IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Paul Kyzivat <pkyzivat@alum.mit.edu> Sun, 26 April 2020 19:43 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AC3B3A0FE3 for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 12:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzDuFrJqtvzV for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 12:43:32 -0700 (PDT)
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2078.outbound.protection.outlook.com [40.107.236.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 953D93A0FE7 for <sipcore@ietf.org>; Sun, 26 Apr 2020 12:43:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nBgZSS6wnuyyvO+AiTJ2RyVdQYT8SHRPrIqu9esZ5okbiytsOCDIDus36xF4RyqnqPjJ21OfOChK8gIwQhEY1pFP1eB2v2VNUp/4HlnnV+sRq11+Y2b30UdsrUxnGg3QTA1ugIkQmxvmYEM4s3buU7Giq0a9ZP50QBkjj+aN0pOBfCSuz+Rl5pKYeENj5ADUYha9tqvE/w5DMzv5PniKEBmjdr3W3AutpSY9VFTFdk0MuX+sfOjPCPZSREnOzoJzh8ayg6cJeFF6tGKFyXB4gWBlkaHvdk9tfkrN10UzQPkgX+luwahqQtkJnjHkQlKOj9rIMv+pdLRqMsfAdorkiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=F78vhpYSilQRdEpg9LBmKwKmWFmjwLSRDLmaP7jVcfU=; b=PnTX5EGVZtSQau5/vn0nfscG6T8By6MK5c19KCtsx1pTGyg7RUcxYDx9H9QELQEY8FPnXdsBkpdml8Ul+Ch7YGZ18hVcsW26l6lJ03bENO3d8lzwRoGYGbTCo6x3375oB9PElrR7l3+kRlNPuCj8tbeSJwHSGH9gZDL6dwO4s8SKmzZhBd2AwjKIUyf0rvBrKmoN8P2GN07r0t7lwC+EVKYNOfxlcUrLj0k3+TdlVcxk6w06brgXZNAYpv2G8t/ac6HRS2Lw1YOp6u8RseWF1JBRXfyL1qouoMnPbleXFegKwkkgl4qByVHMi5FMYRJtGNy5jzUTVUl64pPi50HRIQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=F78vhpYSilQRdEpg9LBmKwKmWFmjwLSRDLmaP7jVcfU=; b=glUI2mvCKXvAiZAzcBdoH84Hod9SN8+AA+68pGXDb6HpO1nJg8fleBLPR32syluMYC3T2hBs/XeL+M8HR9Cvw/XVjXxMBlH/vQYJTvS0sToUSI3uYLJYeVSW/F5m7PfkyxznF5Ihc1+ii4ZhOAGY3jYQHPzqlr0D3GE/tqLnwEk=
Received: from SN2PR01CA0062.prod.exchangelabs.com (2603:10b6:800::30) by MN2PR12MB3390.namprd12.prod.outlook.com (2603:10b6:208:c9::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 19:43:30 +0000
Received: from SN1NAM02FT052.eop-nam02.prod.protection.outlook.com (2603:10b6:800:0:cafe::38) by SN2PR01CA0062.outlook.office365.com (2603:10b6:800::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Sun, 26 Apr 2020 19:43:30 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT052.mail.protection.outlook.com (10.152.72.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Sun, 26 Apr 2020 19:43:29 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 03QJhRPd030160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 26 Apr 2020 15:43:28 -0400
