Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 26 April 2020 17:13 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: SIPCORE <sipcore@ietf.org>
Date: Sun, 26 Apr 2020 17:12:56 +0000
Message-ID: <262816DF-8F09-43B4-BC5F-4F0544CFDF80@ericsson.com>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com> <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com> <ddffc5ff-4f7d-072e-d807-6ab5a9adc807@alum.mit.edu> <CAGL6epJ+s7d7fNB8NiZQhicuxjvZbnjLnZN6OSMb9LsnXF3S3Q@mail.gmail.com>
In-Reply-To: <CAGL6epJ+s7d7fNB8NiZQhicuxjvZbnjLnZN6OSMb9LsnXF3S3Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/3b_A8uUaBdLi_pTOUay-UDWQC_4>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

FWIW, I can't remember ever having seen Proxy-Authenticate in a real deployment, and I have definitely never seen a chain of proxies authenticating the UAC.

In my experience, the authentication is done by the home registrar, and it is done before a request has been forked.

In any case, RFC 3261 allows for other scenarios, so thanks to Paul for explaining :)

Regards,

Christer

From: sipcore <sipcore-bounces@ietf.org> on behalf of Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Sunday, 26 April 2020 at 18.59
To: "pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Paul,

What you described is the theory; have you seen this deployed in practice?

Regards,
 Rifaat


On Sun, Apr 26, 2020 at 10:28 AM Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
On 4/25/20 7:27 PM, Christer Holmberg wrote:
> Hi Benjamin,
>
>>> Section 2.3 states that:
>>>
>>>     When a proxy wishes to authenticate a received request, it MUST
>>>     search the request for Proxy-Authorization header fields with 'realm'
>>>     parameters that match its realm.  It then MUST successfully validate
>>>
>>> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that it is not
>>> expected to have a sequence or list of Proxy-Authorization header fields
>>> present in a single request that are intended to be interpreted by different
>> proxies.  Is this text compatible with that part of RFC 7235?
>
> RFC 3261 allows multiple Proxy-Authorization header fields.

* Here is a situation when they come into play:

UAC ----- P1 ------- P2 ------- UAS

On the first request from UAC toward UAS, P1 challenges with a
Proxy-Authenticate containing realm P1.

UAC retries, including Proxy-Authorization for realm P1. P1 is happy and
passes the request along. P2 challenges with realm P2.

UAC retries again. It adds Proxy-Authorization for realm P2, but also
including the credentials for P1. P1 is happy and passes the request
along. P2 is also happy and passes the request along to UAS.

Note that UAC must *remember* to include the P1 credentials in the
second retry because there is no Proxy-Authenticate for P1 in the 407
from P2. Similarly, in future messages toward UAS the UAC should
remember to include credentials for P1 and P2.

* A more complex case is:

UAC ----- P1 -|------ P2 ------ UAS-A
              |
              |------ P3 ------ UAS-B

On the first request from UAC toward UAS, P1 challenges with a
Proxy-Authenticate containing realm P1.

UAC retries, including Proxy-Authorization for realm P1. P1 is happy.
If it does parallel forking then it passes the request along to both P2
and P3.

P2 challenges by returning a Proxy-Authenticate for realm P2.

P1 buffers that response while awaiting a response from P3.

P3 challenges by returning a Proxy-Authenticate for realm P3.

P1 passes a response back to UAC with Proxy-Authenticates for realms P2
and P3.

UAC retries again. It adds Proxy-Authorization for realms P2 and P3, but
also including the credentials for P1. P1 is happy and passes the
request along to both P2 and P3.

P2 finds its Proxy-Authorization and happily passes the request along to
UAS-A.

P3 finds its Proxy-Authorization and happily passes the request along to
UAS-B.

        Thanks,
        Paul
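The two exchanges Paul walks through above, as an added example that is not part of the thread or of the draft: a small Python model of a UAC, proxies with distinct realms, and UASs. Each proxy examines only the Proxy-Authorization header fields whose realm parameter matches its own and leaves the others for the proxies downstream; a forking proxy whose branches all return 407 hands the UAC one response carrying every downstream Proxy-Authenticate, and the UAC keeps every realm that has ever challenged it so that later requests carry all credentials up front. Realm names, user, password and nonces are constructed; the credential check is the basic (no qop) Digest response of RFC 3261 / RFC 2617 so that a wrong password really is rejected, and nonces are static here only so the model stays short.

```python
"""Added example (not from the thread): toy model of RFC 3261 proxy
authentication along a proxy chain and across a parallel fork.
All names, realms, nonces and credentials below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Basic Digest (no qop): MD5(HA1:nonce:HA2), HA1=MD5(user:realm:pw), HA2=MD5(method:uri)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


@dataclass
class Request:
    method: str
    uri: str
    # one dict per Proxy-Authorization header field, each with its own 'realm'
    proxy_authorization: list = field(default_factory=list)


@dataclass
class Response:
    status: int
    # one dict per Proxy-Authenticate header field carried in a 407
    proxy_authenticate: list = field(default_factory=list)


class UAS:
    """Endpoint that accepts whatever reaches it."""
    def handle(self, req: Request) -> Response:
        return Response(200)


class Proxy:
    def __init__(self, realm, users, nonce, next_hops):
        self.realm, self.users, self.nonce, self.next_hops = realm, users, nonce, next_hops

    def _authorized(self, req: Request) -> bool:
        # Only fields whose realm matches ours are examined; credentials for
        # other realms pass through untouched for the proxies they were meant for.
        for pa in req.proxy_authorization:
            if pa["realm"] != self.realm:
                continue
            pw = self.users.get(pa["username"])
            if pw is None:
                continue
            expected = digest_response(pa["username"], self.realm, pw, req.method, pa["uri"], pa["nonce"])
            if hmac.compare_digest(expected, pa["response"]):
                return True
        return False

    def handle(self, req: Request) -> Response:
        if not self._authorized(req):
            return Response(407, [{"realm": self.realm, "nonce": self.nonce}])
        # Forward to every next hop (a parallel fork when there is more than one).
        responses = [hop.handle(req) for hop in self.next_hops]
        for r in responses:
            if r.status == 200:
                return r
        # All branches failed: buffer the 407s and return one response that carries
        # every downstream challenge, so the UAC can answer all of them at once.
        merged = Response(407)
        for r in responses:
            if r.status == 407:
                merged.proxy_authenticate.extend(r.proxy_authenticate)
        return merged


class UAC:
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.challenges = {}  # realm -> nonce, remembered across retries and later requests

    def send(self, first_hop, method, uri, max_attempts=5):
        """Returns (final status, transcript); transcript holds (realms sent, status) per attempt."""
        transcript = []
        for _ in range(max_attempts):
            creds = [{"realm": r, "username": self.user, "nonce": n, "uri": uri,
                      "response": digest_response(self.user, r, self.password, method, uri, n)}
                     for r, n in sorted(self.challenges.items())]
            resp = first_hop.handle(Request(method, uri, creds))
            transcript.append((tuple(sorted(self.challenges)), resp.status))
            if resp.status != 407:
                return resp.status, transcript
            for ch in resp.proxy_authenticate:  # remember every realm that challenged us
                self.challenges[ch["realm"]] = ch["nonce"]
        return 407, transcript


USERS = {"alice": "s3cret"}  # constructed account known to all proxies
URI = "sip:bob@example.com"


def serial_chain(password="s3cret"):
    """UAC -- P1 -- P2 -- UAS: P1 challenges first, then P2 (Paul's first case)."""
    p1 = Proxy("P1", USERS, "n1", [Proxy("P2", USERS, "n2", [UAS()])])
    return UAC("alice", password).send(p1, "INVITE", URI)


def parallel_fork():
    """UAC -- P1 -< P2 -- UAS-A / P3 -- UAS-B: P1 aggregates both 407s (Paul's second case)."""
    p1 = Proxy("P1", USERS, "n1", [Proxy("P2", USERS, "n2", [UAS()]),
                                   Proxy("P3", USERS, "n3", [UAS()])])
    return UAC("alice", "s3cret").send(p1, "INVITE", URI)


def later_request_after_auth():
    """A later request from the same UAC carries the remembered P1 and P2 credentials up front."""
    p1 = Proxy("P1", USERS, "n1", [Proxy("P2", USERS, "n2", [UAS()])])
    uac = UAC("alice", "s3cret")
    uac.send(p1, "INVITE", URI)
    return uac.send(p1, "BYE", URI)


if __name__ == "__main__":
    for name, fn in (("serial", serial_chain), ("fork", parallel_fork), ("later", later_request_after_auth)):
        print(name, *fn())
```

Running the module prints one transcript per scenario: the chain and the fork each take three attempts (no credentials, P1 only, then all realms), a later request from the same UAC succeeds on its first attempt, and a wrong password is refused by P1 until the retry budget runs out.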

_______________________________________________
sipcore mailing list
sipcore@ietf.org
https://www.ietf.org/mailman/listinfo/sipcore