Internet DRAFT - draft-garcia-sipping-3gpp-reqs
draft-garcia-sipping-3gpp-reqs
Network Working Group M. Garcia / Ericsson
Internet Draft D. Mills / Vodafone
Document: <draft-garcia-sipping-3gpp-reqs-03.txt> G. Bajko / Nokia
Network Working Group G. Mayer / Siemens
Date: March 2002 F. Derome / Alcatel
Expires: September 2002 H. Shieh / AWS
A. Allen / dynamicsoft
S. Chotai / mmO2
K. Drage / Lucent
J. Bharatia / Nortel
K. Hobbis / Hutchison
D. Willis / dynamicsoft
3GPP requirements on SIP
Status of this Memo
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026 [1].
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
The distribution of this memo is unlimited.
1. Abstract
The 3rd Generation Partnership Project (3GPP) has selected SIP [3] as
the session establishment protocol for the 3GPP IP Multimedia Core
Network Subsystem (IM CN Subsystem). Although SIP is a protocol that
fulfills most of the requirements to establish a session in an IP
network, the SIP protocol suite has never been evaluated against the
specific 3GPP requirements for operation in a cellular network. In
this document we express the requirements identified by 3GPP to
support SIP for IM CN Subsystem in cellular networks.
Network Working Group Expiration 09/30/02 1 �
Garcia et. al. 3GPP requirements on SIP March 2002
2. Conventions used in this document
This document does not specify any protocol of any kind. Therefore,
the use of the key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document, as described in RFC-2119 [2], does not
apply.
3. Table of Contents
Status of this Memo..................................................1
1. Abstract..........................................................1
2. Conventions used in this document.................................2
3. Table of Contents.................................................2
4. Introduction......................................................3
5. Overview of the 3GPP IM CN Subsystem..............................3
6. 3GPP Requirements on SIP..........................................6
6.1 General requirements.............................................6
6.2 SIP outbound proxy in the visited network........................7
6.3 Registration.....................................................8
6.4 De-registration..................................................9
6.5 Compression of SIP signaling....................................10
6.6 QoS requirements related to SIP.................................11
6.7 Prevention of theft of service..................................12
6.8 Radio resource authorization....................................12
6.9 Prevention of denial of service.................................13
6.10 Identification of users........................................13
6.11 Identifiers used for routing...................................15
6.12 Hiding requirements............................................15
6.13 Cell-ID........................................................16
6.14 Release of sessions............................................16
6.15 Routing of SIP messages........................................17
6.16 Emergency sessions.............................................18
6.17 Identities on session establishment............................20
6.18 Charging.......................................................21
6.19 IPv6...........................................................22
6.20 General support of additional capabilities.....................22
6.21 Three-way handshake in the session description negotiation.....23
6.22 Correlation of dialogs.........................................24
6.23 Security Model.................................................24
6.24 Access Domain Security.........................................25
6.25 Network Domain Security........................................31
7. Security considerations..........................................31
8. Author's Addresses...............................................31
9. Acknowledgments..................................................33
10. References......................................................33
11. Changes from previous versions..................................36
11.1 Changes from version -00.......................................36
11.2 Changes from version -01.......................................36
Network Working Group Expiration 09/30/02 2 �
Garcia et. al. 3GPP requirements on SIP March 2002
11.3 Changes from version -02.......................................36
Full Copyright Statement............................................37
4. Introduction
3GPP has selected SIP [3] as the protocol to establish and tear down
multimedia sessions in the IP Multimedia Subsystem (IMS). A
description of the IMS can be found in [4]. A comprehensive set of
session flows can be found in [5].
This document is an effort to define the requirements applicable to
the usage of the SIP protocol suite in cellular networks, and
particularly in the 3GPP IMS.
The rest of this document is structured as follows:
Section 5 offers an overview of the 3GPP IMS. Readers who are not
familiar with it should carefully read this section.
Section 6 contains the 3GPP requirements to SIP. Requirements are
grouped by categories. Some requirements include a statement on
possible solutions that would be able to fulfill the requirement. Note
also that, as a particular requirement might be fulfilled by different
solutions, not all the solutions might have an impact on SIP.
5. Overview of the 3GPP IM CN Subsystem
This section gives the reader an overview of the 3GPP IM CN Subsystem.
It is not intended to be comprehensive. But it provides enough
information to understand the basis of the 3GPP IM CN Subsystem.
Readers are encouraged to find a more detailed description in [4], [5]
and [6].
For a particular cellular device, the 3GPP IM CN Subsystem network is
further decomposed in a home network and a visited network.
An IMS subscriber belongs to his or her home network. Services are
triggered and may be executed in the home network. One or more SIP
servers are deployed in the SIP home network to support the IP
Multimedia Subsystem. Among those SIP servers, there is a SIP serving
proxy, which is also acting as a SIP registrar.
Authentication/Authorization servers may be part of the home network
as well. Users are authenticated in the home network.
The visited network contains a SIP outbound proxy to support the UA.
The SIP outbound proxy in the visited network may translate locally
dialed digits into international format, detect emergency sessions,
maintain security associations between itself and the terminals, and
interwork with the resource management in the packet network.
Network Working Group Expiration 09/30/02 3 �
Garcia et. al. 3GPP requirements on SIP March 2002
The SIP outbound proxy is assigned after the mobile has connected to
the access network. Once this proxy is assigned, it does not change
while the mobile remains connected to the access network. Thus the
mobile can move freely within the access network without SIP outbound
proxy reassignment.
The home network may support also a SIP entry proxy. This node may act
as the first entry point for SIP signaling to the home network and may
decide (with the help of location servers) which SIP registrar server
to assign to a particular user. Typically the address of the home
network SIP entry proxy is configured in DNS in the form of a DNS SRV
record for SIP.
Additionally, home and visited networks may deploy, if required, a SIP
hiding proxy. The main purpose of the SIP hiding proxy is to hide the
network configuration.
The 3GPP IM CN Subsystem is designed to be access independent. Access
is granted from 3GPP cellular terminals or from other terminals that
use other accesses out of the scope of 3GPP.
3GPP cellular IP Multimedia terminals use the existing General Packet
Radio Service (GPRS) [6] as a transport network for IP datagrams. The
terminals first connect to the GPRS network to get an IPv6 address. In
order to do this, the terminals must perform a (GPRS) Attach procedure
followed by a (GPRS) PDP Context Activation procedure. These GPRS
procedures are required to be completed before any IP Multimedia
session can be established.
As a result of the above-mentioned GPRS procedures, the terminal has
obtained an IPv6 address. In the case of non-roaming terminals, the
IPv6 address belongs to the home network address space. In the case of
a roaming terminal, the IPv6 address belongs to the visited network
address space. The address does not change as the mobile terminal
moves while still attached to the same network address space.
If the terminal moves from a GPRS access to another GPRS access, the
above-mentioned GPRS procedures needs to start from the beginning to
allocate an IPv6 address to the terminal.
Figure 1 shows an overview of the 3GPP architecture for IM CN
Subsystem.
Network Working Group Expiration 09/30/02 4 �
Garcia et. al. 3GPP requirements on SIP March 2002
+-------------+ +----------------+ +----------------+
| | | | | |
| | | | | |
| | | | | +------+ |
| | | | | | SIP | |
| | | | | |server| |
| | | | | | +------+ |
+-|+ | | | | | / |
| | | | | +------+ | | +------+ |
| | | | | | SIP | | | | SIP | |
| | ---|-------------|--|----|server|----|---|-|server| |
+--+ | | | +------+ | | +------+ |
| | | | | |
SIP | GPRS access | | Visited Network| | Home Network |
dev. +-------------+ +----------------+ +----------------+
Figure 1: Overview of the 3GPP IM CN Subsystem architecture
Another possible configuration is depicted in Figure 2. In that case,
a general-purpose computer (e.g., a laptop computer) is connected to a
GPRS terminal. The computer hosts the Multimedia application
(comprising SIP, SDP, RTP, etc.). The GPRS terminal handles the radio
access and the GPRS connectivity. Note that, for the sake of clarity,
the home network has not been depicted in the figure.
+-------------+ +----------------+
| | | |
| | | |
| | | |
| | | |
| | | |
+-------+ | | | |
| | +-|+ | | | |
| | | | | | | +------+ |
+-------+ | | | | | | SIP | |
/ / --------| | ---|-------------|-------|server|------
/-------/ +--+ | | | +------+ |
| | | |
SIP GPRS | GPRS access | | Visited Network|
client terminal +-------------+ +----------------+
Figure 2: A computer connected to a GPRS terminal
Services are typically executed in an application server. The
interface between the SIP server and the application server is based
on SIP. However, certain operators may want to reuse the existing
technology, and therefore, they may need to interoperate SIP with
Network Working Group Expiration 09/30/02 5 �
Garcia et. al. 3GPP requirements on SIP March 2002
protocols like CAMEL/Intelligent-Network or Open services Architecture
(OSA).
6. 3GPP Requirements on SIP
6.1 General requirements
This section does not specify any particular requirement to SIP.
However, it includes a list of general requirements that must be
considered when developing solutions to particular requirements.
6.1.1 Efficient use of the radio interface
The radio interface is a scarce resource. As such, the exchange of
signaling messages between the UA and the network should be minimized.
All the mechanisms developed should make an efficient use of the radio
interface.
See also the related requirements in section 6.5.
6.1.2 Minimum session setup time
All the procedures and mechanisms should have a minimum impact on the
session setup time as perceived by the user. When there is
a choice between performing tasks at session establishment and in
transactions prior to session establishment, then the tasks should be
performed prior to session establishment.
See also the related requirements in section 6.5.
6.1.3 Minimum support required in the terminal
As terminals could be rather small devices, memory requirements, power
consumption, processing power, etc. should be kept to a minimum.
Mandating support for additional protocols in the terminal must meet
this requirement.
6.1.4 Roaming and non roaming
The developed solutions should work efficiently in roaming and non-
roaming scenarios.
6.1.5 Mobility management
As mobility management is managed by the access network, there is no
need to support mobility management in SIP.
Network Working Group Expiration 09/30/02 6 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.1.6 IP version 6
The IP CN Subsystem is solely designed to use IP version 6 addresses.
6.2 SIP outbound proxy in the visited network
6.2.1 SIP outbound proxy in the visited network
A SIP outbound proxy, typically in the visited network, must be
supported in both roaming and non-roaming case, even when the SIP
serving proxy in the home network is located in the same network as
the SIP outbound proxy.
6.2.2 Discovery of the SIP outbound proxy
There must be a general mechanism to configure the UA with the address
of the SIP outbound proxy in the visited network.
The Internet Draft "DHCP option for SIP servers" [7] may be a good
starting point to meet this requirement. However, there is no support
for IPv6 in this Internet Draft.
3GPP has another mechanism provided by the GPRS access network that
meets this requirement, in addition to the above one.
6.2.3 Removal of headers
Via and Record-Route headers in SIP have no fixed limit and in
practice are very large (hundreds of bytes). These headers may
represent a significant fraction of the total size of a typical SIP
message. 3GPP proposes that the SIP outbound proxy remove and reinsert
these headers on behalf of the mobile terminal, so that the size of
SIP messages transmitted over the radio interface is reduced.
Additionally, the UA is typically a non-trusted element. The operation
of the 3GPP IM CN subsystem requires the signaling to traverse a set
of proxies for various reasons (e.g., to allocate or authorize
resources or generate charging events). It is considered to be a
security risk the fact that a UA may bypass those SIP servers and make
a fraudulent use of the network.
The SIP outbound proxy must be able to remove the network generated
contents of the Via and Record-Route headers of the SIP requests to be
sent to the UA. These contents are reinserted in the appropriate
headers of the responses, as if they would have been included by the
UA. This reduces SIP message sizes and thus transmission delay and
Network Working Group Expiration 09/30/02 7 �
Garcia et. al. 3GPP requirements on SIP March 2002
peak bandwidth requirements over the radio interface and minimizes the
fraudulent use.
6.3 Registration
Note that in SIP, registration is merely the association between SIP
URLs and various Contacts. No additional information is implied by the
existence of such registration data.
6.3.1 Registration required
A user must register to the IMS before he/she can terminate any
sessions. In addition, it is desirable for the user to register before
initiating any sessions. The rationale behind this is that:
1. The user must be reachable for terminating sessions and services;
2. The user is pre-authenticated early, so that authentication does
not contribute to post-dial delay.
3. The user is assigned a particular serving proxy. The serving proxy
downloads the service profile for that user to trigger services.
The procedure should not have a penalty on the session setup time (see
also requirement 6.1.2).
6.3.2 Location of the SIP Registrar
The home network must maintain one or more SIP registrars. The SIP
registrar authenticates the user and registers the IP address where
the user can be located.
Once the terminal is switched on, the UA reads its configuration data.
This data may be stored in a SIM card or any other memory device. The
configuration data contains an identification of the home network. The
device finds the SIP registrar address from the home network domain
name. The terminal sends the registration through the SIP outbound
proxy.
In order to support the search of the registrar, the home network
contains one or more SIP servers that are configured in DNS with the
SRV record of SIP. These are the home network entry proxies. Their
mission is to serve as a first point of contact in the home network,
and decide (with the help of location servers) which SIP registrar
server to assign to a particular user.
The procedures specified in [38] applied to a REGISTER message seems
to be sufficient to meet this requirement.
6.3.3 Efficient registration
Network Working Group Expiration 09/30/02 8 �
Garcia et. al. 3GPP requirements on SIP March 2002
Due to the scarce radio interface resource, a single registration must
be sufficient to insure that the mobile UA is reachable from both the
home and visited networks.
A single REGISTER message, addressed to the registrar, may traverse
the SIP outbound proxy in the visited network. This can install, if
needed, soft registration states in the SIP outbound proxy.
6.3.4 Registration for roaming and non roaming cases
In order to facilitate roaming between different networks, the UA must
be able to register independent of its roaming status. In the interest
of simplicity, it is desirable for the registration procedure to be
the same within both home and visited networks.
6.3.5 Visited domain name
The home network must be able to validate that there is a roaming
agreement between the home and the visited network. The home network
needs to validate that the user is allowed to roam to such a visited
network. Therefore, there must be a mechanism so that the visited
network identity is known at registration time in the home network. As
such, the visited network identity must be transported from the SIP
outbound proxy to the home network.
It is acceptable to represent the visited network identity either as a
visited network domain name or as a string.
6.4 De-registration
6.4.1 De-registration of users
There must be a procedure for a user to de-register from the network.
This procedure may be used, e.g., when the user deactivates the
terminal.
We believe that a REGISTER with an expiration timer of 0 will meet the
requirement.
6.4.2 Network initiated de-registration or re-registration
There are a number of situations where the network needs to de-
register or trigger a re-registration of a previously registered UA.
Examples of usage are described in sections 6.4.3, 6.4.4 and 6.4.5.
This implies a need for a notification mechanism to inform the UA of
the need to re-register.
Network Working Group Expiration 09/30/02 9 �
Garcia et. al. 3GPP requirements on SIP March 2002
We believe this requirement is met by the SIP events [15] and a
registration event package, similar to the one defined in [37].
6.4.3 Network initiated de-registration, network maintenance
The IM CN Subsystem may initiate the network initiated de-registration
procedure due to forced re-registrations from subscribers, e.g. in
case of data inconsistency at node failure, in case of SIM lost, etc.
Canceling the current contexts of the user spread among the network
nodes at registration, and imposing a new SIP registration solves this
condition.
6.4.4 Network initiated de-registration, network/traffic determined
The system must support a mechanism to avoid inconsistent information
storage and remove any redundant registration information. This case
will occur when a subscriber roams to a different network. This case
occurs in normal mobility procedures when the user roams from one
access network to another one, or when imposing new service conditions
to roamers.
6.4.5 Network initiated de-registration, administrative
For different reasons (e.g., subscription termination, lost terminal,
etc.) a home network administrative function may determine a need to
clear a user's SIP registration. This function initiates the de-
registration procedure and may reside in various elements depending on
the exact reason for initiating the de-registration.
There must be a procedure for an entity in the network to de-register
users. The de-registration information must be available at all the
proxies that keep registration state and the UA.
We believe that a procedure based on SIP events [15] and a
registration package [37] will meet the requirement.
6.5 Compression of SIP signaling
As the radio interface is a scarce resource, the transport of SIP
messages over the radio interface must be done efficiently.
Therefore, there must be a mechanism to efficiently transport SIP
signaling packets over the radio interface, by compressing the SIP
signaling messages between the UA and the SIP outbound proxy, and by
compressing the IP and transport layer protocol headers that carry
these SIP messages.
Network Working Group Expiration 09/30/02 10 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.5.1 Extensibility of the SIP compression
The chosen solution(s) must be extensible to facilitate the
incorporation of new and improved compression algorithms in a backward
compatible way, as they become available.
6.5.2 SIP compression and roaming
The chosen solution(s) for SIP compression must work in roaming
scenarios.
6.5.3 Minimal impact of SIP compression on the network
Application specific compression must minimize impacts on existing
3GPP network, e.g. the compression must be defined between the UA at
the SIP terminal and the outbound SIP Proxy in the visited network.
6.5.4 Optionality of SIP compression
It must be possible to leave the usage of compression for SIP
signaling optional. To facilitate mobile terminal roaming between
networks which are using compression, the mobile terminal should
always support ability to compress SIP signaling. If compression is
not supported, communication may continue without compression,
depending on the local policy of the visited network.
6.5.5 Default algorithm for SIP compression
A default algorithm must be supported by the UA and the network
elements involved for compression.
6.5.6 Compression Negotiation
There must be a mechanism to negotiate between the UA and the first
SIP outbound proxy the compression algorithm to be used.
Note: 3GPP is investigating if the compression of SIP signaling is
negotiated on a per call basis, on a per registration basis or
something completely different. More information will be provided in
future versions of this document.
6.6 QoS requirements related to SIP
6.6.1 Independence between QoS signaling and SIP
Network Working Group Expiration 09/30/02 11 �
Garcia et. al. 3GPP requirements on SIP March 2002
The selection of QoS signaling and resource allocation schemes must be
independent of the selected session control protocols. This allows for
independent evolution of QoS control and SIP.
6.6.2 Coordination between SIP and QoS/Resource allocation
6.6.2.1 Allocation before alerting
In establishing a SIP session, it must be possible for an application
to request that the resources needed for bearer establishment are
successfully allocated before the destination user is alerted. Note,
however, that it must be also possible for an SIP application in a
terminal to alert the user before the radio resources are established
(e.g. if the user wants to participate in the media negotiation).
We believe this requirement is met by [8] and [21].
6.6.2.2 Destination user participates in the bearer negotiation
In establishing a SIP session, it must be possible for a terminating
application to allow the destination user to participate in
determining which bearers shall be established.
We believe this requirement is met by the standard SDP negotiation
described in [3] and the extensions described in [8] and [21].
6.6.2.3 Successful bearer establishment
Successful bearer establishment must include the completion of any
required end-to-end QoS signaling, negotiation and resource
allocation.
We believe this requirement is met by the procedures described in [8]
and [21].
6.7 Prevention of theft of service
The possibility for theft of service in the 3GPP IM CN Subsystem shall
be no higher than that for the corresponding GPRS and circuit switched
services.
We believe this requirement is met by the procedures described in [9].
6.8 Radio resource authorization
As radio resources are very valuable the network must be able to
manage these in a controlled manner. The network must be able to
Network Working Group Expiration 09/30/02 12 �
Garcia et. al. 3GPP requirements on SIP March 2002
identify who is using these resources and be able to authorize their
usage.
We believe this requirement is met by the procedures described in [9].
6.9 Prevention of denial of service
The system unavailability due to denial of service attacks in the IM
CN subsystem shall be no greater than that for the corresponding GPRS
and circuit switched services.
6.10 Identification of users
6.10.1 Private user identity
To use the 3GPP IM CN Subsystem, a subscriber must have a private user
identity. The private identity is assigned by the home network
operator, and used, for example, for registration, authorization,
administration, and possibly accounting purposes. This identity shall
take the form of a Network Access Identifier (NAI) as defined in RFC
2486 [10].
The private user identity is not used for routing of SIP messages.
The private user identity is a unique global identity defined by the
Home Network Operator, which may be used within the home network to
uniquely identify the user from a network perspective.
The private user identity is not accessible by the user. Typically
this identity is stored in a SIM card.
The private user identity shall be permanently allocated to a user (it
is not a dynamic identity), and is valid for the duration of the
user’s subscription with the home network.
6.10.1.1 Private user ID in registrations
The UA must deliver the private user identity to the SIP outbound
proxy and the registrar at registration time.
The private user identity is used as the basis for authentication
during registration of the subscriber. The term authentication is used
in this document with the same meaning as it is defined in [36].
The current working assumption is that this requirement is met by
populating the username field of the Authorization: header value of
the REGISTER request with the private user ID.
Network Working Group Expiration 09/30/02 13 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.10.2 Public user identities
To use the 3GPP IM CN Subsystem, a subscriber must have one or more
public user identities. The public user identity/identities are used
by any user for requesting communications to other users. For example,
this might be included on a business card.
Different public user identities may be grouped into a user profile. A
user may have different profiles, each one containing different public
user identities. A public user identity can be part of a single user
profile.
The current working assumption in 3GPP is that this requirement is met
by populating the From: and To: header values of a REGISTER message
with the public user ID.
6.10.2.1 Format of the public user identities
The public user identity/identities must take the form of a SIP URL
(as defined in SIP [3] and RFC 2396 [11]) or the form of a E.164
number [12].
We believe this requirement is met by using SIP URLs and telephone
numbers represented in SIP URLs as described in SIP [3]. In addition,
tel: URLs as specified in [13] can be used to fulfill the requirement.
6.10.2.2 Registration of public user IDs
It must be possible to register globally (i.e. through one single UA
request) a subscriber that has more than one public identity that
belongs to the same user profile, via a mechanism within the IM CN
Subsystem. In this case, the user will be registered with all the
public identities associated to a user profile.
We believe this requirement may be accomplished by external
procedures. For example, the user’s profile may contain a list of
alias identities that the registrar considers active if the primary
identity is registered. The user may get informed of the automatically
registered public user IDs by subscribing to its own registration
state.
6.10.2.3 Authentication of the public user ID
Public user identities are not authenticated by the 3GPP IM CN
Subsystem. However the network authorizes that the public user
identity is associated to the registered private user identity.
There is a list of public user IDs that are associated with each
private user ID within the IM CN Subsystem. The IM CN Subsystem will
Network Working Group Expiration 09/30/02 14 �
Garcia et. al. 3GPP requirements on SIP March 2002
reject attempts to use other public identities with this private user
ID.
6.10.3 Delivery of the dialed public user ID
Typically a UA will be registered under a set of different public user
IDs. As such, terminating sessions can be placed to any of the
registered public user IDs. The serving proxy, application server(s)
in the termination network may apply certain filtering rules or
services based on the public user ID contained in the Request-URI. The
UA may also apply certain filtering rules or services based on the
public user ID.
As such, it must be possible, for all sessions, to deliver the dialed
public user ID to the terminating entities, such as the serving proxy,
application servers and the terminating UA.
6.11 Identifiers used for routing
Routing of SIP signaling within the IM CN Subsystem must use SIP URLs
as defined in [3]. E.164 [12] format public user identities must not
be used for routing within the IM CN Subsystem, and session requests
based upon E.164 format public user identities will require conversion
into SIP URL format for internal IM CN Subsystem usage.
We believe that this requirement is achieved by translating E.164
numbers into SIP URLs. A database, such as ENUM [14] might do the job.
6.12 Hiding requirements
6.12.1 Hiding of the network structure
A network operator need not be required to reveal the internal network
structure to another network (in Via, Route, or other headers) that
may contain indication of the number of SIP proxies, domain name of
the SIP proxies, capabilities of the SIP proxies or capacity of the
network. Association of the node names of the same type of entity and
their capabilities and the number of nodes may be kept private within
an operator’s network. However disclosure of the internal architecture
must not be prevented on a per agreement basis.
6.12.2 Hiding of IP addresses
A network need not be required to expose the explicit IP addresses of
the nodes within the network (excluding firewalls and border
gateways).
Network Working Group Expiration 09/30/02 15 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.12.3 SIP hiding proxy
In order to support the hiding requirements, a SIP hiding proxy may be
included in the SIP signaling path. Such additional proxy may be used
to shield the internal structure of a network from other networks.
6.13 Cell-ID
The identity of the cell through which the 3GPP UA is accessing the IM
CN Subsystem (Cell-ID) may be used by either the visited or the home
network to provide localized services or information on the location
of the terminal during an emergency call (see also requirement
6.16.3).
6.13.1 Cell-ID in signaling from the UA to the visited and home
networks
Assuming that the cell-ID is obtained by the UA by other mechanisms
outside the scope or beyond SIP, the cell-ID must be transported at
least in the following procedures:
- Registration
- Session Establishment (Mobile Originated)
- Session Establishment (Mobile Terminated)
- Session Release
The Cell-ID is private information and only of interest in the visited
and home network serving the UA. Therefore, the Cell-ID should be
removed prior to sending the SIP signaling beyond the network of
originating serving proxy.
6.13.2 Format of the cell-ID
The cell-ID must be sent in any of the formats described in [22].
6.14 Release of sessions
In addition to the normal mechanisms to release a SIP session (e.g.
BYE), two cases are considered in this section. The ungraceful release
of the session (e.g., the terminal moves to an out-of-coverage zone)
and the graceful session release ordered by the network (e.g., pre-
paid caller runs out of credit).
We believe this requirement is met by a SIP entity acting as a so-
called transparent back-to-back User Agent.
6.14.1 Ungraceful session release
Network Working Group Expiration 09/30/02 16 �
Garcia et. al. 3GPP requirements on SIP March 2002
If an ungraceful session termination occurs (e.g. flat battery or
mobile leaves coverage), when a call stateful SIP proxy server (such
as the SIP serving proxy at home) is involved in a session, memory
leaks and eventually server failure can occur due to hanging state
machines. To ensure stable server operation and carrier grade service,
a mechanism to handle the ungraceful session termination issue must be
provided. We assume that there is a mechanism by which one of the SIP
proxies in the path is notified of the ungraceful session termination.
This allows transforming the ungraceful session release into a
graceful session release ordered by the network (see next section).
For example, a stateful SIP server in the signaling path could send a
BYE on behalf of the mobile terminal.
6.14.2 Graceful session release
There must be a mechanism so that an entity in the network may order
the release of resources to other entities. This may be used, e.g., in
pre-paid calls when the user runs out of credit.
This release must not involve any request to the UA to send out a
release request (BYE), as the UA might not follow this request. The
receiving entity needs the guarantee that resources are released when
requested by the ordering entity.
The following objectives must be met:
a) Accurately report the termination to the charging subsystem.
b) Release the associated network resources: bearer resources and
signaling resources.
c) Notify other parties to the session, if any, of the session
termination.
Where feasible, this mechanism should be at the SIP protocol level in
order to guarantee access independence for the system.
6.15 Routing of SIP messages
In order to clarify the terminology, we introduce the term vector to
refer to the set of proxies that the INVITE has to traverse.
6.15.1 SIP outbound proxy in the visited network
The 3GPP architecture includes an outbound proxy in the visited
network. This outbound proxy provides local services such as location-
specific internationalization functions. In addition, the outbound
proxy may interact with the media reservation mechanism to provide
authentication and authorization support for media reservation.
6.15.2 SIP serving proxy in the home network
Network Working Group Expiration 09/30/02 17 �
Garcia et. al. 3GPP requirements on SIP March 2002
All session setups must transit the serving proxy in the home network.
This allows services to be triggered in the serving proxy on behalf of
the user (example: speed dial substitution). Both the outbound proxy
in the visited network (see previous paragraph) and the serving proxy
in the home network must be transited for every (non-emergency)
mobile-originated session. This implies a requirement for some sort of
source-routing mechanism to assure these proxies are transited
correctly.
6.15.3 INVITE might follow a different path than REGISTER
The path taken by the INVITE need not be restricted to the specific
path taken by the REGISTER. However, the path taken by the INVITE may
follow the same path taken by the REGISTER (e.g., the INVITE may
traverse just the SIP outbound proxy in the visited network and the
SIP serving proxy in the home network, without passing through any
other proxies).
6.15.4 SIP inbound proxy in the visited network
The visited network may apply certain local policies to incoming
sessions. Therefore, the visited network may contain a SIP inbound
proxy for terminating sessions. In general, the SIP inbound proxy and
the SIP outbound proxy are the same entity in the visited network.
6.15.5 Distribution of the Source Routing Vector
Section 6.15.2 and 6.15.4 assume that a source routing mechanism is
used to effect traversal of the required SIP proxies during session
setup.
There must be some means of dynamically informing the node which adds
the source routing vector (e.g., the outbound proxy or serving proxy)
of what that vector should be.
The hiding requirements expressed in section 6.12 also apply to the
vectors.
6.16 Emergency sessions
3GPP networks already contain alternative procedures to deliver
emergency sessions. The requirements stated in this section are
considered to be long-term requirements for the operation of the IMS.
It must be possible to place an emergency session using the IM CN
Subsystem. Emergency calls will be routed to the emergency services in
Network Working Group Expiration 09/30/02 18 �
Garcia et. al. 3GPP requirements on SIP March 2002
accordance with national regulations for where the subscriber is
located.
6.16.1 Authentication is not required for emergency calls
It must be possible to place an emergency session using SIP,
independently on whether the user is authenticated by the IM CN
Subsystem or not. Note, however, that in certain countries, it might
be possible to reject an emergency call when the user is not
authenticated by the IM CN Subsystem.
6.16.2 SIP outbound proxy support
Emergency sessions must be handled by the SIP outbound proxy in the
visited network.
6.16.3 Cell Global ID in emergency sessions
It is required that location information including Cell Global ID (see
also requirement 6.13) be made available in the initial INVITE and the
BYE message for the purpose of locating the user and routing to the
appropriate Emergency Call Center.
6.16.4 Types of emergency calls
It must be possible to initiated emergency calls to different
emergency call centers, depending on the type of emergency. The
following types of emergency calls are possible:
- Police
- Ambulance
- Fire brigade
- Marine guard
- Mountain rescue
- Spare, at least three different types
6.16.5 Default identifier for emergency calls
In order to support emergency calls in roaming situations, it must be
allowed to establish an emergency call without the need to dial a
dedicated number or SIP URL. This allows to dial an emergency center
based on a menu, "red button" or a linkage to a car air bag control.
Additionally, it is desirable that the user interface for emergency
calls in 3GPP terminals is similar to the one in other SIP networks.
Network Working Group Expiration 09/30/02 19 �
Garcia et. al. 3GPP requirements on SIP March 2002
3GPP is currently investigating the applicability of the Universal
Emergency SIP URL described in [33].
6.17 Identities on session establishment
6.17.1 Remote Party Identification presentation
It must be possible to present to the caller the identity of the party
to which he/she may dial back to return a call.
We believe this requirement is met by the procedures described in
[16].
6.17.2 Remote Party Identification privacy
In addition to the previous requirement, the called party must be able
to request that his/her identity not be revealed to the caller.
We believe this requirement is met by the procedures described in
[16].
6.17.3 Remote Party Identification blocking
Regulatory agencies, as well as subscribers, may require the ability
of a caller to block the display of their caller identification. This
function may be performed by the destination subscriber’s SIP serving
proxy. In this way, the destination subscriber is still able to do a
session-return, session-trace, transfer, or any other supplementary
service.
Therefore, it must be possible that the caller requests to block the
display of his/her identity at the callee's display.
We believe this requirement is met by the procedures described in
[16].
