Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 16 January 2020 10:34 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4344120019 for <sipcore@ietfa.amsl.com>; Thu, 16 Jan 2020 02:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkep8sNXuact for <sipcore@ietfa.amsl.com>; Thu, 16 Jan 2020 02:34:29 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60060.outbound.protection.outlook.com [40.107.6.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1367012001E for <sipcore@ietf.org>; Thu, 16 Jan 2020 02:34:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JMzl9FAD6gncsFH3Zae3kAZkQfCFAncUQrVnsbgz00u07O0x2qeXU3AHktuHt63XpFXzk6C14AwRNlZRIBNWi9GhumS8HNmF+FdsgK51dsS09PGhluTjfGtxzOVZCS4fXI+awb5PJ3E6JnuWQYcqrQx7bFwWmv59YhxNXw7cXOfaIXt811fY1qPUAirQQPyPmK0am5bvekJsaM5Q/zyn9E3ABULLXh6aYhXyHKv+vGVpXGk7i6kIUHh+nrqfb3H0lwil7Ei7eqtg2oiNNfl7KiGBzTtUuP3WcRl/LooNwdG27DQYEWrFfCVTIgmTtP9o1sPFJpUxus6XSu4hX1WgnQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opvAkQCeS9ulLyZOHzUZZCN2LT6cA8a+Oh5Ya61hkUg=; b=Mteh4gtETVnicIKnt7nbt22Z8z80tQ88/RdQi4U8fgALzrgK0Dci47KQJXp6R6X2vBu5ozeVbuH1vmKvY80gWWQH2DpQhf+Qf2rS0hYW/S+fAChnOhkRn9wrdkJvf8aYuVHfoxiB1x/6JTg5Zp094RZGc+nSYxdJiGvcQX0Hcs4EcspbT/6AJRrQF1de31+qfUO67mUO5v4DI0H2O09Uyq3CJbloIp6fGFdWvAwcYtZ7eMyQOJnmyjAxZOZqPNIhG+wRC+VeyB1bkDMAOehWl7CdbQR//o+7ifRihFQ5tCGfafjd43cMNS0pASP0aKlW61ec+S/Pa6epVCpetEqDfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=opvAkQCeS9ulLyZOHzUZZCN2LT6cA8a+Oh5Ya61hkUg=; b=D8EDBqUn+nw9BsEZJWdJPrzWxBp5O4OILWkmWm+CZS6BXPpogpN9xpN42PIiMatcnfJULDQEAEUI84btynqoWI5E7HiFuP6mB3w6Vz+22uTfgWsX5Ml7IoABBbg4Kct5PypDKDCr2wHwcJhUOAuQb46u7HaHIpN8+gqZwOQ9hKE=
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com (52.134.82.159) by AM0PR07MB6340.eurprd07.prod.outlook.com (10.186.173.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.6; Thu, 16 Jan 2020 10:34:27 +0000
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::28e8:93ab:34a6:c38d]) by AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::28e8:93ab:34a6:c38d%3]) with mapi id 15.20.2644.015; Thu, 16 Jan 2020 10:34:27 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
Thread-Index: AQHVy+AzxIjSkjo9NkakdAJ4IU0VQKftOtMA
Date: Thu, 16 Jan 2020 10:34:26 +0000
Message-ID: <5FE1EF7E-8AFC-495C-9D82-4C55F4BF1CC2@ericsson.com>
References: <157911000899.29206.8478750155091458002@ietfa.amsl.com> <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com> <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
In-Reply-To: <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d91fe541-3698-42d2-68d8-08d79a6fa967
x-ms-traffictypediagnostic: AM0PR07MB6340:
x-microsoft-antispam-prvs: <AM0PR07MB634074E1398693DFD57B474893360@AM0PR07MB6340.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02843AA9E0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(396003)(346002)(39860400002)(376002)(199004)(189003)(36756003)(2906002)(81166006)(81156014)(110136005)(66574012)(33656002)(53546011)(86362001)(316002)(8676002)(6506007)(6486002)(6512007)(76116006)(966005)(478600001)(44832011)(5660300002)(26005)(186003)(71200400001)(66476007)(2616005)(66446008)(8936002)(64756008)(66556008)(66946007); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6340; H:AM0PR07MB3987.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +bbYAtEOwVIyxGp/w4fRaUuQkQqZ/x5rdZmsJ5XSX4wKPogzEH7P5Fv8IFVJna4dRmtbr8jN16rLRQDu9SJ3uq+2E2+Hdo5wxwSshbZnlOMrtE7q7f3756oHI4x650WO39OPTc1tHbtuPaigohqJXPzSHTeFVq1tUJMKUnVTzvBrlLL18JB6qwNX0zHwy7e3xQ6YkwWGNcsILK5/FPqQuPdTkQLWApVWhFEERzDgASJQQjYmTDuvOhLWweLFmeOkgjt/k5ZpC6lOAcc49U5PG17RDSNBszjhWKcp8+n6oMBkQ25uwa5DiiMq7+JpMgZMtODroI5r9uJAYHShjYrovRAcYVfDhXH3BwgxnHyzaYvWDboJG2iy2wRIRIYeWx0Iv+HItMQAvUZ885ddvMNGiJFU+9T4orHA4yHvhYqyHC/HdsLqZ1+sh3OIJTVjIvTVgzrK8lpPHo2dSkk/lAGl2kvYbtddgfSlLFpZP68g4FqcGE9a3wgfYf3glxgwNuUFO7VHPPm4Yph8ofNFYuQZZQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C33FE2C2587A1944A6613E60D69F7578@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d91fe541-3698-42d2-68d8-08d79a6fa967
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2020 10:34:26.9858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bS7BhtIhgYHyxeV2Ssl1Sowj433jrvPIMzL7MrB2Ie3ceesQQMMJzzFN2Pk240bLLA0WUFhYjwNGTSUi8KeR5rbY3qRijBUYzc0XITg1SF8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6340
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/ezwpj35SOPAqDk85qeLseRxexvU>
Subject: Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 10:34:35 -0000
Hi Paul,
Regarding (1), you commented on that earlier, and we included the following text (updates 3261):
"If the UAC receives a 401/407 response with multiple WWW-
Authenticate/Proxy-Authenticate header fields, providing challenges
using different authentication schemes for the same realm, the UAC
provides credentials for one or more of the schemes that it supports,
based on local policy."
