Re: [aboba@internaut.com: Re: [SIP] draft-calhoun-sip-aaa-req]
Michael Thomas <mat@cisco.com> Wed, 03 January 2001 18:16 UTC
Received: from lists.bell-labs.com (share.research.bell-labs.com [204.178.16.58]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA00684 for <sip-archive@odin.ietf.org>; Wed, 3 Jan 2001 13:16:33 -0500 (EST)
Received: from share.research.bell-labs.com (localhost.localdomain [127.0.0.1]) by lists.bell-labs.com (Postfix) with ESMTP id DC74E4435A; Wed, 3 Jan 2001 12:15:07 -0500 (EST)
Delivered-To: sip@lists.bell-labs.com
Received: from cisco.com (jindo.cisco.com [171.69.11.73]) by lists.bell-labs.com (Postfix) with ESMTP id DEB9344336 for <sip@lists.bell-labs.com>; Wed, 3 Jan 2001 11:42:17 -0500 (EST)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53]) by cisco.com (8.8.8/2.5.1/Cisco List Logging/8.8.8) with ESMTP id JAA14620; Wed, 3 Jan 2001 09:42:04 -0800 (PST)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id JAA20424; Wed, 3 Jan 2001 09:42:04 -0800 (PST)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <14931.25708.455779.464579@thomasm-u1.cisco.com>
To: Pat Calhoun <Pat.Calhoun@eng.sun.com>
Cc: Michael Thomas <mat@cisco.com>, Stephen Thomas <stephen.thomas@transnexus.com>, SIP List <sip@lists.bell-labs.com>
Subject: Re: [aboba@internaut.com: Re: [SIP] draft-calhoun-sip-aaa-req]
In-Reply-To: <Roam.SIMC.2.0.6.978541203.29620.pcalhoun@nasnfs>
References: <14931.22933.824401.586453@thomasm-u1.cisco.com> <Roam.SIMC.2.0.6.978541203.29620.pcalhoun@nasnfs>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
X-Face: &, heK/V66p?[2!i|tVn, 9lN0TUvEv7:9FzXREj/AuzN4m<D]vnFJ>u!4x[/Z4t{V}~L]+Sk @RFNnJEg~WZ/(8<`5a), -7ukALWa^&?&D2R0CSG3kO5~#6JxLF\d, g">$%B!0w{W)qIhmwhye104zd bUcI'1!
Sender: sip-admin@lists.bell-labs.com
Errors-To: sip-admin@lists.bell-labs.com
X-BeenThere: sip@lists.bell-labs.com
X-Mailman-Version: 2.0beta6
Precedence: bulk
List-Help: <mailto:sip-request@lists.bell-labs.com?subject=help>
List-Post: <mailto:sip@lists.bell-labs.com>
List-Subscribe: <http://lists.bell-labs.com/mailman/listinfo/sip>, <mailto:sip-request@lists.bell-labs.com?subject=subscribe>
List-Id: IETF SIP Mailing List <sip.lists.bell-labs.com>
List-Unsubscribe: <http://lists.bell-labs.com/mailman/listinfo/sip>, <mailto:sip-request@lists.bell-labs.com?subject=unsubscribe>
List-Archive: http://lists.bell-labs.com/pipermail/sip/
Date: Wed, 03 Jan 2001 09:42:04 -0800
Content-Transfer-Encoding: 7bit
Pat Calhoun writes: > > What is in scope is whether there are any > > peculiar requirements for SIP and AAA, and > > indeed whether AAA protocols are the right > > means to the end of providing cross realm > > services at proxies and UA's. For proxies, > > about the only advantage I can see of using > > an outbound proxy in the visited network is > > that it may be topologically closer which may > > help the overall post dial delay. If it's > > having to make round trips to the home AAA, > > you've probably negated that advantage, and > > it's not clear that it's even much of an > > advantage in other than a small subset of > > calls. > > As I mentioned, the initial AAA infrastructure is ONLY contacted once per > session (or once per user, depending upon the service and authorization > information returned from the home, I suppose). Of course accounting messages > are still sent to the home, but these do not add latency since they are done > in parallel. > > > > > For UA's... I get the impression that there > > is some sort of moral dividing line in the > > AAA wg about CPE using AAA protocols. A SIP > > UA is a SIP UA though, and since any old > > UA may want to be able to authenticate and > > authorize a session, it looks like this is > > going to at the very least like duplication > > of capabilities that are needed for SIP UA's. > > Since we don't even have a very good model > > for those capabilities within SIP right now, > > it's not clear to me that further muddying > > the waters with AAA backhaul is going to be > > especially productive. In fact, it will > > probably make things much worse because of > > protocol combinatorics. > > Well, I am not sure that I really understand your comment here. In Mobile IP, > we were able to get AAA support with VERY minimal changes. The problem is that you're proposing to backhaul most (all?) of the SIP message back as an opaque blob. That sort of begs the question of why don't you just send it as a SIP message as Henning suggests; the AAA is, if nothing else, going to have quite a bit of proxy logic to determine whether it should authorize the request. Looks like duck, walks like duck... probably is duck. > In fact, the > following was done: 1. Allow the mobile to have an NAI as its identifier, as > opposed to a home address (something that is already supported in SIP, so no > change required). 2. Allow the mobile to share a secret with its AAAH, as > opposed to its Home Agent (something that is VERY easy to do, and probably > requires NO protocol changes in SIP). I assume that you're talking about draft-ietf-mobileip-aaa-key-01.txt? Assuming that I'm reading the draft correctly, I have to tell you that the entire idea makes me extremely queasy: shipping the user's long term key from the AAA to other entities of which have questionable and/or unknown security practices seems *extremely* dangerous. Kerberos, for this very reason, does not do this; instead a short term ephemeral secret is created for use between the client and server. That you even call the AAAH a "KDC" (to which I don't disagree) should give pause that the AAA should at least learn the lessons of "real" KDC's which consumes endless hours of lots of smart security folks. FYI, I'm in the process of writing a draft which has the functionality you're looking for but uses Kerberos mechanisms to create an ephemeral session key. Mike _______________________________________________ SIP mailing list SIP@lists.bell-labs.com http://lists.bell-labs.com/mailman/listinfo/sip
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Michael Thomas
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Michael Thomas
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henning G. Schulzrinne
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Gross, Gerhard
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… ferreiro_j
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henning G. Schulzrinne
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Michael Thomas
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henning G. Schulzrinne
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henning G. Schulzrinne
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Gross, Gerhard
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henry Sinnreich
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Matt Holdrege
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Christian Huitema
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Gross, Gerhard
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Matt Holdrege
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Tom Tang
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henry Sinnreich
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Stephen Thomas
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… David Frascone
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Michael Thomas
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Michael Thomas
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Henry Sinnreich
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Gross, Gerhard
- RE: [aboba@internaut.com: Re: [SIP] draft-calhoun… Christian Huitema
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun
- Re: [aboba@internaut.com: Re: [SIP] draft-calhoun… Pat Calhoun