54 research outputs found

    Secure Service Provisioning (SSP) Framework for IP Multimedia Subsystem (IMS)

    With the emergence of mobile multimedia services such as unified messaging, click-to-dial applications, cross-network multimedia conferencing and seamless multimedia streaming services, the convergence of mobile communication networks and fixed networks began, accompanied by the integration of voice and data transmission technology. These developments form the precondition for the merging of the modern Internet on the one hand with telecommunications in the classical sense on the other. The IP Multimedia Subsystem (IMS) can be regarded here as the decisive next-generation service delivery platform in a unified communications world. Its architecture is based on a modular design with open interfaces and offers dedicated provisions for supporting multimedia services on the basis of the Internet protocols. Along with this emerging open technology come new security challenges in a multi-layered communication infrastructure, consisting essentially of the Internet Protocol (IP), the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) system is to investigate possible attack scenarios and security vulnerabilities in connection with the IP Multimedia Subsystem and to evaluate security solutions as proposed by IETF, 3GPP and TISPAN. Within this research work, these solutions are taken into account as part of the SSP system, with the aim of guaranteeing adequate protection for the IMS and the next-generation SDP.
This part, referred to as security protection level 1, includes among other things measures for user and network authentication, authorization of the use of multimedia services, and provisions for ensuring the confidentiality and integrity of data in connection with protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step, the limitations characteristic of security protection level 1 are examined and measures for improving the protection are developed. The corresponding extensions of security protection level 1 lead to an Intrusion Detection and Prevention (IDP) system that offers protection against Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) attacks, misuse and fraud attempts in IMS-based networks. Neither 3GPP nor TISPAN has so far specified solutions for this area. In this context, the research and development work described can contribute to the standardization of solutions for protection against DoS and DDoS attacks in IMS networks. The approach described here is based on the development of a (stateful / stateless) intrusion detection and prevention system. From a development point of view, the IDP was divided into two modules: the first module contains the basic functions of the IDP, which address flooding attacks on the IMS and their mitigation. Its goal is to protect the IMS core network and the IMS resources against DoS and DDoS attacks. This module is based on an online stateless detection methodology and becomes active as soon as the CPU load of the P-CSCF (Proxy-Call State Control Function) reaches or exceeds a predefined threshold. The second module (IDP-AS) has the task of intercepting attacks directed against IMS Application Servers (AS).
Here the measures concentrate on protecting the ISC interface between the IMS core and the application servers. This module implements a stateful detection methodology for recognizing misuse activity. While the user communicates with the application server, user-specific state data is recorded and used to check legitimacy. The IDP-AS checks all incoming requests and all outgoing responses that originate from or are directed to IMS Application Servers for admissibility with regard to the defined attack rules. The performance of the IDP modules is assessed using the criteria of accuracy and processing delay in identifying potential attacks. For the corresponding reference values, the normal-load and overload states are compared. Provided the performance of the IDP does not fall short of expectations, an IDP prototype is deployed for evaluation in the Open IMS Playground of the Fraunhofer FOKUS 3Gb testbed, so that it can be tested under real operating conditions, e.g. in VoIP, video conferencing, IPTV, presence and push-to-talk scenarios.
With the emergence of mobile multimedia services, such as unified messaging, click to dial, cross-network multiparty conferencing and seamless multimedia streaming services, fixed–mobile convergence and voice–data integration have started, leading to an overall Internet–Telecommunications merger. The IP Multimedia Subsystem (IMS) is considered the next generation service delivery platform in the converged communication world. It has a modular design with open interfaces and provides the flexibility to deliver multimedia services over IP technology.
In parallel, this open, emerging technology faces security challenges from multiple communication platforms and protocols such as IP, the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) Framework is to study the potential attacks and security threats to the IP Multimedia Subsystem (IMS) and to explore security solutions developed by IETF, 3GPP and TISPAN. This research work incorporates these solutions into the SSP Framework to secure IMS and the next generation Service Delivery Platform (SDP). We define this part as level 1 security protection, which includes user and network authentication, authorization to access multimedia services, and confidentiality and integrity protection against eavesdropping, session hijacking, man-in-the-middle attacks etc. In the next step, we investigated the limitations of and improvements to level 1 security and proposed an enhancement and extension as level 2 security by developing an Intrusion Detection and Prevention (IDP) system against Denial-of-Service (DoS)/Distributed DoS (DDoS) flooding attacks, misuse and fraud in IMS-based networks. These security threats have recently been identified by 3GPP and TISPAN, but no solution has been recommended or developed. Therefore our solution may be considered as a recommendation in future. Our approach is based on developing both stateless and stateful intrusion detection and prevention systems. From a development point of view, we have divided the work into two modules: the first module is IDP-Core, which addresses and mitigates flooding attacks in the IMS core. Its objective is to protect the IMS resources and IMS core entities from DoS/DDoS flooding attacks. This module is based on an online stateless detection methodology and activates when the CPU processing load of the P-CSCF (Proxy-Call State Control Function) reaches or crosses the defined threshold limit.
The second module is IDP-AS, which addresses and mitigates misuse attacks against IMS Application Servers (AS). Its focus is to secure the ISC interface between the IMS Core and Application Servers. This module is based on a stateful misuse detection methodology that creates and compares user state (partner) while the user is communicating with the application server, to check against the attack rules whether the user is performing a legitimate or illegitimate action. The IDP-AS also compares the incoming requests and outgoing responses to and from IMS Application Servers with the defined attack rules. In the performance analysis, the processing delay and attack detection accuracy of both Intrusion Detection and Prevention (IDP) modules were measured at the Fraunhofer FOKUS IMS Testbed, which was developed for research purposes. The performance evaluation is based on normal and overload scenarios. The results showed that the processing delay introduced by both IDP modules satisfied the standard requirements and did not cause retransmission of SIP REGISTER and INVITE requests. The developed prototype is under testing at the Fraunhofer FOKUS 3Gb Testbed for evaluation in real-world communication scenarios such as VoIP, video conferencing, IPTV, presence, push-to-talk etc.

