IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Paul Kyzivat <pkyzivat@alum.mit.edu> Sun, 26 April 2020 14:28 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE7BE3A044F for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 07:28:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUOxQ-W0gUQJ for <sipcore@ietfa.amsl.com>; Sun, 26 Apr 2020 07:28:41 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2047.outbound.protection.outlook.com [40.107.223.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90C303A044E for <sipcore@ietf.org>; Sun, 26 Apr 2020 07:28:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LqqamtNyo6y+qspoN+WjOdH/Mq+BeiUw3SUqZdoTwKJJlGGlCSTkTSgNIsggMWr0feTGKoe9LsVXLuLzPJZqatnaASbSPjxsFIWPlK3wyamMqs48233mdql46cWgNi6DKnPqN0IMWluGDQuiSnlxg0FtZ73LzQAgQu16K8vsGvtLTGPPraHsbM3PZ8pxvt/+KO5w9P5PdMNp4yW2xp+qqjAv97OiSBIJ8oW9OsPfVO/ewZdl+lrXMfGdvkIBPd/A1l90sRHkxnmQW1EQ0mewn4N5g4tmsrT0lnVs7sVbBYLatcbC6YqOzZiUg3HzLCEHC2toVC4JT44fM+nQxYnx0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WS0L6dFBlabNt+Djb4mJJCNupoNAFf0PNjwfmAANEWI=; b=KJ7PgKvSoZtfJRM4i1+oh3Q74n9he4JZmLFSC+ODmFo6l3oueYowsGaK+iWmQ3lJSG6ckgXk9BK6gKnjB4HTMEiXK7hzNWOfq/tasDxX9KeNW9QQ2jVgjTvRMNs2etPkGjAA3+sV2ss267AT5WCQazYdADCQRRWhcs+g1fG6SjeTu4av8npAbDuvOBo8HJN1qFBT1MXL0JqMxmn1RxCXZLWHmrFYvrKBwXOsYzC9AvWsNl+yQoiA6O76hm8u1PrFPV6HSeud/ScE1HHX/WVSugU6pkAHdVl1dT5qiImq4C7tDbEmgiO7lqY7yJeDHE3oVflQigpK7zb3oedhM/0G3g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=ietf.org smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WS0L6dFBlabNt+Djb4mJJCNupoNAFf0PNjwfmAANEWI=; b=gmFULCMGrpu2rUDLbIaCXl6rbYp++nmiDpAhnECpUFhLIEYhLlYWlBDpO/ZvjuzIu29oymJNCBbHHxQPIuR7ILoKrF4MBfLSB/5klhwwW3/jFLhq+mebtO2lJGO5SX/cXmNk3tUy7i3HF4qP41vgKi0S1FJZDNR5d5icyPymlts=
Received: from MN2PR18CA0024.namprd18.prod.outlook.com (2603:10b6:208:23c::29) by DM6PR12MB4547.namprd12.prod.outlook.com (2603:10b6:5:2a9::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 14:28:39 +0000
Received: from BL2NAM02FT038.eop-nam02.prod.protection.outlook.com (2603:10b6:208:23c:cafe::31) by MN2PR18CA0024.outlook.office365.com (2603:10b6:208:23c::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Sun, 26 Apr 2020 14:28:38 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by BL2NAM02FT038.mail.protection.outlook.com (10.152.77.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Sun, 26 Apr 2020 14:28:38 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 03QESaDq007600 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <sipcore@ietf.org>; Sun, 26 Apr 2020 10:28:37 -0400
To: sipcore@ietf.org
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com> <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <ddffc5ff-4f7d-072e-d807-6ab5a9adc807@alum.mit.edu>
Date: Sun, 26 Apr 2020 10:28:36 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:outgoing-alum.mit.edu; PTR:outgoing-alum.mit.edu; CAT:NONE; SFTY:; SFS:(136003)(376002)(39860400002)(396003)(346002)(46966005)(31686004)(336012)(2616005)(956004)(7596003)(356005)(8676002)(31696002)(316002)(786003)(8936002)(82310400002)(86362001)(75432002)(246002)(36906005)(478600001)(70206006)(82740400003)(53546011)(26005)(70586007)(6916009)(2906002)(47076004)(966005)(186003)(5660300002); DIR:OUT; SFP:1101;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b7a76f47-fbdc-4a4f-b20f-08d7e9ee1c4c
X-MS-TrafficTypeDiagnostic: DM6PR12MB4547:
X-Microsoft-Antispam-PRVS: <DM6PR12MB45476F65F8AC1215B24C8352F9AE0@DM6PR12MB4547.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-Forefront-PRVS: 03853D523D
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: IKBn7kF0VMYTeP0HfFYovjJh7KYTIL2pPBelgvpxHA8YSwr1nikq2BX87wwcxNUtSobPLy+sNC87UD3wA6kxRbCDOqLhWOijumSpaei9WwU9obaxwdoEAVbsTZPFsA1VPAzgREx7xhttlwlS5u8wACl0n8vSdbNEzPL0Pjg527hQY1pXPM798VV8pihZ8+GSbBXmGIi6GrDYLzDHXmuDfPEExYRU/fy4FxfCIyIRylrjTpcl/HjMrPd5+0PHNCz7me0joaTjEgU1Gf3yZKw/KMbYBb7qUv9/zCIBkZ3GMBrNueBMzHMUcWVZ9Bp+3THPxaTtfSXmvSIOus4btaZ7OyNFGeXjpNYubTMt2b21xzLi17yHo5tCKuLKdudDof2CRIVunKWk3xLPXy81wastd9ex/F6ci4JAqAOhU+XK3/eD8o05W5yUnNMUCf1kOCaUcJ/4jGz1wCM5mTmzOJbhox7zJHWiK3mFcSWKWTMJEX4IZC0ayB1yON82imKFa59qkXDgXQOvzH82XNcy6d3mlSH6Whd6wgaweY1JEGgcdS3V4idWG+GI7zskSwSgaFT7Qhk1p+bRy1Q24LmSNcJdYQ==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Apr 2020 14:28:38.1911 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b7a76f47-fbdc-4a4f-b20f-08d7e9ee1c4c
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4547
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/RpcD5heoVPknOI8zAyOcdvNcaws>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 14:28:44 -0000

On 4/25/20 7:27 PM, Christer Holmberg wrote:
> Hi Benjamin,
>   
>>> Section 2.3 states that:
>>>
>>>     When a proxy wishes to authenticate a received request, it MUST
>>>     search the request for Proxy-Authorization header fields with 'realm'
>>>     parameters that match its realm.  It then MUST successfully validate
>>>
>>> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that it is not
>>> expected to have a sequence or list of Proxy-Authorization header fields
>>> present in a single request that are intended to be interpreted by different
>> proxies.  Is this text compatible with that part of RFC 7235?
> 
> RFC 3261 allows multiple Proxy-Authorization header fields.

* Here is a situation when they come into play:

UAC ----- P1 ------- P2 ------- UAS

On the first request from UAC toward UAS, P1 challenges with a 
Proxy-Authenticate containing realm P1.

UAC retries, including Proxy-Authorization for realm P1. P1 is happy and 
passes the request along. P2 challenges with realm P2.

UAC retries again. It adds Proxy-Authorization for realm P2, but also 
including the credentials for P1. P1 is happy and passes the request 
along. P2 is also happy and passes the request along to UAS.

Note that UAC must *remember* to include the P1 credentials in the 
second retry because there is no Proxy-Authenticate for P1 in the 407 
from P2. Similarly, in future messages toward UAS the UAC should 
remember to include credentials for P1 and P1.

* A more complex case is:

UAC ----- P1 -|------ P2 ------ UAS-A
               |
               |------ P3 ------ UAS-B

On the first request from UAC toward UAS, P1 challenges with a 
Proxy-Authenticate containing realm P1.

UAC retries, including Proxy-Authorization for realm P1. P1 is happy.
If it does parallel forking then it passes the request along to both P2 
and P3.

P2 challenges by returning a Proxy-Authenticate for realm P2.

P1 buffers that response while awaiting a response from P3.

P3 challenges by returning a Proxy-Authenticate for realm P3.

P2 passes a response back to UAC with Proxy-Authenticates for realms P2 
and P3.

UAC retries again. It adds Proxy-Authorization for realms P2 and P3, but 
also including the credentials for P1. P1 is happy and passes the 
request along to both P2 and P3.

P2 finds its Proxy-Authorization and happily passes the request along to 
UAS-A.

P3 finds its Proxy-Authorization and happily passes the request along to 
UAS-B.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email