[AAA-WG]: issue with expected response calculation (fwd)
Bernard Aboba <aboba@internaut.com> Tue, 12 April 2005 13:10 UTC
Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 12 Apr 2005 13:11:10 +0000
Date: Tue, 12 Apr 2005 06:10:07 -0700
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: [AAA-WG]: issue with expected response calculation (fwd)
Message-ID: <Pine.LNX.4.56.0504120609550.22096@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
---------- Forwarded message ----------
Date: Tue, 12 Apr 2005 14:26:05 +0200
From: Jo Hermans <jo.hermans@gmail.com>
To: aaa-wg@merit.edu
Subject: [AAA-WG]: issue with expected response calculation

I have a problem with paragraph 8.5.6.1 in draft-ietf-aaa-diameter-sip-app-07, 3rd paragraph ("Please note that the expected response ...").

The draft mentions that the expected response calculation can't be done when the SIP UA has sent an expected response based on client nonces. It then mentions that this is the case when the qop-parameter is present in the client request.

That last part I don't understand. I thought that H(A1) is dependent on the algorithm, not qop. Qop has only influence on the A2 and digest, which are both calculated in the Diameter Client (SIP Server). See also <http://danforsberg.info:8080/draft-ietf-aaa-diameter-sip/issue40>

But even then I don't understand. I think that the Diameter Server does have the client-nonces available (they're in the SIP-Authorization AVP, and were used to calculate the request digest!), and is able to calculate a H(A1). Even if MD5-sess was used, it could still calculate H(A1). MD5-sess also has the added advantage that H(A1) could only be used once, which is also the reason why draft-sterman-aaa-sip-04.txt doesn't want to use MD5 unless the message is protected against eavesdropping.

I agree that if qop is missing and algorithm is MD5, client-nonces aren't used at all (backwards compatibility with RFC2069). H(A1) might be stored inside the Diameter Client (SIP server) when it's first received, and reused later on. Is it this that the draft is alluding to?

--
Jo Hermans
"Eagles may soar, but weasels aren't sucked into jet engines"
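The RFC 2617 digest computation that the forwarded message argues about, as an added example that is not part of the original thread or of either draft. It shows where the client nonce enters (H(A1) only with MD5-sess; the response string only when qop is present), that qop changes A2 but not H(A1), and that a plain-MD5 H(A1) is identical across challenges, which is the reuse concern the message raises. The RFC 2617 section 3.5 values are used as a known test vector; the "alice" credentials and nonces are constructed.

```python
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def h_a1(user, realm, password, algorithm="MD5", nonce=None, cnonce=None):
    # RFC 2617 3.2.2.2. Only MD5-sess folds the server nonce and the client
    # nonce into A1; plain MD5 yields the same H(A1) for every challenge.
    base = _md5(f"{user}:{realm}:{password}")
    if algorithm.upper() == "MD5":
        return base
    if algorithm.upper() == "MD5-SESS":
        if nonce is None or cnonce is None:
            raise ValueError("MD5-sess requires nonce and cnonce")
        return _md5(f"{base}:{nonce}:{cnonce}")
    raise ValueError(f"unsupported algorithm: {algorithm}")


def h_a2(method, uri, qop=None, body=b""):
    # RFC 2617 3.2.2.3. qop="auth-int" adds the entity-body hash; the
    # algorithm directive plays no role in A2 at all.
    if qop == "auth-int":
        return _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return _md5(f"{method}:{uri}")


def digest_response(ha1, ha2, nonce, qop=None, nc=None, cnonce=None):
    # RFC 2617 3.2.2.1. Without qop this is the RFC 2069 form, which never
    # sees the client nonce; with qop, nc and cnonce are hashed in.
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example():
    # Worked example from RFC 2617 section 3.5 (all values from the RFC).
    ha1 = h_a1("Mufasa", "testrealm@host.com", "Circle Of Life")
    ha2 = h_a2("GET", "/dir/index.html", qop="auth")
    return digest_response(ha1, ha2, "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           qop="auth", nc="00000001", cnonce="0a4f113b")


def nonce_dependence(algorithm):
    # Constructed credentials and nonces: does H(A1) change between challenges?
    a = h_a1("alice", "example.com", "pw", algorithm, "n1", "c1")
    b = h_a1("alice", "example.com", "pw", algorithm, "n2", "c2")
    return a != b


if __name__ == "__main__":
    print(rfc2617_example())  # 6629fae49393a05397450978507c4ef1
    print(nonce_dependence("MD5"), nonce_dependence("MD5-sess"))  # False True
```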