    Improved internet protocol multimedia subsystem authentication for long term evolution

    Long Term Evolution (LTE) is a major technology to be used in the 4th generation (4G) mobile network, and the core network is evolving towards a converged packet-based framework for all services. As a part of the evolved core network, the Internet Protocol (IP) Multimedia Subsystem (IMS) provides multimedia services (data, voice, video and variations) over packet-switched networks. LTE and IMS are both defined by the 3rd Generation Partnership Project (3GPP) group, and the specification identifies that an LTE user device has to carry out two authentication steps to access IP multimedia services. The first authentication step is used to gain LTE network admission and the second authentication step is the IMS authentication used to gain access to the multimedia services. It is observed that the 4G standardized authentication protocols include double execution of the Authentication and Key Agreement (AKA), which increases the system’s complexity and results in significant authentication delay and high terminal energy consumption. Authentication is very important for a terminal to gain access to a network, and therefore considerable previous research into this topic has occurred. However, a common limitation of previously proposed authentication systems is either a lack of security or significant system modification. This research proposes the Improved AKA (IAKA) authentication protocol, which binds the two layers’ authentication procedures by using the unified IP Multimedia Private-user Identity (IMPI). The proposed IAKA only executes the AKA protocol once in the network layer and generates authentication credentials which would be used in the second IMS service layer authentication.
This research work included providing the IAKA authentication protocol, developing an LTE IMS integrated network by using OPNET Modeller, simulation of the IAKA and the legacy 3GPP-defined 4G LTE AKA authentication protocol under different environments, and in-depth analysis of the system performance, security and terminal’s energy consumption. It is shown that the proposed IAKA carries out terminal authentication correctly, improves security, reduces IMS layer authentication delay by up to 38%, and provides an 81.82% terminal energy consumption saving.

    Developing a cross platform IMS client using the JAIN SIP applet phone

    Since the introduction of the IP Multimedia Subsystem (IMS) by the Third Generation Partnership Project (3GPP) in 2002, a lot of research has been conducted aimed at designing and implementing IMS capable clients and network elements. Though considerable work has been done in the development of IMS clients, there is no single, free and open source IMS client that provides researchers with all the required functionality needed to test the applications they are developing. For example, several open and closed source SIP/IMS clients are used within the Rhodes University Convergence Research Group (RUCRG) to test applications under development, as a result of the fact that the various SIP/IMS clients support different subsets of SIP/IMS features. The lack of a single client and the subsequent use of various clients comes with several problems. Researchers have to know how to deploy, configure, use and at times adapt the various clients to suit their needs. This can be very time consuming and, in fact, contradicts the IMS philosophy (the IMS was proposed to support rapid service creation). This thesis outlines the development of a Java-based, IMS compliant client called RUCRG IMS client, that uses the JAIN SIP Applet Phone (JSAP) as its foundation. JSAP, which originally offered only basic voice calling and instant messaging (IM) capabilities, was modified to be IMS compliant and support video calls, IM and presence using XML Configuration Access Protocol (XCAP).

    Design and implementation aspects of open source next generation networks (NGN) test-bed software toolkits

    Information and communication technologies have long formed the increasingly important backbone of the global economy and telecommunications, in which telecommunication networks and services in particular play an elementary part. Through the convergence of telecommunication and Internet technologies, the telecommunications landscape has changed drastically over the last decade. Previously closed telecommunication environments have, in the transition to the so-called Next Generation Network (NGN), turned into complex, highly dynamic multi-service infrastructures with regard to the supported access network technologies and the multimedia applications offered, as well as the protocols and services employed. The control layer of such NGNs is of paramount importance, as it sits between the access networks and the applications. The use and optimization of the IP Multimedia Subsystem (IMS) was researched and discussed in this context for years, and today it represents the globally recognized control platform for fixed and mobile telecommunication networks. Research on protocols and services in these NGN environments is highly complex owing to the convergence of technologies, applications and business models and to the highly dynamic yet short innovation cycles.
Early access to vendor-independent validation infrastructures that nevertheless stay close to the product world, so-called open technology test-beds, or test-beds for short, is therefore indispensable for research and development departments. The present dissertation describes the author's extensive research work in the field of open NGN test-beds over the last nine years and concentrates on the design, development and provision of the Open Source IMS Core project, which for years has been the foundation for a large number of NGN test-beds and countless NGN research and development projects in academic as well as industry-related settings around the globe. Strong emphasis is placed on the requirements regarding flexibility, performance, functional scope and interoperability, as well as on elementary design principles of test-bed tools. The work furthermore describes and evaluates the use of open source principles and illustrates the advantages of this approach with regard to the impact and sustainability of the research, using the building of a global Open Source IMS Core (OpenIMSCore) research community as the example. Finally, the work illustrates the reusability of the essential design principles applied in other test-bed tools developed largely by the author, in particular the Open Evolved Packet Core (OpenEPC) for the seamless integration of different broadband network technologies.
Information and Communication Technologies have long provided the backbone of telecommunication networks, such that communication services represent an elementary foundation of today’s globally connected economy. The telecommunication landscape has experienced dramatic transformations through the convergence of the Telecom and the Internet worlds.
The previously closed telecommunication domain is currently transforming itself through the so-called NGN evolution into a highly dynamic multiservice infrastructure, supporting rich multimedia applications, as well as providing comprehensive support for various access technologies. The control layer of such NGNs is therefore of paramount importance, as it represents the convergent mediator between access and services. The use and the optimization of the IP-Multimedia Subsystem (IMS) has been researched and considered in this domain for many years, such that today it represents the world-wide recognized control platform for fixed and mobile NGNs. Research on protocols and services for such NGN architectures, due to the convergence of technologies, applications and business models, as well as for enabling highly dynamic and short innovation cycles, is highly complex and requires early access to vendor independent - yet close to real life systems - validation environments, the so-called open technology test-beds. The present thesis describes the extensive research of the author over the last nine years in the field of open NGN test-beds. It focuses on the design, development and deployment of the Open Source IMS Core project, which has for years been the foundation of numerous NGN test-beds and countless NGN Research & Development projects in academia as well as in industry around the globe. A major emphasis is placed on ensuring flexibility, performance, reference functionality and inter-operability, as well as on satisfying elementary design principles of such test-bed toolkits. The study also describes and evaluates the use of Open Source principles, highlighting the advantages of using them in regard to the creation, impact and sustainability of a global OpenIMSCore research community.
Moreover, the work documents that the essential design principles and methodology employed can be reused in a generic way to create test-bed toolkits in other technology domains. This is shown by introducing the OpenEPC project, which provides for seamless integration of different mobile broadband technologies.

    Towards 5G Software-Defined Ecosystems: Technical Challenges, Business Sustainability and Policy Issues

    Techno-economic drivers are creating the conditions for a radical change of paradigm in the design and operation of future telecommunications infrastructures. In fact, SDN, NFV, Cloud and Edge-Fog Computing are converging together into a single systemic transformation termed “Softwarization” that will find concrete exploitations in 5G systems. The IEEE SDN Initiative has elaborated a vision, an evolutionary path and some techno-economic scenarios of this transformation: specifically, the major technical challenges, business sustainability and policy issues have been investigated. This white paper presents: 1) an overview of the main techno-economic drivers steering the “Softwarization” of telecommunications; 2) an introduction to the Open Mobile Edge Cloud vision (covered in a companion white paper); 3) the main technical challenges in terms of operations, security and policy; 4) an analysis of the potential role of open source software; 5) some use case proposals for proof-of-concepts; and 6) a short description of the main socio-economic impacts being produced by “Softwarization”. Along these directions, IEEE SDN is also developing an open catalogue of software platforms, toolkits, and functionalities aiming at a step-by-step development and aggregation of test-beds/field-trials on SDN-NFV-5G.

