29 Jun
2016
29 Jun
'16
11:33 p.m.
Hi All,
I recently asked question on whether the pcscf module supports transport
mode ipsec with UE along with AKAv1/v2-MD5 authentication and the answer
came no.
I just want to open a discussion on how much effort would be neede to
support this or whether this work is already in progress or in roadmap.
Basically, at PCSCF end, we need to support following:
1. RFC 3329 - "Security Mechanism Agreement for SIP" that includes
processing of Security-Client, Security-Server and Security-Verify headers.
2. Support for processing of WWW-Authenticate header to extract CK and IK
keys for ipsec.
3. Support for creating, updating and deleting ipsec security-associations
using setkey or something else.
3. Management of secure sockets for ipsec communication.
and on SCSCF side, support for AKAv1/v2-MD5.
Please let me know the your thoughts.
Thanks
29 Jun
29 Jun
11:48 p.m.
There is work in progress on this . We have an ipsec module which handles points 1. and
2. We have a daemon that talks with the kamailio module which handles point 3 and is
managing SAs via XFRM . Last point is a little bit harder without NAT, but possible, and
likely we'll have that too.When the ipsec module is ready we plan to release it but
the manager which handles ipsec states and policies might be closed source. The protocol
to communicate with the ipsec manger will be open and based on simple json queries .
One of the problems we ran into is that we don't have any good UE to reference to and
to test our implementation with, both the iPhone and the Android are full of bugs and
don't respect the specs .
Regards,Dragos
From: Vikram Chhibber <vikram.chhibber(a)gmail.com>
To: sr-dev(a)lists.sip-router.org
Sent: Wednesday, June 29, 2016 11:33 PM
Subject: [sr-dev] Gm interface ipsec support
Hi All,
I recently asked question on whether the pcscf module supports transport mode ipsec with
UE along with AKAv1/v2-MD5 authentication and the answer came no.
I just want to open a discussion on how much effort would be neede to support this or
whether this work is already in progress or in roadmap.Basically, at PCSCF end, we need to
support following:1. RFC 3329 - "Security Mechanism Agreement for SIP" that
includes processing of Security-Client, Security-Server and Security-Verify headers.2.
Support for processing of WWW-Authenticate header to extract CK and IK keys for ipsec.3.
Support for creating, updating and deleting ipsec security-associations using setkey or
something else.3. Management of secure sockets for ipsec communication.
and on SCSCF side, support for AKAv1/v2-MD5.
Please let me know the your thoughts.
Thanks
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
30 Jun
30 Jun
9:56 a.m.
Hi Vikram,
There isn't too much work to be done to be honest. We actually tested some
ipsec prototypes about 2 years ago. The various usrloc modules and their
associated DB schemas also already have support for it. What is still
required is the code to actually setup the IPSEC SAs using ipsec-tools
libraries exposed via the OS. OpenIMS have some scripts that use bash to
create the necessary SAs but we thought that it would be better to add via
calls directly to the OS libraries as opposed to via bash scripts... The
problem is that we've just never got round to doing it.
Re. AKA auth, it is already supported in S-CSCF (ims_auth module) - we
already use it in production to authenticate various Samsung and Qualcomm
based VoLTE handsets.
Cheers
Jason
On Wed, 29 Jun 2016 at 23:33 Vikram Chhibber <vikram.chhibber(a)gmail.com>
wrote:
Hi All,
I recently asked question on whether the pcscf module supports transport
mode ipsec with UE along with AKAv1/v2-MD5 authentication and the answer
came no.
I just want to open a discussion on how much effort would be neede to
support this or whether this work is already in progress or in roadmap.
Basically, at PCSCF end, we need to support following:
1. RFC 3329 - "Security Mechanism Agreement for SIP" that includes
processing of Security-Client, Security-Server and Security-Verify headers.
2. Support for processing of WWW-Authenticate header to extract CK and IK
keys for ipsec.
3. Support for creating, updating and deleting ipsec security-associations
using setkey or something else.
3. Management of secure sockets for ipsec communication.
and on SCSCF side, support for AKAv1/v2-MD5.
Please let me know the your thoughts.
Thanks
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
3046
days inactive
3047
days old
2 comments
3 participants
participants (3)
-
Dragos Oancea -
Jason Penton -
Vikram Chhibber