STATUS: ACTIVE
SECTOR: SIGNALING
LEVEL: UNCLASSIFIED // RESEARCH

Security: Signaling - SIP/IMS (IP Multimedia Subsystem)

SIP (Session Initiation Protocol) and the IP Multimedia Subsystem (IMS) provide the signalling framework for VoLTE, VoWiFi, and Rich Communication Services (RCS). IMS introduces a multi-tier CSCF architecture over an IP backbone, inheriting all IP-layer attack vectors while adding telecom-specific trust-model vulnerabilities at the interconnect.

๐Ÿ›ก๏ธ Tactical Domain Mapping: SIP/IMS Security

| Area / Component | Functional Security Objective | ITU Rec (Official PDF) | 3GPP Equiv | 3GPP Target |
|---|---|---|---|---|
| Registration Security | Identity Verification & Auth | Q.1912.5 | TS 33.203 | /security |
| Media Confidentiality | SRTP / SDES Key Exchange | X.805 | TS 26.114 | /architecture |
| Subscriber Privacy | P-Asserted-Identity Control | X.1254 | TS 24.229 | /security |
| Interconnect Trust | IBCF Topology Hiding | H.248.1 | TS 23.228 | /interfaces |
| Session Integrity | Dialog State Protection | Q.1912.5 | TS 24.229 | /audit |

🚦 Tactical Release Realizations

For release-specific 3GPP implementations of IMS security and VoLTE/VoWiFi:


๐Ÿ›๏ธ Strategic Alignment

  • ITU Series: Primarily mapped to ITU-T Series H (Multimedia/VoIP services) and ITU-T Series Q (Signaling protocols).
  • Study Groups: SG11 (Protocols & Signaling) and SG17 (Security Architecture for IMS).

🧪 Penetration Testing Tools

  • SIPp: High-volume SIP traffic generation for load and registration flood testing.
  • SIPVicious: SIP scanner suite (svmap, svwar, svcrack) for user enumeration and brute-force.
  • Metasploit SIP modules: Exploits for SIP REGISTER hijacking and media interception.
  • INVITE-Fuzzer: Protocol-level fuzzer for SIP message parsing vulnerabilities in S-CSCF/P-CSCF.

📋 Field Audit Checklist

  • [ ] TLS on SIP: Is SIP signalling transported over TLS (SIPS URI) on all Mw interfaces?
  • [ ] SRTP Enforcement: Are all media sessions using SRTP with SDES or DTLS-SRTP key exchange?
  • [ ] P-Asserted-Identity: Is PAI restricted to trusted nodes only (P-CSCF verified against subscriber profile)?
  • [ ] REGISTER Auth: Is the Authorization header validated end-to-end (IMS-AKA or SIP Digest with TLS)?
  • [ ] Topology Hiding: Does the IBCF strip internal CSCF IP addresses before exiting to IPX?
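
The following added example (not part of the original page) runs four of the checklist items passively against one captured SIP message: topology hiding, TLS transport, P-Asserted-Identity handling and SRTP. The sample INVITE, its host names and the `audit` function are constructed for illustration; it assumes the message was captured on the IPX-facing side of the IBCF, the peer is outside the trust domain unless stated, and each header sits on one unfolded line.

```python
import ipaddress
import re

# Constructed sample: an INVITE captured on the IPX-facing side of an IBCF.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15550100@peer.example.net SIP/2.0",
    "Via: SIP/2.0/TLS ibcf.operator.example:5061;branch=z9hG4bKa1",
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bKb2",
    "Record-Route: <sip:192.168.7.9;lr>",
    "P-Asserted-Identity: <sip:+15550123@operator.example>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "m=audio 49170 RTP/AVP 96",
    "",
])

ROUTING = {"via", "v", "record-route", "route", "path", "service-route"}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def audit(message, peer_trusted=False):
    """Return checklist findings for one SIP message leaving the operator domain."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ROUTING:                      # topology hiding: no internal IPs
            for text in IPV4.findall(value):
                try:
                    private = ipaddress.ip_address(text).is_private
                except ValueError:               # e.g. 999.1.1.1 is not an address
                    continue
                if private:
                    findings.append(f"topology: {text} exposed in {name}")
        if name in ("via", "v") and value:       # each Via records its hop transport
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            if transport != "TLS":
                findings.append(f"transport: Via hop uses {transport}")
        if name == "p-asserted-identity" and not peer_trusted:
            findings.append("privacy: P-Asserted-Identity sent to untrusted peer")
    for line in body.split("\r\n"):              # SDP: SRTP profiles contain SAVP
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("m=audio", "m=video") and "SAVP" not in parts[2]:
            findings.append(f"media: {parts[0][2:]} offered as {parts[2]}")
    return findings
```

Calling `audit(SAMPLE_INVITE)` returns five findings; passing `peer_trusted=True` drops the P-Asserted-Identity finding, since the header is only expected to be removed toward peers outside the trust domain.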

WARNING: VoLTE Trust Boundary: In VoLTE deployments, the P-CSCF often resides in the operator's PDN, but the UE has a direct IP path to it. If IPsec between UE and P-CSCF (TS 33.203 §7) is not enforced, any user on the same PDN/APN can perform SIP MITM attacks against other subscribers.

TELCOSEC INITIATIVE, EST. 2026 // GLOBAL STANDARDS RESEARCH

Independent, non-affiliated security research project dedicated to hardening global telecommunications infrastructure through data-driven auditing.