Section 3.8.4 describes how access security works in principle. Security via the Gm interface is achieved by means of IPsec SAs, which require specific handling at the SIP signalling level. This section describes how the UE and P-CSCF negotiate the security mechanism, how IPsec-related parameters are exchanged and how SAs are established and handled.
As the establishment of IPsec SAs is based on authentication of the user, every re-authentication process requires new SAs. Consequently, new pairs of IPsec SAs have to be established between the UE and the P-CSCF each time.
The initial REGISTER request as well as the 401 (Unauthorized) response are sent between the UE and the P-CSCF without any kind of protection. These two messages transport information that allows the UE and the P-CSCF to negotiate the security mechanism and to agree on the parameters and ports that will be used for the SAs.
During the registration process two pairs of IPsec SAs are established between the UE and the P-CSCF. Unless otherwise stated, such a set of two pairs of SAs is referred to as a "set of SAs", while a single or specific IPsec SA from these four is referred to as an "SA".
The four IPsec SAs are not static connections in the way that, for example, TCP connections are. They can be regarded as logical associations between the UE and the P-CSCF that allow the secure exchange of SIP messages.
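The following added example (not part of the original text) shows how the parameters carried in the unprotected REGISTER and 401 (Unauthorized) map onto the set of four SAs. It assumes the Security-Client and Security-Server header fields of RFC 3329 with the ipsec-3gpp mechanism of 3GPP TS 33.203, one mechanism entry per header, and constructed sample values; none of these names appear in this section.

```python
# Added example. Header and parameter names follow RFC 3329 and the ipsec-3gpp
# mechanism of 3GPP TS 33.203; they are assumptions, not taken from this section.
# All header values below are constructed samples.
SECURITY_CLIENT = ("ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; "
                   "spi-c=23456789; spi-s=12345678; port-c=2468; port-s=1357")
SECURITY_SERVER = ("ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; ealg=aes-cbc; "
                   "spi-c=98765432; spi-s=87654321; port-c=8642; port-s=7531")

def parse_sec_agree(value):
    """Parse a single-mechanism Security-Client/Security-Server value."""
    mech, *fields = [f.strip() for f in value.split(";") if f.strip()]
    if mech.lower() != "ipsec-3gpp":
        raise ValueError(f"unsupported mechanism: {mech!r}")
    raw = {}
    for field in fields:
        key, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {field!r}")
        raw[key.strip().lower()] = val.strip().strip('"')
    if "alg" not in raw:
        raise ValueError("missing alg")
    out = {"alg": raw["alg"]}
    for key, low, high in (("spi-c", 256, 2**32 - 1), ("spi-s", 256, 2**32 - 1),
                           ("port-c", 1, 65535), ("port-s", 1, 65535)):
        if key not in raw or not raw[key].isdigit() or not low <= int(raw[key]) <= high:
            raise ValueError(f"missing or out-of-range {key}")
        out[key] = int(raw[key])
    return out

def derive_sa_set(client_value, server_value):
    """Return the four unidirectional SAs (two pairs) the headers imply."""
    ue, pcscf = parse_sec_agree(client_value), parse_sec_agree(server_value)
    if ue["alg"] != pcscf["alg"]:
        raise ValueError("no common integrity algorithm")
    def sa(sender, s_port, receiver, r_port, spi):
        return {"from": sender, "src_port": s_port, "to": receiver,
                "dst_port": r_port, "spi": spi, "alg": ue["alg"]}
    # Each SA is identified by the SPI its receiver chose for that inbound port.
    return [
        sa("UE", ue["port-c"], "P-CSCF", pcscf["port-s"], pcscf["spi-s"]),
        sa("P-CSCF", pcscf["port-s"], "UE", ue["port-c"], ue["spi-c"]),
        sa("P-CSCF", pcscf["port-c"], "UE", ue["port-s"], ue["spi-s"]),
        sa("UE", ue["port-s"], "P-CSCF", pcscf["port-c"], pcscf["spi-c"]),
    ]

if __name__ == "__main__":
    for entry in derive_sa_set(SECURITY_CLIENT, SECURITY_SERVER):
        print(entry)
```

The first two entries form the pair between the UE's protected client port and the P-CSCF's protected server port; the last two form the pair between the P-CSCF's protected client port and the UE's protected server port.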