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com> <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com> <ddffc5ff-4f7d-072e-d807-6ab5a9adc807@alum.mit.edu> <CAGL6epJ+s7d7fNB8NiZQhicuxjvZbnjLnZN6OSMb9LsnXF3S3Q@mail.gmail.com> <46e9dd50-0ccf-cb06-1eca-8df245f214b4@alum.mit.edu> <CAGL6epKnmhbxLm_t+BVZgY9CsBvfLjGenGtCsRo3feM8XASOtA@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <d322a1c8-3f7f-0c97-1520-69b71a589d46@alum.mit.edu>
Date: Sun, 26 Apr 2020 15:43:27 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CAGL6epKnmhbxLm_t+BVZgY9CsBvfLjGenGtCsRo3feM8XASOtA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:outgoing-alum.mit.edu; PTR:outgoing-alum.mit.edu; CAT:NONE; SFTY:; SFS:(376002)(136003)(346002)(39860400002)(396003)(46966005)(7596003)(246002)(8936002)(8676002)(31686004)(82310400002)(26005)(5660300002)(2616005)(956004)(53546011)(70586007)(36906005)(316002)(786003)(70206006)(356005)(4326008)(186003)(2906002)(336012)(966005)(478600001)(82740400003)(75432002)(86362001)(6916009)(31696002)(47076004); DIR:OUT; SFP:1101;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6a430bf8-5452-48f5-38e9-08d7ea1a18bf
X-MS-TrafficTypeDiagnostic: MN2PR12MB3390:
X-Microsoft-Antispam-PRVS: <MN2PR12MB33901E93E53AF69B0D152FF5F9AE0@MN2PR12MB3390.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-Forefront-PRVS: 03853D523D
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: KzDc42shf1LF6DiSaspi9IbTdjQ4B1T2uGDIRtFjKnxuKoUxbAw99VP/lKVLkTFoL7nFECGDnCDfWniuw1rSLLnfC7dfI51BC4Qfxv5+Wb02OWTWfy50UaClnNY5+9RX9nPAcawd0Ph5QO+lYvfrITZEjZh0Cye76XlGTYLGDV4g8Lm/MmACbRZA8hBSbD/FZwlDOGvl2lGQ+hQKibIubfTufmtucJ/oFCBENf8Zc5+aWM4UcJTcqba4f4Xc+tU9nJzhZ1H9gxAd/qfST7w+ryGmrY1lmIxIYNNP4pCRKWNiaNZQcZM2AE9xGC/2G6kJ2OqV1hvBaFnmuveT4DoQytle8j5ykdCJVBJ2W2nwZKVuCPr7NfnYdkdV4Uwm8t9KMsUygDVd7e0Wm4fosARFIrTdYrt8wsgVf2bXmUlsyxQYr0y2r9xcosnfg3g8UphbkXFVgWMH+xEW0sTKgKyHqXw2jTh1JvUwpIPK7vcywCby6k+eC9Tt7+LtW1FPobG4FNVAzoxoyRacNQay3E1Hp2DxZifJrUZrL11FOUqN+LwKYlTcn/y0z1zK25gSsGvN2wfOB/LNrABN3YzLyeDymQ==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Apr 2020 19:43:29.8760 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6a430bf8-5452-48f5-38e9-08d7ea1a18bf
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR12MB3390
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/R4YmnT7pP11Nr73kk9ppZVfOvU4>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 19:43:40 -0000

