In Section 3.19 the general principles and requirements for early IMS security are described. Figure 10.17 shows how early IMS security works in principle when the network requires IP-based authentication and the UE supports both – i.e., full IMS security as well as early IMS security. There are other possible scenarios, which are listed in Section 10.15.2.
When the UE establishes an IMS signalling PDP context, the GGSN creates a RADIUS "Accounting-Request START" request towards the GGSN, in which it indicates the user's Mobile Subscriber Integrated Services Digital Network (MSISDN) number (i.e., the phone number) as well as the IP address for the IMSspecific PDP context.
After establishing a signalling PDP context the UE will send out an initial REGISTER request, as described in the previous sections, including the Authorization header, a Security-Client header as well as the "sec-agree" option tag in the Require and the Proxy-Require header:
REGISTER sip:home1.fr SIP/2.0 From: <sip:email@example.com>;tag=pohja To: <sip:firstname.lastname@example.org> Authorization: Digest username="email@example.com", realm="home1.fr", nonce="", uri="sip:home1.fr", response="" Security-Client: digest, IPsec-3gpp; alg=hmac-sha-1-96 ;spi-c=23456789 ;spi-s=12345678 ;port-c=2468; port-s=1357 Require: sec-agree Proxy-Require: sec-agree Contact: <sip:[5555::1:2:3:4]>;expires=600000