IMS AKA Protected traffic and Authentication
AKA Services include:
AKA protected traffic with IPsec
AKA requires all traffic between a UE (3G/4G/LTE terminal) and a P-CSCF during a session to be sent on specific IPsec protected channels.
AKA uses the IMS Gm interface (SIP protocol) for communication between a UE and a P-CSCF. Both sides have a Client port and a Server port.
Session registrations are performed with the SIP REGISTER request message.
The UE starts the AKA session registration on an unprotected channel between the UE and the P-CSCF.
The AKA session registration establishes two IPsec protected channels between the UE and the P-CSCF.
Figure F-24: IPsec channels for IMS AKA protected traffic (UDP or TCP)
The Security-Client, Security-Server, and Security-Verify headers are used to establish protected port pairs between UE and P-CSCF.
The information about port numbers etc. on the UE side is passed to the P-CSCF side in the Security-Client header.
The information about port numbers etc. on the P-CSCF side is passed to the UE side in the Security-Server header.
The UE calculates the keys used by IPsec based on the challenge information in the WWW-Authenticate header from the S-CSCF and the long-term secret (K).
The security settings (keys etc.) are stored in Security Associations (SAs) and identified by Security Parameter Indexes (SPIs).
The IMS Gm interface supports two alternative transport protocols, TCP and UDP.
The IPsec protected channels are used differently depending on the transport protocol used.
AKA protected traffic using TCP protocol
Figure F-25: IMS AKA protected traffic using TCP
For the TCP protocol, IPsec channel 1 is used for request messages from UE to P-CSCF and response messages from P-CSCF to UE.
IPsec channel 2 is used for request messages from P-CSCF to UE and response messages from UE to P-CSCF.
AKA protected traffic using UDP protocol
Figure F-26: IMS AKA protected traffic using UDP
For the UDP protocol, IPsec channel 1 is used for all traffic from UE to P-CSCF. IPsec channel 2 is used for all traffic from P-CSCF to UE.
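The sketch below is an added example, not part of the original document: it parses Security-Client and Security-Server values, applies the TCP and UDP channel rules described above, and flags SIP messages seen on the wrong port pair. The header values, port numbers and sample messages are constructed; the parameter names (port-c, port-s, spi-c, spi-s) and the mapping of channel 1 to UE client port / P-CSCF server port and channel 2 to P-CSCF client port / UE server port are assumptions taken from 3GPP TS 33.203, not from this page.

```python
# Added example. Header values and messages below are constructed samples.
SECURITY_CLIENT = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=11111; spi-s=22222; port-c=5062; port-s=5064"
SECURITY_SERVER = "ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=33333; spi-s=44444; port-c=6062; port-s=6064"

def parse_sec_agree(value):
    """Split one Security-Client/Security-Server value into (mechanism, params)."""
    mech, *params = [p.strip() for p in value.split(";")]
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    # Ports and SPIs are numeric; everything else (alg, q, ...) stays a string.
    return mech, {k: int(v) if k.startswith(("port-", "spi-")) else v for k, v in kv.items()}

def expected_channel(sender, kind, transport):
    """IPsec channel (1 or 2) for a message. sender: 'ue'|'pcscf', kind: 'request'|'response'."""
    if transport == "udp":
        return 1 if sender == "ue" else 2      # UDP: channel depends on direction only
    # TCP: a response travels on the channel its request used.
    return 1 if (sender == "ue") == (kind == "request") else 2

def expected_ports(sender, kind, transport, ue, pcscf):
    """(src_port, dst_port) the message must use on its protected channel."""
    ch = expected_channel(sender, kind, transport)
    # Assumption (TS 33.203): channel 1 = UE client port <-> P-CSCF server port,
    # channel 2 = P-CSCF client port <-> UE server port.
    ue_port = ue["port-c"] if ch == 1 else ue["port-s"]
    pc_port = pcscf["port-s"] if ch == 1 else pcscf["port-c"]
    return (ue_port, pc_port) if sender == "ue" else (pc_port, ue_port)

def misplaced(messages, ue, pcscf):
    """Return the messages whose ports do not match their expected protected channel."""
    return [m for m in messages
            if (m["src"], m["dst"]) != expected_ports(m["sender"], m["kind"], m["transport"], ue, pcscf)]

_, UE = parse_sec_agree(SECURITY_CLIENT)
_, PCSCF = parse_sec_agree(SECURITY_SERVER)

SAMPLE = [  # constructed traffic after registration
    {"sender": "ue", "kind": "request", "transport": "udp", "src": 5062, "dst": 6064},
    {"sender": "ue", "kind": "response", "transport": "udp", "src": 5062, "dst": 6064},
    {"sender": "pcscf", "kind": "request", "transport": "tcp", "src": 6062, "dst": 5064},
    {"sender": "ue", "kind": "response", "transport": "tcp", "src": 5062, "dst": 6064},  # wrong channel
    {"sender": "ue", "kind": "request", "transport": "tcp", "src": 5060, "dst": 5060},   # unprotected ports
]

if __name__ == "__main__":
    for m in misplaced(SAMPLE, UE, PCSCF):
        print("off-channel:", m)
```

The fourth sample message shows the difference between the transports: the same UE response is on the correct channel over UDP but on the wrong one over TCP.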
Authentication with AKA
AKA provides mutual authentication of UE and the servicing IMS system.
The UE authenticates the S-CSCF based on information in the 401 response message headers and locally stored information.
The UE acknowledges authentication of the S-CSCF with an authenticated Register message.
The UE gets authenticated by the S-CSCF based on information in the authenticated Register message and information stored in the HSS.
The S-CSCF acknowledges authentication of the UE with the 200 OK response message.
The IPsec protected channels replace the need for authentication of subsequent SIP request messages from the UE during a registration (except for Register), since they are transmitted on secured channels only open to the authenticated UE.