Network Configuration Independence Mechanism




3GPP TSG SA WG3 Security S3#19
3-6 July, 2001, Newbury, UK
S3-010323

Source: AT&T Wireless
Title: Network Configuration Independence Mechanism
Document for: Approval

1 Introduction

During the last S3 meeting in Phoenix a new work item, Security Aspects of Requirement for Network Configuration Independence, was approved. This contribution addresses the security needs of Configuration Independence (aka Network Hiding). It includes mechanisms needed to route SIP requests and responses, ensuring that information about the S-CSCF is not provided to those not authorized to receive it. A CR to 23.228 is proposed.

2 Discussion

The Network Configuration Independence requirement is stated in TS23.228 as follows:

It is a requirement that it shall be possible to hide the network topology from other operators. It shall be possible to restrict the following information from being passed outside of an operator's network: exact number of S-CSCFs, capabilities of S-CSCFs, or capacity of the network.

The design for Configuration Independence has been discussed in both SA2 and CN1. The mechanism being studied is to encrypt the S-CSCF address in SIP Via, Record-Route, Route, and Path headers at an I-CSCF, and then decrypt them in handling the response to the SIP request. Further, the routing information given to a P-CSCF during Registration may contain encrypted information, which would be decrypted by an I-CSCF in handling a SIP request.

Depending on the operator's configuration, the I-CSCF that encrypts the aforementioned headers may or may not be the same I-CSCF that needs to decrypt the information; all I-CSCFs of an operator should have the ability to decrypt each other's data. In the simplest conceivable implementation, all I-CSCFs share a key, which is distributed by whatever provisioning mechanisms already exist for the purposes of setting up security-related information on the CSCFs. This key could also be established by running any number of shared-key generation protocols. This key, which we shall call Kv, will need to be regenerated periodically. When that happens, the previous key is also kept for a small fraction of the key lifetime in case there are still sessions using the old key. With a modern algorithm such as AES, with a 128-bit block and 256-bit key, there is no real reason to ever rekey during the lifetime of the system, unless, of course, the key gets compromised or otherwise exposed.

The information to be encrypted is appended with a random 128-bit Initialization Vector, and padded to a multiple of 128 bits. The information is encrypted and MAC-protected with a block cipher (e.g., AES), in CBC-MAC mode. One of the proposed new modes for AES is a one-pass integrity-protection and encryption mode, and that should be used once it is standardized by NIST. All this is base-64 encoded and transmitted as a single entry in the header. This information is treated opaquely by the other CSCFs. When an I-CSCF receives this opaque header, it decrypts it with the shared key, verifies the integrity, and reconstructs the headers.

The IV shall be a random number; it cannot be a counter, because multiple CSCFs are using the same key. With a random value and a 128-bit IV, the probability of two CSCFs picking the same IV is roughly 2^-64, which is more than adequate. The information does not need to be authenticated, as the threat model does not include malicious tampering of its contents; what is being protected is the identities of all the CSCFs of the home network.

3 Proposal

It is proposed that SA3 endorse the encryption-based mechanism as a method of implementing the network configuration independence requirement and that an LS be sent to S2 with the following CR to TS23.228.
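The hide/reveal operation of section 2, written out as an added example (not code from this contribution or from any 3GPP implementation): AES-256-CBC under the shared I-CSCF key Kv with a random 128-bit IV, padding to a multiple of 128 bits, base-64 output, and a key ring that keeps the previous key during the rekey grace period. The one-byte key id at the front of the token, the IV-first layout and all names are this example's assumptions; it encrypts only and, matching the stated threat model, adds no MAC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// KeyRing is the shared I-CSCF key Kv, indexed by a one-byte key id so the previous
// key can stay in the ring during the rekey grace period (key id: example's assumption).
type KeyRing struct {
	CurrentID byte
	Keys      map[byte][]byte // id -> 32-byte AES-256 key
}

// HideHeader turns a clear header entry (e.g. an S-CSCF name) into the opaque
// value carried in Via/Record-Route/Route/Path:
// base64( keyID || IV || AES-256-CBC(Kv, IV, PKCS#7(clear)) ).
func HideHeader(kr KeyRing, clear string) (string, error) {
	block, err := aes.NewCipher(kr.Keys[kr.CurrentID])
	if err != nil {
		return "", err
	}
	// Random IV, never a counter: several I-CSCFs share Kv, so counters collide.
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(clear)%aes.BlockSize
	plain := append([]byte(clear), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, 1+aes.BlockSize+len(plain))
	out[0] = kr.CurrentID
	copy(out[1:], iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[1+aes.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// RevealHeader is the inverse, run by whichever I-CSCF of the operator handles
// the request or response; it accepts tokens made under any key still in the ring.
func RevealHeader(kr KeyRing, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < 1+2*aes.BlockSize || (len(raw)-1)%aes.BlockSize != 0 {
		return "", errors.New("malformed opaque header")
	}
	key, ok := kr.Keys[raw[0]]
	if !ok {
		return "", errors.New("token made under a retired or unknown key id")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, body := raw[1:1+aes.BlockSize], raw[1+aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: wrong key or corrupted header")
	}
	return string(plain[:len(plain)-pad]), nil
}
```

Go's AES-GCM (cipher.NewGCM) is the NIST-standardized one-pass mode the text anticipates; swapping it in for the CBC calls also gives the integrity check that CBC alone does not provide.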

CHANGE REQUEST

23.228 CR xx rev Current version: 5.1.0

CR-Form-v3. For HELP on using this form, see bottom of this page or look at the pop-up text over the symbols.

Proposed change affects: (U)SIM [ ] ME/UE [ ] Radio Access Network [ ] Core Network [X]

Title: Network Configuration Independence
Source: AT&T Wireless
Work item code: 1515
Date: 07.07.2001
Category: C
Release: REL-5

Use one of the following categories: F (essential correction), A (corresponds to a correction in an earlier release), B (Addition of feature), C (Functional modification of feature), D (Editorial modification). Detailed explanations of the above categories can be found in 3GPP TR 21.900.
Use one of the following releases: 2 (GSM Phase 2), R96 (Release 1996), R97 (Release 1997), R98 (Release 1998), R99 (Release 1999), REL-4 (Release 4), REL-5 (Release 5).

Reason for change: The mechanism for Network Configuration Independence was left open in TS23.228. This CR proposes the encryption-based method for Network Configuration Independence, and contains the necessary changes to be applied to the Registration flows in TS23.228.

Summary of change: This CR modifies the registration flows to reflect the encryption-based method for the Network Configuration Independence requirement.

Consequences if not approved:

Clauses affected: 5.2.2.3 and 5.2.2.4

Other specs affected: Other core specifications / Test specifications / O&M Specifications

Other comments:

How to create CRs using this form: Comprehensive information and tips about how to create CRs can be found at: http://www.3gpp.org/3g_specs/crs.htm. Below is a brief summary:
1) Fill out the above form. The symbols above marked contain pop-up help information about the field that they are closest to.
2) Obtain the latest version for the release of the specification to which the change is proposed. Use the MS Word "revision marks" feature (also known as "track changes") when making the changes. All 3GPP specifications can be downloaded from the 3GPP server under ftp://www.3gpp.org/specs/ For the latest version, look for the directory name with the latest date e.g. 2000-09 contains the specifications resulting from the September 2000 TSG meetings.
3) With "track changes" disabled, paste the entire CR form (use CTRL-A to select it) into the specification just in front of the clause containing the first piece of changed text. Delete those parts of the specification which are not relevant to the change request.

5.2.2.3 Registration information flow - User not registered

The application level registration can be initiated after the registration to the access is performed, and after IP connectivity for the signalling has been gained from the access network. For the purpose of the registration information flows, the subscriber is considered to be always roaming. For subscribers roaming in their home network, the home network shall perform the role of the visited network elements and the home network elements.

[Figure 5.1: Registration - User not registered. Message sequence chart between UE and P-CSCF (visited network) and I-CSCF, HSS and S-CSCF (home network): 1. Register, 2. Register, 3. Cx-Query, 4. Cx-Query Resp, 5. Cx-Select-pull, 6. Cx-Select-pull Resp, 7. Register, 8. Cx-put, 9. Cx-put Resp, 10. Cx-Pull, 11. Cx-Pull Resp, 12. 200 OK, 13. 200 OK, 14. 200 OK]

1. After the UE has obtained a signalling channel through the access network, it can perform the IM registration. To do so, the UE sends the Register information flow to the proxy (subscriber identity, home network's domain name).

2. Upon receipt of the register information flow, the P-CSCF shall examine the home domain name to discover the entry point to the home network (i.e. the I-CSCF). The proxy shall send the Register information flow to the I-CSCF (P-CSCF's name, subscriber identity, visited network contact name).

A name-address resolution mechanism is utilised in order to determine the address of the home network from the home domain name. When the I-CSCF receives the registration information flow from the proxy, it shall examine the subscriber identity and the home domain name, and employ the services of a name-address resolution mechanism, to determine the HSS address to contact.

3. The I-CSCF shall send the Cx-Query information flow to the HSS (subscriber identity, visited domain name). The P-CSCF name is the contact name that the operator wishes to use for future contact to that P-CSCF. The HSS shall check whether the user is registered already. The HSS shall indicate whether the user is allowed to register in that visited network according to the User subscription and operator limitations/restrictions if any.

4. Cx-Query Resp is sent from the HSS to the I-CSCF. If the checking in HSS was not successful the Cx-Query Resp shall reject the registration attempt.

5. At this stage, it is assumed that the authentication of the user has been completed (although it may have been determined at an earlier point in the information flows). The I-CSCF shall send Cx-Select-Pull (subscriber identity) to the HSS to request the information related to the required S-CSCF capabilities which shall be input into the S-CSCF selection function.

6. The HSS shall send Cx-Select-Pull Resp (required S-CSCF capabilities) to the I-CSCF.

7. The I-CSCF, using the name of the S-CSCF, shall determine the address of the S-CSCF through a name-address resolution mechanism. The I-CSCF also determines the name of a suitable home network contact point, possibly based on information received from the HSS. The home network contact point may either be the S-CSCF itself, or a suitable I-CSCF in case network configuration hiding is desired. If an I-CSCF is chosen as the home network contact point, it may be distinct from the I-CSCF that appears in this registration flow, and it will be capable of decrypting the S-CSCF name from the home contact information. The I-CSCF shall then send the register information flow (P-CSCF's name, subscriber identity, visited network contact name, home network contact point in case network configuration hiding is desired) to the selected S-CSCF. The home network contact point will be used by the P-CSCF to forward session initiation signalling to the home network.

8. The S-CSCF shall send Cx-Put (subscriber identity, S-CSCF name) to the HSS. The HSS stores the S-CSCF name for that subscriber.

9. The HSS shall send Cx-Put Resp to the I-CSCF to acknowledge the sending of Cx-Put.

10. On receipt of the Cx-Put Resp information flow, the S-CSCF shall send the Cx-Pull information flow (subscriber identity) to the HSS in order to be able to download the relevant information from the subscriber profile to the S-CSCF. The S-CSCF shall store the P-CSCF's name, as supplied by the visited network. This represents the name that the home network forwards the subsequent terminating session signalling to for the UE.

11. The HSS shall return the information flow Cx-Pull Resp (user information) to the S-CSCF. The user information passed from the HSS to the S-CSCF shall include one or more names/addresses information which can be used to access the platform(s) used for service control while the user is registered at this S-CSCF. The S-CSCF shall store the information for the indicated user. In addition to the names/addresses information, security information may also be sent for use within the S-CSCF.

12. The S-CSCF shall return the 200 OK information flow (serving network contact information) to the I-CSCF. If an I-CSCF is chosen as the home network contact point, the I-CSCF shall encrypt the S-CSCF address in the serving network contact information.

13. The I-CSCF shall send information flow 200 OK (serving network contact information) to the P-CSCF. The I-CSCF shall release all registration information after sending information flow 200 OK.

14. The P-CSCF shall store the serving network contact information, and shall send information flow 200 OK to the UE.

5.2.2.4 Re-Registration information flow - User currently registered

Editor's Note: the definition of re-registration timers requires further study, however it is noted that the timers in the UE are shorter than the registration related timers in the network.

Periodic application level re-registration is initiated by the UE either to refresh an existing registration or in response to a change in the registration status of the UE. Re-registration follows the same process as defined in subclause 5.2.2.3 Registration Information Flow - User not registered.

[Figure 5.2: Re-registration - user currently registered. Message sequence chart between UE and P-CSCF (visited network) and I-CSCF, HSS and S-CSCF (home network): 1. Register, 2. Register, 3. Cx-Query, 4. Cx-Query Resp, 5. Register, 6. Cx-put, 7. Cx-put Resp, 8. Cx-Pull, 9. Cx-Pull Resp, 10. 200 OK, 11. 200 OK, 12. 200 OK]

1. Prior to expiry of the agreed registration timer, the UE initiates a re-registration. To re-register, the UE sends a new REGISTER request. The UE sends the REGISTER information flow to the proxy (subscriber identity, home network's domain name).

2. Upon receipt of the register information flow, the P-CSCF shall examine the home domain name to discover the entry point to the home network (i.e. the I-CSCF). The proxy does not use the entry point cached from prior registrations. The proxy shall send the Register information flow to the I-CSCF (P-CSCF's name, subscriber identity, visited network contact name). A name-address resolution mechanism is utilised in order to determine the address of the home network from the home domain name. When the I-CSCF receives the registration information flow from the proxy, it shall examine the subscriber identity and the home domain name, and employ the services of a name-address resolution mechanism, to determine the HSS address to contact.

3. The I-CSCF shall send the Cx-Query information flow to the HSS (subscriber identity, visited domain name).

4. The HSS shall check whether the user is registered already and return an indication indicating that an S-CSCF is assigned. The Cx-Query Resp (indication of entry contact point, e.g. S-CSCF) is sent from the HSS to the I-CSCF.

5. At this stage, it is assumed that the authentication of the user has been completed (although it may have been determined at an earlier point in the information flows). The I-CSCF, using the name of the S-CSCF, shall determine the address of the S-CSCF through a name-address resolution mechanism. The I-CSCF also determines the name of a suitable home network contact point, possibly based on information received from the HSS. The home network contact point may either be the S-CSCF itself, or a suitable I-CSCF in case network configuration hiding is desired. If an I-CSCF is chosen as the home network contact point, it may be distinct from the I-CSCF that appears in this registration flow, and it will be capable of decrypting the S-CSCF name from the home contact information. The I-CSCF shall then send the register information flow (P-CSCF's name, subscriber identity, visited network contact name, home network contact point in case network configuration hiding is desired) to the selected S-CSCF. The home network contact point will be used by the P-CSCF to forward session initiation signalling to the home network.

6. The S-CSCF shall send Cx-Put (subscriber identity, S-CSCF name) to the HSS. The HSS stores the S-CSCF name for that subscriber.
Note: Optionally as an optimisation, the S-CSCF can detect that this is a re-registration and omit the Cx-Put request.

7. The HSS shall send Cx-Put Resp to the S-CSCF to acknowledge the sending of Cx-Put.

8. On receipt of the Cx-Put Resp information flow, the S-CSCF shall send the Cx-Pull information flow (subscriber identity) to the HSS in order to be able to download the relevant information from the subscriber profile to the S-CSCF. The S-CSCF shall store the P-CSCF's name, as supplied by the visited network. This represents the name that the home network forwards the subsequent terminating session signalling to for the UE.
Note: Optionally as an optimisation, the S-CSCF can detect that this is a re-registration and omit the Cx-Pull request.

9. The HSS shall return the information flow Cx-Pull-Resp (user information) to the S-CSCF. The S-CSCF shall store the user information for that indicated user.

10. The S-CSCF shall return the 200 OK information flow (serving network contact information) to the I-CSCF. If an I-CSCF is chosen as the home network contact point, the I-CSCF shall encrypt the S-CSCF address in the serving network contact information.

11. The I-CSCF shall send information flow 200 OK (serving network contact information) to the P-CSCF. The I-CSCF shall release all registration information after sending information flow 200 OK.

12. The P-CSCF shall store the serving network contact information, and shall send information flow 200 OK to the UE.