Re: [sipcore] SIP Digest - Open Issue
"Asveren, Tolga" <tasveren@sonusnet.com> Sat, 11 March 2017 19:33 UTC
Return-Path: <tasveren@sonusnet.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE9812957A for <sipcore@ietfa.amsl.com>; Sat, 11 Mar 2017 11:33:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.489
X-Spam-Level:
X-Spam-Status: No, score=-2.489 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=sonusnetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQXt_kAOKfSD for <sipcore@ietfa.amsl.com>; Sat, 11 Mar 2017 11:33:53 -0800 (PST)
Received: from us-smtp-delivery-126.mimecast.com (us-smtp-delivery-126.mimecast.com [216.205.24.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3819126FDC for <sipcore@ietf.org>; Sat, 11 Mar 2017 11:33:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SonusNetworks.onmicrosoft.com; s=selector1-sonusnet-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eAdgz7DDI8cCdY801aQ3k6U3RwuGFVmj2K1v/ckk62U=; b=W8DOCpJzBymM+yJMI4832ZEn5wytnnip3CXzQh1n0WbctALjmubn9fnLIJDhQNmvhDCWK3MKz9po/59HMdxMPeIS+HuPPrX0YTf3DmHjYS5EmQ/ShuYlfBC5jgq+NTcxla177vgOLZX4t1ljYcBwm+J4P+okMPjPPwWqT84OFOc=
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02lp0054.outbound.protection.outlook.com [207.46.163.54]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-5-fRKraN4CMEqn1ESG0vKpFA-1; Sat, 11 Mar 2017 14:33:48 -0500
Received: from CY1PR03MB2348.namprd03.prod.outlook.com (10.166.207.147) by CY1PR03MB2345.namprd03.prod.outlook.com (10.166.207.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.12; Sat, 11 Mar 2017 19:33:43 +0000
Received: from CY1PR03MB2348.namprd03.prod.outlook.com ([10.166.207.147]) by CY1PR03MB2348.namprd03.prod.outlook.com ([10.166.207.147]) with mapi id 15.01.0947.020; Sat, 11 Mar 2017 19:33:42 +0000
From: "Asveren, Tolga" <tasveren@sonusnet.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [sipcore] SIP Digest - Open Issue
Thread-Index: AQHSmabd59F0Rrqp00+e754nGHfo7aGOeoHA
Date: Sat, 11 Mar 2017 19:33:42 +0000
Message-ID: <CY1PR03MB234897E86244C5A1B3E243CAB2230@CY1PR03MB2348.namprd03.prod.outlook.com>
References: <CAGL6ep+U+ozQgx+QCPo9JNAXA91L+ZV56ooUsUsJcQ3tuL5Xdw@mail.gmail.com> <CO2PR03MB234275628ACD940D566E0103B2210@CO2PR03MB2342.namprd03.prod.outlook.com> <CAGL6epJUL8Zoi0XrxuNvRs8S18Hqw-YUPkRwH3A-p-W4YfPOOA@mail.gmail.com>
In-Reply-To: <CAGL6epJUL8Zoi0XrxuNvRs8S18Hqw-YUPkRwH3A-p-W4YfPOOA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [73.29.18.75]
x-ms-office365-filtering-correlation-id: 1af5f615-bcde-45c7-de61-08d468b58701
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR03MB2345;
x-microsoft-exchange-diagnostics: 1; CY1PR03MB2345; 7:kQaqg/XVyQAeDFJfWTAAh5pTJgrRKLC8C8xX8r7FGxZvqXQfJFm1iEUP3OqkKdTlzf163s4n5SUr4wBM2v+gHYGRS72UW3pGlJEyIqb2TQK00KDSBXt7/WyYxngwjUhRJhXvD/hHnNFu2M951WOrR2+UPsxZ0v88aCehIrw4VtKCdwLWEsnfy+7vJ5r7Xo4KKBkc3kYpO0J+Qvwpc5nThcebSKineajAGXQQ5F2eNlsyjialhhmHRw3Op6CcS7pYFaNnlonwfZWcdWFLlRxb3v6Uwgo5aw8b/3k1E+5QY5OBD0EYvuEaGhOnhTmJWuJvR9osCiHN2Aq6C+D6ZlDFoA==; 20:fCorVLQFScreXzOwDnqNMb3yi5+8WuCniuggA4NcZh16WImpCElo43vlDIk1K6vgbleBw1POPyWC52kpmv2aYuOuGWnnKaaQ14vXWGdgz99o05SP2K3wBlyIwDK3fl9pyyct9InHuQm6kRakqGwykRCdOxEiblaVoPfAOAX4ssc=
x-microsoft-antispam-prvs: <CY1PR03MB23458BEDDFE8109D0C177211B2230@CY1PR03MB2345.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123564025)(20161123558025)(20161123555025)(20161123560025)(20161123562025)(6072148); SRVR:CY1PR03MB2345; BCL:0; PCL:0; RULEID:; SRVR:CY1PR03MB2345;
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39450400003)(377454003)(24454002)(18543002)(3280700002)(105586002)(229853002)(3660700001)(2906002)(99286003)(6306002)(77096006)(55016002)(8676002)(6436002)(53546006)(122556002)(106116001)(54896002)(9686003)(86362001)(606005)(6916009)(68736007)(7696004)(2950100002)(6506006)(25786008)(81166006)(6246003)(38730400002)(53936002)(110136004)(8936002)(236005)(33656002)(39060400002)(4326008)(3846002)(6116002)(102836003)(5660300001)(7906003)(790700001)(7736002)(2900100001)(189998001)(54356999)(74316002)(76176999)(50986999)(66066001)(19609705001); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR03MB2345; H:CY1PR03MB2348.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: sonusnet.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2017 19:33:42.7116 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 29a671dc-ed7e-4a54-b1e5-8da1eb495dc3
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR03MB2345
X-MC-Unique: fRKraN4CMEqn1ESG0vKpFA-1
Content-Type: multipart/alternative; boundary="_000_CY1PR03MB234897E86244C5A1B3E243CAB2230CY1PR03MB2348namp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/3EufZ_YlCKxVFt4OUJ25q_B9D_M>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] SIP Digest - Open Issue
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 19:33:55 -0000
It seems an option-tag wouldn’t be needed if existing UACs follow relevant specifications to the letter:
- RFC2617 (I refer to this one rather than RFC7616 as the latter one is “too new” for most existing implementations) tells that a challenge with an unknown algorithm should be ignored.
