Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 16 January 2020 10:34 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4344120019 for <sipcore@ietfa.amsl.com>; Thu, 16 Jan 2020 02:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkep8sNXuact for <sipcore@ietfa.amsl.com>; Thu, 16 Jan 2020 02:34:29 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60060.outbound.protection.outlook.com [40.107.6.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1367012001E for <sipcore@ietf.org>; Thu, 16 Jan 2020 02:34:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JMzl9FAD6gncsFH3Zae3kAZkQfCFAncUQrVnsbgz00u07O0x2qeXU3AHktuHt63XpFXzk6C14AwRNlZRIBNWi9GhumS8HNmF+FdsgK51dsS09PGhluTjfGtxzOVZCS4fXI+awb5PJ3E6JnuWQYcqrQx7bFwWmv59YhxNXw7cXOfaIXt811fY1qPUAirQQPyPmK0am5bvekJsaM5Q/zyn9E3ABULLXh6aYhXyHKv+vGVpXGk7i6kIUHh+nrqfb3H0lwil7Ei7eqtg2oiNNfl7KiGBzTtUuP3WcRl/LooNwdG27DQYEWrFfCVTIgmTtP9o1sPFJpUxus6XSu4hX1WgnQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opvAkQCeS9ulLyZOHzUZZCN2LT6cA8a+Oh5Ya61hkUg=; b=Mteh4gtETVnicIKnt7nbt22Z8z80tQ88/RdQi4U8fgALzrgK0Dci47KQJXp6R6X2vBu5ozeVbuH1vmKvY80gWWQH2DpQhf+Qf2rS0hYW/S+fAChnOhkRn9wrdkJvf8aYuVHfoxiB1x/6JTg5Zp094RZGc+nSYxdJiGvcQX0Hcs4EcspbT/6AJRrQF1de31+qfUO67mUO5v4DI0H2O09Uyq3CJbloIp6fGFdWvAwcYtZ7eMyQOJnmyjAxZOZqPNIhG+wRC+VeyB1bkDMAOehWl7CdbQR//o+7ifRihFQ5tCGfafjd43cMNS0pASP0aKlW61ec+S/Pa6epVCpetEqDfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opvAkQCeS9ulLyZOHzUZZCN2LT6cA8a+Oh5Ya61hkUg=; b=D8EDBqUn+nw9BsEZJWdJPrzWxBp5O4OILWkmWm+CZS6BXPpogpN9xpN42PIiMatcnfJULDQEAEUI84btynqoWI5E7HiFuP6mB3w6Vz+22uTfgWsX5Ml7IoABBbg4Kct5PypDKDCr2wHwcJhUOAuQb46u7HaHIpN8+gqZwOQ9hKE=
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com (52.134.82.159) by AM0PR07MB6340.eurprd07.prod.outlook.com (10.186.173.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.6; Thu, 16 Jan 2020 10:34:27 +0000
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::28e8:93ab:34a6:c38d]) by AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::28e8:93ab:34a6:c38d%3]) with mapi id 15.20.2644.015; Thu, 16 Jan 2020 10:34:27 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
Thread-Index: AQHVy+AzxIjSkjo9NkakdAJ4IU0VQKftOtMA
Date: Thu, 16 Jan 2020 10:34:26 +0000
Message-ID: <5FE1EF7E-8AFC-495C-9D82-4C55F4BF1CC2@ericsson.com>
References: <157911000899.29206.8478750155091458002@ietfa.amsl.com> <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com> <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
In-Reply-To: <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d91fe541-3698-42d2-68d8-08d79a6fa967
x-ms-traffictypediagnostic: AM0PR07MB6340:
x-microsoft-antispam-prvs: <AM0PR07MB634074E1398693DFD57B474893360@AM0PR07MB6340.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02843AA9E0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(396003)(346002)(39860400002)(376002)(199004)(189003)(36756003)(2906002)(81166006)(81156014)(110136005)(66574012)(33656002)(53546011)(86362001)(316002)(8676002)(6506007)(6486002)(6512007)(76116006)(966005)(478600001)(44832011)(5660300002)(26005)(186003)(71200400001)(66476007)(2616005)(66446008)(8936002)(64756008)(66556008)(66946007); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6340; H:AM0PR07MB3987.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +bbYAtEOwVIyxGp/w4fRaUuQkQqZ/x5rdZmsJ5XSX4wKPogzEH7P5Fv8IFVJna4dRmtbr8jN16rLRQDu9SJ3uq+2E2+Hdo5wxwSshbZnlOMrtE7q7f3756oHI4x650WO39OPTc1tHbtuPaigohqJXPzSHTeFVq1tUJMKUnVTzvBrlLL18JB6qwNX0zHwy7e3xQ6YkwWGNcsILK5/FPqQuPdTkQLWApVWhFEERzDgASJQQjYmTDuvOhLWweLFmeOkgjt/k5ZpC6lOAcc49U5PG17RDSNBszjhWKcp8+n6oMBkQ25uwa5DiiMq7+JpMgZMtODroI5r9uJAYHShjYrovRAcYVfDhXH3BwgxnHyzaYvWDboJG2iy2wRIRIYeWx0Iv+HItMQAvUZ885ddvMNGiJFU+9T4orHA4yHvhYqyHC/HdsLqZ1+sh3OIJTVjIvTVgzrK8lpPHo2dSkk/lAGl2kvYbtddgfSlLFpZP68g4FqcGE9a3wgfYf3glxgwNuUFO7VHPPm4Yph8ofNFYuQZZQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C33FE2C2587A1944A6613E60D69F7578@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d91fe541-3698-42d2-68d8-08d79a6fa967
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2020 10:34:26.9858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bS7BhtIhgYHyxeV2Ssl1Sowj433jrvPIMzL7MrB2Ie3ceesQQMMJzzFN2Pk240bLLA0WUFhYjwNGTSUi8KeR5rbY3qRijBUYzc0XITg1SF8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6340
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/ezwpj35SOPAqDk85qeLseRxexvU>
Subject: Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 10:34:35 -0000
Hi Paul, Regarding (1), you commented on that earlier, and we included the following text (updates 3261): "If the UAC receives a 401/407 response with multiple WWW- Authenticate/Proxy-Authenticate header fields, providing challenges using different authentication schemes for the same realm, the UAC provides credentials for one or more of the schemes that it supports, based on local policy." Regarding (2), (3) and (4), I am not sure whether the protocol needs to explicitly forbid those scenarios. A network designer can always mess up things - without breaking the protocol. Perhaps it would be useful to put together a BCP regarding SIP authentication, but it is outside the scope of THIS draft. So, can we now move the draft forward? Regards, Christer On 15/01/2020, 22.13, "sipcore on behalf of Paul Kyzivat" <sipcore-bounces@ietf.org on behalf of pkyzivat@alum.mit.edu> wrote: While reviewing this new version I began to wonder if the general procedures for authentication in sip are sufficiently clear and unambiguous. This isn't strictly an issue for this draft, but because this draft introduces a new authentication scheme along side digest it has the potential to aggravate thee issues. ISTM that without answers to these issues it will be difficult to deploy this new token authnz draft. But that draft may not be the appropriate place to answer them. I'd like to hear what others here think is the proper way to deal with this. My general issue is what to do when, while trying to send a request, a UAC receives authorization challenges for multiple schemes and/or multiple realms. This can potentially occur in a single 401 response, a single 407 response, or some combination of 407 and 401 responses. Note that a forking proxy may aggregate 401 and 407 responses from multiple forks and pass the multiple WWW-Authenticate and Proxy-Authenticate responses back to the UAC. How the UAC deals with this is also at issue. Also, if there are multiple authenticating proxies on an unforked path from UAC to UAS, then the UAC will receive the challenges one at a time. The request will only reach a subsequent proxy after the request is sent with adequate credentials for every early proxy in the change. Note that this means that the UAC must remember to include the credentials from earlier challenges when retrying after a subsequent challenge because that subsequent challenge won't include the earlier challenges. (1) is it valid for a single UAS or proxy to issue concurrent challenges specifying differing schemes? I believe it is or should be. (2) is it valid for a single UAS or proxy to issue concurrent challenges on its own behalf specifying differing realms? I'm not sure if this makes sense or not. (This is distinct from a forking proxy aggregating downstream challenges.) (3) If a UAS or proxy does issue concurrent challenges specifying differing schemes, how is the UAC expected to successfully respond? Is the UAC expected to respond with credentials for *each* scheme, or is it sufficient to respond to one of them? I am inclined to think that the different schemes should be considered alternatives, so that it is sufficient to respond to one of them. At least in the case where they are for the same realm. It may be more confusing if they are for differing realms. (4) If multiple UASs and/or proxies claim the same realm then are they expected to accept the same credentials? I think this must be so, else the user and UAC won't be able to sort out what credential to use for a given challenge. Generally, ISTM that the UAC should group challenges by realm, attempting to obtain a single set of credentials for each realm. If there is more than one realm mentioned in the response, then it should obtain a set of credentials for each. And then, if there 407 responses to prior attempts to send this same request then the credentials chosen for them should also be included in this retry. What do others think about this? Do you think this is sufficiently specified in existing RFCs? If so, can you explain this? Thanks, Paul On 1/15/20 12:42 PM, Rifaat Shekh-Yusef wrote: > All, > > We have just submitted a new version of the document that hopefully > addresses all the comments received so far. > Please, take a look and let us know what you think. > > Regards, > Rifaat > > > On Wed, Jan 15, 2020 at 12:40 PM <internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org>> wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Session Initiation Protocol Core WG > of the IETF. > > Title : Third-Party Token-based Authentication > and Authorization for Session Initiation Protocol (SIP) > Authors : Rifaat Shekh-Yusef > Christer Holmberg > Victor Pascual > Filename : draft-ietf-sipcore-sip-token-authnz-07.txt > Pages : 14 > Date : 2020-01-15 > > Abstract: > This document defines a SIP mechanism that relies on the OAuth 2.0 > and OpenID Connect Core 1.0 to enable delegation of the user > authentication and SIP registration authorization to a third-party. > The document updates RFC 3261. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-07 > https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-07 > <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-07> > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-07 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org > <http://tools.ietf.org>. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org <mailto:sipcore@ietf.org> > https://www.ietf.org/mailman/listinfo/sipcore > > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore > _______________________________________________ sipcore mailing list sipcore@ietf.org https://www.ietf.org/mailman/listinfo/sipcore
- [sipcore] I-D Action: draft-ietf-sipcore-sip-toke… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Paul Kyzivat
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Christer Holmberg