Newport Networks Session Border Controller



White Paper - SIP Security and the IMS Core

Executive Summary

Much has been written about the security of SIP-based networks and security of Voice over IP in general, but ultimately good security is a complete architecture, not a single product or protocol. The advent of Fixed/Mobile Convergence and IMS networks has created some widely accepted standards and has equally highlighted architectural differences in the converging networks. Whilst the overall objective of providing a flexible, secure network and secure services is common, the implementation details differ from network to network.

Even within the IMS standards themselves there is sometimes an assumption of trust which may not in reality exist. For example, TISPAN's IMS definition assumes that the signalling elements are able to handle excessive signalling rates and badly formed signalling messages. In reality these elements are designed to process sessions; handling attacks at the same time may not be the best use of the equipment. In a data-centric network we would expect to see servers ringed by Firewalls and Intrusion Detection and Prevention systems, so why would we build a media-centric network any other way?
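The kind of pre-screening the paragraph above argues for, as an added example that is not part of the white paper and not Newport Networks' code: a small front-line check that rejects SIP messages which are not well formed and rate-limits each source address, so that the session-processing elements behind it only see sane traffic. The size limits, addresses and sample messages are constructed for illustration.

```python
"""Added example, not Newport Networks' code: a minimal SIP pre-screen of the
kind the paper argues should sit in front of the IMS signalling elements. It
rejects messages that are not well-formed SIP and rate-limits each source
address. Limits, addresses and sample messages are constructed."""
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(
    r"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS|SUBSCRIBE|NOTIFY|MESSAGE|INFO|PRACK|UPDATE|REFER|PUBLISH)"
    r" \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 [1-6]\d{2} .*$")
# RFC 3261 compact header names mapped to their long forms
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
MANDATORY = ("via", "from", "to", "call-id", "cseq")
MAX_MESSAGE_BYTES = 4096   # constructed limit; tune to the deployment
MAX_LINE_BYTES = 1024


def check_sip_message(raw: bytes):
    """Return None if the message is acceptable, otherwise a short rejection reason."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return "oversized message"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "non-utf8 bytes"
    if "\r\n\r\n" not in text:
        return "missing header terminator"
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not (REQUEST_LINE.match(lines[0]) or STATUS_LINE.match(lines[0])):
        return "bad start line"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_BYTES:
            return "oversized header line"
        if line[:1] in (" ", "\t"):
            continue  # folded continuation line: accepted, value not merged in this model
        if ":" not in line:
            return "malformed header line"
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    for h in MANDATORY:
        if h not in headers:
            return f"missing {h} header"
    length = headers.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body.encode("utf-8"))):
        return "content-length mismatch"
    return None


class SourceRateLimiter:
    """Sliding-window limit on messages per source address; the clock is passed in so it is testable."""

    def __init__(self, max_messages: int, window_seconds: float):
        self.max_messages = max_messages
        self.window = window_seconds
        self.events = defaultdict(deque)

    def allow(self, source: str, now: float) -> bool:
        q = self.events[source]
        while q and now - q[0] >= self.window:
            q.popleft()          # drop timestamps that fell out of the window
        if len(q) >= self.max_messages:
            return False
        q.append(now)
        return True


def screen(source: str, raw: bytes, limiter: SourceRateLimiter, now: float):
    """Combined decision: (accepted, reason). The rate limit is checked first so a flood is cheap to drop."""
    if not limiter.allow(source, now):
        return False, "rate limit exceeded"
    reason = check_sip_message(raw)
    return (reason is None), reason


if __name__ == "__main__":
    sample = (b"REGISTER sip:ims.example.net SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
              b"From: <sip:alice@ims.example.net>;tag=1928\r\n"
              b"To: <sip:alice@ims.example.net>\r\n"
              b"Call-ID: a84b4c76e66710\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")
    print(screen("192.0.2.10", sample, SourceRateLimiter(50, 1.0), 0.0))
```

The checks are deliberately syntactic (framing, start line, mandatory headers, Content-Length agreement with the body) so that they can run at line rate in front of the signalling elements; policy decisions about the caller remain with the IMS core.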

Fixed/Mobile Differences

The networks that support mobile services have developed their own security and authentication mechanisms that reside primarily in the radio access part of the network. This means that when 3GPP developed their IMS specification there was no need to be overly concerned with those issues. The IMS can assume that the subscriber that is registering has already been authenticated and that the only thing to deal with now is the policies that apply to the caller. In the case of a fixed line service there is no guarantee that the user will be authenticated against a USIM (Universal Subscriber Information Module), thus authentication must rely on other, potentially less secure techniques.

This ability to connect almost any hardware or software device opens the door to other potential problems in the fixed line network: device malfunction and malicious attack. The mobile radio access network is a far more controlled environment, with each device having a security association with the network, meaning that any abuse can be tracked back to a particular device. Another consideration is that there is currently a marked difference in the bandwidth available in fixed and mobile networks, thus the fixed line network offers a potentially larger pipe to deliver disruptive traffic. Fixed line networks will support a large population of PC based soft-clients. These require minimal testing, so the potential for the presence of badly behaved devices is much greater; it also means that a familiar environment is available for creating malicious software.

ETSI's TISPAN architecture takes the 3GPP IMS definition and expands it to include additional elements that help to address some of these concerns. The most noticeable difference is that the 3GPP definition deals only with the signalling path whilst the TISPAN definition includes elements that manage the media path, the BGFs (Border Gateway Functions). There is also a formalised Border Control Function between interconnected networks, the I-BCF.

The 3GPP IMS security architecture is based around IPsec, which works well in the 3G environment because it has no NAT devices. Most NAT devices translate port numbers as well as IP addresses, and because of the way IPsec protects its packets this port translation means that NAPT devices prevent end-to-end use of IPsec.

However, in TISPAN, with client devices typically being connected through broadband access networks, NAPT devices are virtually guaranteed. Thus, TISPAN encryption and authentication must take another route. RFC3261 specifies TLS as the secure transport mechanism for use with SIP, and this was considered by TISPAN; however, the selected encryption method is UDP encapsulation of IPsec. This eliminates the problems encountered when using IPsec across NAPT devices. IPsec, NAT traversal and TISPAN's selection of UDP encapsulated IPsec are examined in the White Paper "IPsec in VoIP Networks".
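The NAPT problem described in the two paragraphs above, as an added example that is not part of the white paper and not Newport Networks' code: a small model of an IPsec AH packet, a plain ESP packet and a UDP-encapsulated ESP packet passing through a port-translating NAT. AH authenticates the source address, so rewriting it breaks the check; plain ESP carries no port, so the NAT cannot tell two inside hosts apart; ESP wrapped in UDP (in the style of RFC 3948, port 4500) gives the NAT a port to translate while the ESP integrity check, which does not cover the outer IP header, still passes. Addresses, the shared key and payloads are constructed, and encryption is not modelled (the ESP payload is carried as opaque bytes).

```python
"""Added example, not from the paper or Newport Networks: why NAPT breaks IPsec
AH and plain ESP, and why UDP encapsulation lets ESP cross a NAPT.
Addresses, key and payloads are constructed; ESP encryption is not modelled."""
import hashlib
import hmac
import struct

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
KEY = b"constructed-shared-key"   # stands in for the SA key negotiated by IKE
ICV_LEN = 12                       # HMAC-SHA-256-96 style truncation


def _icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# AH: the ICV covers the immutable IP header fields (modelled as src/dst address)
# plus the payload, so any address rewrite invalidates it.
def _ah_covered(pkt: dict) -> bytes:
    return pkt["src_ip"].encode() + pkt["dst_ip"].encode() + pkt["payload"]


def ah_protect(pkt: dict) -> dict:
    out = dict(pkt, proto=PROTO_AH)
    out["icv"] = _icv(_ah_covered(out))
    return out


def ah_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], _icv(_ah_covered(pkt)))


# ESP: the ICV covers SPI, sequence number and payload only; the outer IP header
# is not covered, which is what makes UDP encapsulation workable.
def esp_protect(payload: bytes, spi: int, seq: int) -> bytes:
    header = struct.pack("!II", spi, seq)
    return header + payload + _icv(header + payload)


def esp_verify(esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, _icv(body))


class Napt:
    """Port-translating NAT. UDP flows are keyed by (inside address, inside port).
    ESP has no port field, so only one inside host can own the ESP mapping."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}
        self.next_port = 40000
        self.esp_owner = None

    def translate(self, pkt: dict):
        if pkt["proto"] == PROTO_UDP:
            key = (pkt["src_ip"], pkt["src_port"])
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return dict(pkt, src_ip=self.public_ip, src_port=self.table[key])
        if pkt["proto"] == PROTO_AH:
            return dict(pkt, src_ip=self.public_ip)   # rewrites the address AH authenticated
        if pkt["proto"] == PROTO_ESP:
            if self.esp_owner in (None, pkt["src_ip"]):
                self.esp_owner = pkt["src_ip"]
                return dict(pkt, src_ip=self.public_ip)
            return None   # second inside host's ESP cannot be distinguished: dropped
        return None


def run_scenarios() -> dict:
    """Run the three cases and report whether each survives the NAT."""
    nat = Napt("203.0.113.5")
    peer = "198.51.100.1"
    results = {}

    ah = ah_protect({"src_ip": "10.0.0.2", "dst_ip": peer, "payload": b"REGISTER sip:ims.example.net"})
    results["ah_no_nat"] = ah_verify(ah)
    results["ah_through_nat"] = ah_verify(nat.translate(ah))

    esp_a = {"src_ip": "10.0.0.2", "dst_ip": peer, "proto": PROTO_ESP, "payload": esp_protect(b"sip-a", 0x1001, 1)}
    esp_b = {"src_ip": "10.0.0.3", "dst_ip": peer, "proto": PROTO_ESP, "payload": esp_protect(b"sip-b", 0x1002, 1)}
    out_a, out_b = nat.translate(esp_a), nat.translate(esp_b)
    results["esp_first_host_through_nat"] = out_a is not None and esp_verify(out_a["payload"])
    results["esp_second_host_through_nat"] = out_b is not None

    # UDP encapsulation: ESP carried inside UDP port 4500; the NAT sees an ordinary UDP flow
    udp_a = {"src_ip": "10.0.0.2", "dst_ip": peer, "proto": PROTO_UDP, "src_port": 4500, "dst_port": 4500,
             "payload": esp_protect(b"sip-a", 0x1001, 2)}
    udp_b = dict(udp_a, src_ip="10.0.0.3", payload=esp_protect(b"sip-b", 0x1002, 2))
    out_ua, out_ub = nat.translate(udp_a), nat.translate(udp_b)
    results["udp_esp_both_hosts_through_nat"] = (
        out_ua["src_port"] != out_ub["src_port"]
        and esp_verify(out_ua["payload"]) and esp_verify(out_ub["payload"]))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'passes' if ok else 'fails'}")
```

The receiver of the UDP-encapsulated packet simply strips the UDP header and verifies the ESP that was inside, exactly as it would without the NAT; the translated UDP source port is all the NAT needs to route the reply back to the right client.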