algorithm
A string indicating a pair of algorithms used to produce the digest
and a checksum. If this is not present it is assumed to be "MD5".
If the algorithm is not understood, the challenge should be ignored
(and a different one used, if there is more than one).
No RFC2119 keywords here but still I would take it as a mandate. OTOH, I wouldn’t be surprised, if there are quite some implementations out there, which would have issues in practice:
- UAC ignoring all challenges if one of them -especially the topmost one- has an unknown algorithm
- UAC assuming MD5 without checking algorithm field and replying for all challenges as such
An option tag may benefit also new UACs which are replying to high volume of challenges, e.g. a core network element rather than a UE. If they are able to indicate support for SHA*, a new challenger would ask only for it. Otherwise UAC would be challenged with both MD5/SHA* and needs to reply for both. Can’t we allow UAC to reply only with SHA*? I wouldn’t think so, as there may be forking and one of the forked challengers may be using only MD5.
Overall, an option-tag is not a semantical MUST but would add real value in practice AFAICT.
On another note, I think ordering of Authentication header should not matter as “alg” has to be included if it is not MD5 (again per above quoted text). OTOH, I think it could be good to mandate/mention this explicitly in the draft.
And RFC3261 has the following:
When resubmitting its request in response to a 401 (Unauthorized) or
407 (Proxy Authentication Required) that contains multiple
challenges, a UAC MAY include an Authorization value for each WWW-
Authenticate value and a Proxy-Authorization value for each Proxy-
Authenticate value for which the UAC wishes to supply a credential.
As noted above, multiple credentials in a request SHOULD be
differentiated by the "realm" parameter.
Which probably need to be updated to say “request SHOULD be differentiated by the “realm”/”alg” parameter combination.
Thanks,
Tolga
From: Rifaat Shekh-Yusef [mailto:rifaat.ietf@gmail.com]
Sent: Friday, March 10, 2017 9:01 AM
To: Asveren, Tolga <tasveren@sonusnet.com>
Cc: sipcore@ietf.org
Subject: Re: [sipcore] SIP Digest - Open Issue
On Thu, Mar 9, 2017 at 2:42 PM, Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>> wrote:
i- I think it needs to be handled. It may have a cohort of anti-fans but forking is part of RFC3261 and should be covered for any scenario/new mechanism.
Ok.
ii- I am not sure whether “UAC responds with the ones it supports” is the right approach. New/updated implementations may follow that advice but what about existing UACs?
Existing UAC will use MD5 if present in the challenge. If MD5 is not present, it means that the server decided not to support MD5 and requires new clients that support SHA2.
I think there may be a need to define a new option-tag indicating support for SHA*. If that is not present, only MD5 should be used. And actually this comment is applicable for any scenario, not just for forking. For forking, aggregation should consider the option-tag.
I am not clear on why an option-tag is needed; can you please elaborate?
iii- UAC supporting SHA* and receiving challenges for both MD5/SHA* should reply for both of them.
It depends, if the challenge is coming from one server that supports both, then the UAC should prefer SHA2; otherwise, you are right, the UAC will have to provide both.
Authorization headers should be ordered based on the order of received WWW/Proxy-Authenticate header if challenges for both MD5/SHA* are received for the same realm. This would be needed if forking happens and one of the forked challengers support only MD5. Forking proxy should send only MD5 Authorization header to such an entity.
This is already covered by the existing text.
iv- In general, I don’t think there is a need to repeat “Updates to HTTP” etc…, which are already present in RFC3261.
There are few differences between what is in RFC3261 and what is in the draft. Also, this is provided for completeness to cover the Digest mechanism in one document.
Regards,
Rifaat
Thanks,
Tolga
From: sipcore [mailto:sipcore-bounces@ietf.org<mailto:sipcore-bounces@ietf.org>] On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, March 9, 2017 9:04 AM
To: sipcore@ietf.org<mailto:sipcore@ietf.org>
Subject: [sipcore] SIP Digest - Open Issue
Hi,
There is an open issue around the Digest draft and I would like to get some thoughts from the WG about it:
https://datatracker.ietf.org/doc/draft-yusef-sipcore-digest-scheme/
The issue is related to section 2.5 Forking:
Is this a real use case? if so, the current text calls for the proxy to aggregate the responses and for the UAC to respond to the the ones it support; is this a reasonable approach?
Appreciate any thoughts about this.
Regards,
Rifaat
- [sipcore] SIP Digest - Open Issue Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - Open Issue Asveren, Tolga
- Re: [sipcore] SIP Digest - Open Issue Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - Open Issue Asveren, Tolga