Re: [dispatch] SASL Authentication for SIP

Eric Rescorla <ekr@rtfm.com> Mon, 17 October 2022 13:15 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D2B2C152596 for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajRaEXj6wAYS for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11EB6C152590 for <dispatch@ietf.org>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
Received: by mail-il1-x133.google.com with SMTP id d14so5782875ilf.2 for <dispatch@ietf.org>; Mon, 17 Oct 2022 06:15:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=iuzMH+IqZCfbuw/QpuowMpe5wBpzJXrWH/mEJtl4FrY=; b=mJ3DtDcKD9iNoUgdvfmSFSnob90NRdd1gF4SfllVmpb9zSEZ1P3Iux7Y6EHVve6D8b GifKUADG0J/azQ18ikv7YHOw3he/Cb8OAO1La53sGLDAy0w9b0MXFLY25DILY9TMw/Xa HPoqwQCbAPhz0qO4L9FNeRYvzF3lbP9XMZmA2hQsJ1FTr4rXCZNMi41Yb/6XyhtfTLZl tyHOG8SGzed53p4yKnK70oznywLzb71YylDnHkdZ8f/zNKs/Y0fltopqbuGPRbDeYHft OjRpitdwuPHCUrEoyalXffAj6PW0wuc8/CY2/5hnhXECH+1DXCh1DLLsq5pcdsaQT4a8 uXRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iuzMH+IqZCfbuw/QpuowMpe5wBpzJXrWH/mEJtl4FrY=; b=mpQSS6Vh2FtqCst4g+dM1hQBs7vajG1sqff4RUGWWbgzgI139n7hcNe+v6lkt9Io76 NR4LDHCIFNkdCKSJUDWpV3vxJQpFg19jhId6sKqmRSRjHdROd9jpv4IQm/6VZTuSaetM o/V6loXtZo6imkTn/EpVBD6Z1+E4h05Mn620KRcs7BllRDFoi33Tk9kv7NAXmiDjZqFr 7E+fiKxomqdHX7oiacgboX8BLV1ky22NcxSKZIGfAIXuOdqyWjYS5ZVL1AbOkvcmFTun tZ94R3BJs25qz56g9z9wgvbDLoYuNes8Nzj5pzn2Zd+n9CxjH3zUz2/ZsJyPSA9JmGsP girQ==
X-Gm-Message-State: ACrzQf0O2smBd/mT+JWI8SQ/vYXmyK1+KMGcySi754KINElxOtLxhHJQ hVZtGVAWKF2nNQ+KOwznYy49aIrQ4cbVNuFGZZ733dYp/o8=
X-Google-Smtp-Source: AMsMyM730Wwq0fKqJwT3TXvcFUR3hQsajVvbIt9ulu53eJshOeQR2r+Pk6tGSxV/nsESOJ5pAW90L8l2CsEWwt8hfDQ=
X-Received: by 2002:a05:6e02:148f:b0:2fc:54d2:7aa8 with SMTP id n15-20020a056e02148f00b002fc54d27aa8mr4666912ilk.224.1666012556931; Mon, 17 Oct 2022 06:15:56 -0700 (PDT)
MIME-Version: 1.0
References: <20221015195315.GA11346@openfortress.nl> <CABcZeBMHshP_C36+E7UPXfPoug87RAu6faw4EMkQ=qWdCeZzuA@mail.gmail.com> <20221016065327.GA12615@openfortress.nl> <CABcZeBOgiisAm+k=m4tSor-brTeaN5Y22HOz=JBTckcGZt0h9A@mail.gmail.com> <20221017075149.GB15330@openfortress.nl>
In-Reply-To: <20221017075149.GB15330@openfortress.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 17 Oct 2022 06:15:20 -0700
Message-ID: <CABcZeBP0d=NovvnrjMqmMbW+r=vBMuv51KBS3L4WK-S5QsPgGw@mail.gmail.com>
To: dispatch@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a5cec305eb3ac6ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/HBIIhy6VJI7IZe_n7YTq9I6Z_eQ>
Subject: Re: [dispatch] SASL Authentication for SIP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2022 13:15:58 -0000

On Mon, Oct 17, 2022 at 12:52 AM Rick van Rein <rick@openfortress.nl> wrote:

> Hello,
>
> > I'm not really following this. Users authenticate to domains with
> passwords
> > (at least sometimes) but I would expect inter-domain authentication to be
> > done with TLS mutual auth.
>
> Ah, yes.  TLS is transport protection, usually between the proxies of
> a domain.  It does not allow end-to-end authentication between the
> parties.  Also, any encryption or key derivation that might be based on
> the end-to-end assurance is lost for the end points.  (The proxy may be
> operated by an external party.)
>

The general assumption has been that any end-to-end authentication
will be done by digitally signing the SIP messages. Probably the most
plausible at the moment is to base it on STIR/Passport. It's not
clear to me why SASL would help here.

> Also, my sense is that authentication is not the primary barrier to
> > inter-domain calling.
>
> Of course there are more issues; IPv4/IPv6, MTU, and probably more.
>

I don't think the issues are primarily technical at all, but whether the
carriers
want to do this.


> More or less. It's hard to see the IETF doing successful work in this
> space
> > if providers aren't interested.
>
> This is reasonable, but it does yield a catch-22 situation.  Can you
> explain how this is commonly resolved?
>
> I can see how a very large vendor would simply push their ideas out,
> and not all technical ideas should be standardised.  OTOH, there is a
> need to have standards before adoption can occur.
>

What one usually sees is that there is some unofficial discussion between
interested parties to get a general sense of the solution space and build
up interest. That's what happened in (for instance) MLS, PPM, etc.
Sometimes the IETF will create a mailing list for that discussion, though
I've also seen it happen in other fora.

-Ekr