In earlier implementation of IMS, in order to prevent the IMS services and/or IP address from embezzlement, Early IMS is presented. In Early IMS, The HSS has a binding between the IMSI and/or MSISDN and the IMPI and IMPU(s), and is therefore able to store the currently assigned IP address from the GGSN against the user's IMPI and/or IMPU(s). The mechanism assumes that the P-CSCF checks that the source IP address in the SIP header is the same as the source IP address in the IP header received from the UE. The assumption here, as well as for the full security solution, is that no NAPT is present between the GGSN and the P-CSCF.
But when a NAPT device is between the GGSN and P-CSCF, this mechanism is not available. Although there is no IP address theft, when signaling messages traverse the NAPT device, the source IP address and port number in network layer will be translated. When P-CSCF compares the source IP address and port number in network layer with the ones in SIP header, it will find that these two addresses are not equal, and will attach the source IP address and port number in network layer from which this request message is received in the “received” and “rport” parameter of Via header respectively. When request message is forwarded to S-CSCF, S-CSCF shall compare the IP address and port number in “received” and “rport” parameter respectively with that the ones stored in HSS. It is obvious that these two addresses are not equal, and registration is not passed. It means that Early IMS cannot distinguish between address translation and theft.