4 Malicious Communication Identification (MCID)

24.6163GPPMalicious Communication Identification (MCID) using IP Multimedia (IM) Core Network (CN) subsystemProtocol specificationRelease 16TS

4.1 Introduction

The MCID service will store session related information of incoming communications independent of the service requested. The following communication information shall be registered:

– Destination Party Identity Information;

– originating Party Identity Information; and

– local time and date of the invocation in the network serving the called user.

The communication information shall not be available to the terminal equipment under the control of the called user nor the originating user. The communication information shall be stored at a location(s) under the control of the network operator. In order for the MCID service to operate when two networks are involved both networks need to be within the same trust domain for identity information transfer.

A network subscription option can be provided which allows automatic invocation of MCID service on communications to the served user which are not answered.

NOTE: The purpose of this option is to allow for registration of communications that ring for a short time only.

A user subscription option can be provided where the MCID service can either be invoked during the active phase of the communication, or for a limited period after the communication has ceased.

4.2 Description

4.2.1 General description

The Malicious Communication Identification (MCID) service allows the service provider to trace the identity information of the source of an incoming communication on request of the destination user.

4.3 Operational requirements

4.3.1 Provision/withdrawal

This service shall be provided and withdrawn after pre-arrangement with the service provider, in accordance with national legal requirements.

This service has two modes: permanent mode and temporary mode. In permanent mode the MCID service is invoked for all incoming communications, and in temporary mode the MCID service is invoked only for the incoming communications declared by the served user.

As a network option, the MCID service can be offered with several subscription options. A network providing the MCID service shall support permanent mode at a minimum. Subscription options are summarized in table 4.3.1.1.

Table 4.3.1.1: Subscription options for MCID services

Subscription options

Value

Mode

Permanent Mode
Temporary Mode

4.3.2 Requirements on the originating network side

No specific requirements are needed in the originating network.

4.3.3 Void

Void.

4.3.4 Requirements on the terminating network side

No specific requirements are needed in the terminating network.

NOTE: If the subscriber has a permanent or case by case subscription, based on Initial Filter Criteria (IFC) the INVITE request is forwarded to the AS that provides the MCID service. Annex B provides an example on how an Initial Filter Criteria (IFC) can be configured.

4.4 Coding requirements

The present clause defines the XML Schema to be used for providing the MCID Request/Response and to invoke the temporary mode of the MCID Service.

The application/vnd.etsi.mcid+xml MIME type used to provide request of a missing originating ID and the delivery of the requested originating id AS of the served user shall be coded as following described:

<?xml version="1.0" encoding="UTF-8"?>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://uri.etsi.org/ngn/params/xml/simservs/mcid" targetNamespace="http://uri.etsi.org/ngn/params/xml/simservs/mcid" elementFormDefault="qualified">

<xs:annotation>

<xs:documentation>XML Schema Definition to the mcid request-response to the Malicious Communication Identification service</xs:documentation>

</xs:annotation>

<!–Definition of simple types–>

<xs:simpleType name="bitType">

<xs:restriction base="xs:string">

<xs:pattern value="[0-1]"/>

</xs:restriction>

</xs:simpleType>

<!–Definition of complex types–>

<xs:complexType name="requestType">

<xs:sequence>

<xs:element name="McidRequestIndicator" type="bitType"/>

<xs:element name="HoldingIndicator" type="bitType"/>

<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>

</xs:sequence>

</xs:complexType>

<xs:complexType name="responseType">

<xs:sequence>

<xs:element name="McidResponseIndicator" type="bitType"/>

<xs:element name="HoldingProvidedIndicator" type="bitType"/>

<xs:element name="OrigPartyIdentity" type="xs:anyURI" minOccurs="0"/>

<xs:element name="OrigPartyPresentationRestriction" type="xs:boolean" default="true" minOccurs="0"/>

<xs:element name="GenericNumber" type="xs:anyURI" minOccurs="0"/>

<xs:element name="GenericNumberPresentationRestriction" type=" xs:boolean" default="true" minOccurs="0"/>

<xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>

</xs:sequence>

</xs:complexType>

<!–Definition of document structure–>

<xs:element name="mcid">

<xs:complexType>

<xs:choice>

<xs:element name="request" type="requestType"/>

<xs:element name="response" type="responseType"/>

</xs:choice>

</xs:complexType>

</xs:element>

</xs:schema>

4.5 Signalling requirements

4.5.1 Activation/deactivation

The MCID service is provisioned only by the network operator. The MCID service is activated at provisioning and de-activated at withdrawal.

4.5.1a Registration/erasure

The MCID service requires no registration. Erasure is not applicable.

4.5.1b Interrogation

Interrogation of MCID is not applicable.

4.5.2 Invocation and operation

4.5.2.1 Actions at the originating UE

Basic communication procedures according to 3GPP TS 24.229 [2] shall apply.

4.5.2.2 Void

4.5.2.3 Void

4.5.2.4 Void

4.5.2.5 Actions at the AS of the terminating user

4.5.2.5.0 General

The AS shall at the minimum store the following elements of a received INVITE request:

– Destination Party Identity Information included in the Request-URI;

– Originating Party Identity Information included in the P-Asserted-Identity header field, if the
P-Asserted-Identity header field is included in the request;

– local time and date of the invocation in the network serving the called user;

– call diversion information ("cause" SIP URI parameter) received in the History-Info header field, if included in the request;

– Referred-By header field when available;

– Contact header field;

– To header field; and

– From header field.

NOTE: The Originating Party Identity Information included in the P-Asserted-Identity header field is always present in the INVITE request if the request is originated in a trusted network.

If the INVITE request does not contain the information of the originating party, the AS shall send an INFO request including an Identification Request MIME body.

When receiving the INFO request containing identification information, the AS shall in addition to the already stored information elements of the earlier received INVITE request, at the minimum store the information as received in the body of the INFO request.

4.5.2.5.1 Subscriber has a permanent subscription

The AS shall register stored information. The exact procedure to register the information is implementation dependent and out of scope of the present document.

4.5.2.5.2 Subscriber has a temporary subscription

The AS shall store the required elements of a received INVITE request for a limited period after the communication has been released. If an initial INVITE request as specified in subclause 4.5.2.12.1 is received during this period the AS shall register the stored information as in subclause 4.5.2.5.1. If no MCID request is received during that period the stored elements for the last communication can be deleted.

A received reINVITE request of the served user as defined in subclause 4.5.2.12.1 is identified as MCID request and the AS shall register the required information.

The exact procedure to register the information is implementation dependent and out of scope of the present document.

After receiving a BYE request from the originating side the call state shall be held for a current time defined by Timer
TMCID-BYE.

With expiry of the TMCID-BYE the BYE request shall be forwarded to the served user and the communication shall be released according to the basic communication procedures defined in 3GPP TS 24.229 [2].

If no MCID request was received the stored elements for the last communication can be deleted.

4.5.2.5.3 Request of a missing or incomplete originating Id (network option)

The present subclause is applicable when interacting with the PSTN/ISDN.

If a received initial INVITE request does not contain an originating identification or a incomplete originating identification and only if requested by operator policy regarding the received P-Asserted-Identity header field, the AS shall send a INFO request containing a XML mcid body with MCID XML Request schema requesting the originating ID towards the originating network. If requested by operator policy and proprietary signalling, the AS shall skip sending the INFO request containing a XML mcid body with MCID XML Request schema and continue with the session setup as defined in 3GPP TS 24.229 [2].

NOTE: The received P-Asserted-Identity header field can contain a specific value indicating to skip sending INFO requests as the INFO request can indicate the request for identity towards the originating UA. The specific content of the P-Asserted-identity header field that triggers this behaviour is operator specific and is outside the scope of this specification.

After sending of the INFO request requesting the originating id, timer TO-ID (as defined in subclause 4.8) is started.

