VoLTE Security in NG PRDs

Similar documents
NG40 IMS Emulator. Key features: IMS Registration VoLTE Basic SRVCC (one-way HO of single active speech session from 4G PS to 3G CS)

ETSI TR V (201

Agenda. Introduction Roaming Scenarios. Other considerations. Data SMS Voice IMS

Delivery of Voice and Text Messages over LTE 13 年 5 月 27 日星期 一

Delivery of Voice and Text Messages over LTE

Timmins Training Consulting

MSF Architecture for 3GPP Evolved Packet System (EPS) Access MSF-LTE-ARCH-EPS-002.FINAL

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016

Private Network Traffic Management

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Leveraging Wi-Fi Calling To Reduced Operator Costs and Improve the Customer Experience

PCC (Policy and Charging Control) In Mobile Data. EFORT

DAY 2. HSPA Systems Architecture and Protocols

VoLTE is the mainstream solution

3GPP TR V ( )

Simulation of LTE Signaling

Test-king QA

Agenda. LTE Data Roaming. Role of IPX as defined by i3forum Manpreet Singh ibasis Inc., a KPN Company.

Timmins Training Consulting Sdn. Bhd. VoLTE Core Network

CS8 Mobile Device Test System. CS8-TS-LTE-NAS User Manual

3GPP TSG SA WG3 Security SA3#35 S St. Paul s Bay, Malta, 5 8 October, 2004

HSS-based P-CSCF Restoration


Spirent Landslide VoLTE

GTP-based S2b Interface Support on the P-GW and SAEGW

Modern IP Communication bears risks

VoLTE with OpenEPC and OpenIMS

Quality of Service, Policy and Charging

Sh Gy. Ro Gx. Cx Ici. Mr Mj

5G Non Standalone for SAEGW

4A0-M02. Alcatel-Lucent. Alcatel-Lucent Mobile Gateways for the LTE Evolved Packet Core

7/27/2010 LTE-WIMAX BLOG HARISHVADADA.WORDPRESS.COM. QOS over 4G networks Harish Vadada

ETSI TS V ( )

Procedures for unified authentication in Wireless LAN/PAN using 3G credentials

Implementing Cisco Service Provider Mobility LTE Networks ( )

Voice Over LTE (VoLTE) - A Core Perspective Comprehensive hands-on workshop

Temporary Document Page 2 - switches off, the allocated resources and PCC rules information of PDN GWs used by the UE in non- network will not be dele

awaves academy EPS/LTE Training Program In cooperation with GreenlightPM and TheSpecTool TheSpecTool

AMERICAN NATIONAL STANDARD

LTE Training LTE (Long Term Evolution) Training Bootcamp, Crash Course

Understanding TETRA Security

Taking Over Telecom Networks

Overview of GPRS and UMTS

Next Generation Core Networks Summit 2011 Standardisation and Developments within SAE

ARCHITECTING THE NETWORK FOR THE MOBILE IPV6 TRANSITION. Gary Hauser Sr. Marketing Mgr. Mobility Sector Member 3GPP RAN3 WG

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

WIDESTAR II Satellite Core Network System. any Access Point Name (APN) *2 available. APNs in any way. A FAX gateway. the existing satellite system.

NGN Security standards for Fixed-Mobile Convergence

3GPP TS V ( )

NTT DOCOMO Technical Journal

The leader in session border control. for trusted, first class interactive communications

STIR and SHAKEN Framework Overview. IIT Real-Time Conference 2016 Chris Wendt

Rx Services. Overview. VoLTE

Allstream NGNSIP Security Recommendations

REFERENCE ARCHITECTURE FOR END-TO-END QOS IN HETEROGENEOUS WIRELESS NETWORK ENVIRONMENTS

Mavenir Keynote. Think Smarter Secure communication Innovate Services. By Mohamed Issa Regional Head of Africa Sales

CONTENTS. Subscriber denial of service...9 Causes of vulnerabilities Recommendations for protection Conclusion... 13

ETSI TS V ( )

THREATS TO PACKET CORE SECURITY OF 4G NETWORK

DRAFT - QoS Sensitive Roaming Principles 1.0 August 2004

Rx Services. Overview

ETSI TS V ( )

3GPP TS V ( )

ETSI TS V9.3.0 ( ) Technical Specification

3GPP TS V ( )

Application Note. Establish LTE & 2G/3G connections to HEAD acoustics equipment via Anritsu MD8475A

All-IP System MMD Roaming Technical Report

HRPD Serving Gateway Overview

Quality of Service in 4G/5G networks

Why Firewalls? Firewall Characteristics

All-IP Core Network Multimedia Domain

Convergence of IP and Mobile Communications. Albert Coronel RedLink Communications Co., Ltd. MMNOG, November 21, 2015

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

S-GW Event Reporting

VoLTE Core Network. VENUE: UniKL, Jalan Sultan Ismail, KL DATE: March 18-20, TIME: 9 AM - 5 PM DURATION: 3 days

GPRS billing: getting ready for UMTS

Technical White Paper for NAT Traversal

on QoS/QoE measurements

Quality-of-Service Option for Proxy Mobile IPv6

3GPP TS V9.3.0 ( )

VoLTE: The Next Generation of Voice

ETSI TR V1.1.1 ( )

Real-time Communications Security and SDN

ETSI TS V ( )

WIT VoWiFi. Leverage Wi-Fi for voice calling. vowifi.wit-software.com

Version LTE Emulators v10.2 Release Notes - Page 1 of 16 - Release Date: Aug 28, Resolved Issues

Policy Control Configuration Mode Commands

5G NSA for MME. Feature Summary and Revision History

ETSI TS V ( )

This sequence diagram was generated with EventStudio System Designer (

2. SA1 Release 11 Standardization Trends

COPYRIGHTED MATERIAL. Contents. 1 Short Message Service and IP Network Integration 1. 2 Mobility Management for GPRS and UMTS 39

MOBILE NETWORK SECURITY

This sequence diagram was generated with EventStudio System Designer (

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

ETSI TS V (201

Routing Behind the Mobile Station on an APN

ETSI TS V ( )

IPv6 in 2G and 3G Networks. John Loughney. North American IPv6 Forum 2004

5G Non Standalone. Feature Summary and Revision History

Transcription:

Background A number of different audits and security analysis of various VoLTE networks have been performed. - See also FSAG WP VoLTE Security Threats and Attacks The observation from the audits were in the following areas from a network perspective (listing the most critical issues): - IMS Authentication and signalling protection was not used by some operators - Media allowed to be sent between terminals prior the call has been answered - Operators allowed direct communication between terminals - Phone could access internet over IMS APN In addition, a number of Smartphone issues has been observed: - It can be observed that not all the Smartphone issues are VoLTE specific. In contrary, many things such as making unwanted (premium) calls and replacing voice media with data, are equally applicable to 2G/3G CS as it is for VoLTE. Revised: Page: 1 of 5

Threats and UE countermeasures Source: VoLTE Security Threats and Attacks Threats: - Free Data on signalling bearer - Overbilling - Pre-emptive data - Data DoS - Muted Voice (DoS) - Other than voice in RTP - Spoofing - Mobile User Battery Drain - Service Halt UE countermeasures Prevent UE from being hackable, even if rooted Use embedded SIP stack and not downloadable Prevent RTP stack being hackable on the UE (use embedded stack). Network countermeasures Apply correct traffic policies at the P-GW for IMS signalling bearer Use of IMS-ALG/IMS-AGW to rate control signalling and filter SIP signalling messages Restriction on simultaneous calls within the IMS core Dynamic allocation of IP addresses to UEs Revised: Page: 2 of 5

Firewalls at edge of operator s network Dedicated bearer is strictly rate controlled Use IMS-AKA mutual authentication at IMS registration Apply IMS level encryption or integrity protection between P-CSCF and UE Use SIP P-Asserted-Id header Input data validation to avoid misconfiguration of Network nodes Lack of proving/hardening of Network node Some more details on potential problems and countermeasures: I- Problem: In some networks, authentication and signaling protection has not been enabled. Risk for call spoofing / fraud etc. Observation: GSMA IR.92 mandates IMS AKA with IPsec (with at least integrity protection). How can this be solved? From GSMA perspective, the currently mandated signaling security for VoLTE is considered enough to handle the problems listed Revised: Page: 3 of 5

II Problem Media allowed to be sent between terminals prior the call has been answered over IMS signaling bearer Operators allowed direct communication between terminals over IMS signaling bearer Phone could access internet over IMS signaling bearer All of these can result in implications on charging (bypass), fraud, and risk of overloading the IMS signaling bearer (which is the high priority bearer) Observation: There may also be implications on visited network in case of IMS Roaming using S8HR if allowing other traffic than SIP (to P-CSCF) GSMA had discussed other issues of allowing e.g., media over the IMS signaling bearer, and agreed CRs preventing media on the IMS signaling bearer. How can this be solved? : Only allow SIP traffic on IMS signaling bearer, and have strict policing of the dedicated bearers for media (both connectivity and bandwidth) Revised: Page: 4 of 5

Conclusion and Recommendation - GSMA PRD IR.92 has already addressed a number of the more high risk issues identified, including charging and avoiding media on QCI-5. - In addition, 3GPP has defined the basic framework to allow policing of SIP signaling bearer as well as of the default bearers to avoid that direct communication and unauthorized usage can be done. - GSMA PRD IR.65 has been updated to describe Gate Control and Traffic Policing using the IMS Application Level Gateway (IMS-ALG) and IMS Access Media Gateway (IMS-AGW) covering Policing of SIP signaling bearer and of dedicated bearers, e.g. to avoid direct communication between UEs, and unauthorized usage. Uplink and downlink service level gating control by the PDN GW Ensuring that all traffic via the PDN connection to the IMS well-known APN is only between the PDN-GW and the P-CSCF / IMS-AGW; and Preventing downlink media via the signalling bearer on the PDN connection to the IMS APN. - Prevent UE from being hackable, even if rooted - Follow the 3GPP and GSMA guidelines. Revised: Page: 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback