IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 09 July 2019 07:18 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93AC8120326 for <sipcore@ietfa.amsl.com>; Tue, 9 Jul 2019 00:18:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZMmF4Yn2Yyp for <sipcore@ietfa.amsl.com>; Tue, 9 Jul 2019 00:18:23 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130057.outbound.protection.outlook.com [40.107.13.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 299031203A8 for <sipcore@ietf.org>; Tue, 9 Jul 2019 00:18:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EtFATVPdCU5F0Xnr7FO8VdY2Us66IWXT8IAVSJgWhnUSzs6sGlKqyVJalgv2Yt8CED8z8wFCWVYpPYhLVp8dxG6j1eUGQVS6T+ukfU1Bb2DOqT1DmLN88u6NAzAQ43rDb5KNgPjtVLkl4vcAqs44G4uoBIguBAH7XUr+bhSlQ31ecR4iqzfDUJzlcRjwIu1O+usanAsh5/PB9pYpPD1QsmmBfCgmcI2FA/UwL5Vo2t+ZdDTplBiA0tM8QzTusJzX1M5/WBjH45qomzcg/hUYxmy6D6/NTjo+3PRBSTAtpn5aqDVe7HDxRVz92Z2ppMaGtAyuMAYxs0mj1uZbMRXkYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MvdZ3j+o5foaWGQxpIy3Sz+3RhTlRfPYc4MeCKh9AUs=; b=EyzviIUBzYkepz97eVMaieNT15bpj//OrgZom33ksF1CVfDuHTGHonf938ryHqXbV+Ub8uG+BIysndkFcoo9qU/AtkhwiTR/eK5EIqoIly7W9ayYwT3njh3LiQDJTTX15QjZWqmghHFbdQ0eSCaIT5AG+dnmWbZvxFNbv+YtvYCCn4n6ObBPLtS61BDkhM1qsKJIgpbF5oL8zcIImSSkLzYnp4AVpTMu2tiFhtmHWIKyppgyfLMsqUP7QjW4i19tCsrTGJCVekzwsM52DLI/qGUYZdWGQib/htVf+aWfwEgI4FZ9f7g6IPIHbe1i3CNKcVV84ztGzg+92Yg/UNZbJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MvdZ3j+o5foaWGQxpIy3Sz+3RhTlRfPYc4MeCKh9AUs=; b=ErIfQI5o3Sw4Y2kj6JH8/jwB/B36SaHrHvAOhPhkR2f+d2C3wSuLoZzvf6ftCnmHOX50mLMi4sx4GK6qGn1jXiTM0S2f1dhBVf/qC4pFrUWFRqrLaidVqUR0i/l7+7kDtI/13BR036oad26yb2Ti95inqf5ZgEZRSm9+UjkAkac=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB4332.eurprd07.prod.outlook.com (20.176.167.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.6; Tue, 9 Jul 2019 07:18:19 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Tue, 9 Jul 2019 07:18:19 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgA=
Date: Tue, 09 Jul 2019 07:18:18 +0000
Message-ID: <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu>
In-Reply-To: <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [62.113.190.248]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ad84d33b-0459-4403-81ea-08d7043d9e3e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB4332;
x-ms-traffictypediagnostic: HE1PR07MB4332:
x-microsoft-antispam-prvs: <HE1PR07MB4332B6D7F5E98CBB6087726D93F10@HE1PR07MB4332.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0093C80C01
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(376002)(366004)(346002)(136003)(396003)(43544003)(51444003)(199004)(189003)(102836004)(305945005)(6246003)(55016002)(76176011)(14444005)(256004)(52536014)(66946007)(66476007)(66556008)(66446008)(64756008)(76116006)(73956011)(86362001)(68736007)(478600001)(7696005)(486006)(9686003)(229853002)(2171002)(110136005)(33656002)(316002)(44832011)(74316002)(3846002)(8936002)(66066001)(6506007)(6116002)(14454004)(8676002)(81156014)(81166006)(99286004)(11346002)(26005)(446003)(71200400001)(71190400001)(186003)(25786009)(2501003)(7736002)(5660300002)(53936002)(2906002)(6436002)(476003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4332; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 0Sg6DgcOGjuwq/YMvsYtLL6gx0VwyM3lFL4Nme4N0hFZFFp3u64kao5knjJ8juSQ8mD6TjGe3eIB82+aBMSKQ7HzMM6A1XMG6YMzbY5NcRN7JxAu1Zlb9/CFdmLUfs6CBOvf1gGHr9OMyyWkCoov0XKlAZ2Q7kBa1BHib0L62woP2688l0xuPUulAzCGPV4v9veeG+cE4OmC8Y5+xXXzBZAcKCXlUZd2d1F4Ner4k+P569Y0NvueVO1yctAB3X/PGtrSLMQMuPOR0CK5omx/3Q/W28Y3ent8a/2Hvit5OelCY+iIg/pjwVuumEWJkpyEJH0dV5cpm9Mz3giQGejEwKCJr6g3Fg6TfvULJ2/IFVswrkIqhTs0mXvTzKtE2uc9xL8Bj6LmyrlgDn/Qb2vI5XOD6iqGRkO4JioW90tD0rM=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ad84d33b-0459-4403-81ea-08d7043d9e3e
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2019 07:18:18.9328 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4332
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/MFISE7f_knaFA8Heqgvu29vIrE0>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 07:18:27 -0000

Hi,

>>> * Regarding WWW-Authenticate:
>>>
>>> I believe it will how be possible for a server to support both Digest 
>>> and Bearer. I think this means that the client can use either depending on what sort of credentials it or its user happen to know.
>>>
>>> I think it would be good to mention this. I guess in principle the 
>>> client could return credentials for both. In that case, I don't know whether both must be valid or if it is sufficient for one to be valid.
>>> Perhaps we need to discuss that. (Presumably only credentials for 
>>> a/the realm that the server supports are to be considered, with those 
>>> for other realms being ignored.)
>> 
>> I think that is outside the scope of the draft. There could be multiple variants of multiple challenges.
>> 
>> And, RFC 3261 already talks generally about multiple challenges. I do think some of the 3261 text could be improved and clarified, but that should be done as a separate task.
>
> While I agree in principle that this is in some sense independent of the individual schemes, Bearer is what pushes this from one to two, which 
> is when the issue appears. So IMO it makes sense to say something about it here. Saying that it *ought* to be in 3261 is fine, but in practice that is 
> simply saying that it isn't going to be considered at all.

I am saying that the procedures should be in one place, and that's RFC 3261. 

And, as 3261 already talks about multiple challenges/credentials, I don't think Bearer is pushing this.

Having said that, we can for sure reference the 3261 procedures in the draft, but I don't think the draft is the place where to describe SIP usage of multiple challenges/credentials.

>>> * Regarding non-registration requests (and maybe registration requests too):
>>>
>>>     The UA MUST NOT insert a token in a non-REGISTER request, unless the
>>>     non-REGISTER request has been challenged, or the peer is considered a
>>>     trusted entity.
>>>
>>> What is a trusted entity?
>> 
>> I asked that to be added, but it can be removed.
>> 
>>> In any case I think this is too strong. Once a request has been challenged the client knows this target wants the credentials.
>>> We certainly don't want to force every subsequent request to the same 
>>> target to take two round trips, one without credentials and then one 
>>> with. So the client needs to associate these credentials with this 
>>> target, for awhile. But that begs the question of how long to retain this association. In the case of Digest, a nonce eventually 
>>> expires and the old credentials fail and get forgotten and replaced by new ones. I guess the life cycle will be somewhat different for Bearer.
>>> This needs some thought and discussion.
>> 
>>  From a generic perspective I think 3261 should describe how credentials are provided in subsequent requests.
>
> See my comment above on what ought to go in 3261.
>
>> As far as tokens are concerned, I am not sure it's within the scope of this draft to define the lifetime of token credentials, as they are not SIP specific.
>
> I'm not too much concerned with the *lifetime* of the token, since that will pretty much take care of itself. (When it exceeds its lifetime it will stop working.)
>
> But I suspect there might be security concerns here, and that they may be different from those that apply to Digest.
>
> It *may* be that it would be fine to include the token in every request, regardless of target - that doing so won't cause any security concerns. 
> Conversely, that might not be so.
>
> IIUC, similar tokens are used for single-signon, so perhaps there are guidelines that can be repurposed for use here. But I think *something* 
> needs to be said or else implementors won't know what to do and the result will be interop problems.
>
>> Having said that, I DO agree with you that the current came out too strong - and wrong: my intention was to say that credentials 
>> from a REGISTER request are not placed in a non-REGISTER request.
>> 
>> BUT, if a non-REGISTER requests gets challenged, we should allow the client to include the credentials in subsequent non-REGISTER 
>> requests - at least within the same session (in case of session related requests).
>
> ISTM that is also too strong. If I used a token for REGISTER, and then I do something else (e.g., SUBSCRIBE) with the same server, 
> then it should be fine to use it in other requests directed to the same server. 

Fair enough, if you know the server is the same.

> And possibly to other servers as well. You seem to be assuming that credentials for registration are somehow different from credentials 
> for other things. It is up to the servers in question to decide that, not this protocol document.

As I said in another reply, if you by default place a REGISTER token in a non-REGISTER request the token may reach the remote peer, which could be a security concern. 

Regards,

Christer

v2.23.0 | Report a Bug | By Email