Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 02 August 2018 18:35 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07A65127AC2 for <sipcore@ietfa.amsl.com>; Thu, 2 Aug 2018 11:35:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MbIlz1GrdYEm for <sipcore@ietfa.amsl.com>; Thu, 2 Aug 2018 11:35:54 -0700 (PDT)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1872120049 for <sipcore@ietf.org>; Thu, 2 Aug 2018 11:35:54 -0700 (PDT)
Received: by mail-it0-x233.google.com with SMTP id d16-v6so3375559itj.0 for <sipcore@ietf.org>; Thu, 02 Aug 2018 11:35:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p7t7We/6osfTYM7fgdVqSd3iaiT6QQigTUUTAA4K+XI=; b=vAFGrAdJ5dgR7eo0ijfuCRJ/AwBMOeWm0amKZyzP7lSCh5nFX5u5Ol327ChP15Xnm/ ZYMNbBPm3SgDQBR15X1jAzVK/PxeKjxLF70/lNR7PNrq1v4sDLgHj1IP9hIPS+0rTvKK pb8uDzwtm4GqX5p7IWpj9Rwa0Dum0UnZP6CMbevpcWSekzLucGtc08vG022/Hlu2GqFh sHBYEHrHSI0pGzWV9Q7RsPTZe+a2c0lhIGe4opgpYgudqJckqWFdS6s9fL8U3RJjdC6F bvwwChaybwkX2viBbxlQQx9GkSaT+fPjkmEzSo6bU/4C6yHJ35pTdcRJnuFDSQG8LSBE nVww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p7t7We/6osfTYM7fgdVqSd3iaiT6QQigTUUTAA4K+XI=; b=lkjjdHUO/eHH9YbshRQde3ie6zi88+FCY0TBmAzGUj/oQvxljmgg/RR1kOzMBSP2s5 5yCrmQGh6MlM6LjQpJFxBTeQ9S0J80r7TuAiuzOEXN1L8urv4D56V/868CfchKBsWo/5 +SAF5btipcQ7E+n/iWIZDsctxCGGySyB1EVBjM9qWP8wV339G/6A0nuDlwKUPWHNT+GT JgqWkB5hhv75aMg0PY62pWEh6olzsHq/5srqt7zFqn7KVu0Yu6D/+w7jpUpNC1QfsnsW B6QiRkJ/UoRGYXyBjxea4Z7ZlUszbqzCHtF0h4jUrLiZ6ysdZjGfPxPW/Akn6oc+xKHM RsfA==
X-Gm-Message-State: AOUpUlGafixyvWedFn5Gj5/sHRUP/ThZA03ycRzPj8v+dRUUqskcpj4d 2gTTXpltD3lTvkrER0q3pLRFSLF4638o6S7qP3g=
X-Google-Smtp-Source: AAOMgpchfUt5RD3oL8q7uKN6Sh1VX0u91Yt7FL/A0WtgMM+8MZ2Z9tMLjVflXd7mYT0ct8pN2XQbbpkQfxWuKBU1Cjw=
X-Received: by 2002:a02:6c45:: with SMTP id w66-v6mr671176jab.87.1533234953840; Thu, 02 Aug 2018 11:35:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAF_j7yZPaG07LpEx+-aA6qDQQd00EfigNtd5TUxsXbPykPiPZA@mail.gmail.com> <CAGL6epK24wvDfvA5c+rpR7XeNbwYmCNAxFRvxZtMX=i9QOQRWw@mail.gmail.com> <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com> <CAGL6epKBpYCagJrOfzEhWqR1Bnpxb0M-qO1vcbSGqTxGtEz5jg@mail.gmail.com> <CAF_j7yaXzOhY-kpMsM_PvLUE1gGJqAg2tXkD7nihYC03datTqQ@mail.gmail.com>
In-Reply-To: <CAF_j7yaXzOhY-kpMsM_PvLUE1gGJqAg2tXkD7nihYC03datTqQ@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 02 Aug 2018 14:36:32 -0400
Message-ID: <CAGL6epLZHKsyB-2pU8KVbTekptz2UYfTtoyWuQuXCFOujBsS0A@mail.gmail.com>
To: Yehoshua Gev <yoshigev@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c7f04d057278144a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/2-t-5PxOncrxNWNMlJ57Lg4dVL0>
Subject: Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 18:35:57 -0000
Thanks Yehoshua, Please, see my reply inline... Regards, Rifaat On Wed, Aug 1, 2018 at 5:23 AM Yehoshua Gev <yoshigev@gmail.com> wrote: > Hi Rifaat, > > Another question about section 3. > RFC 3261 separates between "User-to-User Authentication" (section 2.2), > which uses the Authorization header, and "Proxy-to-User Authentication" > (section 2.3), which uses the Proxy-Authorization header. > As you wrote, the draft is mostly intended for Proxy-to-User, so maybe the > Proxy-Authorization header should be used. > Here is a quote from RFC3261: 21.4.2 <https://tools.ietf.org/html/rfc3261#section-21.4.2> 401 Unauthorized The request requires user authentication. This response is issued by UASs and registrars, while 407 (Proxy Authentication Required) is used by proxy servers. Since so far the draft was mainly talking about the registration part, I think the use of Authorization header is correct. > In any case, I think that the following security consideration should be > added: > For HTTP, the request is passed without intermediates, so as long as the > transport is secured (HTTPS) the access token is not exposed by the > protocol to other parties. > For SIP, proxies are used, so unless the token is authenticated by the > nearest proxy, there is no way to avoid exposure the token to the proxies > along the way. > Additionally, if the token is authenticated by a proxy, the proxy MUST > remove the Authorization header when forwarding the request, to avoid > exposure of the token. > The document is intentionally silent on this issue, because it is out of scope for this document. But I agree that the security section must be enhanced to clearly state that TLS must be used to protect the authz code and tokens. > > Regarding error conditions, I think that SIP should follow the behavior of > HTTP, and return 401 with WWW-Authenticate (or Proxy-Authenticate) header > as described in RFC 6750 section 3. > > Some additional nits: > - Section 4: s/authorization header/Authorization header field/ > - Section 4: Indicate that the syntax is given in ABNF (at least for me > it's useful, so I can search the document for "ABNF" and find the syntax > :-) ). > - Section 8.2: [RFC474bis] -> [RFC8224] > > Thanks, Rifaat > Regards, > Yehoshua > > > >
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Yehoshua Gev
- [sipcore] Comments on draft-ietf-sipcore-sip-auth… Yehoshua Gev
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Yehoshua Gev
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef