Re: [sipcore] SASL Authentication for SIP
"Olle E. Johansson" <oej@edvina.net> Wed, 19 October 2022 11:32 UTC
Return-Path: <oej@edvina.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B94AC14CF1D for <sipcore@ietfa.amsl.com>; Wed, 19 Oct 2022 04:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUZFxXMuaP87 for <sipcore@ietfa.amsl.com>; Wed, 19 Oct 2022 04:32:52 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17FEDC14CF14 for <sipcore@ietf.org>; Wed, 19 Oct 2022 04:32:48 -0700 (PDT)
Received: from smtpclient.apple (h-176-10-205-12.A165.corp.bahnhof.se [176.10.205.12]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id C66312171; Wed, 19 Oct 2022 13:32:43 +0200 (CEST)
From: "Olle E. Johansson" <oej@edvina.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Date: Wed, 19 Oct 2022 13:32:43 +0200
References: <20221014162340.GA7844@openfortress.nl> <69DDB655-0B52-4D14-A67A-54EC9A7D7DFE@brianrosen.net> <20221014173308.GA8165@openfortress.nl> <20221019082937.GA22077@openfortress.nl>
To: sipcore@ietf.org, Rick van Rein <rick@openfortress.nl>
In-Reply-To: <20221019082937.GA22077@openfortress.nl>
Message-Id: <38EC5E77-6150-4334-B331-39D7D1E0B27A@edvina.net>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/PIAxc0KrOc9D1Q9WVAKOVy00gDI>
Subject: Re: [sipcore] SASL Authentication for SIP
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 11:32:56 -0000
> On 19 Oct 2022, at 10:29, Rick van Rein <rick@openfortress.nl> wrote: > > Hello, > > I cannot really work out what the formal arrangements are > for new authentication mechanisms in SIP. IANA lists a > Security Mechanism Names registry, but it is dedicated to > RFC 3329, a meta-protocol for negotiating what would be > available between peers. > > RFC 3261 is a bit informal when it says > > SIP provides a stateless, challenge-based mechanism for > authentication that is based on authentication in HTTP. There are a few different auth mechanisms. TLS which is not very well documented, HTTP digest and token bearers (RFC 8898). The last one is the newest kid on the block. There’s also a mechanism that is used for setting up an IPsec VPN after initial registration that could inspire you. I think it’s called AKA and is used in IMS - but it starts with http digest. For inter-domain trust there’s been a few attempts, SIP identity was one that is now replaced by the work in stir/shaken that focus a lot on old-fashioned telephone numbers and the problems related with that. > > Does that mean that any mechanism defined for HTTP will > automatically be permissible in SIP if peers agreed on > it? Lacking a formal registry that is what I would > assume. There’s no SIP police. At least I can’t say if there is one or not. ;-) SIP is very permissive in what you can add in headers. As long as you don’t request support for an extension, the receiver may ignore your headers. But if you want other implementers to pick up your work, you want to convince us to work with you and get an RFC published. The outcome may be different from your original idea, but that is quite often a good thing. > > Then, a specification like SIP-SASL that adds specifics > for SIP could be an Independent proposal. You start with the solution. I may have missed it, but I don’t see a definition of the problem you are trying to solve. > > > FWIW, the purpose of this work is to have an end-to-end > mechanism for key derivation. This can be useful for > private telephony, but my purpose for now is the setup > of Wireguard sessions using SIP. The two seem to be a > match made in heaven. Key derivation can yield a PSK > that helps the VPN combat quantum computing. I need to read your document in more detail to understand, but reading this, I don’t see how SASL is the solution to what you describe here. Do you want to use SIP offer/answer to set up a peer 2 peer VPN using wireguard? Like we currently use it to set up RTP streams between user agents? /O
- [sipcore] SASL Authentication for SIP Rick van Rein
- Re: [sipcore] SASL Authentication for SIP Brian Rosen
- Re: [sipcore] SASL Authentication for SIP Rick van Rein
- Re: [sipcore] SASL Authentication for SIP Brian Rosen
- Re: [sipcore] SASL Authentication for SIP Rick van Rein
- Re: [sipcore] SASL Authentication for SIP Olle E. Johansson
- Re: [sipcore] SASL Authentication for SIP Rick van Rein
- Re: [sipcore] SASL Authentication for SIP Olle E. Johansson