Description
The Firewall Traversal Tunnel to IP network of IMS (FTT-IMS) is a 3GPP-defined solution specified in TS 24.322. It addresses the fundamental challenge of establishing and maintaining IP Multimedia Subsystem (IMS) sessions across network boundaries that contain firewalls and Network Address Translators (NATs). These middleboxes often block unsolicited incoming packets or obscure the true IP address and port of a User Equipment (UE), which breaks the end-to-end connectivity assumptions of the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). FTT-IMS provides a standardized, network-assisted method to create and maintain secure pinholes or tunnels through these barriers.
The architecture involves several key functional entities. The UE, equipped with an FTT-IMS client, initiates the process. The core network element is the FTT-IMS Application Server (FTT-IMS AS), which acts as a signaling intermediary and tunnel endpoint. The P-CSCF (Proxy-Call Session Control Function) is also aware of the FTT-IMS procedures. The mechanism works by having the UE first establish a secure, long-lived control connection (a tunnel) to the FTT-IMS AS. This control tunnel is used to exchange the necessary information for media traversal. When the UE initiates or receives an IMS session, the SDP (Session Description Protocol) offer/answer is relayed through this control tunnel. The FTT-IMS AS can then instruct any Session Border Controller (SBC) or firewall in the path to open specific pinholes for the RTP/RTCP media streams associated with that session, using the negotiated IP addresses and ports.
This process ensures that media packets can flow bi-directionally. For signaling, SIP messages are also typically routed through the FTT-IMS AS, which acts as an outbound proxy, ensuring that all signaling appears to come from a stable, reachable address. The solution supports both IPv4 and IPv6 and is designed to work with IMS Authentication and Key Agreement (AKA) for security. Its role is critical in scenarios where the UE is attached via a private or carrier-grade NAT, such as in many fixed broadband or enterprise networks, guaranteeing that IMS-based voice, video, and messaging services work reliably regardless of the underlying IP network topology.
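As an added example (not taken from TS 24.322 or from any FTT-IMS implementation), the following Python derives the minimal set of RTP/RTCP pinholes from an SDP offer/answer pair, which is the step described above where pinholes are opened for the negotiated addresses and ports. The function names, the sample SDP and the assumption that media runs over UDP are illustrative.

```python
# Added example: derive least-privilege RTP/RTCP pinholes from an SDP offer/answer.
# parse_sdp, pinholes and the sample SDP are hypothetical, not from TS 24.322.

def parse_sdp(sdp):
    """Return one dict per m= line: ip, rtp port, rtcp port, rtcp-mux flag."""
    session_ip, streams = None, []
    for raw in sdp.strip().splitlines():
        key, _, val = raw.strip().partition("=")
        if key == "c":                      # c=IN IP4 192.0.2.10 (or IN IP6 ...)
            ip = val.split()[2].split("/")[0]
            if streams:
                streams[-1]["ip"] = ip      # media-level c= overrides session-level
            else:
                session_ip = ip
        elif key == "m":                    # m=audio 49170 RTP/AVP 0
            rtp = int(val.split()[1].split("/")[0])
            streams.append({"media": val.split()[0], "ip": session_ip,
                            "rtp": rtp, "rtcp": rtp + 1, "mux": False})
        elif key == "a" and streams:
            if val == "rtcp-mux":           # RFC 5761: RTCP shares the RTP port
                streams[-1]["mux"] = True
            elif val.startswith("rtcp:"):   # RFC 3605: explicit RTCP port
                streams[-1]["rtcp"] = int(val[5:].split()[0])
    return streams

def pinholes(offer_sdp, answer_sdp):
    """Return the set of (proto, src_ip, src_port, dst_ip, dst_port) to allow."""
    rules = set()
    for o, a in zip(parse_sdp(offer_sdp), parse_sdp(answer_sdp)):
        if o["rtp"] == 0 or a["rtp"] == 0:  # port 0 = stream rejected: open nothing
            continue
        pairs = [(o["rtp"], a["rtp"])]
        if not (o["mux"] and a["mux"]):     # mux applies only if both sides agree
            pairs.append((o["rtcp"], a["rtcp"]))
        for op, ap in pairs:                # one rule per direction
            rules.add(("udp", o["ip"], op, a["ip"], ap))
            rules.add(("udp", a["ip"], ap, o["ip"], op))
    return rules

# Constructed sample: audio accepted with an explicit RTCP port, video rejected.
OFFER = "v=0\nc=IN IP4 192.0.2.10\nm=audio 49170 RTP/AVP 0\nm=video 51372 RTP/AVP 96\n"
ANSWER = ("v=0\nc=IN IP4 198.51.100.20\nm=audio 30000 RTP/AVP 0\n"
          "a=rtcp:30005\nm=video 0 RTP/AVP 96\n")

if __name__ == "__main__":
    for rule in sorted(pinholes(OFFER, ANSWER)):
        print(rule)
```

When the UE sits behind a NAT, the address the firewall observes differs from the one written in the SDP, so a deployment would substitute the translated address before installing these rules.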
Purpose & Motivation
FTT-IMS was created to solve the pervasive problem of IMS service failure in networks protected by firewalls and NATs. The original IMS architecture assumed relatively open IP connectivity, but real-world deployments, especially as operators began offering services over third-party or unmanaged access networks (like residential Wi-Fi), faced significant connectivity issues. NATs break the end-to-end principle of the internet, making it impossible for a remote party to initiate a connection to a UE behind a NAT without explicit mechanisms in place. Firewalls often block the UDP ports used by SIP and RTP.
Prior to standardization, proprietary solutions and non-standardized use of techniques like Interactive Connectivity Establishment (ICE) and Traversal Using Relays around NAT (TURN) were attempted, but these lacked interoperability and network control. The motivation for FTT-IMS was to provide a standardized, operator-managed solution that guarantees service delivery. It gives the network operator visibility and control over the firewall traversal process, which is essential for ensuring quality of service, lawful interception, and consistent user experience for mission-critical services like emergency calls over IMS.
Its introduction in Release 12 was driven by the need to solidify IMS as the sole voice and communication service platform for LTE (VoLTE) and future networks. By solving the traversal problem, FTT-IMS removed a major deployment barrier, enabling the vision of "IMS everywhere" and facilitating the convergence of fixed and mobile services over a common IMS core.
Key Features
- Standardized firewall and NAT traversal for IMS signaling (SIP)
- Secure tunneling for media (RTP/RTCP) stream establishment
- Network-controlled pinhole management via the FTT-IMS AS
- Support for both IPv4 and IPv6 network environments
- Integration with IMS AKA for authentication and security
- Enables reliable IMS service for UEs in private/NATed networks
Evolution Across Releases
Release 12: Initial introduction and specification of the FTT-IMS architecture in TS 24.322. This release defined the core procedures for establishing a control tunnel between the UE and the FTT-IMS Application Server, and the mechanism for the network to facilitate traversal of IMS media and signaling through firewalls and NATs.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.322 | 3GPP TS 24.322 |