IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 17:29 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE1A1201DC for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:29:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaHxontaNQFi for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:29:06 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30078.outbound.protection.outlook.com [40.107.3.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1839F1200D8 for <sipcore@ietf.org>; Thu, 11 Jul 2019 10:29:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RC1Q48A399JuPs6770ftylRBCswgvuzX/RUloiDgbEJxTA4bN29YFMO/KVCEiu04spAy/T/GITzQKuvOOOW4IjCV2CXwzPXublnW7yFQIMHmpxJ7pk314hTRNmlEnN321S6HtL3Ytj2dNbuoATz7bcuNS8bTTwsjjFE03piSzhpoitvenGkxv3TvghKR5b84yh75C0PW7/ZZ0rcRohrMEHYWEhvguL0bXQsI5Qiw0u8FCKeJ6xCG9nyukVIHzk+YAzdtc57yw8y7tQYQSDlgYCV3qPEILiH2N12D0QupcXweJSomRWfO4ncVNAqhlhfJ0T3jwmfD9bunJzgcpLcgwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jkvX9gWgMXt1TfVjYF7jKMeiQTLRo+mfdJDNhq2l4Tk=; b=FZUoYc4WNO7iY8viG4yPlvs4r6yhN42Cyx48K6Qs8101qvXCLoEcQVB7OaXb05let5H4tEnZJdzGkA/1TDTghQDdI905ayy3B5Xb2KW2QDuAtlv5FH2tODvRbqa+mcd2V1L5O1UbKGTeDh59jGI/O8fZuWN2UgE0h+yEsxxwvGng9VTqESGX793RTckfE1+8MUGBHF8eeak87k+VwKbmBcS1c/7UhkQp3SbZeYDtePDe5hzrvJBQocTqASjI/CK70OMM6bkXRNNjyqlkp91jKnOstYNYzfwaNf2+BKxypjdkviANCvOK/JlJoJPMgseYikh4GHA1XzYk1YAjfZ03Wg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jkvX9gWgMXt1TfVjYF7jKMeiQTLRo+mfdJDNhq2l4Tk=; b=bwvSolQqSG1LrnjYVIDaLaGRAPqnj8P80zQYgyhIYH9MPsXQf2Aiy9beXfr50rWZTmBDbzNJrJDYl0Zzy5lXieffxEEsvvEc1zavt2pVuCABQaa/CON8pNOtdGWYCrqETSo1gpf6O787d8ywpXWZ7n2i0UvMPK36WBiDKgU610E=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3483.eurprd07.prod.outlook.com (10.170.247.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Thu, 11 Jul 2019 17:29:03 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Thu, 11 Jul 2019 17:29:03 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXACAATj+gIAAOeSAgABE8QCAALlBgIAAP24AgAA3OYCAAAHsAIAANlEA
Date: Thu, 11 Jul 2019 17:29:02 +0000
Message-ID: <B1B79E7F-6D4E-42A5-8368-F05E6AAA1501@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com> <2aa8cb91-aac6-b66e-e54a-b9f6c650ce02@alum.mit.edu> <D7218ABE-F204-407B-ADE1-39DAB98C2A98@ericsson.com> <cd23be26-c383-8b72-cdf1-4436a6bc175f@alum.mit.edu> <59F235A8-2BD4-49B5-8890-E793E1CF40EC@ericsson.com> <CBBA0603-C4B8-4BDE-B511-572668590F73@edvina.net>
In-Reply-To: <CBBA0603-C4B8-4BDE-B511-572668590F73@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 287795e6-d033-4352-c527-08d7062544ac
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3483;
x-ms-traffictypediagnostic: HE1PR07MB3483:
x-microsoft-antispam-prvs: <HE1PR07MB3483E12DE3F80934AF7AE54293F30@HE1PR07MB3483.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(396003)(376002)(366004)(136003)(39860400002)(189003)(199004)(305945005)(6506007)(14454004)(6916009)(66066001)(68736007)(6512007)(26005)(446003)(316002)(186003)(11346002)(102836004)(486006)(71200400001)(44832011)(36756003)(71190400001)(476003)(53936002)(86362001)(81166006)(7736002)(229853002)(81156014)(6116002)(66946007)(256004)(76116006)(99286004)(4326008)(54906003)(6246003)(6486002)(64756008)(3846002)(66476007)(33656002)(6436002)(66556008)(14444005)(478600001)(58126008)(2906002)(66446008)(8676002)(25786009)(5660300002)(8936002)(2616005)(76176011); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3483; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: aaMXD7g7JrT9PniPtCWy7tWg20Fc7uGKNWdXCUJDO5xEHrIyijp0JQ9DB6/SfnEGZuUKB6y2NulrhBZCPhtqqekqNvKl1QgYEL5bvgvKavMC+B3wpTqWE6Gq4pIPMrK9rY/Jz55We/DxG3qm0bEhh39q1IHRv/yc+edR3TwnNxt98ocdkfrn1eAofc2VxOs+cYNdCUVFJWKS5TJCeaYyJeA1kUkGE529nrJAWoid3nnLFZDco/OukQphLNIifdrZW9a5NOYcDuXqG0oUfocy8ExMDbZW6tt/MJ6dAKwpJXWUN2zlu7pPNAnZ1cPKx4cKOlCZwIV7+5xdjra+BebMigQzcdDZnVzrZ4yg/JQmKWq1mfMCVFysNmeSOnxwsm9Y8VeHvVU13zoC3eK4b84FyjAQJuHNbGKrnShPrirk67c=
Content-Type: text/plain; charset="utf-8"
Content-ID: <D5A39E66D04E3D46A714AC0849256C86@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 287795e6-d033-4352-c527-08d7062544ac
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 17:29:03.0085 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3483
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/fyRaffQiSVouiHUdWSRSLEqO1VQ>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 17:29:10 -0000

