A user agent (UA) may be registered at an Internet Protocol Multimedia Subsystem (IMS) network. Access to the IMS network runs via an Internet Protocol (IP) access network. The IP access network is responsible for providing IP connectivity to the terminal, including an IP address, access to a Domain Name System (DNS) server, etc. The registration to the IMS network may include authentication. The user is authorized to use the IMS services. A security association may exist between the user terminal and the IMS network (e.g. with the Proxy Call Session Control Function (P-CSCF) entity in the IMS network). If no security association is used, then Transport Layer Security (TLS) can be used between the user terminal and the IMS network. By virtue of said authentication in combination with a security association or TLS, all access to the IMS network is secure and trusted.
When a security association is used for IMS access, the IP address that the terminal uses for its IMS access may be provided by the P-CSCF entity. This IP address is then a local IP address from the P-CSCF point of view. The terminal uses this local IP address, which is tightly coupled to this security association, for SIP registration and SIP session establishment. The security association is carried over the IP access that is provided by the IP access network.
The terminal can also access IP services other than IMS. For example, the terminal may access a Hypertext Transfer Protocol (HTTP) server. The terminal uses the IP connectivity from the IP access network for accessing the HTTP server. The access to the HTTP server does not utilize a secure link comparable to the security association that is established between the terminal and the IMS network. The access to the HTTP server is therefore not secure from the HTTP server's point of view.
The subscriber has two IP terminations. A first IP termination is from the IP access network (public IP termination). This first IP termination is used for IP services in general, such as HTTP and E-mail. This first IP termination is also used for non-secure access to the IMS network (e.g. before a security association is established). In addition, this first IP termination is used for IMS user plane media, such as Real-time Transport Protocol (RTP). This first IP termination may, in addition, be used to establish a Virtual Private Network (VPN) tunnel. A second IP termination is from the IMS network (IMS IP termination). This second IP termination is used for SIP signaling to/from the IMS network. This second IP termination constitutes a secure connection, based on IMS authentication.