Re: [AAA-WG]: issue with expected response calculation

Miguel Garcia <Miguel.An.Garcia@nokia.com> Wed, 13 April 2005 09:14 UTC

Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA07865 for <aaa-archive@lists.ietf.org>; Wed, 13 Apr 2005 05:14:19 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix) id 7D41E912FB; Wed, 13 Apr 2005 05:14:11 -0400 (EDT)
Delivered-To: aaa-wg-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 4C61F912FF; Wed, 13 Apr 2005 05:14:11 -0400 (EDT)
Delivered-To: aaa-wg@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id E5EE3912FB for <aaa-wg@trapdoor.merit.edu>; Wed, 13 Apr 2005 05:14:09 -0400 (EDT)
Received: by segue.merit.edu (Postfix) id D39B55828D; Wed, 13 Apr 2005 05:14:09 -0400 (EDT)
Delivered-To: aaa-wg@segue.merit.edu
Received: from testbed9.merit.edu (testbed9.merit.edu [198.108.1.10]) by segue.merit.edu (Postfix) with ESMTP id 8EF9258288 for <aaa-wg@segue.merit.edu>; Wed, 13 Apr 2005 05:14:09 -0400 (EDT)
Received: by testbed9.merit.edu (Postfix) id 9566D1877; Wed, 13 Apr 2005 05:14:09 -0400 (EDT)
Delivered-To: aaa-wg@merit.edu
Received: from mgw-x2.nokia.com (mgw-x2.nokia.com [131.228.20.22]) by testbed9.merit.edu (Postfix) with ESMTP id 1BCE9186D for <aaa-wg@merit.edu>; Wed, 13 Apr 2005 05:14:08 -0400 (EDT)
Received: from esdks004.ntc.nokia.com (esdks004.ntc.nokia.com [172.21.138.159]) by mgw-x2.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3D9E6O01845; Wed, 13 Apr 2005 12:14:06 +0300 (EET DST)
X-Scanned: Wed, 13 Apr 2005 11:59:47 +0300 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks004.ntc.nokia.com (8.12.9/8.12.9) id j3D8xlvM001355; Wed, 13 Apr 2005 11:59:47 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks004.ntc.nokia.com 00NAN3Mk; Wed, 13 Apr 2005 11:59:46 EEST
Received: from esebh002.NOE.Nokia.com (esebh002.ntc.nokia.com [172.21.138.77]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3D8xiM17355; Wed, 13 Apr 2005 11:59:44 +0300 (EET DST)
Received: from [127.0.0.1] ([172.21.39.90]) by esebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 13 Apr 2005 11:59:43 +0300
Message-ID: <425CDF7E.6030706@nokia.com>
Date: Wed, 13 Apr 2005 11:59:42 +0300
From: Miguel Garcia <Miguel.An.Garcia@nokia.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
X-Accept-Language: en-us, en, es-es
MIME-Version: 1.0
To: Jo Hermans <jo.hermans@gmail.com>
Cc: aaa-wg@merit.edu
Subject: Re: [AAA-WG]: issue with expected response calculation
References: <a4ba2af605041205262c911cf6@mail.gmail.com> <a4ba2af605041215447164d6ce@mail.gmail.com>
In-Reply-To: <a4ba2af605041215447164d6ce@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 13 Apr 2005 08:59:43.0104 (UTC) FILETIME=[221A8800:01C54007]
Sender: owner-aaa-wg@merit.edu
Precedence: bulk
Content-Transfer-Encoding: 7bit

Hi Jo:

Thanks for your comment. I agree with you that the paragraph in Section 
8.5.6.1 (Note that...) does not make sense again, and it is related to 
issue 40. It should have been fixed together.

Since it seems that we will add support for client generated nonces, 
there will be new versions of the Diameter SIP app, and at that time we 
will fix this paragraph, and add the considerations about the MD5-sess 
you mentioned.

Thanks a lot,

     Miguel

Jo Hermans wrote:

> Replying on my own question ...
> 
> On 4/12/05, Jo Hermans <jo.hermans@gmail.com 
> <mailto:jo.hermans@gmail.com>> wrote:
> 
>     I have a problem with paragraph 8.5.6.1 in
>     draft-ietf-aaa-diameter-sip-app-07 , 3rd paragraph ("Please note
>     that the expected response ...")
> 
>     The draft mentions that the expected response calculation can't be
>     done when the SIP UA has sent an expected response based on client
>     nonces. It then mentions that this is the case when the
>     qop-parameter is present in the client request.
> 
>     That last part I don't understand. I thought that H(A1) is dependent
>     on the algorithm, not qop. Qop has only influence on the A2 and
>     digest, which are both calculated in the Diameter Client (SIP
>     Server).  See also
>     <http://danforsberg.info:8080/draft-ietf-aaa-diameter-sip/issue40>
> 
>     But even then I don't understand. I think that the Diameter Server
>     does have the client-nonces available (they're in the
>     SIP-Authorization AVP, and were used to calculate the request digest
>     !), and is able to calculate a H(A1). Even if MD5-sess was used, it
>     could still calculate H(A1). MD5-sess also has the added advantage
>     that H(A1) could only be used once, which is also the reason why
>     draft-sterman-aaa-sip-04.txt doesn't want to use MD5 unless the
>     message is protected against eavesdropping.
> 
> 
> Now I see that the Digest-HA1 attribute is present in the 
> SIP-Authenticate AVP, which probably never saw a cnonce at all, because 
> it's part of the challenge. My mistake was that I thought that it was in 
> SIP-Authorization too.
> 
> This also means that if a server decides to include Digest-HA1 to assist 
> the SIP-server (to avoid that the next packet with the SIP-Authorization 
> should be forwarded to the server too), then it should not offer the SIP 
> UA to use MD5-sess, because that includes client-nonces in A1.  Qop is 
> not a problem, despite paragraph 3 in section 8.5.6.1 
> of sip-app-07.
> 
>     I agree that if qop is missing and algorithm is MD5, client-nonces
>     aren't used at all (backwards compatibility with RFC2069). H(A1)
>     might be stored inside the Diameter Client (SIP server) when it's
>     first received, and reused later on. Is it this that the draft is
>     alluding to?
> 
>     -- 
>     Jo Hermans
> 
>     "Eagles may soar, but weasels aren't sucked into jet engines" 
> 
> 
> 
> 
> -- 
> Jo Hermans
> www.bluesweb.org <http://www.bluesweb.org>
> 
> "Eagles may soar, but weasels aren't sucked into jet engines"

-- 
Miguel A. Garcia           tel:+358-50-4804586
sip:miguel.an.garcia@openlaboratory.net
Nokia Research Center      Helsinki, Finland
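The point argued in the quoted message above is about the RFC 2617 Digest arithmetic: qop only enters A2 and the final response, while the client nonce enters A1 only when the algorithm is MD5-sess. The Python below is an added worked example, not code from the thread, from the Diameter SIP application draft, or from any of the posters; it implements the RFC 2617 H(A1), H(A2) and request-digest computations, then shows the check a SIP server (Diameter client) can perform with nothing but a Digest-HA1 value obtained at challenge time. All usernames, realms, passwords, nonces and header fields are constructed sample values, and the `auth` dictionary is an assumed stand-in for a parsed SIP Authorization header, not any real parser's output.

```python
import hashlib
import hmac


def h(data: str) -> str:
    """RFC 2617 H(data): lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def ha1(username, realm, password, algorithm="MD5", nonce=None, cnonce=None):
    """H(A1) per RFC 2617 section 3.2.2.2.

    algorithm=MD5: depends only on the long-term credential, so whoever knows
    the password can compute it at challenge time, before any cnonce exists.
    algorithm=MD5-sess: also folds in nonce and cnonce, so the value is only
    known once the client's Authorization header has arrived. qop never
    appears here, whichever algorithm is used.
    """
    base = h(f"{username}:{realm}:{password}")
    alg = algorithm.upper()
    if alg == "MD5":
        return base
    if alg == "MD5-SESS":
        if nonce is None or cnonce is None:
            raise ValueError("MD5-sess H(A1) needs both nonce and cnonce")
        return h(f"{base}:{nonce}:{cnonce}")
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def ha2(method, digest_uri, qop=None, entity_body=""):
    """H(A2). qop only selects between the two A2 forms (auth-int binds the body)."""
    if qop == "auth-int":
        return h(f"{method}:{digest_uri}:{h(entity_body)}")
    return h(f"{method}:{digest_uri}")


def request_digest(h_a1, h_a2, nonce, qop=None, nc=None, cnonce=None):
    """The response parameter. Without qop this is the RFC 2069 form (no cnonce)."""
    if qop is None:
        return kd(h_a1, f"{nonce}:{h_a2}")
    if nc is None or cnonce is None:
        raise ValueError("qop requires nc and cnonce")
    return kd(h_a1, f"{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def ua_response(username, realm, password, method, uri, nonce,
                qop=None, nc=None, cnonce=None, algorithm="MD5"):
    """What a SIP UA puts in the response parameter (client side, constructed)."""
    a1 = ha1(username, realm, password, algorithm, nonce, cnonce)
    a2 = ha2(method, uri, qop)
    return request_digest(a1, a2, nonce, qop, nc, cnonce)


def sip_server_verify(digest_ha1, auth):
    """Check a SIP server can do with only a challenge-time MD5 H(A1) plus the
    fields of the Authorization header (auth: constructed dict, assumed shape).
    It needs no password and no round trip to the Diameter server; qop, nc and
    cnonce are all taken from the header, because none of them is in A1."""
    h_a2 = ha2(auth["method"], auth["uri"], auth.get("qop"), auth.get("body", ""))
    expected = request_digest(digest_ha1, h_a2, auth["nonce"],
                              auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])


def demo():
    """Constructed scenario: challenge-time H(A1) for MD5 suffices with or without
    qop, while MD5-sess yields a different H(A1) for every client nonce."""
    user, realm, pw, nonce = "alice", "example.com", "correct horse", "n0nce-constructed"
    challenge_ha1 = ha1(user, realm, pw, "MD5")  # computable before any cnonce
    results = {}
    for qop in (None, "auth"):
        nc, cnonce = ("00000001", "c1") if qop else (None, None)
        auth = {"method": "REGISTER", "uri": "sip:example.com", "nonce": nonce,
                "qop": qop, "nc": nc, "cnonce": cnonce,
                "response": ua_response(user, realm, pw, "REGISTER", "sip:example.com",
                                        nonce, qop, nc, cnonce)}
        results[f"md5_qop_{qop}_verified"] = sip_server_verify(challenge_ha1, auth)
    results["md5_sess_ha1_values"] = {ha1(user, realm, pw, "MD5-sess", nonce, c)
                                      for c in ("c1", "c2", "c3")}
    return results


if __name__ == "__main__":
    print(demo())
```

The set of MD5-sess values in `demo()` has one member per client nonce, which is exactly why a Digest-HA1 handed out with the challenge cannot be the final H(A1) under MD5-sess, whereas the two MD5 verifications succeed with or without qop using only the challenge-time value.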