On 4/26/20 3:22 PM, Rifaat Shekh-Yusef wrote:
> Why should we do that?
> Why can't we just acknowledge that this was a nice idea in theory that 
> never materialized in practice because they was never a need for it?
> Why can't this document explicitly state that this theoretical case is 
> *not *cover and move on to do something more useful that people actually 
> care about?

I didn't say what we should do about it. I was just explaining the use case.

I generally agree that this document isn't the place to discuss such 
cases. (Especially since the case I describe doesn't even involve 
multiple schemes, and is scheme independent, so it is nothing that this 
document impacts.)

This is something that is implicit in 3261, and something that 
implementors ought to support as a matter of course. Somebody can argue 
that it isn't used and so shouldn't have to be supported. If so, then 
there is a need to define exactly what *should* be supported. But again, 
this isn't the right document for that.

	Thanks,
	Paul

> Regards,
>   Rifaat
> 
> 
> On Sun, Apr 26, 2020 at 2:54 PM Paul Kyzivat <pkyzivat@alum.mit.edu 
> <mailto:pkyzivat@alum.mit.edu>> wrote:
> 
>     On 4/26/20 11:58 AM, Rifaat Shekh-Yusef wrote:
>      > Paul,
>      >
>      > What you described is the theory; have you seen this deployed in
>     practice?
> 
>     Its just theory. But the specs should cover all the theoretical cases.
> 
>              Thanks,
>              Paul
> 
>      > Regards,
>      >   Rifaat
>      >
>      >
>      > On Sun, Apr 26, 2020 at 10:28 AM Paul Kyzivat
>     <pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>
>      > <mailto:pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>>> wrote:
>      >
>      >     On 4/25/20 7:27 PM, Christer Holmberg wrote:
>      >      > Hi Benjamin,
>      >      >
>      >      >>> Section 2.3 states that:
>      >      >>>
>      >      >>>     When a proxy wishes to authenticate a received
>     request, it MUST
>      >      >>>     search the request for Proxy-Authorization header fields
>      >     with 'realm'
>      >      >>>     parameters that match its realm.  It then MUST
>     successfully
>      >     validate
>      >      >>>
>      >      >>> https://tools.ietf.org/html/rfc7235#section-4.4 suggests
>     that
>      >     it is not
>      >      >>> expected to have a sequence or list of Proxy-Authorization
>      >     header fields
>      >      >>> present in a single request that are intended to be
>     interpreted
>      >     by different
>      >      >> proxies.  Is this text compatible with that part of RFC 7235?
>      >      >
>      >      > RFC 3261 allows multiple Proxy-Authorization header fields.
>      >
>      >     * Here is a situation when they come into play:
>      >
>      >     UAC ----- P1 ------- P2 ------- UAS
>      >
>      >     On the first request from UAC toward UAS, P1 challenges with a
>      >     Proxy-Authenticate containing realm P1.
>      >
>      >     UAC retries, including Proxy-Authorization for realm P1. P1
>     is happy
>      >     and
>      >     passes the request along. P2 challenges with realm P2.
>      >
>      >     UAC retries again. It adds Proxy-Authorization for realm P2,
>     but also
>      >     including the credentials for P1. P1 is happy and passes the
>     request
>      >     along. P2 is also happy and passes the request along to UAS.
>      >
>      >     Note that UAC must *remember* to include the P1 credentials
>     in the
>      >     second retry because there is no Proxy-Authenticate for P1 in
>     the 407
>      >     from P2. Similarly, in future messages toward UAS the UAC should
>      >     remember to include credentials for P1 and P1.
>      >
>      >     * A more complex case is:
>      >
>      >     UAC ----- P1 -|------ P2 ------ UAS-A
>      >                     |
>      >                     |------ P3 ------ UAS-B
>      >
>      >     On the first request from UAC toward UAS, P1 challenges with a
>      >     Proxy-Authenticate containing realm P1.
>      >
>      >     UAC retries, including Proxy-Authorization for realm P1. P1
>     is happy.
>      >     If it does parallel forking then it passes the request along
>     to both P2
>      >     and P3.
>      >
>      >     P2 challenges by returning a Proxy-Authenticate for realm P2.
>      >
>      >     P1 buffers that response while awaiting a response from P3.
>      >
>      >     P3 challenges by returning a Proxy-Authenticate for realm P3.
>      >
>      >     P2 passes a response back to UAC with Proxy-Authenticates for
>     realms P2
>      >     and P3.
>      >
>      >     UAC retries again. It adds Proxy-Authorization for realms P2
>     and P3,
>      >     but
>      >     also including the credentials for P1. P1 is happy and passes the
>      >     request along to both P2 and P3.
>      >
>      >     P2 finds its Proxy-Authorization and happily passes the request
>      >     along to
>      >     UAS-A.
>      >
>      >     P3 finds its Proxy-Authorization and happily passes the request
>      >     along to
>      >     UAS-B.
>      >
>      >              Thanks,
>      >              Paul
>      >
>      >     _______________________________________________
>      >     sipcore mailing list
>      > sipcore@ietf.org <mailto:sipcore@ietf.org>
>     <mailto:sipcore@ietf.org <mailto:sipcore@ietf.org>>
>      > https://www.ietf.org/mailman/listinfo/sipcore
>      >
>

v2.23.0 | Report a Bug | By Email