
IPSec implementation in IMS Core

Discussion in 'Windows Security' started by Varun Srivastava, Sep 8, 2009.

  1. Recently, in a telco environment implementation, I tried my hand at the
    following structure to improvise the Multimedia Subsystem security in IP
    networks, with the further addition of IPSec to secure the carrier network.

    I started with the first interaction and authentication at the User
    Equipment level with IMS core through ISIM authorization and used PKINIT for
    IKE. At this first interaction interface, I tried to replace PKINIT with
    traditional gateway devices for data authentication in both active and
    passive mode but PKINIT proved to be a better option.
    The entire authentication and authorization here is handled via the Serving
    CSCF, but key generation, as theoretically proven by 3GPP TR 33.978, is done
    primarily via the Home serving network.

    Next, with the Gm interface, I used Cavium Nitrox plugin cards with the Proxy
    CSCF to implement AH as well as ESP. Both the linkage between user equipment
    and Proxy CSCF as well as the interaction between both parties are
    secured via AH and ESP respectively.

    For the Cx interface, the traditional Diameter protocol was used, which
    protected traditional CSCF interaction all across the ecosystem.

    At the Za interaction between Proxy and SIP services, both IPsec and any
    generic IKE were utilized, as security at this juncture involves AKA for
    visitor networks when the UE is roaming. Same with Zb at the Proxy
    interaction with SIP services when the user is in the home network.

    Overall, after implementing the following multitier security mechanism at
    the Multimedia Subsystem Core, further attacks can be simulated and checked
    against effectiveness, which I will produce as results in my next post
    along with lab setup details. All this experimental analysis is done
    along with the Sec team at Appin Group.

    I need to know any alternative approach to securing IP multimedia subsystem
    core with details on CSCF intercommunication security.

    regards
    Varun Srivastava
    Appin Group
    varunsrivastava(dot)com
    appinlabs(dot)com
     