Regarding (2), (3) and (4), I am not sure whether the protocol needs to explicitly forbid those scenarios. A network designer can always mess up things - without breaking the protocol. Perhaps it would be useful to put together a BCP regarding SIP authentication, but it is outside the scope of THIS draft.
So, can we now move the draft forward?
Regards,
Christer
On 15/01/2020, 22.13, "sipcore on behalf of Paul Kyzivat" <sipcore-bounces@ietf.org on behalf of pkyzivat@alum.mit.edu> wrote:
While reviewing this new version I began to wonder if the general
procedures for authentication in sip are sufficiently clear and
unambiguous. This isn't strictly an issue for this draft, but because
this draft introduces a new authentication scheme along side digest it
has the potential to aggravate thee issues. ISTM that without answers to
these issues it will be difficult to deploy this new token authnz draft.
But that draft may not be the appropriate place to answer them. I'd like
to hear what others here think is the proper way to deal with this.
My general issue is what to do when, while trying to send a request, a
UAC receives authorization challenges for multiple schemes and/or
multiple realms. This can potentially occur in a single 401 response, a
single 407 response, or some combination of 407 and 401 responses.
Note that a forking proxy may aggregate 401 and 407 responses from
multiple forks and pass the multiple WWW-Authenticate and
Proxy-Authenticate responses back to the UAC. How the UAC deals with
this is also at issue.
Also, if there are multiple authenticating proxies on an unforked path
from UAC to UAS, then the UAC will receive the challenges one at a time.
The request will only reach a subsequent proxy after the request is sent
with adequate credentials for every early proxy in the change. Note that
this means that the UAC must remember to include the credentials from
earlier challenges when retrying after a subsequent challenge because
that subsequent challenge won't include the earlier challenges.
(1) is it valid for a single UAS or proxy to issue concurrent challenges
specifying differing schemes? I believe it is or should be.
(2) is it valid for a single UAS or proxy to issue concurrent challenges
on its own behalf specifying differing realms? I'm not sure if this
makes sense or not. (This is distinct from a forking proxy aggregating
downstream challenges.)
(3) If a UAS or proxy does issue concurrent challenges specifying
differing schemes, how is the UAC expected to successfully respond? Is
the UAC expected to respond with credentials for *each* scheme, or is it
sufficient to respond to one of them? I am inclined to think that the
different schemes should be considered alternatives, so that it is
sufficient to respond to one of them. At least in the case where they
are for the same realm. It may be more confusing if they are for
differing realms.
(4) If multiple UASs and/or proxies claim the same realm then are they
expected to accept the same credentials? I think this must be so, else
the user and UAC won't be able to sort out what credential to use for a
given challenge.
Generally, ISTM that the UAC should group challenges by realm,
attempting to obtain a single set of credentials for each realm. If
there is more than one realm mentioned in the response, then it should
obtain a set of credentials for each. And then, if there 407 responses
to prior attempts to send this same request then the credentials chosen
for them should also be included in this retry.
What do others think about this? Do you think this is sufficiently
specified in existing RFCs? If so, can you explain this?
Thanks,
Paul
On 1/15/20 12:42 PM, Rifaat Shekh-Yusef wrote:
> All,
>
> We have just submitted a new version of the document that hopefully
> addresses all the comments received so far.
> Please, take a look and let us know what you think.
>
> Regards,
> Rifaat
>
>
> On Wed, Jan 15, 2020 at 12:40 PM <internet-drafts@ietf.org
> <mailto:internet-drafts@ietf.org>> wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Session Initiation Protocol Core WG
> of the IETF.
>
> Title : Third-Party Token-based Authentication
> and Authorization for Session Initiation Protocol (SIP)
> Authors : Rifaat Shekh-Yusef
> Christer Holmberg
> Victor Pascual
> Filename : draft-ietf-sipcore-sip-token-authnz-07.txt
> Pages : 14
> Date : 2020-01-15
>
> Abstract:
> This document defines a SIP mechanism that relies on the OAuth 2.0
> and OpenID Connect Core 1.0 to enable delegation of the user
> authentication and SIP registration authorization to a third-party.
> The document updates RFC 3261.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-07
> https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-07
> <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-07>
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-07
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org
> <http://tools.ietf.org>.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org <mailto:sipcore@ietf.org>
> https://www.ietf.org/mailman/listinfo/sipcore
>
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>
_______________________________________________
sipcore mailing list
sipcore@ietf.org
https://www.ietf.org/mailman/listinfo/sipcore
- [sipcore] I-D Action: draft-ietf-sipcore-sip-toke… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Paul Kyzivat
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Christer Holmberg