Most services on the Internet make use of a single TCP or UDP connection. The client opens a TCP connection from a random port to a well known port on the server (e.g. port 443 for HTTPS) and performs authentication and establishment of an encrypted session in that connection. Simple! In VoLTE, however, things are much more complicated as there are three streams used in practice and TCP and UDP can even be mixed.Having said that let’s have a closer look. For all details I’m going to omit here for clarity and brevity’s sake have a look at 3GPP TS 33.203, Chapter 7, which deals with Access Security For IMS.
Step 1: Unencrypted Part
To register to the IMS via the P-CSCF the mobile (UE, User Equipment) sends an unencrypted SIP REGISTER message from a random port to well known SIP port 5060.
The IMS responds with a 401 UNAUTHORIZED message from port 5060 which contains the security challenge. Part of that challenge is the UDP/TCP port number to which the following encrypted messages have to be sent. This is called the ‘port-s’ (server). The message also contains a ‘port-c’ (client) number which is used later when the IMS wants to proactively contact the UE.
These are the only two messages exchanged to and from port 5060!
Step 2 – The First Encrypted Message
The UE then sends another REGISTER message, this time encrypted and with the response to the security challenge to the TCP port given in ‘port-s’ in the previous message. In the REGISTER message the UE repeats the ‘port-c’ and ‘port-s’ parameters it has received from the server (which makes me wonder why as it already uses ‘port-s’…) and, in addition, gives the IMS its own local ‘port-c’ and ‘port-s’ parameters. For this dialog the combination of the UE’s ‘port-c’ and the IMS’s ‘port-s’ ports are used. The second port combination, i.e. IMS’s ‘port-c’ and the UE’s ‘port-c’ are used later-on when the IMS wants to contact the UE. Why it is necessary to have two streams instead of one, well, I don’t know…
If the second REGISTER message was correct the network returns a 200 OK message and the UE is registered.
Step 3 – Communication Once Security Is In Place
As said above, whenever the UE contacts the network with a SIP message it will use it’s own ‘port-c’ (client) as source TCP port and ‘port-s’ (server) of the IMS to send the message. Responses from the network will be sent over the same port combination.
If the network wants to send a message that is not directly connected with a message previously sent by the UE, it uses the ‘port-c’ port number of the network as the source as it is the client in this conversion and the ‘port-s’ of the UE as the destination port.
And just to make things even more fun, TCP and UDP can be mixed depending on message sizes. Yes, I’m sure this makes it so much more efficient… One thing all of this doesn’t make very efficient is bug hunting and tracing with Wireshark. As no ‘well known’ port is used Wireshark can’t detect SIP messages and has to be manually told which port combinations contain SIP exchanges.