IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Paul Kyzivat <pkyzivat@alum.mit.edu> Sun, 26 April 2020 18:54 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 809D33A0DF2 for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 11:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.82
X-Spam-Level:
X-Spam-Status: No, score=-2.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5W4uCpp3FS4 for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 11:54:02 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2041.outbound.protection.outlook.com [40.107.236.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71D453A0DF1 for <sipcore@ietf.org>; Sun, 26 Apr 2020 11:54:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lZSzBFPcprFVOK/mkba+T/3xvt2yaxEGNMoAkcflvp84700AB/hBtpwArmlccCnzUcVwRDRZJ/1w58qs1aOLUe8zj/X4sDJ06O3iGyTStjfBck82vYWmHkk0TqnO0xfSKHO+FPHxIl9OfNfumGDDXCUH08ygWC9eglCgNtN3Z9pMrX/lnUKMHwg75a8QjOYcEa4KeHtVnfaxeZCeMdg86jcE6pMXh3NcBlDz3MGEQAxO72R/8k2Nz0ykwMLiLkEySq2Wqza/tFhtqYyXkgr5bXObHPaAiaCxv26EMrqFNh7Z/4uGDDtORm3DZRxgxXsS4gLu7Dci4PV4zlLLL3MNwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/ZM4DX5IoXeC4wib51lMDGx3zSM8mIc6QCgFPmiQOw=; b=EuJMUb+unb4HoY7i1vwNeWiDqiFIOkq79TBqIpul28zoFZn9fABdwVYykWvNLIDKAKrqPQ+MQsH5oEFNclbzAJgnSnlaxRxr1CuXtE0kXxsPZX0Qd0p37Lly+zK2OaKAvjqc5Jdpsorf8aIAMRtip0YaTL0cKjRCZnGCqIdMsf0JGrQP0J4Jdzpj+KXowCp8N4hYAI05faV+Ne/BSnV4peI4PC6eJz4T1CAmoHRU0KSRqcUiuItFG8gjg4KJwv7jUev19TgJau7r9lYBfZhqZ+B+K4sJpguK3ew5wO4hGZBr9QDHL1WhEOiMve82fmhyEz/FEFTg9IzPasuR8F4kKw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4/ZM4DX5IoXeC4wib51lMDGx3zSM8mIc6QCgFPmiQOw=; b=Qnvw1+19rWl6zPID2xTbd/6eH7kNrDUXAtXV9xhO0LR43MyEduJwOQRyVtP4+4gI65YHWfI0gXNSNKuJmjVRzhBkgIEgMkvjSAhjrJBBsjEgnbGlszDyKEZg1qUhmy60Y7q45rmacl1e9OtAH0x9vbRCcxCRjVuGRUCqL1QvSYs=
Received: from SN6PR04CA0107.namprd04.prod.outlook.com (2603:10b6:805:f2::48) by BYAPR12MB2966.namprd12.prod.outlook.com (2603:10b6:a03:df::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 18:54:00 +0000
Received: from SN1NAM02FT015.eop-nam02.prod.protection.outlook.com (2603:10b6:805:f2:cafe::b5) by SN6PR04CA0107.outlook.office365.com (2603:10b6:805:f2::48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Sun, 26 Apr 2020 18:53:59 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT015.mail.protection.outlook.com (10.152.72.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Sun, 26 Apr 2020 18:53:59 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 03QIru0C026433 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 26 Apr 2020 14:53:57 -0400
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com> <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com> <ddffc5ff-4f7d-072e-d807-6ab5a9adc807@alum.mit.edu> <CAGL6epJ+s7d7fNB8NiZQhicuxjvZbnjLnZN6OSMb9LsnXF3S3Q@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <46e9dd50-0ccf-cb06-1eca-8df245f214b4@alum.mit.edu>
Date: Sun, 26 Apr 2020 14:53:56 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CAGL6epJ+s7d7fNB8NiZQhicuxjvZbnjLnZN6OSMb9LsnXF3S3Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:outgoing-alum.mit.edu; PTR:outgoing-alum.mit.edu; CAT:NONE; SFTY:; SFS:(136003)(346002)(396003)(39860400002)(376002)(46966005)(8676002)(31696002)(246002)(8936002)(2616005)(4326008)(70586007)(70206006)(75432002)(47076004)(336012)(53546011)(186003)(956004)(31686004)(5660300002)(86362001)(82740400003)(356005)(6916009)(966005)(7596003)(82310400002)(2906002)(26005)(36906005)(478600001)(786003)(316002); DIR:OUT; SFP:1101;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 42ee9382-4bd0-4f9f-b90d-08d7ea132df8
X-MS-TrafficTypeDiagnostic: BYAPR12MB2966:
X-Microsoft-Antispam-PRVS: <BYAPR12MB2966499D45B3D79235BF621DF9AE0@BYAPR12MB2966.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;
X-Forefront-PRVS: 03853D523D
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: YNBk+GL7fSV1RB3KOIkPRSbhn8NWQQ+X1GG5lPsAS7HbJnp6f88LsdhFQFBlDgFJ5q3AijViF9zYAAiL5NL4QITVIXIvDauiH1158nlpK2boHeOrbRkMN6voFPSfje40mWi97ot46XVLmZyFfj+VwJ5z+BHY1M6Ze+2ct3X3iyjRWKZMA/pOl9byFU4ASgPzQQa3lwfQuTUyrkrFCzMV+GsGNhYQvJGUEVKqpwyHQrSPQ/E8SaPC8XX0VoZtpRv28EACswEwN4WKUEG3YKCeOd9cRY+haTKXL6+pxizY4bXtH9fTSAppT9czYN2oSG5Y/hdda3g7i2qRM/dRKJXMKveu+oTbfqS2nzmtKGvUvrZoVCddB4BPwtHDDDIRCObQljWcfujL0ph9AvexMwJNIny+edlZu9Qfp1yBwC/chBNVi/L+LveAa52h4jcU7HJGTJ3OKItqGfBeWkCd8jvlGp6qlSC9/4sSjL7+hODWICvBNgq32FxIKw5LNZhSuc2oJ5bdQ5M8ZYJNPtC92hnqsdKcCIls9KUDxHfE1jUYDsL7MQO7lb3Ne7Dmu8RPAwwM//u21jQTJtuPzivnhdpA6g==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Apr 2020 18:53:59.0968 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 42ee9382-4bd0-4f9f-b90d-08d7ea132df8
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR12MB2966
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/0QjEjbBHM1dYgVAkWOGVwU0IXSE>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 18:54:06 -0000

