Re: [MMUSIC] Gen-art last call review: draft-ietf-mmusic-rfc2326bis-34
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 04 September 2013 06:13 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A3B11E8174 for <mmusic@ietfa.amsl.com>; Tue, 3 Sep 2013 23:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.655
X-Spam-Level:
X-Spam-Status: No, score=-105.655 tagged_above=-999 required=5 tests=[AWL=0.594, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8Kvgmt2qTv5 for <mmusic@ietfa.amsl.com>; Tue, 3 Sep 2013 23:13:44 -0700 (PDT)
Received: from mailgw7.ericsson.se (mailgw7.ericsson.se [193.180.251.48]) by ietfa.amsl.com (Postfix) with ESMTP id 6756211E80C5 for <mmusic@ietf.org>; Tue, 3 Sep 2013 23:13:43 -0700 (PDT)
X-AuditID: c1b4fb30-b7f9a8e000005620-3b-5226cf95f747
Received: from ESESSHC021.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw7.ericsson.se (Symantec Mail Security) with SMTP id AC.C9.22048.59FC6225; Wed, 4 Sep 2013 08:13:41 +0200 (CEST)
Received: from [127.0.0.1] (153.88.183.19) by smtp.internal.ericsson.com (153.88.183.83) with Microsoft SMTP Server id 14.2.328.9; Wed, 4 Sep 2013 08:13:41 +0200
Message-ID: <5226CFCF.2030708@ericsson.com>
Date: Wed, 04 Sep 2013 08:14:39 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Robert Sparks <rjsparks@nostrum.com>
References: <51AFB3FF.7000009@nostrum.com> <51C047BC.1050207@ericsson.com> <51C06CDC.9050804@nostrum.com> <5224825F.6070306@ericsson.com> <52264BF9.9070006@nostrum.com>
In-Reply-To: <52264BF9.9070006@nostrum.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/mixed; boundary="------------050203060902050106050306"
X-Brightmail-Tracker: H4sIAAAAAAAAA02SaUgUcRjG+c+OM+OS9Hc9elMi8sIUy0Bzo8UKKiQQPDIi6FhxUXEV2fXo Qx88EI8iD1yPUTBsrV3TPPJMFNZjyxQyizXNMs9AyzOzPKLdmRH69ntfnneeZ+YZRiRZt3Ji YhOSFKoEudKFEpPl1/fu+WjeeoT5lr53lxbNlxBSzdNZUmqqTKfOi4I62c90kFb7hwhiO+fI ENENsSxKoYxNUahOBt4Rx6xNT9OJnUZ0d2sjOA1VlqA8ZM0A9oO0x6UCO8LIlwYqD4kZCe5D sJJTT/BDDYKlb9/NA8PYYG/oK1NbDkjsBppn/dwxhaUw/judsrADDofs9k2ObbAtDJbPkRa2 x55g0mppC4twGMx2ZxAWtsOXoczYxO0lWIdgvYnTW5utFj8Vkny4w9BWbRRuQ6B6cErQe0Na Ro5VAbJl/7Nj/5Px7Av91ZVWPB+FzNYKEc/+oOkZp/f37T8qhb0MBpZ2CZazPgjZQ8PmveVT NCLYHM2l+OElAlOVgeCHYgQFcyvcQOKfIpis/UXy925QWMcilvtkrrC30UWxXPTnCOazfHiN J5TpR8wahvOr73VlhUreNM4IMWxgqPgVxbMWwdoA8MajZm6pE1IYEBh2WmhWKPdD+wzizQYQ NLX68qInCMob+De19Dkx/47i07nD7OQDLvV+oSxXaAQ091RxenscDK0T3YIBX4rloYAXrKFm sYJ+hPxqER0vj1VGpwY0I/N/a2jZ8e1AzVOOvciZIV0O2bw4MRwqwdHyJEWcQpGoUN1WJSsV 6l5EMNZOaejIBdOYMnU1q9BrKIPWX1teLpk9ExcwQ8uqTk8uOBB13fePh4/SY/kfr9hlP/T4 emlb3j+jj0zyxO5FE/3OSRE33eLjglLqHA1ZyVs6yUWn0F1NW1cvMZA5ikuizsmO5U96RAaW 52ZdXdSZOioybq3/1ddHvfbcNW6f9detHkAupDpGfspLpFLL/wH2NBvhhQMAAA==
Cc: Martin Stiemerling <mls.ietf@gmail.com>, "mmusic (E-mail)" <mmusic@ietf.org>
Subject: Re: [MMUSIC] Gen-art last call review: draft-ietf-mmusic-rfc2326bis-34
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2013 06:13:49 -0000
On 2013-09-03 22:52, Robert Sparks wrote: > On 9/2/13 7:19 AM, Magnus Westerlund wrote: >> Robert and WG, >> >> Please see inline in this messages further comments or response on how >> we have dealt with listed issues. >> >> With this email we believe we have answered the outstanding issues and >> draft response and new text for all the issues. Therefore we will submit >> a new draft version so that you can review the changes in context. > Hi Magnus - > > This all looks good - I look forward to the new revision. It is available now. > > One question from what you sent though: >> >> When it comes to DIGEST, are you referring to section 22.4 in RFC 3261? >>> Yes >>>> That section indicates that some clarifications are likely needed. >> Okay, this was a big rathole. Actually found that we where missing two >> headers in addition to that some recommendations are needed. Posting a >> separate review message on this one. > I skimmed for that message, and didn't find it quickly - what subject > should I search for? > Subject: RTSP 2.0: Client Authentication I also attached it for your convenience. -- Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
--- Begin Message ---WG, As part of Robert's comments is this minor comment: > >> As written, a client and server can use HTTP Basic authentication over >> TCP that is not protected with TLS. Consider restricting it's use to TLS >> only. Are you sure you don't need to say anything RTSP specific about >> DIGEST computations (I don't think you need to go as far as SIP did >> talking about DIGEST, but I'm surprised you haven't run into issues >> relying only on 2617 literally. > Are you referring to Section 19.1 here? Yes > > Yes, I would not have any issue with requiring Basic to be combined with > TLS. I think that is appropriate. > > When it comes to DIGEST, are you referring to section 22.4 in RFC 3261? Yes > > That section indicates that some clarifications are likely needed. This actually resulted in finding a bit more shortcomings around the client authentication. The high level summary of what my proposal for fixing this is: - Mandate TLS for basic authentication. - Added the missing Authentication-Info and Proxy-Authentication-Info - Corrected ABNF that was missing basic - Written an equivalent of the RFC 2617 clarification section of RFC 3261. - Tried to press on the hop-by-hop nature of proxy-authorization - Put up a warning flag for server to client requests lack authentication. This massive amount obviously needs review. The resulting relevant text sections are: 18 Header tables: +------------------+-------+-----+----+-----+-----+-----+-----+-----+ | Header | Where | Pro | DE | OPT | STP | PLY | PSE | TRD | | | | xy | S | | | | | | +------------------+-------+-----+----+-----+-----+-----+-----+-----+ | Authentication-I | r | | o | o | o | o | o | o/- | | nfo | | | | | | | | | | Authorization | R | | o | o | o | o | o | o | | Proxy- | 407 | amr | m | m | m | m | m | m | | Authenticate | | | | | | | | | | | | | | | | | | | | Proxy-Authentica | r | amd | o | o | o | o | o | o/- | | tion-Info | | r | | | | | | | | | | | | | | | | | | Proxy- | R | rd | o | o | o | o | o | o | | Authorization | | | | | | | | | | | | | | | | | | | | WWW- | 401 | | m | m | m | m | m | m | | Authenticate | | | | | | | | | +------------------+---------+-----+----+----+----+-----+-----+-----+ +-------------------------+---------+-------+-----+-----+-----+-----+ | Header | Where | Proxy | GPR | SPR | RDR | PNY | +-------------------------+---------+-------+-----+-----+-----+-----+ | Authentication-Info | r | | o/- | o/- | - | - | | | | | | | | | | Authorization | R | | o | o | o | - | | | | | | | | | | Proxy-Authenticate | 407 | amdr | m | m | m | - | | | | | | | | | | Proxy-Authentication-In | r | amdr | o/- | o/- | - | - | | fo | | | | | | | | | | | | | | | | Proxy-Authorization | R | amdr | o | o | o | - | +------------------+---------+-------+-----+-----+-----+-----+ | Header | Where | Proxy | GPR | SPR | RDR | PNY | +------------------+---------+-------+-----+-----+-----+-----+ | | | | | | | | | WWW-Authenticate | 401 | | m | m | m | - | +------------------+---------+-------+-----+-----+-----+-----+ 18.7. Authentication-Info The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response message. This usage of this header is specified in [RFC2617] with some RTSP clarification in Section 19.1. This header MUST only be used in response messages related to client to server requests. 18.8. Authorization An RTSP client that wishes to authenticate itself with a server using authentication mechanism from HTTP [RFC2617] , usually, but not necessarily, after receiving a 401 response, does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. This header MUST only be used in client to server requests. If a request is authenticated and a realm specified, the same credentials SHOULD be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, such as credentials that vary according to a challenge value or using synchronized clocks). When a shared cache (see Section 16) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds: 1. If the response includes the "max-age" cache-control directive, the cache MAY use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. (This is the defined behavior for max-age.) If the response includes "max-age=0", the proxy MUST always revalidate it before re-using it. 2. If the response includes the "must-revalidate" cache-control directive, the cache MAY use that response in replying to a subsequent request. But if the response is stale, all caches MUST first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate the new request. 3. If the response includes the "public" cache-control directive, it MAY be returned in reply to any subsequent request. 18.34. Proxy-Authenticate The Proxy-Authenticate response-header field MUST be included as part of a 407 (Proxy Authentication Required) response. The field value consists of a challenge that indicates the authentication scheme and parameters applicable to the proxy for this Request-URI. The HTTP access authentication process is described in [RFC2617]. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and SHOULD NOT be passed on to downstream agents. This header MUST only be used in response messages related to client to server requests. 18.35. Proxy-Authentication-Info The Proxy-Authentication-Info header is used by the proxy to communicate some information regarding the successful authentication to the proxy in the message response. The content and usage of this header is described in the HTTP access authentication [RFC2617] that is also used by RTSP and clarified in Section 19.1. This header MUST only be used in response messages related to client to server requests. This header has hop by hop scope. 18.36. Proxy-Authorization The Proxy-Authorization request-header field allows the client to identify itself (or its user) to a proxy which requires authentication. The Proxy-Authorization field value consists of credentials containing the authentication information of the user agent for the proxy and/or realm of the resource being requested. The HTTP access authentication process is described in [RFC2617]. Unlike Authorization, the Proxy-Authorization header field applies only to the next hop proxy. This header MUST only be used in client to server requests. 18.58. WWW-Authenticate The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI. This header MUST only be used in response messages related to client to server requests. The HTTP access authentication process is described in [RFC2617] with some clarification in Section 19.1. User agents are advised to take special care in parsing the WWW- Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters. 19.1. RTSP and HTTP Authentication RTSP and HTTP share common authentication schemes, and thus follow the same usage guidelines as specified in [RFC2617] with the additions for digest specified below in Section 19.1.1. Servers SHOULD implement both basic and digest [RFC2617] authentication. Clients MUST implement both basic and digest authentication [RFC2617] so that a server that requires the client to authenticate can trust that the capability is present. It should be stressed that using the HTTP authentication alone does not provide full control message security. Therefore, in environments requiring tighter security for the control messages, TLS SHOULD be used, see Section 19.2. Any RTSP message containing an Authorization header containg a basic authorization MUST be using a TLS connection with confidentiality protection enabled, i.e. no NULL encryption. In cases where there is a chain of proxies between the client and the server, each proxy may individually request the client or previous proxy to authenticate itself. This is done using the Proxy- Authenticate (Section 18.34), the Proxy-Authorization (Section 18.36) and the Proxy-Authentication-Info (Section 18.35) headers. These headers are hop-by-hop headers and have only scope for the current connection. Thus if a chain exist, the proxy connecting to another proxy will have to act as a client to authorize itself towards the next proxy. The WWW-Authenticate (Section 18.58), Authorization (Section 18.8) and Authentication-Info (Section 18.7) headers are end-to-end and must not be modified by proxies. This authentication mechanism works only for client to server requests as currently defined. This leaves server to client request outside of the context of TLS based communication more vulnerable to message injection attacks on the client. Based on the server to client methods that exist, the potential risks are various; hijacking (REDIRECT), denial of service (TEARDOWN and PLAY_NOTIFY) or attacks with uncertain results (SET_PARAMETER). 19.1.1. Digest Authentication This section describes the modifications and clarifications required to apply the HTTP Digest authentication scheme to RTSP. The RTSP scheme usage is almost completely identical to that for HTTP [RFC2617]. These are based on the procedures defined for SIP 2.0 [RFC3261]. The rules for Digest authentication follow those defined in [RFC2617], with "HTTP/1.1" replaced by "RTSP/2.0" in addition to the following differences: 1. Use the ABNF specified in this document, rather than the one in [RFC2617]. That way the following is assured: * Using the right RTSP URIs allowed in the challenge as well as in the digest. * Resolved the error in the "uri" parameter of the Authorization header in [RFC2617]. 2. If MTags are used then the example procedure for choosing a nonce based on Etag can work based on replacing ETag with the MTag. 3. As a clarification to the calculation of the A2 value for message integrity assurance in the Digest authentication scheme, implementers should assume, when the entity-body is empty (that is, when the RTSP messages have no message body) that the hash of the message-body resolves to the MD5 hash of an empty string, or: H(entity-body) = MD5("") = "d41d8cd98f00b204e9800998ecf8427e". 4. RFC 2617 notes that a cnonce value MUST NOT be sent in an Authorization (and by extension Proxy-Authorization) header field if no qop directive has been sent. Therefore, any algorithms that have a dependency on the cnonce (including "MD5-Sess") require that the qop directive be sent. Use of the "qop" parameter is optional in RFC 2617 for the purposes of backwards compatibility with RFC 2069; since this specification defines RTSP 2.0 there is no backwards compatibilit issue with mandating. Thus, all RTSP agents MUST implement qop-options. Authentication-Info = "Authentication-Info" HCOLON auth-info auth-info = auth-info-entry *(COMMA auth-info-entry) auth-info-entry = nextnonce / message-qop / response-auth / cnonce / nonce-count nextnonce = "nextnonce" "=" nonce-value response-auth = "rspauth" "=" response-digest response-digest = DQ *LHEX DQ Authorization = "Authorization" HCOLON credentials credentials = basic-credential / digest-credential / other-response basic-credential = "Basic" LWS basic-credentials basic-credentials = base64 ; Base64 encoding of user-password user-password = basic-username ":" password basic-username = *CF-TEXT CF-TEXT = %x20-39 / %x3B-7E / %x80-FF ; TEXT without : password = *TEXT digest-credential = ("Digest" LWS digest-response) digest-response = dig-resp *(COMMA dig-resp) dig-resp = username / realm / nonce / digest-uri / dresponse / algorithm / cnonce / opaque / message-qop / nonce-count / auth-param username = "username" EQUAL username-value username-value = quoted-string digest-uri = "uri" EQUAL LDQUOT digest-uri-value RDQUOT digest-uri-value = RTSP-REQ-URI message-qop = "qop" EQUAL qop-value cnonce = "cnonce" EQUAL cnonce-value cnonce-value = nonce-value nonce-count = "nc" EQUAL nc-value nc-value = 8LHEX dresponse = "response" EQUAL request-digest request-digest = LDQUOT 32LHEX RDQUOT auth-param = auth-param-name EQUAL ( token / quoted-string ) auth-param-name = token other-response = auth-scheme LWS auth-param *(COMMA auth-param) auth-scheme = token Proxy-Authenticate = "Proxy-Authenticate" HCOLON challenge-list challenge-list = challenge *(COMMA challenge) challenge = ("Digest" LWS digest-cln *(COMMA digest-cln)) / ("Basic" LWS realm) / other-challenge other-challenge = auth-scheme LWS auth-param *(COMMA auth-param) digest-cln = realm / domain / nonce / opaque / stale / algorithm / qop-options / auth-param realm = "realm" EQUAL realm-value realm-value = quoted-string domain = "domain" EQUAL LDQUOT RTSP-REQ-Ref *(1*SP RTSP-REQ-Ref ) RDQUOT nonce = "nonce" EQUAL nonce-value nonce-value = quoted-string opaque = "opaque" EQUAL quoted-string stale = "stale" EQUAL ( "true" / "false" ) algorithm = "algorithm" EQUAL ("MD5" / "MD5-sess" / token) qop-options = "qop" EQUAL LDQUOT qop-value *("," qop-value) RDQUOT qop-value = "auth" / "auth-int" / token Proxy-Auth-Info = "Proxy-Authentication-Info" HCOLON auth-info Proxy-Authorization = "Proxy-Authorization" HCOLON credentials WWW-Authenticate = "WWW-Authenticate" HCOLON challenge-list -- Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ---------------------------------------------------------------------- _______________________________________________ mmusic mailing list mmusic@ietf.org https://www.ietf.org/mailman/listinfo/mmusic--- End Message ---
- [MMUSIC] Gen-art last call review: draft-ietf-mmu… Robert Sparks
- Re: [MMUSIC] Gen-art last call review: draft-ietf… Magnus Westerlund
- Re: [MMUSIC] Gen-art last call review: draft-ietf… Robert Sparks
- Re: [MMUSIC] Gen-art last call review: draft-ietf… Magnus Westerlund
- Re: [MMUSIC] Gen-art last call review: draft-ietf… Robert Sparks
- Re: [MMUSIC] Gen-art last call review: draft-ietf… Magnus Westerlund