2008-10-07

Mercuro IMS Client and IPSec using Security Agreement (in 3GPP R5)

In this post I will try to explain how security mechanisms are negotiated between Mercuro IMS Client and the Proxy CSCF (only the SIP headers are covered) and how to set up the SAs using the Linux IPsec tools.

It’s important to keep in mind that the main purpose of Security agreement is to agree on which mechanisms, algorithms or security parameters to use.

The full version of Mercuro IMS Client supports the five mechanisms used in VoIP networks:

  1. digest (fully tested)
  2. tls (fully tested)
  3. ipsec-ike (under development)
  4. ipsec-man (under development)
  5. ipsec-3gpp (partially tested)

Mercuro IMS Client focuses particularly on 3GPP IPsec because the IMS makes it mandatory. To enable the IPsec feature you have to purchase a specific license. You can also get a private version with the IPsec, TLS and Digest mechanisms if you are one of our technical partners.

When the Security Agreement feature is activated the mechanism to use is known after the negotiation between Mercuro IMS Client and the Proxy CSCF succeeds. This negotiation is performed during the IMS registration and authentication procedures.

Three SIP header fields defined for this purpose by RFC 3329 are implemented in Mercuro IMS Client, namely Security-Client, Security-Server and Security-Verify.

Call Flow

Mercuro IMS Client      Proxy CSCF        Serving CSCF
|                    |                  |
|----(1)REGISTER---->|                  |
|                    |                  |
|                    |---(2)REGISTER--->|
|                    |                  |
|                    |<-----(3) 401 ----|
|                    |                  |
|<----(4) 494/401----|                  |
|                    |                  |
|<==IPSec in place==>|                  |
|                    |                  |
|----(5)REGISTER---->|                  |
|                    |----(6)REGISTER-->|
|                    |                  |
|                    |<---(7) 200 OK----|
|<---(8) 200 OK------|                  |
|                    |                  |

In step (1) Mercuro IMS Client sends an unprotected registration request including the Security-Client header. Mercuro IMS Client indicates that it is able to negotiate a security mechanism by adding the "Require" and "Proxy-Require" headers (both carrying the value sec-agree). The Security-Client header carries the two protected ports (client and server ports) that Mercuro IMS Client wants to negotiate with the Proxy CSCF.

In step (2) the Proxy CSCF forwards the request to the Serving CSCF.

In step (3) the Serving CSCF (registrar) challenges the Proxy CSCF. The 401 response is sent to the Proxy CSCF (the challenge parameters are carried in the WWW-Authenticate header). The Serving CSCF must include the Security-Server header.

In step (4) the Proxy CSCF forwards the 401/494 response to Mercuro IMS Client. At this stage the Proxy CSCF opens the IPsec security association (SA) for Mercuro. Mercuro IMS Client also sets up an SA (this is a temporary SA).

The lifetime of the created SA (between Mercuro IMS Client and the Proxy CSCF) is equal to the value of the reg-await-auth timer (which guards the receipt of the next REGISTER request).

In step (5) Mercuro IMS Client sends a new registration request to the Proxy CSCF including its credentials, and copies the content of the Security-Server header into the Security-Verify header. Before forwarding the request to the Serving CSCF, the Proxy CSCF checks that the Security-Server header it previously sent and the Security-Verify header (added by Mercuro IMS Client) are identical. If the values differ, the Proxy CSCF sends an error response to Mercuro IMS Client and terminates the created SAs.

In step (6) the Proxy CSCF forwards the request to the Serving CSCF.

In step (7) the Serving CSCF authenticates Mercuro IMS Client, and responds with 200 OK.

In step (8) the Proxy CSCF forwards the response to Mercuro. At this step the new SAs are created. The temporary SAs may (or may not) be destroyed by the Proxy CSCF.

Messages

(1)
REGISTER sip:pcscf.open-ims.test SIP/2.0
Security-Client: ipsec-3gpp; alg=hmac-md5-96; spi-c=1111; spi-s=2222; port-c=5062; port-s=5064
Require: sec-agree
Proxy-Require: sec-agree

(4)
SIP/2.0 [494 Security Agreement Required / 401 Unauthorized]
Security-Server: ipsec-3gpp; q=0.1; alg=hmac-md5-96; spi-c=3333; spi-s=4444; port-c=5066; port-s=5068

(5)
REGISTER sip:pcscf.open-ims.test SIP/2.0
Security-Client: ipsec-3gpp; alg=hmac-md5-96; spi-c=1111; spi-s=2222; port-c=5062; port-s=5064
Security-Verify: ipsec-3gpp; q=0.1; alg=hmac-md5-96; spi-c=3333; spi-s=4444; port-c=5066; port-s=5068
Require: sec-agree
Proxy-Require: sec-agree

Setting up SAs using Linux Tools

Here we suppose that:
- We are using Ubuntu (Linux Kernel 2.6 + KAME-tools)
- the Proxy-CSCF address is '192.168.0.10' and Mercuro IMS Client address is '192.168.0.11'
- for the protected ports, see the SIP capture above
- protocol is esp
- algorithm is 'hmac-md5'
- encrypt-algorithm is 'des-ede3-cbc'
- mode is 'transport'
- confidentiality key is '123456789012123456789012' (see function f2345 in 3GPP milenage algorithms)
- integrity key is '1234567890123456' (see function f2345 in 3GPP milenage algorithms)

1. Install the tools

sudo apt-get install ipsec-tools

2. Edit the /etc/ipsec-tools file and add the following script

# Incoming requests [US <- PC]: P-CSCF client port 5066 -> Mercuro server port 5064,
# protected with Mercuro's spi-s (2222)
spdadd 192.168.0.10/32[5066] 192.168.0.11/32[5064] udp -P in ipsec esp/transport//require;
add 192.168.0.10 192.168.0.11 esp 2222 -m transport -E des-ede3-cbc "123456789012123456789012" -A hmac-md5 "1234567890123456";

# Incoming replies [UC <- PS]: P-CSCF server port 5068 -> Mercuro client port 5062,
# protected with Mercuro's spi-c (1111)
spdadd 192.168.0.10/32[5068] 192.168.0.11/32[5062] udp -P in ipsec esp/transport//require;
add 192.168.0.10 192.168.0.11 esp 1111 -m transport -E des-ede3-cbc "123456789012123456789012" -A hmac-md5 "1234567890123456";

# Outgoing requests [UC -> PS]: Mercuro client port 5062 -> P-CSCF server port 5068,
# protected with the P-CSCF's spi-s (4444); unique:1 and -u 1 bind this policy to this SA
spdadd 192.168.0.11/32[5062] 192.168.0.10/32[5068] udp -P out ipsec esp/transport//unique:1;
add 192.168.0.11 192.168.0.10 esp 4444 -m transport -u 1 -E des-ede3-cbc "123456789012123456789012" -A hmac-md5 "1234567890123456";

# Outgoing replies [US -> PC]: Mercuro server port 5064 -> P-CSCF client port 5066,
# protected with the P-CSCF's spi-c (3333); unique:2 and -u 2 bind this policy to this SA
spdadd 192.168.0.11/32[5064] 192.168.0.10/32[5066] udp -P out ipsec esp/transport//unique:2;
add 192.168.0.11 192.168.0.10 esp 3333 -m transport -u 2 -E des-ede3-cbc "123456789012123456789012" -A hmac-md5 "1234567890123456";

3. Run the script

sudo /etc/init.d/setkey start
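The setkey script above is a hand-written copy of what the two Security-* headers imply. As an added example (not Mercuro's or any IMS project's code), the following Python parses those captured headers, performs the Proxy CSCF's step-5 check that Security-Verify echoes Security-Server, derives the four SAs of TS 33.203 from the ports and SPIs, and renders the same setkey lines. Addresses and keys are the assumed values listed above; the hmac-sha-1-96 mapping goes beyond the post, which only uses hmac-md5-96.

```python
# Added example, not Mercuro's code: derive the 3GPP SAs from the captured headers.
UE_IP, PCSCF_IP = "192.168.0.11", "192.168.0.10"            # assumed addresses (see above)
SEC_CLIENT = "ipsec-3gpp; alg=hmac-md5-96; spi-c=1111; spi-s=2222; port-c=5062; port-s=5064"
SEC_SERVER = "ipsec-3gpp; q=0.1; alg=hmac-md5-96; spi-c=3333; spi-s=4444; port-c=5066; port-s=5068"
CK, IK = "123456789012123456789012", "1234567890123456"     # placeholder keys from the post
# SIP alg name (RFC 3329 / TS 33.203) -> setkey auth algorithm and its key length in bytes
ALG_MAP = {"hmac-md5-96": ("hmac-md5", 16), "hmac-sha-1-96": ("hmac-sha1", 20)}

def parse_sec_header(value):
    """'ipsec-3gpp; alg=hmac-md5-96; spi-c=1111; ...' -> {'mech': 'ipsec-3gpp', 'alg': ..., ...}"""
    mech, *params = (p.strip() for p in value.split(";"))
    out = {"mech": mech}
    for p in params:
        k, _, v = p.partition("=")
        out[k.strip()] = v.strip()
    return out

def verify_matches_server(security_server, security_verify):
    """Step 5 at the Proxy CSCF: Security-Verify must echo the Security-Server it sent
    (parsed parameters are compared, so order is irrelevant); a mismatch rejects the REGISTER."""
    return parse_sec_header(security_server) == parse_sec_header(security_verify)

def derive_sas(ue_ip, pcscf_ip, sec_client, sec_server):
    """The four SAs as (dir, src_ip, src_port, dst_ip, dst_port, spi) seen from the UE: UE client
    port pairs with P-CSCF server port and vice versa; each SA uses the receiving side's SPI."""
    c, s = parse_sec_header(sec_client), parse_sec_header(sec_server)
    return [
        ("in", pcscf_ip, s["port-c"], ue_ip, c["port-s"], c["spi-s"]),   # requests US <- PC
        ("in", pcscf_ip, s["port-s"], ue_ip, c["port-c"], c["spi-c"]),   # replies  UC <- PS
        ("out", ue_ip, c["port-c"], pcscf_ip, s["port-s"], s["spi-s"]),  # requests UC -> PS
        ("out", ue_ip, c["port-s"], pcscf_ip, s["port-c"], s["spi-c"]),  # replies  US -> PC
    ]

def setkey_script(ue_ip, pcscf_ip, sec_client, sec_server, ck, ik):
    """Render the SAs as setkey SPD/SAD lines; each outbound policy gets its own unique
    level and is bound (-u) to exactly one SA, as in the script above."""
    alg, ik_len = ALG_MAP[parse_sec_header(sec_client)["alg"]]
    if len(ck) != 24 or len(ik) != ik_len:   # setkey rejects keys of the wrong size
        raise ValueError("des-ede3-cbc needs 24 key bytes, %s needs %d" % (alg, ik_len))
    lines, uid = [], 0
    for d, sip, sport, dip, dport, spi in derive_sas(ue_ip, pcscf_ip, sec_client, sec_server):
        if d == "out":
            uid += 1
        level, bind = ("require", "") if d == "in" else ("unique:%d" % uid, " -u %d" % uid)
        lines.append("spdadd %s/32[%s] %s/32[%s] udp -P %s ipsec esp/transport//%s;"
                     % (sip, sport, dip, dport, d, level))
        lines.append('add %s %s esp %s -m transport%s -E des-ede3-cbc "%s" -A %s "%s";'
                     % (sip, dip, spi, bind, ck, alg, ik))
    return "\n".join(lines)
```

Running setkey_script(UE_IP, PCSCF_IP, SEC_CLIENT, SEC_SERVER, CK, IK) reproduces the eight spdadd/add lines of step 2 exactly.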

The same can be done under Windows Vista using the WFP (Windows Filtering Platform) API. For more information on how the IPsec feature (in the IMS context) could be implemented under Windows you can contact the Mercuro Team at [tech dot mercuro -at- inexbee dot com].

For more information about Mercuro IMS Client visit http://www.mercuro.net

For more information about Security Agreement see:

http://www.ietf.org/rfc/rfc3329.txt
http://www.arib.or.jp/IMT-2000/V310Sep02/T63/Rel5/33/A33203-520.pdf
http://www.arib.or.jp/IMT-2000/V310Sep02/S3g/Rel5/24/24229-510.pdf

3 comments:

Stuart said...

Why do the ipsec rules above specify "transport" not "tunnel"?

Mamadou DIOP said...

Hi Stuart,

Because it's the default mode (and mandatory) for 3GPP IMS networks.

Thanks.

SmartKid said...

hi,
From my understanding the SPD entries are updated in the P-CSCF by running the setkey script as given in the blog.

Also, on the client side (UAC/UAS) the same kind of SPD entries should be present. Is it taken care of in Mercuro or do we have to set it using setkey?