On 4/26/20 11:58 AM, Rifaat Shekh-Yusef wrote:
> Paul,
> 
> What you described is the theory; have you seen this deployed in practice?

Its just theory. But the specs should cover all the theoretical cases.

	Thanks,
	Paul

> Regards,
>   Rifaat
> 
> 
> On Sun, Apr 26, 2020 at 10:28 AM Paul Kyzivat <pkyzivat@alum.mit.edu 
> <mailto:pkyzivat@alum.mit.edu>> wrote:
> 
>     On 4/25/20 7:27 PM, Christer Holmberg wrote:
>      > Hi Benjamin,
>      >
>      >>> Section 2.3 states that:
>      >>>
>      >>>     When a proxy wishes to authenticate a received request, it MUST
>      >>>     search the request for Proxy-Authorization header fields
>     with 'realm'
>      >>>     parameters that match its realm.  It then MUST successfully
>     validate
>      >>>
>      >>> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that
>     it is not
>      >>> expected to have a sequence or list of Proxy-Authorization
>     header fields
>      >>> present in a single request that are intended to be interpreted
>     by different
>      >> proxies.  Is this text compatible with that part of RFC 7235?
>      >
>      > RFC 3261 allows multiple Proxy-Authorization header fields.
> 
>     * Here is a situation when they come into play:
> 
>     UAC ----- P1 ------- P2 ------- UAS
> 
>     On the first request from UAC toward UAS, P1 challenges with a
>     Proxy-Authenticate containing realm P1.
> 
>     UAC retries, including Proxy-Authorization for realm P1. P1 is happy
>     and
>     passes the request along. P2 challenges with realm P2.
> 
>     UAC retries again. It adds Proxy-Authorization for realm P2, but also
>     including the credentials for P1. P1 is happy and passes the request
>     along. P2 is also happy and passes the request along to UAS.
> 
>     Note that UAC must *remember* to include the P1 credentials in the
>     second retry because there is no Proxy-Authenticate for P1 in the 407
>     from P2. Similarly, in future messages toward UAS the UAC should
>     remember to include credentials for P1 and P1.
> 
>     * A more complex case is:
> 
>     UAC ----- P1 -|------ P2 ------ UAS-A
>                     |
>                     |------ P3 ------ UAS-B
> 
>     On the first request from UAC toward UAS, P1 challenges with a
>     Proxy-Authenticate containing realm P1.
> 
>     UAC retries, including Proxy-Authorization for realm P1. P1 is happy.
>     If it does parallel forking then it passes the request along to both P2
>     and P3.
> 
>     P2 challenges by returning a Proxy-Authenticate for realm P2.
> 
>     P1 buffers that response while awaiting a response from P3.
> 
>     P3 challenges by returning a Proxy-Authenticate for realm P3.
> 
>     P2 passes a response back to UAC with Proxy-Authenticates for realms P2
>     and P3.
> 
>     UAC retries again. It adds Proxy-Authorization for realms P2 and P3,
>     but
>     also including the credentials for P1. P1 is happy and passes the
>     request along to both P2 and P3.
> 
>     P2 finds its Proxy-Authorization and happily passes the request
>     along to
>     UAS-A.
> 
>     P3 finds its Proxy-Authorization and happily passes the request
>     along to
>     UAS-B.
> 
>              Thanks,
>              Paul
> 
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>     https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email