Hi Vikram,

There isn't too much work to be done to be honest. We actually tested some ipsec prototypes about 2 years ago. The various usrloc modules and their associated DB schemas also already have support for it. What is still required is the code to actually setup the IPSEC SAs using ipsec-tools libraries exposed via the OS. OpenIMS have some scripts that use bash to create the necessary SAs but we thought that it would be better to add via calls directly to the OS libraries as opposed to via bash scripts... The problem is that we've just never got round to doing it.

Re. AKA auth, it is already supported in S-CSCF (ims_auth module) - we already use it in production to authenticate various Samsung and Qualcomm based VoLTE handsets.

Cheers

Jason

On Wed, 29 Jun 2016 at 23:33 Vikram Chhibber <vikram.chhibber@gmail.com> wrote:

Hi All,

I recently asked question on whether the pcscf module supports transport mode ipsec with UE along with AKAv1/v2-MD5 authentication and the answer came no.

I just want to open a discussion on how much effort would be neede to support this or whether this work is already in progress or in roadmap.
Basically, at PCSCF end, we need to support following:
1. RFC 3329 - "Security Mechanism Agreement for SIP" that includes processing of Security-Client, Security-Server and Security-Verify headers.
2. Support for processing of WWW-Authenticate header to extract CK and IK keys for ipsec.
3. Support for creating, updating and deleting ipsec security-associations using setkey or something else.
3. Management of secure sockets for ipsec communication.

and on SCSCF side, support for AKAv1/v2-MD5.

Please let me know the your thoughts.

Thanks

_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev