IMS mandates the establishment of IPsec security associations (SAs) between the IMS UE and the Proxy CSCF (P-CSCF). These security associations are set up during the two-way handshake (REGISTER, 401, REGISTER and 200 OK) that takes place during the IMS registration and authentication procedures.
At the SIP level, three headers matter for the setup of these security associations: the Security-Client, Security-Server and Security-Verify headers.
As part of SA establishment on the client side, two ports are negotiated with the P-CSCF: the protected client port and the protected server port. When the UE sends the initial ‘unprotected’ REGISTER request to the P-CSCF, it is sent over the default SIP port (5060). This initial REGISTER request contains the Security-Client header, which specifies the encryption algorithms that the UE supports, the security schema that the client supports and the parameters needed for SA setup.
This REGISTER request reaches the registrar (S-CSCF). The S-CSCF formulates an authentication challenge in the form of a 401 Unauthorized response back to the UE. This message contains the challenge parameters in the WWW-Authenticate header. It also contains the Security-Server header. The UE uses the parameters received in this header to set up a temporary set of SAs. The lifetime of these SAs is set to the reg-await-auth timer.
Subsequently, the UE answers the challenge with another REGISTER request. This request contains the Security-Verify header, which mirrors the Security-Server header of the 401 response received earlier. If the authentication answer is successful at the S-CSCF, a 200 OK is received. Once the 200 OK is received, the new set of SAs is established between the UE and the P-CSCF in place of the temporary SAs.
Thus, two protected ports each are negotiated between the UE and the P-CSCF for all subsequent signaling traffic.
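The header handling described above, as an added example that is not code from the original page: it parses the Security-Client/Security-Server/Security-Verify parameter syntax defined in RFC 3329, extracts the protected ports, and checks that Security-Verify mirrors Security-Server. The parameter names (alg, spi-c, spi-s, port-c, port-s, q) are those of the ipsec-3gpp mechanism; the header values and function names are constructed for illustration.

```python
"""Added example: parse sec-agree headers and compare Security-Verify to Security-Server."""


def parse_sec_agree(value):
    """Parse a Security-Client/-Server/-Verify value (RFC 3329 syntax) into
    a list of (mechanism, {param: value}) pairs, one per comma-separated entry."""
    entries = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        if not parts:
            continue
        params = {}
        for part in parts[1:]:
            name, _, val = part.partition("=")
            params[name.strip().lower()] = val.strip().strip('"').lower()
        entries.append((parts[0].lower(), params))
    return entries


def protected_ports(value, mechanism="ipsec-3gpp"):
    """Return (port-c, port-s) announced for the given mechanism, or None."""
    for mech, params in parse_sec_agree(value):
        if mech == mechanism and "port-c" in params and "port-s" in params:
            return int(params["port-c"]), int(params["port-s"])
    return None


def verify_mirrors_server(security_server, security_verify):
    """True only if Security-Verify repeats every mechanism and parameter
    that was sent in the Security-Server header of the 401."""
    def canon(value):
        return sorted((m, tuple(sorted(p.items()))) for m, p in parse_sec_agree(value))
    return canon(security_server) == canon(security_verify)


# Constructed sample values (not captured traffic).
SEC_CLIENT = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=23456789; spi-s=12345678; port-c=2468; port-s=1357"
SEC_SERVER = "ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=98765432; spi-s=87654321; port-c=8642; port-s=7531"
SEC_VERIFY_OK = "ipsec-3gpp;q=0.1;alg=hmac-sha-1-96;spi-c=98765432;spi-s=87654321;port-c=8642;port-s=7531"
SEC_VERIFY_ALTERED = SEC_SERVER.replace("hmac-sha-1-96", "hmac-md5-96")

if __name__ == "__main__":
    print("UE protected ports:", protected_ports(SEC_CLIENT))
    print("P-CSCF protected ports:", protected_ports(SEC_SERVER))
    print("verify matches:", verify_mirrors_server(SEC_SERVER, SEC_VERIFY_OK))
    print("altered verify matches:", verify_mirrors_server(SEC_SERVER, SEC_VERIFY_ALTERED))
```

A Security-Verify value that differs from the Security-Server value sent in the 401 indicates that the negotiated parameters were altered in transit, which is what the mirroring is there to detect.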
Upon re-authentication by the UE, by sending another REGISTER refresh message, another set of SAs is established. The P-CSCF may or may not decide to keep the old set of SAs in lieu of the SAs established due to re-authentication.
To summarize, there are three types of Security Associations:
