Recently, in a telco environment implementation, I tried my hand at the following structure to improve Multimedia Subsystem security in IP networks, with the further addition of IPsec to secure the carrier network.

I started with the first interaction and authentication at the User Equipment level with the IMS core through ISIM authorization, and used PKINIT for IKE. At this first interaction interface, I tried to replace PKINIT with traditional gateway devices for data authentication in both active and passive mode, but PKINIT proved to be the better option.
The entire authentication and authorization here is handled via the Serving CSCF, but key generation, as theoretically proven by 3GPP TR 33.978, is done primarily via the home serving network.

Next, on the Gm interface, I used Cavium Nitrox plug-in cards with the Proxy CSCF to implement AH as well as ESP. Both the link between the user equipment and the Proxy CSCF and the interaction between the two parties are secured via AH and ESP respectively.
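To make the Gm protection concrete, here is an added Python illustration of how the ESP side of that link is usually parameterised: the four unidirectional transport-mode SAs between the UE and the P-CSCF, the SPI assignment (each receiver picks the SPIs for the SAs it receives), and the HMAC-SHA-1-96 integrity check that ESP applies to every SIP message. This is not code from the post or from the author's lab, and it covers ESP only, not the AH side. It assumes the IMS AKA key expansion as I read it in 3GPP TS 33.203 Annex I (IK padded with 32 zero bits for HMAC-SHA-1-96, CK used unchanged for AES-CBC-128); the addresses, ports, SPIs and IK/CK values are constructed samples, and the rendered iproute2 `ip xfrm state add` lines are printed, not executed.

```python
"""Added illustration of IMS Gm ESP security associations (not the post's own code).

Assumptions, labelled here and in the lead-in:
  * key expansion follows my reading of 3GPP TS 33.203 Annex I;
  * all addresses, ports, SPIs and key bytes are constructed sample values;
  * the `ip xfrm` commands are rendered as strings for inspection only.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class GmSA:
    """One unidirectional transport-mode ESP SA on the Gm interface."""
    src: str
    dst: str
    sport: int
    dport: int
    spi: int
    integ_key: bytes   # HMAC-SHA-1-96 key (160 bits)
    enc_key: bytes     # AES-CBC key (128 bits)


def expand_ims_aka_keys(ik: bytes, ck: bytes):
    """Expand the 128-bit AKA IK and CK into ESP keys.

    Assumption (TS 33.203 Annex I as I read it): HMAC-SHA-1-96 needs a
    160-bit key, so IK is padded with four zero bytes; AES-CBC-128 uses
    CK directly.
    """
    if len(ik) != 16 or len(ck) != 16:
        raise ValueError("IK and CK must each be 128 bits")
    return ik + b"\x00" * 4, ck


def build_gm_sas(ue_ip, pcscf_ip, port_uc, port_us, port_pc, port_ps,
                 spi_uc, spi_us, spi_pc, spi_ps, ik, ck):
    """Build the four SAs agreed through Security-Client / Security-Server.

    port_uc/port_us are the UE client/server ports, port_pc/port_ps the
    P-CSCF client/server ports. The SPI of each SA is chosen by its receiver:
    spi_uc/spi_us by the UE, spi_pc/spi_ps by the P-CSCF.
    """
    integ_key, enc_key = expand_ims_aka_keys(ik, ck)
    sas = [
        GmSA(ue_ip, pcscf_ip, port_uc, port_ps, spi_ps, integ_key, enc_key),  # UE -> P-CSCF (requests)
        GmSA(pcscf_ip, ue_ip, port_ps, port_uc, spi_uc, integ_key, enc_key),  # P-CSCF -> UE (responses)
        GmSA(pcscf_ip, ue_ip, port_pc, port_us, spi_us, integ_key, enc_key),  # P-CSCF -> UE (requests)
        GmSA(ue_ip, pcscf_ip, port_us, port_pc, spi_pc, integ_key, enc_key),  # UE -> P-CSCF (responses)
    ]
    # Check: a receiver must not reuse one SPI for the two SAs it terminates.
    for dst in (ue_ip, pcscf_ip):
        inbound = [sa.spi for sa in sas if sa.dst == dst]
        if len(set(inbound)) != len(inbound):
            raise ValueError(f"duplicate inbound SPI at {dst}")
    return sas


def xfrm_state_cmd(sa: GmSA) -> str:
    """Render the SA as an iproute2 `ip xfrm state add` line (transport mode,
    UDP port selectors), which is how such SAs are installed on Linux."""
    return (
        f"ip xfrm state add src {sa.src} dst {sa.dst} proto esp spi {sa.spi:#010x} "
        f"mode transport auth-trunc 'hmac(sha1)' 0x{sa.integ_key.hex()} 96 "
        f"enc 'cbc(aes)' 0x{sa.enc_key.hex()} "
        f"sel src {sa.src} dst {sa.dst} proto udp sport {sa.sport} dport {sa.dport}"
    )


def esp_icv(integ_key: bytes, authenticated_bytes: bytes) -> bytes:
    """HMAC-SHA-1-96: full HMAC-SHA1 over the ESP header + payload, truncated
    to 96 bits. This is the ICV a receiver checks before accepting a packet."""
    return hmac.new(integ_key, authenticated_bytes, hashlib.sha1).digest()[:12]


def verify_esp_icv(integ_key: bytes, authenticated_bytes: bytes, icv: bytes) -> bool:
    """Constant-time ICV comparison; a tampered packet fails this check."""
    return hmac.compare_digest(esp_icv(integ_key, authenticated_bytes), icv)


if __name__ == "__main__":
    IK = bytes.fromhex("0f" * 16)   # constructed sample, not a real AKA output
    CK = bytes.fromhex("a5" * 16)   # constructed sample
    for sa in build_gm_sas("192.0.2.10", "198.51.100.1", 5060, 5061, 5062, 5063,
                           0x1000, 0x1001, 0x2000, 0x2001, IK, CK):
        print(xfrm_state_cmd(sa))
```

Installing the rendered states requires root and matching `ip xfrm policy` entries on both hosts; the point of the script is to show the SA layout and the per-packet integrity check, not to configure a live P-CSCF.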

For the Cx interface, the traditional Diameter protocol was used, which protected the traditional CSCF interactions across the ecosystem.

At the Za interaction between the Proxy and SIP services, both IPsec and a generic IKE were utilized, as security at this juncture involves AKA for visited networks when the UE is roaming. The same applies to Zb, at the Proxy interaction with SIP services, when the user is in the home network.

Overall, after implementing this multitier security mechanism at the Multimedia Subsystem core, further attacks can be simulated and checked for effectiveness; I will present the results in my next post, along with the lab setup details. All of this experimental analysis was done together with the Sec team at Appin Group.

Varun Srivastava
Appin Group