IETF Logo Mail Archive

Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02

Yehoshua Gev <yoshigev@gmail.com> Sun, 10 June 2018 11:48 UTC

Return-Path: <yoshigev@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AF51130E3C for <sipcore@ietfa.amsl.com>; Sun, 10 Jun 2018 04:48:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nj1XQ1mSzPzB for <sipcore@ietfa.amsl.com>; Sun, 10 Jun 2018 04:48:44 -0700 (PDT)
Received: from mail-ua0-x22f.google.com (mail-ua0-x22f.google.com [IPv6:2607:f8b0:400c:c08::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59EC5130E35 for <sipcore@ietf.org>; Sun, 10 Jun 2018 04:48:44 -0700 (PDT)
Received: by mail-ua0-x22f.google.com with SMTP id z16-v6so11738966uaz.10 for <sipcore@ietf.org>; Sun, 10 Jun 2018 04:48:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=BVlsuNaAvAuIR5kfuFZMDONNkMd6KMVeEKvhdell3aI=; b=KQ+VLD8VL2Swcsx/ALmPc0L8AakeQaENVLQUFrNf+Hrt+pUtdU8YzrkS/Ry3Z+kAzC eHNwFDjbGKQZFVqlC4YI5a4Oy/+ErQ6M3IqvzpQGJl9NOqCu6u1Lca9N3sOqWadLvtDI XkWCx9WtJbgZE9mYDycrT2PfgW5NMCNIxWihi0fEqzksZRxWLQRmO+Dtpf/ulA2/LZkG BUuZjU3m5ol7Ufi2yB78XBw85SJlmOnKzhR8+3c9wI/FIz9AkYdkhvRz8tmJpQjAfSiq zdFPsV3N/XZjnXxPdOl6MFOyiM1BAVcTmclHRXsoSmGMVGTDrvHV1Kt4r+dvdDOPdWPV TlUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=BVlsuNaAvAuIR5kfuFZMDONNkMd6KMVeEKvhdell3aI=; b=JawhJYVWPuAsR+BI3YT9cGCTND11YReZSaQU8L1ajTd4YTmBneS/jYT4l2r8QeMVfw bCj9KTghMaPj5BgLmRu6jVEtNduqbJCs3h8Qav1fkOng9MzJ/kRMFpZtaHW/V9W4ofgX Kb6CpPoAaQ3BGsD1apUxQBWE+y5rOaFyjjF4pVrtgndki71S43zsTiwcItCZ8tygHCxX 1mp/waiHcrsMd07Hi5OPxWPp4uKcZkCKmQC8Ze8UOIVqwzwrAlneDn99pDuinJeocT4a sCIhKM6AU43iY3hGz3QX28Sk7O4O/51NbudZAeRsQMh7Z2OZlgL85cLziMdoEOHKr8er vsWA==
X-Gm-Message-State: APt69E0/ipKZfC7f0DHwaLVAMqFp+A8ZAwdD1KYCKzijaS66S1TyAoHl ItnaEYVhtLs0/N3g4JXKcO4pGwwAUWd7+QNdkag=
X-Google-Smtp-Source: ADUXVKJrumlR3hGc/9ssEzFqPRUKchrXTaokSeIvwLEkdEKSi2pYL9SQpfxlvp5HRctt3HE6W5zlg0IWbZcZy2ioEtc=
X-Received: by 2002:ab0:30f6:: with SMTP id d22-v6mr9244121uam.58.1528631323306; Sun, 10 Jun 2018 04:48:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab0:48e7:0:0:0:0:0 with HTTP; Sun, 10 Jun 2018 04:48:42 -0700 (PDT)
In-Reply-To: <CAGL6epK24wvDfvA5c+rpR7XeNbwYmCNAxFRvxZtMX=i9QOQRWw@mail.gmail.com>
References: <CAF_j7yZPaG07LpEx+-aA6qDQQd00EfigNtd5TUxsXbPykPiPZA@mail.gmail.com> <CAGL6epK24wvDfvA5c+rpR7XeNbwYmCNAxFRvxZtMX=i9QOQRWw@mail.gmail.com>
From: Yehoshua Gev <yoshigev@gmail.com>
Date: Sun, 10 Jun 2018 14:48:42 +0300
Message-ID: <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000004b13e056e483781"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/o4KWmwBJgtVQgeVpQzAPOkyaj6I>
Subject: Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2018 11:48:48 -0000

Thanks Rifaat.
See inline.