    Using decoys to block SPIT in the IMS

    Includes bibliographical references (leaves 106-111). In recent years, studies have shown that 80-85% of e-mails sent were spam. Another form of spam that has just surfaced is VoIP (Voice over Internet Telephony) spam. Currently, VoIP has seen an increasing number of users due to the cheap rates. With the introduction of the IMS (IP Multimedia Subsystem), the number of VoIP users is expected to increase dramatically. This is a cause for concern, as the tools and methods that have been used for blocking e-mail spam may not be suitable for real-time voice calls. In addition, VoIP phones will have URI type addresses, so the same methods that were used to generate automated e-mail spam messages can be employed for unsolicited voice calls. Spammers will always be present to take advantage of and adapt to trends in communication technology. Therefore, it is important that the IMS have structures in place to alleviate the problems of spam. Recent solutions proposed to block SPIT (Spam over Internet Telephony) have the following shortcomings: restricting the users to trusted senders, causing delays in voice call set-up, reducing the efficiency of the system by increasing the burden on proxies, which have to do some form of Bayesian or statistical filtering, and requiring dramatic changes in the protocols being used. The proposed decoying system for the IMS fits well with the existing protocol structure, and customers are oblivious of its operation.

    Implementing a secured IMS-based Identity exchange

    With the continuous development of telecommunications, networking and ubiquitous computing, the need for higher bandwidth and better quality of service is always one of the most important user requirements. Against this background, the IP Multimedia Subsystem (IMS) is becoming very important for Next Generation Networking (NGN) and the all-Internet Protocol (all-IP) infrastructure. This new tendency provides opportunities for new operators and service providers to enter the market and to be competitive. These developments will generate new challenges related to user identity assurance. It will be more difficult to rely on the old paradigms of static operator relationships guaranteeing the identity of the users end-to-end. In this case there is a crucial need to find new mechanisms that give the end points assurance about the identity of their counterparts. In this work we implemented a solution that establishes trust between two end points by taking advantage of IMS in a roaming scenario where the visited access network may not be entirely trustworthy. In essence, this means establishing an identity association so that the parties can have operator-provided assurance regarding the identities used. This allows local trust decisions and does not rely on the existence of a global Public Key Infrastructure (PKI). Concretely, in this work we have modified the Session Initiation Protocol (SIP) “INVITE” messages by adding new SIP headers such as the identity and the signature of the SIP entities taking part in a multimedia conversation. Every SIP entity has to add its own identity and signature and also has to verify those of its counterparts in a typical SIP “INVITE” exchange. With this work we show that establishing this kind of identity association is feasible, but some scalability issues have to be taken into account, such as the time delay or the size of the new messages.
In order to accomplish this master thesis work, we have used the Open Source IMS Core (OSIMS) platform developed by FOKUS, the SailFin project as the Application Server (AS) and IMS Communicator as the IMS client.

    Creating next-generation IMS networks using Open Source products (A criação de redes de próxima geração IMS usando produtos Open Source)

    Internship carried out at PT Inovação. Integrated master's thesis. Electrical and Computer Engineering. Faculdade de Engenharia. Universidade do Porto. 200

    A vulnerability assessment framework for the IMS

    Includes bibliography. With multimedia services being made available via more and more devices to end users, it is no longer feasible to develop a delivery platform for each new type of service. The IP multimedia subsystem (IMS) aims to provide a unified service delivery platform capable of supporting a wide range of multimedia, data and voice services. It has been developed with a focus on content delivery and rich communications, and has already begun to replace existing legacy GSM network components. The IMS is intended to be an access agnostic platform, capable of providing services over both mobile and fixed networks using a multi-access all-IP platform. By providing a feature-rich all IP platform, operators are able to deploy open IP-based networks, allowing for easy deployment and development of new, rich multimedia centric communication services. With the IMS in place, an operator may take the role of a service broker, providing them with far more revenue generating opportunities than just traditional voice and data. Application services may leverage the functionality provided by the IMS to create new services quickly while allowing them to be easily integrated into the network infrastructure. With the IMS gaining more and more attention from telecoms operators, and already being adopted by some, the ability to assess the security of the system becomes critical to the success of the IMS platform. While the 3GPP has placed emphasis on security throughout the development of the IMS, implementation is left up to vendors looking to create their own IMS systems. Implementation specific vulnerabilities may be missed by standard quality assurance testing, as they may be triggered only by boundary or near boundary conditions, or non-standard or unexpected state transitions.