Protected Ports

Within IMS networks, the P-CSCF provides the network access point and serves as the outbound proxy server for user equipment (UE) -- smartphones, tablets, and similar devices. The UE must connect to the P-CSCF before it registers and initiates SIP sessions. The P-CSCF can be in the user's home network, or in a visited network if the UE is roaming; the UE connects to it using Dynamic Host Configuration Protocol (DHCP) P-CSCF discovery procedures.

After successful discovery, the P-CSCF and UE negotiate IPSec security associations (SAs), which are used to establish four protected ports (authenticated and encrypted using the Encapsulating Security Payload protocol) between the UE and the P-CSCF.

The four protected ports are shown in the following illustration:

This image shows the four protected ports, the UE and USM's client and server ports.

As required by Section 7.4 of 3GPP TS 33.203, the protected client ports, one on the UE and the other on the Oracle Communications Unified Session Manager, must be changed after each successful re-registration.

To fulfill this requirement, this release adds a new attribute to the existing ims-aka-profile configuration object. This attribute (end-protected-client-port) works in conjunction with start-protected-client-port (protected-client-port in previous releases) to enable the identification of a pool of protected client ports, which will be used for re-registration scenarios where the Oracle Communications Unified Session Manager is required to change the client port.

The Oracle Communications Unified Session Manager creates new protected client ports, one on the UE and the other on the Oracle Communications Unified Session Manager, after every re-registration. Old protected client ports, along with their associated SAs, are maintained for 30 seconds after re-registration to ensure correct handling of any pending responses to previously transmitted messages.

This image depicts the creation of new ports for IPSec SAs upon endpoint re-registration.

After successful re-registration, the Oracle Communications Unified Session Manager updates the registration cache with the new port information and checkpoints it with the HA peer, if present.
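The following Python model is an added example, not Oracle code. It shows how a pool bounded by start-protected-client-port and end-protected-client-port interacts with the 30-second hold on old ports, which is what determines how wide the range must be and which ports packet filters have to keep open. The class name, the round-robin selection order and the port values 4060 to 4062 are assumptions made for illustration.

```python
HOLD_SECONDS = 30  # from the page: old ports and their SAs are kept this long


class ClientPortRotation:
    """Model of one registration's protected client port over time."""

    def __init__(self, start_port, end_port):
        # start_port/end_port stand in for start-protected-client-port and
        # end-protected-client-port; the values passed in are constructed.
        if not 1 <= start_port <= end_port <= 65535:
            raise ValueError("invalid protected client port range")
        self.ports = list(range(start_port, end_port + 1))
        self.index = -1      # position of the current port in the pool
        self.current = None  # port bound to the newest SAs
        self.held = {}       # old port -> time at which it is released

    def live_ports(self, now):
        """Ports that must still accept protected traffic at time `now`."""
        self.held = {p: t for p, t in self.held.items() if t > now}
        newest = [] if self.current is None else [self.current]
        return newest + sorted(self.held)

    def reregister(self, now):
        """Pick a port that is neither current nor held (round-robin is assumed)."""
        busy = set(self.live_ports(now))
        for step in range(1, len(self.ports) + 1):
            index = (self.index + step) % len(self.ports)
            if self.ports[index] not in busy:
                if self.current is not None:
                    self.held[self.current] = now + HOLD_SECONDS
                self.index, self.current = index, self.ports[index]
                return self.current
        raise RuntimeError("pool exhausted: widen the start/end port range")


def demo():
    rotation = ClientPortRotation(4060, 4062)  # constructed sample range
    timeline = []
    for now in (0, 10, 20, 25, 45):
        try:
            timeline.append((now, rotation.reregister(now)))
        except RuntimeError:
            timeline.append((now, None))  # every port is current or held
    return timeline, rotation.live_ports(50)


if __name__ == "__main__":
    print(demo())
```

In this model a range of one port can never satisfy the change-on-re-registration requirement, and a three-port range fails once re-registrations arrive faster than the held ports are released.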