When the Identification response (INFO request containing a XML mcid body with MCID XML Response schema containing the originating identity) is received:

– the timer TO-ID is stopped; and

– the MCID information is stored;and

– a 180 (Ringing) response is sent towards the originating user according to the basic communication procedures.

When a Identification response INFO request is received without the Originating Party Identity information:

– timer TO-ID is stopped; and

– a 180 (Ringing) response is sent towards the originating user according to the basic communication procedures.

When the timer TO-ID expires before an Identification response INFO request is received, a 180 (Ringing) response is sent towards the originating user according to the basic communication procedures.

4.5.2.6 Void

4.5.2.7 Void

4.5.2.8 Void

4.5.2.9 Void

4.5.2.10 Void

4.5.2.11 Void

4.5.2.12 Actions at the destination UE

4.5.2.12.0 Subscriber has a permanent subscription

Basic communication procedures according to 3GPP TS 24.229 [2] shall apply.

4.5.2.12.1 Subscriber has a temporary subscription

In order to invoke the MCID service during the call the UE shall send a reINVITE request including a XML MIME with XML mcid body with MCID XML Request schema containing a McidRequestIndicator set to 1.

As a network operator option, the UE can skip including the XML MIME with XML mcid body in the reINVITE.

NOTE: A reINVITE request without the XML MIME with XML mcid body can not be clearly identified as a trigger for the MCID service in an AS and therefore this reINVITE request will be sent towards the originating side. Additionally, if this network option is chosen, the AS will register MCID data for every reINVITE that the UE sends.

In order to invoke the MCID service after a completed call, the UE shall send an initial INVITE request in accordance with 3GPP TS 24.229 [2] and include a Request-URI set to an operator specific URI provided by the user, and in the SDP offer media for which the UE can receive an announcement.

4.6 Interaction with other services

4.6.1 Communication Hold (HOLD)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.2 Terminating Identification Presentation (TIP)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.3 Terminating Identification Restriction (TIR)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.4 Originating Identification Presentation (OIP)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.5 Originating Identification Restriction (OIR)

Even if the originating identification is a secret (restricted) identification, MCID invocation is possible.

4.6.6 Conference (CONF)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.7 Communication Diversion Services (CDIV)

The MCID service can be invoked for a diverted communication. In addition to the normal operation of the MCID service, the identity of the first diverting user shall be registered and, as a network option, the last diverting user can be registered.

4.6.7.1 Communication Forwarding Unconditional (CFU)

If the served user has activated CFU service, once forwarding has taken place, the forwarding user cannot invoke the MCID service.

4.6.7.2 Communication Forwarding Busy (CFB)

If the served user has activated CFB, once forwarding has taken place, the forwarding user cannot invoke the MCID service.

4.6.7.3 Communication Forwarding No Reply (CFNR)

If the served user has activated CFNR, once forwarding has taken place, the forwarding user (served user) cannot invoke the MCID service.

The MCID service shall not be automatically invoked when an alerting communication is terminated due to the invocation of the communication forwarding no reply service.

4.6.7.4 Communication Forwarding on Not Logged-In (CFNL)

If the served user has activated CFNL, once forwarding has taken place, the forwarding user (served user) cannot invoke the MCID service even after a log-in procedure.

The MCID service shall not be automatically invoked when an alerting communication is terminated due to the invocation of the communication forwarding not logged in service.

4.6.7.5 Communication Deflection (CD)

If the served user has activated communication deflection, once deflection has taken place, the deflecting user cannot invoke the MCID service.

The MCID service shall not be automatically invoked when an alerting communication is terminated due to the invocation of the communication deflection service.

4.6.8 Call Waiting (CW)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.9 Anonymous Communication Rejection and Communication session Barring (ACR/CB)

No impact, i.e. neither service shall affect the operation of the other service.

4.6.10 Explicit Communication Transfer (ECT)

If the transferor invokes the malicious communication identification service on an initial communication after that communication has been successfully transferred then the AS will reject the request.

