By Tsahi Levent-Levi
Remember my post about
IMS access?
I talked about how a user is authenticated on the network using a key exchange mechanism (AKA-MD5 or IKE) and IPSec to ensure privacy.
We were left with this one nagging issue derived from the fact that IPSec is used differently with different types of access. These are:
- Transport mode, when we use IPSec with AKA-MD5, and we have a USIM.
- Tunnel mode, when we use IPSec with IKE, and we don’t have a USIM.
- Transport over tunnel mode, when we use IPSec twice, since we’re outside an operator network.
Why is there a difference? Why not have IPSec in a single mode (like IP VPN) and be done with it?
Well, let’s start with tunnel mode. In tunnel mode, the data that you want to send is going to be passed “as is”, with the key exchange done using either IKE or MOBIKE. That’s not good enough for our USIM (the one that requires AKA-MD5, as it makes more sense to manage the data in front of the operator’s HSS). AKA requires exchanging keys and tweaking some internal parameters of IPSec. So we need to use a different mode for IPSec in this case. The problem is, some of the operating systems most commonly used in mobile handsets do not support this mode. So there is no real solution today for developers. Hopefully, solutions will become available soon.
Doing IPSec twice is sort of like peeling the layers of an onion. The external layer is tunnel mode, where you use IKE in front of your wireless network’s access, but then tunnel the IPSec packets generated using transport mode, which were generated with AKA-MD5 to authenticate the USIM you have with the mobile network (since you don’t have direct access to it) inside it.
So IPSec alone is also an issue.
Do you think this post was written just to make you developers despair? Nah… I know you guys. I am one of you. We developers love challenges. We thrive on them. And IMS is a doozie!
Technorati Tags: IMS, SIP, IPSec, Tsahi Levent-Levi
No comments:
Post a Comment