6.17.4 Anonymity
Procedures are required for an anonymous session establishment.
However, sessions are not intended to be anonymous to the originating
or terminating network operators.
Note: 3GPP is still discussing whether the requirement is needed or
not.
6.17.4.1 Anonymous session establishment
Network Working Group Expiration 09/30/02 20 �
Garcia et. al. 3GPP requirements on SIP March 2002
If the caller requests the session to be anonymous, the UAC must not
reveal any identity information to the UAS.
If the caller requests the session to be anonymous, the terminating
network must not reveal any identity or signaling routing information
to the destination endpoint. The terminating network should
distinguish at least two cases, first if the caller intended the
session to be anonymous, and second if the caller’s identity was
deleted by a transit network.
6.18 Charging
The 3GPP charging implications are described in [41].
6.18.1 Support of both prepaid and postpaid models
Operators may choose to offer prepaid and/or postpaid services. The
prepaid model is accomplished with the support of the on-line charging
model. The postpaid model is accomplished by the support of the off-
line charging model.
On-line charging is the process where charging information can affect,
in real-time, the service rendered to the user, such as request for a
graceful release of an existing session. On-line charging interacts
with the SIP signaling.
Off-line charging is the process where charging information does not
affect, in real-time, the service rendered to the user.
6.18.2 Charging correlation levels
The following levels of correlation for IMS charging are considered:
- Correlation within a session. A session may comprise a number of
media components. It must be possible to correlate the charging data
of the different media components belonging to a session.
- Correlation at media component level. For a session comprising
several media components (such as audio and video), charging data is
generated for each media component and needs to be correlated between
network elements. For this, a component identifier shall be unique and
shall clearly identify to which media component of a session this
charging information belongs to. This component identifier is not
exchanged between network elements and is based on the ordering of
media flows in the SDP. This ordering is the same as the one used in
the binding information passed to the GPRS network.
6.18.3 Charging correlation principles
Network Working Group Expiration 09/30/02 21 �
Garcia et. al. 3GPP requirements on SIP March 2002
To support the correlation of charging information, the following
principles apply to both offline and online charging:
- The correlation of charging information for an IMS session is based
on the use of IMS Charging Identifiers (ICID).
- The first IMS network entity within the SIP signaling path is
responsible for assigning an ICID. This ICID shall then be passed
along the whole session path in an end-to-end manner. However, this
shall not preclude further elements (other SIP proxies) along the
session path generating additional identifiers to be passed along.
- The ICID is passed to all IMS network entities in the session
signaling path. This is performed using SIP signaling.
- For the charging correlation between the GPRS network and the IMS,
one or more GPRS Charging IDs, which identify the PDP contexts of the
session, are passed from the GPRS network to the IMS.
- The GPRS Charging IDs are passed by the outbound SIP proxy to the
serving SIP proxy and the Application Servers using SIP signaling.
They are not transferred from one home IMS (e.g. of the A-Party) to
another home IMS (e.g. the one of the B-Party).
6.18.4 Collection of Session Detailed Information
The SIP serving proxy or another SIP server in the home network must
be able to log details of all sessions, such as the duration, source,
and destination of a session, to provide to the charging subsystem.
6.19 IPv6
As the 3GPP architecture is solely based on IP version 6, all
protocols must support IPv6 addresses.
We believe SIP [3] and SDP [17] meet this requirement. However, the
"DHCP option for SIP servers" [7] does not support IPv6.
6.19.1 Interworking IPv6 with IPv4
3GPP IM CN subsystem is based on IPv6. As external networks may be
based on IPv4 addresses, there is a need to interwork with such a
external networks. Therefore, interworking between IPv6 and IPv4 at
the SIP and SDP level (UAs and proxies) must be guaranteed.
6.20 General support of additional capabilities
Network Working Group Expiration 09/30/02 22 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.20.1 Additional capabilities
3GPP is interested on applying and using additional services, like
those described in [19], [34] and [35]. Although 3GPP is not going to
standardize additional services, 3GPP may make sure that the
capabilities that enable those services are granted in the network.
As such we believe that the REFER method [18] and the Replaces header
[20] constitute the enablers in order to meet the above requirement.
6.20.2 DTMF signalling
Support for voice calls must provide a similar level of service to the
existing circuit based voice service. This includes the ability to
utilize DTMF signaling e.g. for control of interactive voice response
systems such as ticket sales lines, timetable information etc.
The transfer of DTMF tones from the mobile terminal to target systems
that may be in the PSTN, or to SIP based solutions (i.e. no PSTN
connection) must be supported.
The transport of DTMF signals may be required for the whole call, just
for the first part, or from some later point in the call i.e. the
start time and duration of such signaling is unpredictable.
We believe that the mechanisms specified in RFC 2833 [40] meet the
requirement.
6.20.3 Early Media
As mobile terminals will frequently interoperate with the PSTN,
support for early media is required.
6.21 Three-way handshake in the session description negotiation
Typically a session description protocol like SDP is used in SIP to
describe the media streams and codecs needed to establish the session.
SIP uses an offer/answer model of the session description where one of
the parties offers his session description and the other answers to
that offer.
In 3GPP IM CN Subsystem, the terminals might have restrictions with
the memory, DSP capacity, etc. As such, it is required that the
Session Description negotiation concludes with one out of many single
codecs per media stream. Both UAC and UAS must know, prior to any
media is sent or received, which codec is used for each media stream.
In 3GPP IM CN Subsystem, an efficient use of the network and radio
resources is an important requirement. As such, the network must know
Network Working Group Expiration 09/30/02 23 �
Garcia et. al. 3GPP requirements on SIP March 2002
in advance which codecs is used for a particular media stream. The
network may use this information to apply the most appropriate error
correction mechanism depending on the selected codec. The network
access control may use this information as well.
Additionally, it is required that the party who pays for the resource
utilization has the opportunity to decide the codecs to use, once both
end parties are aware of the capabilities supported at the remote UA.
Therefore, it is required a three-way handshake model in the session
description negotiation within SIP. This follows the model of
offer/counter-offer/response of the session description. In this model
the person who pays for the resources offers his collection of codecs,
the remote party offers his selection of available codecs, and again
the person who pays decides which codec to use.
6.22 Correlation of dialogs
Typically a serving SIP proxy may invoke service execution in an
Application Server that may be installed as a separate entity. The
protocol in the interface between the SIP proxy server and the
Application Server (AS) is SIP.
The serving SIP proxy in the home network will typically forward a SIP
request to the AS with enough routing information to assure that the
SIP message is routed back to the same serving SIP proxy. The AS will
execute the service, and apply regular SIP routing rules that will
typically result in the message being routed back to the initial SIP
serving proxy.
In applying services, the AS may behave as a Back-to-Back User Agent,
and therefore, it may change the values of the From, To and Call-ID
header fields. As such, the serving SIP proxy, when receiving back the
message from the AS, it may not recognized the original dialog, and it
may consider the request as a completely new dialog.
As such, there is a need for a mechanism that guarantees that the
serving SIP proxy can correlate a dialog with an existing one, even
when the AS modified the dialog identifiers (From, To and Call-ID).
6.23 Security Model
Disclaimer: These requirements are still being considered in 3GPP.
Sections 6.23, 6.24 and 6.25 have been based on the 3GPP documents
[23], [4], and [24], and the work done by Dirk Kroeselberg in the
Internet-Draft [28] (now expired).
The scope for security of the 3GPP IM CN Subsystem is securing the SIP
signaling between the various SIP entities. Protecting the end-to-end
Network Working Group Expiration 09/30/02 24 �
Garcia et. al. 3GPP requirements on SIP March 2002
media streams may be a future extension but is not considered in the
first version of the IM CN Subsystem.
It is expected that security for the underlying GPRS network and the
IM CN Subsystem will be provided independent of each other. Therefore,
SIP signaling security must be provided independently of underlying
access network security mechanisms. In particular, it must be possible
to access the IM CN Subsystem services securely from other accesses
than GPRS.
Each operator providing IM CN Subsystem services acts as its own
domain of trust, and shares a long-term security association with its
subscribers (e.g. pre-shared keys). Operators may enter into roaming
agreements with other operators, in which case a certain level of
trust exists between their respective domains.
SIP user agents must authenticate to their home network before the use
of IM CN Subsystem resources is authorized. The current working
assumption in the 3GPP is to perform authentication during
registration and re-registrations.
Portions of the SIP signaling must be protected hop-by-hop. Looking at
Figure 1 in Chapter 5, we can distinguish two distinct zones where the
required security is unique:
- Access Domain: Between the SIP user device and the visited network.
- Network Domain: Between the visited and the home networks, or inside
the home network.
Characteristics needed in the Access Domain are quite different from
those of the Network Domain because the terminal’s requirements on
mobility, computation restriction, battery limit, bandwidth
conservation and radio interface. SIP entities in the access domain
should be able to maintain security contexts with a large group of
users in parallel. Furthermore, Access Domain provides user specific
security associations while Network Domain provides security
associations between network nodes. Therefore the weight of protocols
and algorithms and the compliance of them with compression mechanisms
are very important to Access Domain Security. It is therefore required
that the security solutions must allow different mechanisms in these
two domains.
6.24 Access Domain Security
6.24.1 General Requirements
6.24.1.2 Scalability and Efficiency
3GPP IM CN Subsystems will be characterized by a large subscriber base
of up to a billion users, all of which must be treated in a secure
manner.
Network Working Group Expiration 09/30/02 25 �
Garcia et. al. 3GPP requirements on SIP March 2002
The security solutions must allow global roaming among a large number
of administrative domains.
6.24.1.2 Bandwidth and Roundtrips
The wireless interface in 3GPP terminals is an expensive resource both
in terms of power consumption and maximum utilization of scarce
spectrum. Furthermore, cellular networks have typically long round-
trip time delays, which must be taken in account in the design of the
security solutions.
Any security mechanism that involves 3GPP terminals should not
unnecessarily increase the bandwidth needs.
All security mechanisms that involve 3GPP terminals should minimize
the number of necessary extra roundtrips. In particular, during normal
call signaling there should not be any additional security related
messages.
For example, once an IPsec security association or a TLS connection is
established, no additional round trips are required during call setup.
However, the roundtrip requirements at IPsec security association and
TLS connection establishment time are particularly hard to satisfy. It
seems that IKE [29] adds a number of roundtrips, particularly if run
together with legacy authentication extensions developed in the IPSRA
WG. TLS [25] uses fewer roundtrips, but on the other hand doesn't
support UDP.
6.24.1.3 Computation
It must be possible for IM CN Subsystem terminals to provide security
without requiring public key cryptography and/or certificates. IM CN
Subsystem may, however, include optional security schemes that employ
these techniques.
Current HTTP authentication methods use only symmetric cryptography as
required here . Lower-layer mechanisms (ex: IKE, TLS) require
implementation of public-key cryptography and/or Diffie-Helman. If
these lower-layer mechanisms were used, the mobile terminal would
authenticate and negotiate session keys with the visited network using
only symmetric methods.
6.24.2 Authentication
Authentication, as used in this context, means entity authentication
that enables two entities to verify the identity of the respective
peer. This is different from message origin verification, which allows
Network Working Group Expiration 09/30/02 26 �
Garcia et. al. 3GPP requirements on SIP March 2002
a receiver to verify the origin of a single message and is provided by
the same means as integrity protection.
6.24.2.1 Authentication Method
As the SIP proxy that terminates message protection (e.g. integrity
protection) may not be the same SIP proxy that terminates
authentication, then there must be a mechanism where the credentials
used for integrity protection are not the same ones as the credentials
used for authentication.
The client and the home network must authenticate before access is
granted. Also, the client and visited proxy must establish a security
association in a manner that ensures that both the client and the home
network have accepted such a security association to be established.
Strong, mutual authentication method must be used.
The authentication method must be able to work when there are zero or
more SIP proxies in the SIP path between the authenticator and the
authenticated user.
It must be possible to support different authentication methods.
Therefore authentication using an extensible authentication framework
is strongly recommended.
Authentication methods must support the secure storage of long-term
authentication keys and the secure execution of authentication
algorithms.
The SIP client’s credentials must not be transferred as plain text.
3GPP intends to reuse UMTS AKA [24], but would prefer to a generic
authentication framework at SIP level that supports UMTS AKA as well
as other authentication mechanisms. UMTS AKA applies a symmetric
cryptographic scheme, provides mutual authentication, and is typically
implemented on a so-called SIM card that provides secure storage on
the user’s side.
Existing SIP security mechanisms do not fulfill these requirements.
HTTP Basic Authentication sends the passwords as plain text, also, it
is neither strong nor does it offer mutual authentication. HTTP Digest
has an option for mutual authentication, and it could be extended to
support UMTS AKA (see [39]). Lower layer security mechanisms (e.g.
IPsec, TLS) are not able to authenticate SIP entities when there are
one or more SIP proxies in the signaling path.
Additional requirements related to message protection that apply to
the authentication method are given in section 6.24.3..
6.24.2.2 Network initiated re-authentication
Network Working Group Expiration 09/30/02 27 �
Garcia et. al. 3GPP requirements on SIP March 2002
Network operators need to authenticate users to ensure that they are
charged appropriately for the services they use. The re-authentication
done when the user initiates a message will not suffice for this
purpose, as described below.
If the duration of the authentication period is set to a relatively
low value to ensure that the user cannot incur a high amount of
charges between two authentications, it may create a lot of
unnecessary authentications of users which have remained largely
inactive, and therefore utilize unnecessary air interface resources.
If the duration of the authentication period is set to a relatively
high value to avoid these unnecessary authentications the risk is then
that some users may incur high charges between authentications.
A user's authentication is automatically invalidated when a certain
threshold for charges (or number, or duration of sessions) is reached
without giving the user a chance to re-authenticate, even if a valid
registration exists. This would not provide an adequate level of
service.
Consequently it must be possible for the network to initiate a
re-authentication process at any time. The triggers must be set within
the network and may include charging thresholds, number of events,
session duration etc.
6.24.3. Message Protection
6.24.3.1 Message Protection Mechanisms
SIP entities (typically a SIP client and a SIP proxy) must be able to
communicate using integrity and replay protection. By integrity, we
mean the ability for receiver of a message to verify that the message
has not been modified in transit. SIP entities should be able to
communicate confidentially. These protection modes must be based on
initial authentication. Integrity protection and confidentiality must
be possible using symmetric cryptographic keys.
It must be possible to handle also error conditions in a satisfactory
manner as to allow recovery (see also 6.4.3 and 6.14).
It must be possible to provide this protection between two adjacent
SIP entities. In future network scenarios it may also be necessary to
provide this protection through proxies, though at the moment 3GPP
does not require this.
The security mechanism should not incur external limitations to any
transport bearers carrying SIP message (for example, UDP).
Network Working Group Expiration 09/30/02 28 �
Garcia et. al. 3GPP requirements on SIP March 2002
All the lower layer security mechanisms offer these services for the
hop-by-hop case, but currently we do not know of any mechanism that
would allow also end-to-end operation.
The security mechanism must be able to protect a complete SIP message.
If header compression/removal or SIP compression is applied to SIP
messages, it must be compatible with message protection.
6.24.3.2 Delegation
Performing authentication on all SIP signaling messages would likely
create bottlenecks in the authentication infrastructure. Therefore, a
distributed implementation of security functions responsible for
authentication and message protection is required.
It must be possible to perform an initial authentication based on
long-term authentication credentials, followed by subsequent protected
signaling that uses short-term authentication credentials, such as
session keys created during initial authentication. The used
authentication mechanisms must be able to provide such session keys.
It must be possible to apply subsequent message protection as soon as
possible, even during the initial authentication period.
Initial authentication is performed between the SIP UA and the
authenticating SIP serving proxy in the home network. However, the
authentication mechanism must not require access to the long-term
authentication credentials in these nodes. In the home network, the
authenticating SIP serving proxy must support interaction with a
dedicated authentication server in order to accomplish the
authentication task. At the client side a secured (tamper-proof)
device storing the long-term credentials of the user must perform the
authentication.
