
IPSec implementation in IMS Core



Guest Varun Srivastava
Posted

Recently, in a telco environment implementation, I tried my hand at the following structure to improvise the Multimedia Subsystem security in IP Networks and further addition of IPSec to secure the carrier network.

 

I started with the first interaction and authentication at the User Equipment level with IMS core through ISIM authorization and used PKINIT for IKE. At this first interaction interface, I tried to replace PKINIT with traditional gateway devices for data authentication in both active and passive mode, but PKINIT proved to be a better option.

The entire authentication and authorization here is handled via Serving CSCF, but key generation, as theoretically proven by 3GPP TR 33.978, is done primarily via the Home serving network.

 

Next, with the Gm interface, I used Cavium Nitrox plugin cards with the Proxy CSCF to implement AH as well as ESP. Both the linkage between user equipment and Proxy CSCF and the interaction between both parties are secured via AH and ESP respectively.

 

For the Cx interface, the traditional Diameter protocol was used, which protected traditional CSCF interaction all across the ecosystem.

 

At the Za interaction between Proxy and SIP services, both IPsec and any generic IKE were utilized, as security at this juncture involves AKA for visitor networks when the UE is roaming. Same with Zb at the Proxy interaction with SIP Services when the user is in the home network.

 

Overall, after implementing the following multitier security mechanism at the Multimedia Subsystem Core, further attacks can be simulated and checked against effectiveness, which I will produce as results in my next post along with lab setup details. All this experimental analysis is done along with the Sec team at Appin Group.

 

I need to know any alternative approach to securing the IP multimedia subsystem core, with details on CSCF intercommunication security.

 

regards

Varun Srivastava

Appin Group

varunsrivastava(dot)com

appinlabs(dot)com