On Fri, Jun 8, 2018 at 10:16 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> Hi Yehoshua,
>
> Thanks for your review and comments.
> See my replies inline.
>
> Regards,
>  Rifaat
>
>
> On Thu, Jun 7, 2018 at 3:54 AM, Yehoshua Gev <yoshigev@gmail.com> wrote:
>
>> Hi,
>>
>> Several comments:
>>
>> Section 2.2.4: There is a reference to RFC 4474 for the list of SIP
>> headers to be included in digest-string.
>> I think it would be good to specifically indicate that the digest-string
>> equals to signed-identity-digest of RFC 4474, but without the enclosing
>> quotes.
>>
>
> I am not clear on what you mean by "digest-string equals to
> signed-identity-digest "
> The goal is to use the shared-key to provide a hash of digest-string as
> proof that the client has access to the shared-key.
>

I meant that the current text doesn't include the specific syntax of
digest-string,
it just references RFC 4474, which doesn't mention digest-string.
RFC 4474 mention another element (signed-identity-digest) which seems very
similar to digest-string.
The only difference I see between them, is that signed-identity-digest is
enclosed by quoted, while digest-string doesn't.

>
>
>>
>> Section 3.2: The last paragraph does not indicate what should be done in
>> case of authentication failure (due to missing authentication token in the
>> request or usage of invalid token).
>> RFC 6750 section 3 requires the use of 401 with WWW-Authenticate header,
>> and details the syntax of that header.
>> I believe that the draft can add a reference to that section, saying that
>> the same syntax should be used in SIP.
>>
>
> Yeah, I agree that the document should explicitly cover the failure use
> case.
> I will address that in the next version of the document.
>
>
>> Section 4:
>> a. I think that a note should be added that the syntax of the Bearer
>> scheme defined here for SIP deviates from the syntax defined by RFC 6750
>> (in that that the token is given in a name=value format). I believe this is
>> done to conform to the current SIP ABNF - maybe this should be written as a
>> reasoning for the deviation.
>>
>
> That is correct. I will add a note.
>
>
>>
>> b.. Given the proposed syntax, I don't see a reason to forbid extensions.
>> Maybe the syntax could be written like:
>>   credentials /= ("Bearer" LWS bearer-response)
>>   bearer-response = "access_token" EQUAL access_token *(COMMA auth-param)
>>
>>
> We could do that. Do you have a specific parameter in mind?
>
I don't have anything in mind.

I will look into the proper syntax for this.
>
>
>
>> General:
>> The draft describes how registrations are authenticated.
>> There are scenarios for which there is no registration done (like
>> click-to-call, where only outbound calls are done).
>> Maybe the draft should be expanded to include any SIP request.
>>
>>
> Good point. I will add some text around that.
>
>
>
>> This might even be a security issue:
>> In regular SIP Digest authentication, the Authorization header is
>> included in all requests even after successful registration, probably as
>> SIP doesn't require that subsequent requests are sent over the same
>> [authenticated/secured] transport-layer connection.
>> Section 2 of the draft roughly corresponds to the methods described in
>> section 4 (Obtaining Authorization) of RFC 6749.
>> But, in RFC 6749 these methods are only used to obtain an access token to
>> be used on subsequent requests, whilst in the draft they are used for
>> achieving access.
>> I'm not an expert on OAuth, but I believe the only methods to achieve
>> access are defined in section 7 (Accessing Protected Resources) of RFC
>> 6749, which require the usage of an access token with Authorization header
>> (similar to section 3 of the draft).
>>
>>
> Section 2.1.2 defines the idea of a shared-key to be used to establish new
> connection and re-register to the proxy after a connection is lost, without
> the need for a new code.
> This same mechanism could be used with all subsequent requests, not only
> registration. I will add some text to explicitly state that.
>
> After re-reading section 2, I think I can better explain my concern.
The section defines a way for the SIP proxy to maintain the authenticity of
the UA without challenging all the requests of the UA.
Probably it takes the assumption that all (and only) the UA traffic will be
sent over the same secured transport-layer connection.
If this is the assumption (which I don't really like), I think that this
should be defined as a MUST for the proxy to reject requests received on
other connections.

Also, if the UA "is incapable of maintainings (typo) the confidentiality of
the user credentials and any obtained tokens." (section 1.4), how would it
store the shared-key of section 2.1.2?
And how come OAuth, as used for HTTP, doesn't rely on proxies, but relies
on the clients storing a token? Are SIP UAs more insecure than web browsers?

I suggest that the mechanisms of section 2 will only be used by the UA to
acquire a token, which will later be used according to the mechanism of
section 3.
This way the behavior of SIP UA will be much similar to the behavior of
HTTP client.


> Regards,
>  Rifaat
>
>
>
>
>> Thanks,
>> Yehoshua Gev
>>
>>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org
>> https://www.ietf.org/mailman/listinfo/sipcore
>>
>>
>

v2.23.0 | Report a Bug | By Email