Additionally, the SIP serving proxy that performed the initial
authentication must be able to securely delegate subsequent SIP
signaling protection (e.g. session keys for integrity or encryption)
to an authorized SIP proxy further downstream. The tamper-proof device
at the client side must be able to securely delegate the session keys
to the SIP user agent.
Initial authentication can be performed with existing mechanisms such
as HTTP Digest [3], but there exists no method to allow subsequent
protection of the SIP signaling messages. There are also no proposals
to allow secure delegation of signaling protection task. Currently the
use of SIP together with an authentication server is difficult and
limited in scope, though several proposals are under way to extend
this [30, 31, 32]. However, the purpose of this document is not to
discuss AAA requirements. They are discussed elsewhere.
Network Working Group Expiration 09/30/02 29 �
Garcia et. al. 3GPP requirements on SIP March 2002
6.24.4 Negotiation of mechanisms
A method must be provided to securely negotiate the security services
to be used in the access domain.
This method must at least support the negotiation of different
security services providing integrity protection and encryption,
algorithms used within these services and additional parameters they
require to be exchanged.
The negotiation mechanism must protect against attackers who do not
have access to authentication credentials. In particular, it must not
be possible for man-in-the-middle attackers to influence the
negotiation result such that services with lower or no security are
negotiated.
A negotiation mechanism is generally required in all secure protocols
to decide which security services to use and when they should be
started. This security mechanism serves algorithm and protocol
development as well as interoperability. Often, the negotiation is
handled within a security service. For example, the HTTP
authentication scheme includes a selection mechanism for choosing
among appropriate authentication methods and algorithms. Note that
when referring to negotiation we mean just the negotiation, not all
functions in protocols like IKE. For instance, we expect the session
key generation is to be a part of the initial authentication.
SIP entities may use the same security mode parameters to protect
several SIP sessions without re-negotiation. For example, security
mode parameters may be assumed to be valid within the lifetime of a
registration. Note that it is necessary to amortize the cost of SA
setup and parameter negotiation over several INVITEs during the
registration period. However, as clients move around, it may not be
possible to keep SA state beyond the registration period.
Existing lower-layer security mechanisms provide the above
functionality. We do not currently know of any mechanism that would
allow this also at the SIP layer. The mechanism described in [27]
might perhaps be extended to perform secure negotiation. On the other
hand, some existing SIP headers, like "Require" and "Supported", could
be re-used.
Note that such a mechanism is required not only for negotiation of
security mechanisms, but for other services as well, e.g. for
compression (see section 6.5.6). Although negotiation of security
mechanisms is different due to the need for secure negotiation, all
negotiation mechanisms could operate in a similar fashion.
6.24.5 Verification of messages
6.24.5.1 Verification at the SIP outbound proxy
Network Working Group Expiration 09/30/02 30 �
Garcia et. al. 3GPP requirements on SIP March 2002
The SIP outbound proxy must be able to guarantee the message origin
and verify that the message has not been changed (e.g., it is
integrity protected).
6.24.5.2 Verification at the SIP serving proxy
The serving SIP proxy needs to receive an indication if the outbound
proxy was able to verify the message origin and, in the case of a
REGISTER request, whether it was integrity protected or not.
6.25 Network Domain Security
Message authentication, key agreement, integrity and replay
protection, and confidentiality must be provided for communications
between SIP network entities such as proxies and servers.
Network domain security mechanisms must be scalable up to a large
number of network elements.
The 3GPP intends to make it mandatory to have the protection discussed
above at least between two operators, and optional within an
operator’s own network. Security gateways exist between operator’s
networks.
We believe the above requirements to be fulfilled by applying security
mechanisms as specified in the current IP Security standards [26].
7. Security considerations
This document does not define a protocol, but still presents some
security requirements to protocols. The main security requirements are
in sections 6.23 "Security Model", 6.24 "Access Domain Security" and
6.25 "Network Domain Security". Additional security-related issues are
discussed under 6.7 "Prevention of theft of service", 6.8 "Radio
resource authorization", 6.9 "Prevention of denial of service", 6.12
"Hiding requirements" and 6.10 "Identification of users".
8. Author's Addresses
Miguel A. Garcia
Ericsson
FIN-02420, Jorvas, Finland
Tel: +358 9299 3553
e-mail: miguel.a.garcia@ericsson.com
Duncan Mills
Vodafone UK Ltd.
Network Working Group Expiration 09/30/02 31 �
Garcia et. al. 3GPP requirements on SIP March 2002
The Courtyard, Newbury, Berkshire, RG14 1JX, UK
Tel: +44 1635 676074
Fax: +44 1635 234445
e-mail: duncan.mills@vf.vodafone.co.uk
Gabor Bajko
Nokia
H-1096 Budapest, Koztelek 6, Hungary
Tel: +36 20 9849259
e-mail: gabor.bajko@nokia.com
Georg Mayer
Siemens
Hofmannstr. 51, 81359 Munich, Germany
Tel: +49-172-5371233
e-mail: georg.mayer@icn.siemens.de
Francois-Xavier Derome
Alcatel
10 rue latecoere, F-78141
tel: +33 130 773 834
e-mail: francois-xavier.derome@alcatel.fr
Hugh Shieh
AT&T Wireless
PO Box 97061, Redmond, WA 98073
Tel: +1 425 580 6898
e-mail: hugh.shieh@attws.com
Andrew Allen
dynamicsoft Inc.
5100 Tennyson Parkway
Suite 1200
Plano, TX 75024
Phone: +1 972 473 5507
e-mail: aallen@dynamicsoft.com
Sunil Chotai
mmO2
Adastral Park, Ipswich, UK.
Tel: +44 1473 605603
e-mail: sunil.chotai@o2.com
Keith Drage
Lucent Technologies
Tel: +44 1793 776249
e-mail: drage@lucent.com
Jayshree Bharatia
Nortel Networks
2201 Lakeside Blvd.
Richardson, Texas 75082
Network Working Group Expiration 09/30/02 32 �
Garcia et. al. 3GPP requirements on SIP March 2002
Tel: +1 972 684 5767
e-mail: jayshree@nortelnetworks.com
Kevan Hobbis
Hutchison 3G UK Ltd
Star House
20 Grenfell Road
Maidenhead
Berkshire, UK
Tel: +44 1628 765252
e-mail: kevan.hobbis@hutchison3g.com
Dean Willis
dynamicsoft Inc.
5100 Tennyson Parkway
Plano,TX 75024
email: dwillis@dynamicsoft.com
9. Acknowledgments
The authors will like to thank Rohan Mahy, Jari Arkko, Vesa Torvinen
and the members of the 3GPP CN1 and SA3 mailing lists for their
collaborative effort.
10. References
1. S. Bradner, "The Internet Standards Process -- Revision 3", BCP 9,
RFC 2026, October 1996.
2. S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
3. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J.
Peterson, R. Sparks, M. Handley, E. Schooler: "SIP, Session
Initiation Protocol", draft-ietf-sip-rfc2543bis-08.txt, February
2002, work in progress.
4. 3GPP TS 23.228 "IP Multimedia Subsystem (IMS) (Stage 2) - Release
5". Version 5.3.0 is available at ftp://ftp.3gpp.org/Specs/2001-
12/Rel-5/23_series/23228-530.zip
5. 3GPP TS 24.228: "Signaling flows for the IP Multimedia call control
based on SIP and SDP". Version 1.10.0 is available at
ftp://ftp.3gpp.org/tsg_cn/WG1_mm-cc-sm/TSGN1_22bis/Docs/N1-
020535_24228-1_10_0.zip
6. 3GPP TS 23.060: "General Packet Radio Service (GRPS); Service
Description; Stage 2". Version 5.0.0 is available at
ftp://ftp.3gpp.org/Specs/2001-12/Rel-5/23_series/23060-500.zip
Network Working Group Expiration 09/30/02 33 �
Garcia et. al. 3GPP requirements on SIP March 2002
7. H. Schulzrinne, G. Nair. "DHCP Option for SIP Servers", draft-ietf-
sip-dhcp-05.txt, November 2001, work in progress.