4.6.11 Enhanced Calling Name (eCNAM)

No impact. Neither service shall affect the operation of the other service.

4.6.12 Multi-Device (MuD)

No impact. Neither service shall affect the operation of the other service.

4.6.13 Multi-Identity (MiD)

No impact. Neither service shall affect the operation of the other service.

NOTE: If the originating user has activated the MiD service and if the operator policy and regulatory requirements state that for the originating request the P-Asserted-Identity header field cannot be modified, identities from the P-Asserted-Identity header field and the From header field stored by the MCID service can represent different users.

4.7 Interactions with other networks

4.7.1 Void

4.7.2 Void

4.7.3 Void

4.8 Parameter values (timers)

A new timer is identified in the destination exchange:

Timer TO-ID: 4-15 seconds.

Timer TO-ID is initiated only at the AS of the served user after sending an MCID request in an INFO request and is stopped at the receipt of an INFO request containing a XML mcid body with MCID XML Response schema.

At expiry of the timer, the communication continues according to the basic communication procedures.

A new timer is identified in the AS to count the post time for invoking the MCID temporary mode.

Timer TMCID-BYE: recommended 0-120 seconds. The timer value is defined by the Operator.

Timer TMCID-BYE initiated only at the AS of the served user after receiving a CANCEL request or BYE request.

At expiry of the timer, the communication continues shall be released according to the basic communication procedures defined in 3GPP TS 24.229 [2].

Annex A (informative):
Signalling Flows

A.1 MCID invocation

The MCID invokes, in the destination, the storage of data.

Figure A.1 shows an example signalling flow for the scenario.

Figure A.1: MCID Permanent and triggered by the B user

The steps of the flow are as follows:

1) INVITE request (to S-CSCF).

The INVITE request is sent from the UE to S-CSCF. The INVITE request includes P-Asserted-Identity header fields as follows:

– P-Asserted-Identity: "John Doe" <tel:+1-212-555-1111>;

– Privacy header field: id or Privacy header or Privacy user; and

– P-Asserted-Identity: "John Doe" <sip:user1_public1@home1.net>.

2) 100 (Trying) response (from S-CSCF).

3) Evaluation of initial filter criteria.

The initial Filter criteria identifies that the requested URI is subscribed to the MCID service. Therefore the S-CSCF forwards the INVITE request to the MCID AS.

4) INVITE request (S-CSCF to AS).

INVITE request is send to the AS.

5) 100 (Trying) response from S-CSCF.

6) AS stores Data.

AS stores:

– Request URI.

– To header field.

– P-Asserted-Identity header fields.

– From header field.

– Contact header field.

– Time and date field.

7-12) INVITE request (S-CSCF to AS).

INVITE request is send towards the UE:B.

A.2 Identity information not present in the initial request

Hereby, we show a PSTN to IMS scenario, but notice that any call, originated in the PSTN domain and being diverted before reaching the served user AS, must be treated in the same manner. The terminating AS sends a 18x provisional response previous to sending a SIP INFO request, which requests the information from the originating network. It can then route the call while waiting for an answer to the INFO request. Note that the 18x response is sent reliably, this is not intended to indicate ringing (not be a 180 (Ringing) response), and contains no SDP. This 18x response establishes a early dialog, which is needed before the INFO request can be sent.

Figure A.2.1:MCID with Information Request towards the ISDN/PSTN

The Terminating AS will then wait for an INFO request containing the response to the information query in the previous INFO request. This request provides the requested identity. If such a request is not received within a period of time, the service cannot be provided.

Figure A.2.2: MCID with Information Response towards the ISDN/PSTN

A.3 MCID invocation during the call in temporary mode

The MCID invokes, in the destination, the storage of data.

Figure A.3.1 shows an example signalling flow for the scenario.

Figure A.3.1: MCID Permanent and triggered by the B user

The steps of the flow are as follows:

1) INVITE request (to S-CSCF).

The INVITE request is sent from the UE to S-CSCF The INVITE request includes a P-Asserted-Identity header fields as follows:

– P-Asserted-Identity: "John Doe" <tel:+1-212-555-1111>, "John Doe" <sip:user1_public1@home1.net>;

– Privacy header field: id or Privacy header or Privacy user.

2) 100 (Trying) response (from S-CSCF).

3) Evaluation of initial filter criteria.

The initial Filter criteria identifies that the requested URI is subscribed to the MCID service. Therefore the S-CSCF forwards the INVITE request to the MCID AS.

4) INVITE request (S-CSCF to AS).

INVITE request is send to the AS.

5) 100 (Trying) response from S-CSCF.

6) Temporarily AS stores Data.

AS stores:

– Request URI.

– To header field.

– P-Asserted-Identity header fields.

– From header field.

– Contact header field.

– Time and date field.

7-12) INVITE request (S-CSCF to AS).

INVITE request is send towards the UE:B.

NOTE: 180 (Ringing) response is not shown.

13-18) UE-B takes the communication. A 200 (OK) response is sent towards UE-A.

19) UE-B initiates the temporary mode with sending a reINVITE request – see example in table A.3-19.

Table A.3-19: re-INVITE request (UE-B to P-CSCF)

INVITE sip:user1_public1@home1.net; gr=urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6 ;comp=sigcomp

Via: SIP/2.0/UDP [5555::aaa:bbb:ccc:ddd]:1357;comp=sigcomp;branch=z9hG4bKnashds7

Max-Forwards: 70

Route: <sip:pcscf1.visited1.net:7531;lr;comp=sigcomp>, <sip:orig@scscf1.home1.net;lr>

P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=234151D0FCE11

Privacy: none

From: <sip:user1_public1@home1.net>; tag=171828

To: <tel:+1-212-555-2222>

Call-ID: cb03a0s09a2sdfglkj490333

Cseq: 127 INVITE

Require: sec-agree

Proxy-Require: sec-agree

Supported: precondition, 100rel, gruu, 199

Security-Verify: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=98765432; spi-s=87654321; port-c=8642; port-s=7531

Contact: <user2_public1@home2.net;gr=urn:uuid:2ad8950e-48a5-4a74-8d99-ad76cc7fc74 ;comp=sigcomp SIP/2.0>;+g.3gpp.icsi-ref="urn%3Aurn-7%3gpp-service.ims.icsi.mmtel"

Allow: INVITE, ACK, CANCEL, BYE, PRACK, UPDATE, REFER, MESSAGE, SUBSCRIBE, NOTIFY

Content-Type: application/sdp

Content-Length: (…)

v=0

o=- 2987933615 2987933615 IN IP6 5555::aaa:bbb:ccc:ddd

s=-

c=IN IP6 5555::aaa:bbb:ccc:ddd

t=0 0

m=video 3400 RTP/AVPF 98 99

b=AS:75

a=curr:qos local none

a=curr:qos remote none

a=des:qos mandatory local sendonly

a=des:qos none remote sendonly

a=inactive

a=rtpmap:98 H263

a=fmtp:98 profile-level-id=0

a=rtpmap:99:MPVMP4V-ES

m=audio 3456 RTP/AVPF 97 96

b=AS:25.4

a=curr:qos local none

a=curr:qos remote none

a=des:qos mandatory local sendonly

a=des:qos none remote sendonly

a=inactive

a=rtpmap:97 AMR

a=fmtp:97 mode-set=0,2,5,7; maxframes=2

a=rtpmap:96 telephone-event

20-22) network routes the reINVITE request.

23) The AS finally stores the regarding MCID data cached at step 6).

Annex B (informative):
Example of filter criteria

This annex provides an example of a filter criterion that triggers SIP requests that are subject to initial filter criteria evaluation.

The coding of the Initial Filter Criteria is described in 3GPP TS 29.228 [9].