Security Aspects of Policy Enforcement in IMS

The policy and charging control function discussed in Section 3.5.11 not only ensures that the user gets the appropriate QoS, is charged appropriately, etc.; it also protects the mobile terminals from attacks by other mobile terminals and from external networks. In addition, it prevents mobile terminals from sending traffic uncontrollably (e.g. if the mobile terminal is infected by a virus).

As noted in Section 6.2.3 regarding security domains, the underlying network uses strong perimeter protection, and IMS traffic is not generally allowed to flow freely between the mobile terminal and any other node on the public Internet, or even to another mobile terminal connected to the same network.

During the setup of a SIP session, the P-CSCF acts as an Application Function (AF). Over the Rx interface, the P-CSCF requests from the Policy and Charging Rules Function (PCRF) that the flows described in the SIP INVITE message be allowed to pass through the Gateway (GW) node, which is a GGSN when the underlying network is a 3GPP network. If the PCRF decides that the flows may be established, it transfers filter rules (coupled with other data, such as QoS and NAT rules) to the GW over the Gx interface, and the GW then instantiates the rules received, which has the effect that these flows are allowed passage. If a session involves two mobile terminals that are attached to networks of different operators, it is the task of each P-CSCF to request that the flows be allowed to pass its respective GW.

This mechanism gives the operator strong control over what traffic is allowed to be initiated by the mobile terminals in the network and, as noted previously, also protects the mobile terminals from attacks.
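The gating sequence described above can be sketched as a small model; this is an added example, not code from the book or from any 3GPP implementation. The class and function names, the `max_flows` policy rule, and the SDP bodies are assumptions made for illustration, and the Rx and Gx exchanges are reduced to plain method calls rather than Diameter messages.

```python
import re
from typing import NamedTuple

class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

def parse_sdp(sdp):
    """Return (connection IP, [media ports]) from a minimal SDP body."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    ports = [int(p) for p in re.findall(r"^m=\w+ (\d+) ", sdp, re.M)]
    return ip, ports

def flows_from_sdp(offer, answer):
    """AF (P-CSCF) role: derive the media flows described by the session setup."""
    (a_ip, a_ports), (b_ip, b_ports) = parse_sdp(offer), parse_sdp(answer)
    flows = []
    for pa, pb in zip(a_ports, b_ports):
        if pa == 0 or pb == 0:      # port 0 marks a declined media stream
            continue
        flows += [Flow(b_ip, a_ip, pa, "udp"), Flow(a_ip, b_ip, pb, "udp")]
    return flows

class Gateway:
    """GW role: default deny; only filters received from the PCRF open a path."""
    def __init__(self):
        self.filters = set()
    def install(self, flows):       # stands in for rule transfer over Gx
        self.filters |= set(flows)
    def permits(self, packet):
        return packet in self.filters

class PCRF:
    """Policy decision: hypothetical rule of at most max_flows per request."""
    def __init__(self, gw, max_flows=4):
        self.gw, self.max_flows = gw, max_flows
    def rx_request(self, flows):    # stands in for the AF request over Rx
        if not flows or len(flows) > self.max_flows:
            return False
        self.gw.install(flows)
        return True

# Constructed SDP bodies (documentation addresses), not captured traffic.
OFFER = "v=0\nc=IN IP4 192.0.2.10\nm=audio 49170 RTP/AVP 0\nm=video 51372 RTP/AVP 31\n"
ANSWER = "v=0\nc=IN IP4 198.51.100.20\nm=audio 40000 RTP/AVP 0\nm=video 0 RTP/AVP 31\n"
```

Only the negotiated audio ports are opened; the declined video stream and any packet from an address outside the session stay blocked by the gateway's default-deny behaviour.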
