IMS
REGISTER with Authentication and IPSec

As you know, all IMS (SIP) messages are carried as IP data over a TCP or UDP socket. So, if necessary, we can use IP-level security for IMS/SIP transactions.

To enable IP-level security (IPSec), we need to go through the SA (Security Association) process and a key exchange procedure. This is done during IMS registration, and the information for the SAs is embedded in the IMS registration messages. The overall IPSec SA process is illustrated below.

< 36.523-3 Figure 4.2.5.2.3.1-1 Two pairs of SAs >

The 4-step SA setup process can be combined with the IMS registration process in a couple of different variations. One example specified in the conformance test is illustrated below. It seems that the start of the SA process may vary. In the following illustration, SA starts from step (3), but in Example 1 you can see the case where the UE starts SA from Step (1).

< 36.523-3 Figure 4.2.5.2.3.1-2: Usage of ports and SAs in UDP and TCP transport >

Example 1 : Authentication and IPSec

This example looks a little different from the procedures illustrated above in terms of the SA starting point, but the overall log (4-step SA process = 2 SA establishment) is the same. Go through the messages and see how the port numbers in RED are associated with the port numbers in BLUE.
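The port and SPI bookkeeping for the eight messages listed below, as an added example that is not part of the original page: it parses the Security-Client, Security-Server and Security-Verify values from Steps 1 to 3, derives the four unidirectional SAs, and classifies each step by its transport ports. The SPI-to-direction mapping assumes the TS 33.203 convention that each side chooses the SPIs of its own inbound SAs; the function names are illustrative.

```python
# Added example; header values and ports are copied from Example 1 on this page.
_OFFER = ("ipsec-3gpp;alg={};prot=esp;mod=trans;ealg=null;"
          "spi-c=0000565817;spi-s=0000565818;port-c=38003;port-s=39003")
SECURITY_CLIENT = ",".join(_OFFER.format(a) for a in ("hmac-md5-96", "hmac-sha-1-96"))
SECURITY_SERVER = ("ipsec-3gpp;alg=hmac-md5-96;ealg=null;prot=esp;mod=trans;"
                   "spi-c=3458785863;spi-s=2821032177;port-c=50717;port-s=50718;q=0.1")
SECURITY_VERIFY = ("ipsec-3gpp;q=0.1;alg=hmac-md5-96;prot=esp;mod=trans;ealg=null;"
                   "spi-c=3458785863;spi-s=2821032177;port-c=50717;port-s=50718")
# (step, source port, destination port) as shown in the TCP/UDP line of each step.
FLOWS = [(1, 42368, 5060), (2, 5060, 42368), (3, 38003, 50718), (4, 50718, 38003),
         (5, 38003, 50718), (6, 50717, 39003), (7, 50717, 39003), (8, 38003, 50718)]


def parse_sec_agree(value):
    """Split a Security-* header value into one dict per offered mechanism."""
    mechanisms = []
    for item in value.split(","):
        name, *params = [p.strip() for p in item.split(";") if p.strip()]
        mech = {"mechanism": name}
        for param in params:
            key, _, val = param.partition("=")
            mech[key.strip()] = val.strip()
        mechanisms.append(mech)
    return mechanisms


def verify_echoes_server(server_value, verify_value):
    """Security-Verify must repeat Security-Server (parameter order may differ)."""
    return parse_sec_agree(server_value) == parse_sec_agree(verify_value)


def agreed_pair(client_value, server_value):
    """Return (UE offer, P-CSCF choice), rejecting a choice the UE never offered."""
    for chosen in parse_sec_agree(server_value):
        for offer in parse_sec_agree(client_value):
            if all(offer.get(k) == chosen.get(k)
                   for k in ("mechanism", "alg", "ealg", "prot", "mod")):
                return offer, chosen
    raise ValueError("Security-Server selects a mechanism absent from Security-Client")


def derive_sas(ue, pcscf):
    """Two SA pairs as (label, src port, dst port, SPI); the receiver owns the SPI."""
    u = {k: int(ue[k]) for k in ("port-c", "port-s", "spi-c", "spi-s")}
    p = {k: int(pcscf[k]) for k in ("port-c", "port-s", "spi-c", "spi-s")}
    return [("UE port-c -> P-CSCF port-s", u["port-c"], p["port-s"], p["spi-s"]),
            ("P-CSCF port-s -> UE port-c", p["port-s"], u["port-c"], u["spi-c"]),
            ("P-CSCF port-c -> UE port-s", p["port-c"], u["port-s"], u["spi-s"]),
            ("UE port-s -> P-CSCF port-c", u["port-s"], p["port-c"], p["spi-c"])]


def classify_flows(flows=FLOWS):
    """Map each step to the SA its ports select, or None when sent unprotected."""
    sas = derive_sas(*agreed_pair(SECURITY_CLIENT, SECURITY_SERVER))
    result = {}
    for step, sport, dport in flows:
        match = [sa for sa in sas if (sa[1], sa[2]) == (sport, dport)]
        result[step] = match[0] if match else None
    return result


if __name__ == "__main__":
    print("Security-Verify echoes Security-Server:",
          verify_echoes_server(SECURITY_SERVER, SECURITY_VERIFY))
    for step, sa in classify_flows().items():
        print(f"Step {step}:", f"{sa[0]} (SPI {sa[3]})" if sa else "unprotected (port 5060)")
```

With `ealg=null` the agreed SAs provide integrity protection only, which is why the SIP text of Steps 3 to 8 is still readable in the capture.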

Step 1 : REGISTER over TCP

    Transmission Control Protocol, Src Port: 42368 (42368), Dst Port: sip (5060), Seq: 1, Ack: 1, Len: 1314

    REGISTER sip:ims.sharetechnote.com SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:5060;lr>

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 REGISTER

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Supported: path,eventlist,sec-agree,gruu,outbound

    Require: sec-agree

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Authorization:

      Digest username="001010123456789@ims.sharetechnote.com",

      realm="ims.sharetechnote.com",

      nonce="",

      uri="sip:ims.sharetechnote.com",

      response="",

      algorithm=AKAv1-MD5

    Security-Client:

    ipsec-3gpp;

      alg=hmac-md5-96;

      prot=esp;

      mod=trans;

      ealg=null;

      spi-c=0000565817;spi-s=0000565818;

      port-c=38003;port-s=39003,

    ipsec-3gpp;

      alg=hmac-sha-1-96;

      prot=esp;

      mod=trans;

      ealg=null;

      spi-c=0000565817;spi-s=0000565818;

      port-c=38003;port-s=39003

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;

      +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Proxy-Require: sec-agree

    User-Agent: IMS TestClient/4.0.0 H81110t

    Content-Length: 0

Step 2 : 401 Unauthorized over TCP

    Transmission Control Protocol, Src Port: sip (5060), Dst Port: 42368 (42368), Seq: 1, Ack: 1315, Len: 723

    SIP/2.0 401 Unauthorized

    Max-Forwards: 70

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:5060;branch=z9hG4bK370690ecb-643c9869

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370690e30-327b23c6

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=987654321

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 REGISTER

    WWW-Authenticate:

      Digest realm="ims.mnc01.mcc001.3gppnetwork.org",

      nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=",

      qop="auth",opaque="4669e9192b2042d499606fe3e0fa839a",

      algorithm=AKAv1-MD5

    Security-Server:

      ipsec-3gpp;

      alg=hmac-md5-96;

      ealg=null;

      prot=esp;

      mod=trans;

      spi-c=3458785863;spi-s=2821032177;

      port-c=50717;port-s=50718;

      q=0.1

    Content-Length: 0

Step 3 : REGISTER over TCP

    Transmission Control Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718), Seq: 1347, Ack: 1, Len: 360

    REGISTER sip:ims.sharetechnote.com SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:50718;lr>

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 2 REGISTER

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Supported: path,eventlist,sec-agree,gruu,outbound

    Require: sec-agree

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Security-Client:

      ipsec-3gpp;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003,

      ipsec-3gpp;

        alg=hmac-sha-1-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=0000565817;spi-s=0000565818;

        port-c=38003;port-s=39003

    Security-Verify:

      ipsec-3gpp;

        q=0.1;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=3458785863;spi-s=2821032177;

        port-c=50717;port-s=50718

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Authorization:

      Digest username="001010123456789@ims.sharetechnote.com",

      realm="ims.mnc01.mcc001.3gppnetwork.org",

      nonce="26ohPzgYyy3VFVa4VnXhKgx8Ta1aXYAA27sDDHxNLVo=",

      uri="sip:ims.sharetechnote.com",

      response="e089b68060162b5c6a328e5dd2d43133",

      algorithm=AKAv1-MD5,

      cnonce="NGNhMTgzMw==",

      opaque="4669e9192b2042d499606fe3e0fa839a",

      qop=auth,

      nc=00000001

    User-Agent: IMS TestClient/4.0.0 H81110t

    Proxy-Require: sec-agree

    Content-Length: 0

Step 4 : 200 OK over TCP

    Transmission Control Protocol, Src Port: 50718 (50718), Dst Port: 38003 (38003), Seq: 1, Ack: 1707, Len: 781

    SIP/2.0 200 OK

    Max-Forwards: 70

    Via: SIP/2.0/TCP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK370723a88-32d70d67

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=54467370723a6a-0be8e1f8

    Call-ID: 37067dd33-6b8b4567@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 2 REGISTER

    Date: Thu, 25 Aug 2016 11:37:08 GMT

    Require: sec-agree

    P-Associated-URI: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003>;

      +g.3gpp.smsip;

      +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";video;expires=600000;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>";reg-id=1

    Content-Length: 0

    Path: <sip:[2001:0:0:1::2];lr>

Step 5 : SUBSCRIBE over UDP

    User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)

    SUBSCRIBE sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org SIP/2.0

    Max-Forwards: 70

    Route: <sip:[2001:0:0:1::2]:50718;lr>

    Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 SUBSCRIBE

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>

    Accept: application/reginfo+xml

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    Security-Verify:

      ipsec-3gpp;

        q=0.1;

        alg=hmac-md5-96;

        prot=esp;

        mod=trans;

        ealg=null;

        spi-c=3458785863;spi-s=2821032177;

        port-c=50717;port-s=50718

    Require: sec-agree

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Event: reg

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>"

    Expires: 600000

    Proxy-Require: sec-agree

    User-Agent: IMS TestClient/4.0.0 H81110t

    Content-Length: 0

Step 6 : 200 OK over UDP

    User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)

    SIP/2.0 200 OK

    Max-Forwards: 70

    Via: SIP/2.0/UDP [2001::1:d1ae:bb37:d9c9:81d0]:39003;branch=z9hG4bK3707d1f14-46487f22

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 SUBSCRIBE

    Expires: 600000

    Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

    Content-Length: 0

Step 7 : NOTIFY over UDP

    User Datagram Protocol, Src Port: 50717 (50717), Dst Port: 39003 (39003)

    NOTIFY sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob SIP/2.0

    Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp

    Max-Forwards: 69

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 NOTIFY

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Contact: <sip:[2001:0:0:1::2]:50718;transport=udp>

    Event: reg

    Subscription-State: active;expires=600000

    Content-Type: application/reginfo+xml

    Content-Length: 740

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

    <?xml version="1.0" encoding="utf-8"?>

    <reginfo version="0" state="full" xmlns="urn:ietf:params:xml:ns:reginfo">

      <registration aor="sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org" id="12345" state="active">

        <contact id="100" state="active" event="registered">

          <uri>sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003</uri>

          <unknown-param name="+g.3gpp.smsip" />

          <unknown-param name="+g.3gpp.icsi-ref">"urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"</unknown-param>

          <unknown-param name="video" />

          <unknown-param name="+sip.instance">"&lt;urn:gsma:imei:35910506-000422-0&gt;"</unknown-param>

          <unknown-param name="reg-id">1</unknown-param>

        </contact>

      </registration>

    </reginfo>

Step 8 : 200 OK over UDP

    User Datagram Protocol, Src Port: 38003 (38003), Dst Port: 50718 (50718)

    SIP/2.0 200 OK

    Via: SIP/2.0/UDP [2001:0:0:1::2]:50718;branch=z9hG4bK0a0d0d34d4d84c91b07959b6fcb7e3e914;transport=udp

    Record-Route: <sip:[2001:0:0:1::2]:50718;lr>

    Call-ID: 3707d1e50-445f44a7@2001::1:d1ae:bb37:d9c9:81d0

    CSeq: 1 NOTIFY

    From: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    To: <sip:001010123456789@ims.mnc01.mcc001.3gppnetwork.org>;tag=544673707d1e7d-3d740161

    Contact: <sip:001010123456789@[2001::1:d1ae:bb37:d9c9:81d0]:39003;ob>;

      +sip.instance="<urn:gsma:imei:35910506-000422-0>"

    Allow: INVITE,BYE,CANCEL,ACK,NOTIFY,UPDATE,REFER,PRACK,INFO,MESSAGE

    P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100000000000

    Server: IMS TestClient/4.0.0 H81110t

    Content-Length: 0
