGSN-HSS interaction
6.2.2 Protection against IP address spoofing in GGSN
6.2.3 Impact on IMS registration and authentication procedures
6.2.3.1 Procedures at the UE
6.2.3.2 Procedures at the P-CSCF
6.2.3.2.1 Registration
6.2.3.2.2 General treatment for all dialogs and standalone transactions excluding REGISTER requests
6.2.3.3 Procedures at the I-CSCF
6.2.3.4 Procedures at the S-CSCF
6.2.3.4.1 Registration
6.2.3.4.2 General treatment for all dialogs and standalone transactions excluding REGISTER requests
6.2.4 Identities and subscriptions
6.2.5 Impact on Cx Interface
6.2.5.1 User registration status query
6.2.5.2 S-CSCF registration/deregistration notification
6.2.5.3 Authentication procedure
6.2.6 Interworking cases
6.2.7 Message flows
6.2.7.1 Successful registration
6.2.7.2 Unsuccessful registration
6.2.7.3 Successful registration for a selected interworking case
6.3 Security mechanism for HTTP services
Annex A: Comparison with an alternative approach - HTTP Digest
Annex B: Change history
History
Foreword
This Technical Report has been produced by the 3rd Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
3GPP IMS provides an IP-based session control capability based on the SIP protocol. IMS can be used to enable
services such as push-to-talk, instant messaging, presence and conferencing. It is understood that "early"
implementations of these services will exist that are not fully compliant with 3GPP IMS. For example, it has been
recognized that although 3GPP IMS uses exclusively IPv6, as specified in clause 5.1 of TS 23.221 [13], there will exist
IMS implementations based on IPv4 (TR 23.981 [1]).
Non-compliance with IPv6 is not the only difference between early IMS implementations and fully 3GPP compliant
implementations. In particular, it is expected that there will be a need to deploy some IMS-based services before
products are available which fully support the 3GPP IMS security features defined in TS 33.203 [2]. Non-compliance
with TS 33.203 security features is expected to be a problem mainly at the UE side, because of the potential lack of
support of the USIM/ISIM interface (especially in 2G-only devices) and because of the potential inability to support
IPsec on some UE platforms.
Although full support of 3GPP TS 33.203 security features is preferred from a security perspective, it is acknowledged
that early IMS implementations will exist which do not support these features. Therefore, there is a need to ensure that
simple, yet adequately secure, mechanisms are in place to protect against the most significant security threats that will
exist in early IMS implementations.
1 Scope
The present document describes an interim security solution for early IMS implementations that are not fully
compliant with the IMS security architecture specified in TS 33.203 [2]. For security reasons, the provisions in this TR
only apply to IMS procedures used over the 3GPP PS domain.
2 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
• References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
• For a specific reference, subsequent revisions do not apply.
• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TR 23.981: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Interworking aspects and migration scenarios for IPv4 based IMS
Implementations".
[2] 3GPP TS 33.203: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G security; Access security for IP-based services".
[3] 3GPP TS 23.228: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; IP Multimedia Subsystem (IMS); Stage 2".
[4] 3GPP TS 29.061: "3rd Generation Partnership Project; Technical Specification Group Core
Network; Interworking between the Public Land Mobile Network (PLMN) supporting packet
based services and Packet Data Networks (PDN)".
[5] 3GPP TS 23.060: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; General Packet Radio Service (GPRS); Service description; Stage 2".
[6] IETF RFC 3261: "Session Initiation Protocol".
[7] 3GPP TS 24.229: "3rd Generation Partnership Project; Technical Specification Group Core
Network; IP Multimedia Call Control Protocol based on Session Initiation Protocol (SIP) and
Session Description Protocol (SDP); Stage 3".
[8] 3GPP TS 23.003: "3rd Generation Partnership Project; Technical Specification Group Core
Network; Numbering, addressing and identification".
[9] 3GPP TS 21.905: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Vocabulary for 3GPP Specifications".
[10] 3GPP TS 29.228: "3rd Generation Partnership Project; Technical Specification Group Core
Network; IP Multimedia (IM) Subsystem Cx and Dx interfaces; Signalling flows and message
contents".
[11] IETF RFC 4005: "Diameter Network Access Server Application".
[12] 3GPP TS 29.229: "3rd Generation Partnership Project; Technical Specification Group Core
Network; Cx and Dx interfaces based on the Diameter protocol; Protocol details".
[13] 3GPP TS 23.221: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Architectural requirements".
[14] 3GPP TS 33.141: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Presence service; Security".
[15] 3GPP TS 29.328: "3rd Generation Partnership Project; Technical Specification Group Core
Network; IP Multimedia (IM) Subsystem Sh interface; Signalling flows and message contents".
[16] 3GPP TS 29.329: "3rd Generation Partnership Project; Technical Specification Group Core
Network; IP Multimedia (IM) Subsystem Sh interface; Protocol details".
[17] 3GPP TS 24.109: "3rd Generation Partnership Project; Technical Specification Group Core
Network and Terminals; Bootstrapping interface (Ub) and network application function interface
(Ua); Protocol details".
3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in TS 21.905 [9] and the following apply.
Early IMS: a UE or network element implementing the early IMS security solution specified in the present document.
Fully compliant IMS: a UE or network element implementing the IMS security solution specified in TS 33.203 [2].
3.2 Symbols
For the purposes of the present document, the following symbols apply:
Cx Reference Point between a CSCF and an HSS.
Gi Reference point between GPRS and an external packet data network
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication Authorisation Accounting
ABNF Augmented Backus-Naur Form
APN Access Point Name
AVP Attribute-Value Pair
CSCF Call/Session Control Function
GGSN Gateway GPRS Support Node
HSS Home Subscriber Server
I-CSCF Interrogating CSCF
ICID IM CN subsystem Charging Identifier
IM IP Multimedia
IMPI IM Private Identity
IMPU IM Public Identity
IMS IP Multimedia Subsystem
IP Internet Protocol
IPSec IP Security protocol
ISIM IMS Subscriber Identity Module
NAT Network Address Translation
P-CSCF Proxy-CSCF
PDP Packet Data Protocol
RFC Request For Comments
S-CSCF Serving-CSCF
SGSN Serving GPRS Support Node
SIP Session Initiation Protocol
SLF Server Locator Function
UE User Equipment
URI Uniform Resource Identifier
4 Requirements
Low impact on existing entities: Any early IMS security mechanisms should be such that impacts on existing entities,
especially on the UE, are minimised and would be quick to implement. It is especially important to minimise impact on
the UE to maximise interoperability with early IMS UEs. The mechanisms should be quick to implement so that the
window of opportunity for the early IMS security solution is not missed.
Adequate level of security: Although it is recognised that the early IMS security solution will be simpler than the fully
compliant IMS security solution, it should still provide an adequate level of security to protect against the most
significant security threats that will exist in early IMS implementations. As a guide, the strength of subscriber
authentication should be comparable to the level of authentication provided for existing chargeable services in mobile
networks.
Smooth and cost effective migration path to fully compliant solution: Clearly, any security mechanisms developed
for early IMS systems will provide a lower level of protection compared with that offered by the fully compliant IMS
security solution. The security mechanisms developed for early IMS systems should therefore be considered as an
interim solution and migration to the fully compliant IMS security solution should take place as soon as suitable
products become available at an acceptable cost. In particular, the early IMS security solution should not be used as a
long-term replacement for the fully compliant IMS security solution. It is important that the early IMS security solution
allows a smooth and cost-effective migration path to the fully compliant IMS security solution.
Co-existence with fully compliant solution: It is clear that UEs supporting the early IMS security solution will need to
be supported even after fully compliant IMS UEs are deployed. The early IMS security solution should therefore be
able to co-exist with the fully compliant IMS security solution. In particular, it shall be possible for the SIP/IP core to
differentiate between a subscription using early IMS security mechanisms and a subscription using the fully compliant
IMS security solution.
Protection against bidding down: It should not be possible for an attacker to force the use of the early IMS security
solution when both the UE and the network support the fully compliant IMS security solution.
No restrictions on the type of charging model: Compared with fully compliant IMS security solution, the early IMS
security solution should not impose any restrictions on the type of charging model that can be adopted.
A single early IMS security solution: Interfaces that are impacted by the early IMS security solution should be
adequately documented to ensure interoperability between vendors.
Support access over 3GPP PS domain: It is a requirement to support secure access over the 3GPP PS domain
(including GSM/GPRS and UMTS access).
Low impact on provisioning: The impact on provisioning should be low compared with the fully compliant IMS
security solution.
5 Threat scenarios
To understand what controls are needed to address the security requirements, it is useful to describe some of the threat
scenarios.
NOTE: There are many other threats, which are outside the scope of this TR.
5.1 Impersonation on IMS level using the identity of an innocent user
The scenario proceeds as follows:
- Attacker A attaches to GPRS, GGSN allocates IP address, IP_A
- Attacker A registers in the IMS using his IMS identity, ID_A
- Attacker A sends SIP invite using his own source IP address (IP_A) but with the IMS identity of B (ID_B).
If the binding between the IP address on the bearer level, and the public and private user identities is not checked then
the attacker will succeed, i.e. A pays for IP connectivity but IMS service is fraudulently charged to B. The fraud
situation is made worse if IP flow based charging is used to 'zero rate' the IP connectivity.
The major problem is however that without this binding multiple users within a group "of friends" could sequentially
(or possibly simultaneously) share B's private/public user identities, and thus all get (say) the push-to-talk service by
just one of the group paying a monthly subscription. Without protection against this attack, operators could be restricted
to IP connectivity based tariffs and, in particular, would be unable to offer bundled tariffs. This is unlikely to provide
sufficient flexibility in today's market place.
5.2 IP spoofing
The scenario proceeds as follows:
- User B attaches to GPRS, GGSN allocates IP address, IP_B
- User B registers in the IMS using his IMS identity, ID_B
- Attacker A sends SIP messages using his own IMS identity (ID_A) but with the source IP address of B (IP_B)
If the binding between the IP address that the GGSN allocated the UE in the PDP context activation and the source IP
address in subsequent packets is not checked then the attacker will succeed, i.e. A pays for IMS service but IP
connectivity is fraudulently charged to B. Note that this attack only makes sense for IMS services with outgoing traffic
only because the attacker will not receive any incoming packets addressed to the IMS identity that he is impersonating.
5.3 Combined threat scenario
The scenario proceeds as follows:
- User B attaches to GPRS, GGSN allocates IP address, IP_B
- User B registers in the IMS using his IMS identity, ID_B
- Attacker A sends SIP messages using B's IMS identity (ID_B) and B's source IP address (IP_B)
If the bindings mentioned in the scenarios in clause 5.1 and 5.2 are not checked then the attacker will succeed, i.e. A
fraudulently charges both IP connectivity and the IMS service to B. Note this attack only makes sense for IMS services
with outgoing traffic only because the attacker will not receive any incoming packets addressed to the IMS identity that
he is impersonating.
6 Specification
6.1 Overview
6.1.1 Security mechanism
The early IMS security solution works by creating a secure binding in the HSS between the public/private user identity
(SIP-level identity) and the IP address currently allocated to the user at the GPRS level (bearer/network level identity).
Therefore, IMS level signaling, and especially the IMS identities claimed by a user, can be connected securely to the PS
domain bearer level security context.
When using IPv6, stateless autoconfiguration is the only IP address allocation method mandatorily supported by the
terminal in GPRS. With this method, a primary PDP context is bound only to the 64-bit prefix of the 128-bit IPv6
address, not the full address. This needs to be taken into account in Early IMS procedures.
The GGSN terminates each user's PDP context and has assurance that the IMSI used within this PDP context is
authenticated. The GGSN shall provide the user's IP address (or the prefix in the case of IPv6 stateless
autoconfiguration), IMSI and MSISDN to a RADIUS server in the HSS over the Gi interface when a PDP context is
activated towards the IMS system. The HSS has a binding between the IMSI and/or MSISDN and the IMPI and
IMPU(s), and is therefore able to store the currently assigned IP address (or the prefix in the case of IPv6 stateless
autoconfiguration) from the GGSN against the user's IMPI and/or IMPU(s). The precise handling of these
identities in the HSS is outside the scope of standardization. The GGSN informs the HSS when the PDP context is
deactivated/modified so that the stored IP address (or the prefix in the case of IPv6 stateless autoconfiguration) can be
updated in the HSS. When the S-CSCF receives a SIP registration request or any subsequent requests for a given IMPU,
it checks that the IP address (or the prefix in the case of IPv6 stateless autoconfiguration) in the SIP header (verified by
the network) matches the IP address (or the prefix in the case of IPv6 stateless autoconfiguration) that was stored
against that subscriber's IMPU in the HSS.
The mechanism assumes that the GGSN does not allow a UE to successfully transmit an IP packet with a source IP
address (or the prefix in the case of IPv6 stateless autoconfiguration) that is different to the one assigned during PDP
context activation. In other words, the GGSN must prevent "source IP spoofing". The mechanism also assumes that the
P-CSCF checks that the source IP address in the SIP header is the same as the source IP address in the IP header
received from the UE (the assumption here, as well as for the full security solution, is that no NAT is present between
the GGSN and the P-CSCF).
The mechanism prevents an attacker from using his own IP address in the IP header but spoofing someone else's IMS
identity or IP address in the SIP header, so that he pays for GPRS level charges, but not for IMS level charges. The
mechanism also prevents an attacker spoofing the address in the IP header so that he does not pay for GPRS charges. It
therefore counters the threat scenarios given in clause 5 above.
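The following Python model is an added illustration of the binding check described in this clause and of the three threat scenarios in clause 5; it is example code written for this page, not part of the TR or of any vendor implementation. It assumes a constructed subscriber table (IMSIs, IMPIs, IMPUs and addresses are invented), reduces a SIP request to the claimed IMPU and the address in the Via header, and collapses the Gi RADIUS notification and the Cx lookup into direct method calls. The GGSN drops packets whose source address does not match the PDP context, the P-CSCF compares the Via address with the IP-header source, and the S-CSCF compares the Via address with the binding the HSS stored for the IMPU; for IPv6 only the 64-bit prefix is bound and compared, as the text above requires.

```python
import ipaddress

# Constructed subscriber table (not from the TR): IMSI -> (IMPI, [IMPUs]).
# One IMPI per IMSI and several IMPUs per IMPI, as clause 6.1.2 assumes.
SUBSCRIBERS = {
    "234150999999999": ("alice@ims.example.net", ["sip:alice@ims.example.net"]),
    "234150888888888": ("bob@ims.example.net", ["sip:bob@ims.example.net", "tel:+441632960001"]),
}

def bearer_key(addr):
    """Bearer identity the GGSN reports: the full IPv4 address, or only the
    64-bit prefix for IPv6 stateless autoconfiguration (clause 6.1.1)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

class HSS:
    """Stores the current bearer address against every IMPU of the subscriber."""
    def __init__(self):
        self.by_impu = {}
    def pdp_activated(self, imsi, addr):
        # Models the Gi/RADIUS notification from the GGSN (IP address, IMSI, MSISDN).
        for impu in SUBSCRIBERS[imsi][1]:
            self.by_impu[impu] = bearer_key(addr)
    def pdp_deactivated(self, imsi):
        for impu in SUBSCRIBERS[imsi][1]:
            self.by_impu.pop(impu, None)
    def lookup(self, impu):
        return self.by_impu.get(impu)

class GGSN:
    """One address per PDP context; packets with another source address are dropped."""
    def __init__(self, hss):
        self.hss = hss
        self.contexts = {}  # IMSI -> allocated address
    def activate(self, imsi, addr):
        self.contexts[imsi] = addr
        self.hss.pdp_activated(imsi, addr)
    def deactivate(self, imsi):
        self.contexts.pop(imsi, None)
        self.hss.pdp_deactivated(imsi)
    def forward(self, imsi, src_ip, sip_msg):
        """Return the packet for the P-CSCF, or None if the GGSN drops it."""
        allocated = self.contexts.get(imsi)
        if allocated is None or bearer_key(src_ip) != bearer_key(allocated):
            return None
        return (src_ip, sip_msg)

def pcscf_check(pkt):
    """P-CSCF: Via address must equal the IP-header source (no NAT assumed)."""
    src_ip, sip_msg = pkt
    return bearer_key(sip_msg["via"]) == bearer_key(src_ip)

def scscf_check(hss, pkt):
    """S-CSCF: the network-verified Via address must match the HSS binding of the IMPU."""
    stored = hss.lookup(pkt[1]["impu"])
    return stored is not None and stored == bearer_key(pkt[1]["via"])

def network_accepts(ggsn, hss, imsi, src_ip, sip_msg):
    """Pass one SIP request through the GGSN, P-CSCF and S-CSCF checks in turn."""
    pkt = ggsn.forward(imsi, src_ip, sip_msg)
    if pkt is None:
        return "dropped by GGSN (source IP spoofing)"
    if not pcscf_check(pkt):
        return "rejected by P-CSCF (Via/IP header mismatch)"
    if not scscf_check(hss, pkt):
        return "rejected by S-CSCF (IMPU/IP binding mismatch)"
    return "accepted"

def run_scenarios():
    """Replay the clause 5 threat scenarios (attacker A, victim B) on constructed data."""
    hss = HSS()
    ggsn = GGSN(hss)
    IMSI_A, IMSI_B = "234150999999999", "234150888888888"
    ID_A, ID_B = "sip:alice@ims.example.net", "sip:bob@ims.example.net"
    IP_A, IP_B = "10.0.0.1", "10.0.0.2"
    ggsn.activate(IMSI_A, IP_A)
    ggsn.activate(IMSI_B, IP_B)
    req = lambda impu, via: {"impu": impu, "via": via}  # minimal SIP request model
    results = {
        "legitimate": network_accepts(ggsn, hss, IMSI_B, IP_B, req(ID_B, IP_B)),
        "5.1 impersonation": network_accepts(ggsn, hss, IMSI_A, IP_A, req(ID_B, IP_A)),
        "5.2 ip spoofing": network_accepts(ggsn, hss, IMSI_A, IP_B, req(ID_A, IP_B)),
        "5.3 combined": network_accepts(ggsn, hss, IMSI_A, IP_B, req(ID_B, IP_B)),
        "via spoofing": network_accepts(ggsn, hss, IMSI_A, IP_A, req(ID_B, IP_B)),
    }
    # IPv6 stateless autoconfiguration: B may change its interface identifier
    # inside the /64, so only the prefix is bound and compared.
    ggsn.activate(IMSI_B, "2001:db8:1:2::abcd")
    results["ipv6 same prefix"] = network_accepts(
        ggsn, hss, IMSI_B, "2001:db8:1:2::1234", req(ID_B, "2001:db8:1:2::1234"))
    ggsn.activate(IMSI_A, "2001:db8:1:3::1")
    results["ipv6 other prefix"] = network_accepts(
        ggsn, hss, IMSI_A, "2001:db8:1:3::1", req(ID_B, "2001:db8:1:3::1"))
    ggsn.deactivate(IMSI_B)  # PDP context release must clear the binding
    results["binding after deactivation"] = hss.lookup(ID_B)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

run_scenarios() returns, for each scenario, the first check that stops it. Scenarios 5.2 and 5.3 never reach the IMS layer because the GGSN anti-spoofing rule drops them; scenario 5.1 passes the GGSN and the P-CSCF (the attacker uses his own address consistently) and is caught only by the S-CSCF comparison against the HSS binding; a request that carries the victim's address in the Via header but the attacker's address in the IP header is caught by the P-CSCF. The IPv6 case shows why the binding has to be on the /64 prefix: a UE that changes its interface identifier would otherwise fail a legitimate registration. The last result shows the binding being removed on PDP context deactivation, which is what prevents a released address from being reused against a stale entry.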
The early IMS security solution may also be re-used to protect HTTP traffic in order to provide user access to various
potential self-customization services, e.g. to Presence Server.
6.1.2 Restrictions imposed by early IMS security
The mechanism assumes that only one contact IP address is associated with one IMPI. Furthermore, the mechanism
supports the case that there may be several IMPUs associated with one IMPI, but one IMPU is associated with only one
IMPI.
In early IMS security the IMS user authentication is performed by linking the IMS registration (based on an IMPI) to a
PDP context (based on an authenticated IMSI). The mechanism here assumes that there is a one-to-one relationship
between the IMSI for bearer access and the IMPI for IMS access.
For the purposes of the present document, an APN which is used for IMS services is called an IMS APN. An IMS
APN may also be used for non-IMS services. The mechanism described in the present document further adds the
requirement on the UE that it allows only one APN for accessing IMS for a PLMN and that all active PDP contexts, for
a single UE, associated with that IMS APN use the same IP address at any given time.
The early IMS security mechanism relies on the Via header remaining unchanged between the UE and the S-CSCF for
requests and responses sent in the direction fr
...