Hi,

    >>>>>> All I am saying is that one should not send a token to someone that it has NOT been issued for.
    >>>>> 
    >>>>>    Then you are saying that a token should *never* be included in a request
    >>>>>    to a target for which you have not received a challenge some time in the
    >>>>>    past.
    >>>>> 
    >>>>>    That is a bit extreme, but I guess you can specify that if you think it
    >>>>>    is the right thing to do.
    >>>> 
    >>>> That is my understanding of the generic OAuth security considerations: you don't give a token to someone it was not intended for.
    >>>> 
    >>>> Of course, if you know (based on whatever configuration/policy) that it's ok to give the token to the target I guess you could do it.
    >>>> 
    >>>>>    But note that this logic won't always work for Proxy-Authenticate. You
    >>>>>    *might* know that a particular proxy will be visited (if it is mentioned
    >>>>>    on a Route header), but it is pretty common for the request to visit
    >>>>>    proxies unknown (at least in advance) to the UAC.
    >>>> 
    >>>> It is important to remember that, since the token needs to be protected, a proxy needs to have the 
    >>>> associated protection credentials to be able to access the token.
    >>> 
    >>> I'm lost here. How is the token protected? Is it because it is passed by 
    >>> reference, and other credentials are needed to dereference it? Or is it 
    >>> passed by value but encrypted?
    >> 
    >>    That depends on how your protect it.
    >> 
    >>    If the oauth2 token itself is encrypted, and only authorized entities can decrypt it, then I guess it does not matter if a non-authorized user gets it, as it will not be able to use it.
    >> 
    >>    But, if the oauth2 token is sent in "plain text", then the SIP signaling needs to be protected/encrypted.
    > Encryption of signalling is not going to protect a token in a SIP header from reaching to the wrong servers, it is just a
    > first hop encryption. We have far too many SIP RFCs that indicate that all security problems are solved if we wrap signalling in TLS.

    It would work in networks where the interface between the client and server is considered "trusted", but for the general case I agree. 

    >>> But, in that case, if I make a phone call to you, and the call itself is valid, then I should not send you the oauth2 token unless it's meant 
    >>> for you, because once you decrypt the signaling you will have access to it.
    >>> Right. And we have no way in SIP of forbidding any server of forwarding a specific header.
    >> 
    >>   What is important is that a non-authorized user should not have access to a non-protected oauth2 token.
    > Define “user" and “token”.  A non-encrypted access token should not be shared with any unauthorized SIP network element - client or server software.

    Correct.

    (The reason I used "user" was because the use-case was a call between two users)

    Regards,

    Christer

v2.23.0 | Report a Bug | By Email