8. W. Marshall et al. "Integration of Resource Management and SIP",
draft-ietf-sip-manyfolks-resource-03.txt, November 2001, work in
progress.
9. W. Marshall et al. "SIP Extensions for Media Authorization", draft-
ietf-sip-call-auth-03.txt, November 2001, work in progress.
10. B. Aboba, M. Beadles, "The Network Access Identifier", RFC 2486,
January 1999.
11. T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource
Identifiers (URI): Generic Syntax", RFC 2396, August 1998.
12. ITU-T Recommendation E.164 (05/97): "The international public
telecommunication numbering plan".
13. A. Vaha-Sipila, "URLs for Telephone calls", RFC 2806, April 2000.
14. P. Faltstrom, "E.164 number and DNS", RFC 2916, September 2000.
15. A. Roach, "SIP-Specific Event Notification", draft-ietf-sip-
events-03.txt, February 2002, work in progress.
16. W. Marshall et al, "SIP Extensions for Caller Identity and
Privacy", draft-ietf-sip-privacy-03.txt, November 2001, work in
progress.
17. M. Handley, V. Jacobson, C. Perkins: "SDP: Session Description
Protocol", draft-ietf-mmusic-sdp-new-05.txt, February 2002, work in
progress.
18. R. Sparks: "The REFER method", draft-ietf-sip-refer-02.txt,
October 2001, work in progress.
19. R. Sparks: "SIP Call Control - Transfer", draft-ietf-sip-cc-
transfer-05.txt, July 2001, work in progress.
20. B. Biggs, R. Dean, R. Mahy: "The SIP Replaces Header", draft-
ietf-sip-replaces-00.txt, January 2002, work in progress.
21. J. Rosenberg, H. Schulzrinne: "Reliability of Provisional
Responses in SIP", draft-ietf-sip-100rel-05.txt, February 2002, work
in progress.
22. 3GPP TS 23.003, "Numbering, addressing and identification
(Release 5)". Version 5.2.0 is available is available at
ftp://ftp.3gpp.org/Specs/2001-12/Rel-5/23_series/23003-520.zip
Network Working Group Expiration 09/30/02 34 �
Garcia et. al. 3GPP requirements on SIP March 2002
23. 3GPP TS 33.203 "Access Security for IP-Based Services", Version
1.1.0 is available at
ftp://www.3gpp.org/tsg_sa/WG3_Security/TSGS3_22_Bristol/Docs/PDF/S3-
020078.pdf
24. 3GPP TR 33.210 "Network Domain Security", Version 0.6.0.
25. T. Dierks, C. Allen. "The TLS Protocol Version 1.0", RFC 2246,
January 1999.
26. S. Kent, R. Atkinson. "Security Architecture for the Internet
Protocol", RFC 2401, November 1998.
27. S. Parameswar, B. Stucker. "The SIP NEGOTIATE Method", draft-
spbs-sip-negotiate-00.txt, September 2001, work in progress,.
28. D. Kroeselberg. "SIP security requirements from 3G wireless
networks", draft-kroeselberg-sip-3g-security-req-00.txt, January
2001, work in progress.
29. D. Harkins, D. Carrel: "The Internet Key Exchange (IKE)", RFC
2409, November 1998.
30. Srinivas, Chan, Sengodan, Costa-Requena: "Mapping of Basic and
Digest Authentication to DIAMETER AAA Messages", draft-srinivas-aaa-
basic-digest-00.txt, July 2001, work in progress.
31. B. Sterman: "Digest Authentication in SIP using RADIUS", draft-
sterman-sip-radius-00.txt, February 2001, work in progress.
32. P. R. Calhoun, W. Bulley, A.C. Rubens, J. Haag, G. Zorn:
"Diameter NASREQ Application", draft-ietf-aaa-diameter-nasreq-
08.txt, November 2001, work in progress.
33. H. Schulzrinne: "Universal Emergency Address for SIP-based
Internet Telephony", draft-schulzrinne-sipping-sos-01.txt, February
2002, work in progress.
34. A. Johnston, S. Donovan, R. Sparks, C. Cunningham, D. Willis, J.
Rosenberg, K. Summers, H. Schulzrinne: "SIP Call Flow Examples",
draft-ietf-sip-call-flows-05.txt, June 2001, work in progress.
35. A. Johnston, R. Sparks, C. Cunningham, S. Donovan, K. Summers:
"SIP Service Examples", draft-ietf-sip-service-examples-03.txt,
November 2001, work in progress.
36. R. Shirey: "Internet Security Glossary", RFC 2828, May 2000.
37. H. Sugano, S. Fujimoto, G. Klyne, A. Bateman: "CPIM Presence
Information Data Format", draft-ietf-impp-cpim-pidf-01.txt, October
2001, work in progress.
Network Working Group Expiration 09/30/02 35 �
Garcia et. al. 3GPP requirements on SIP March 2002
38. J. Rosenberg, H. Schulzrinne, "SIP: locating SIP servers", draft-
ietf-sip-srv-04.txt, January 2002, work in progress.
39. A. Niemi, J. Arkko, V. Torvinen: "HTTP Digest Authentication
Using AKA", draft-niemi-sipping-digest-aka-00.txt. February 2002,
work in progress.
40. H. Schulzrinne, S. Petrack: "RTP Payload for DTMF Digits,
Telephony Tones and Telephony Signals", RFC 2833, May 2000.
41. 3GPP TR 23.815: "Charging implications of IMS architecture".
Version 1.2.0 is available at
ftp://ftp.3gpp.org/tsg_sa/WG2_Arch/TSGS2_23/tdocs/s2-020670.zip
11. Changes from previous versions
11.1 Changes from version -00
- Reference section is updated.
- Added new section 6.21.2 on DTMF signaling.
- Added new section 6.23.5 on Network initiated re-authentication.
- Section 6.13.1 clarifies that the Cell-ID is not sent beyond the
network of the originating serving proxy.
- Section 6.4.2 is rewritten to clarify the need for the requirement.
- Section 6.9 says that the requirement is only partly covered by [9],
as this document only covers the media aspects of a denial of service,
but not the signaling aspects.
- Sections 6.10.2.2 and 6.10.2.3 are clarified.
- Sections 6.14 are 6.15 are rewritten in the sake of clarity.
11.2 Changes from version -01
This version is an effort to clarify many of the requirements.
- Among others, section 6.2.3, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4,
6.14.1, 6.15.4, 6.16.1, 6.21, 6.22, 6.23.2.1, 6.23.2.2 and 6.23.6 have
been modified or re-written.
- Old section 6.4.5, network initiated de-registration (application
layer determined) has been removed.
- Added a couple of new charging related requirements under sections
6.18.1 and 6.18.2.
- Added a requirement for Early Media in section 6.20.3.
11.3 Changes from version -02
- References are updated
- Added a references to draft-ietf-sip-srv-04.txt
- Clarified that the private user ID is not sent in the From header of
the REGISTER request.
Network Working Group Expiration 09/30/02 36 �
Garcia et. al. 3GPP requirements on SIP March 2002
- Added a suggestion about how the user is notified of the implicitly
registered public user identities.
- Clarified that emergency sessions are a long term requirement.
- The charging requirements have been completed.
- The security requirements don't refer to HTTP EAP AKA, but to Digest
AKA instead.
- New verification requirements explicitly stated in 6.24.5
- Added a reference to RFC 2833
- Added a new requirements related to correlation of dialogs in 6.23
- General consistency check in order to distinguish requirements from
solutions.
Full Copyright Statement
"Copyright (C) The Internet Society (2000). All Rights Reserved. This
document and translations of it may be copied and furnished to others,
and derivative works that comment on or otherwise explain it or assist
in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English. The limited
permissions granted above are perpetual and will not be revoked by the
Internet Society or its successors or assigns. This document and the
information contained herein is provided on an "AS IS" basis and THE
INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Network Working Group Expiration 09/30/02 37 �
