No entity aside from the home P-CSCF and I-CSCF functions should
be allowed direct access to the S-CSCF in the network, to protect against masquerading
and other forms of attack. The P-CSCF protects the S-CSCF and the HSS.
One of the P-CSCF functions is verifying the integrity key (IK) each time a registered
device accesses the network. If the IK is invalid, the P-CSCF discards the message,
preventing the device from getting any further.
The device and the P-CSCF maintain two security associations, one for incoming and
one for outgoing ports. These security associations are established after registration
and are reserved for all communications between the registered device and the concerned
P-CSCF. By maintaining a security association, the P-CSCF can prevent attacks
from other devices masquerading as legitimate subscribers.
An association begins once registration has been completed using the SIP port 5060
(or 5061). These are the commonly used ports called out in operating systems for all
SIP sessions. However, in the IMS, these ports are only used for registration. Once registration
is completed, the device is assigned a different port known only to the device
itself and the P-CSCF.
IPsec manages the associations on these ports. When the security association is established
at registration time, the IP address at the IPsec layer and the IP address
at the SIP level are compared to ensure they are the same.
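
The port and address checks described above can be sketched as follows. This is an added example, not code from the book or from any IMS product. It assumes the SIP-level address is read from the topmost Via header and that associations are keyed by device address and assigned port; the `admit` and `via_host` names, addresses, ports and messages are constructed for illustration.

```python
import ipaddress

REGISTRATION_PORTS = {5060, 5061}   # per the text: used only for registration
# Constructed table of established associations: (device IP, assigned port)
SAS = {("10.0.0.5", 31100)}

def via_host(sip_message):
    """Return the host part of the topmost Via header (assumed SIP-level address)."""
    for line in sip_message.split("\r\n")[1:]:
        if not line:
            break                                   # end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            sent_by = value.split(",")[0].split(";")[0].split()[-1]
            if sent_by.startswith("["):             # IPv6 form: [addr]:port
                return sent_by[1:sent_by.index("]")]
            return sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by
    raise ValueError("no Via header")

def admit(sas, src_ip, dst_port, sip_message):
    """Return (accepted, reason) for a message arriving at the P-CSCF."""
    method = sip_message.split(" ", 1)[0]
    if dst_port in REGISTRATION_PORTS:
        ok = method == "REGISTER"
        return ok, "registration port" if ok else "non-REGISTER on registration port"
    if (src_ip, dst_port) not in sas:
        return False, "no security association for this address and port"
    try:
        sip_ip = ipaddress.ip_address(via_host(sip_message))
    except (ValueError, IndexError):
        return False, "Via host missing or not an IP literal"
    # src_ip is the address seen at the IPsec layer for this association
    if sip_ip != ipaddress.ip_address(src_ip):
        return False, "SIP-level address differs from IPsec-level address"
    return True, "matches security association"

def _msg(method, via_ip):
    """Build a constructed sample SIP request."""
    return (f"{method} sip:bob@example.test SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {via_ip}:31100;branch=z9hG4bK74bf9\r\n"
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(admit(SAS, "10.0.0.5", 5060, _msg("REGISTER", "10.0.0.5")))
    print(admit(SAS, "10.0.0.5", 31100, _msg("INVITE", "10.0.0.5")))
    print(admit(SAS, "10.0.0.5", 31100, _msg("INVITE", "10.0.0.77")))
    print(admit(SAS, "10.0.0.5", 5060, _msg("INVITE", "10.0.0.5")))
```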