IETF Logo Mail Archive

Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues

Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 15 January 2020 20:12 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F76C120935 for <sipcore@ietfa.amsl.com>; Wed, 15 Jan 2020 12:12:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixQsxstneZfm for <sipcore@ietfa.amsl.com>; Wed, 15 Jan 2020 12:12:53 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2073.outbound.protection.outlook.com [40.107.237.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CE7E1208EA for <sipcore@ietf.org>; Wed, 15 Jan 2020 12:12:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RzVeq+CQRcYoxhCTTMLWFdwq1Q0qj1ujJL21Hg1BbstKWCvoSutfzZKJBrdNqbKor7qudlH8+ccI6VFTU0Ukrcmx+OiRwlNxVCsXIUVv3GTzE6JfN6AdkvB5aG6UPnsSzr4A+7uqce3GGp8BykvB9Qu1XWvhZKd6vBNQl4eHpEpyFOUgpANvzmJprDfe9HxZtpM72QW9CapvpQYQhvUytbthYY3B/Ihpf80uOUyRuWrFy9dyBOAvQoZFqRI3ppGs4/tkRefH1YsLf/l72afuAVMSBqKLUaH+bRfrvmGUbZ5PuNatO0Z9hCqBhCXOUrjIANq5ZoL0NOcB7nDWKdwBUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MIS4VQD5ydQ1DpjL2jTpSrcvXJboEfR7I3m5Eno2ddc=; b=eWcEh1S0br5gNmOhOUVlcOOYiAf4W+GNRjiTge3Wl59WGMxjkmZ+bDoHMxUQeQZMa6CUR6ThyQ4nY0sRMMUvquEF+D/4zVHEACLaMJJ3WXiOVkZI2Gg9nSG5NQwT76AodjQpAbMu8DC4zVddP8lR5f1NvZJxmMmyrPVZhKRED9aumzSH+aqwX2I+pAASO8fw3HHQQIBSRmtmDsWPA9LQF32GwFAIK1yxYGqfl6X3VMB42GE7uXLHeYgRQm1Ow5Lp5jYZcs18M2NpxiD8q749nyWrVhHrjj+a+lzrTwyUjkZnNT+0tuKXDnDksOQM179oyAZbi9Jt3PRibDsFmOeYEg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=ietf.org smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MIS4VQD5ydQ1DpjL2jTpSrcvXJboEfR7I3m5Eno2ddc=; b=YSSP+hdTBNKA53AHLadkG8jgMzm9U1SyuIQ61rn2BpQc9VfV5v3E7Ki4pS4Xin+O13M0kSU0neyBm7aL+xeaUlSURdYb5NjsivHTAgCTHkLhhJ54RznfgupeDD4N3DHkNPHZR8852wW6ICl7kpNkdTBGRlVAGdppHTa5kkh590c=
Received: from MWHPR12CA0062.namprd12.prod.outlook.com (2603:10b6:300:103::24) by BN6PR12MB1732.namprd12.prod.outlook.com (2603:10b6:404:107::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.14; Wed, 15 Jan 2020 20:12:51 +0000
Received: from SN1NAM02FT044.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e44::200) by MWHPR12CA0062.outlook.office365.com (2603:10b6:300:103::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.20 via Frontend Transport; Wed, 15 Jan 2020 20:12:51 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT044.mail.protection.outlook.com (10.152.72.173) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.19 via Frontend Transport; Wed, 15 Jan 2020 20:12:49 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 00FKClaw009893 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <sipcore@ietf.org>; Wed, 15 Jan 2020 15:12:48 -0500
To: sipcore@ietf.org
References: <157911000899.29206.8478750155091458002@ietfa.amsl.com> <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
Date: Wed, 15 Jan 2020 15:12:47 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(376002)(346002)(199004)(189003)(7596002)(316002)(478600001)(75432002)(186003)(786003)(966005)(66574012)(36906005)(956004)(336012)(5660300002)(26826003)(246002)(53546011)(6916009)(70586007)(8936002)(356004)(31686004)(86362001)(70206006)(26005)(2906002)(2616005)(8676002)(31696002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR12MB1732; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 3fa3d07d-88e5-48ed-282c-08d799f74b5f
X-MS-TrafficTypeDiagnostic: BN6PR12MB1732:
X-Microsoft-Antispam-PRVS: <BN6PR12MB1732FA43FDA9B4F136B0618CF9370@BN6PR12MB1732.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 02830F0362
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: GQqds7va2sNYVXxT1R27BOZYk4R0F/SoduDaQ325jAiQK4pI6jNnD1qVwEhK9Qb6K0yYgbN4gnBoRc87gLAdUk5npNjKOjZIxanqu2qS6z+UmM6j1Y4cTGS8Ar4r7wEyXxnyAHEldhcGfmBXpqQlps9YUyNo7vKKPDiu6OCVJ1QACbtCOcPNrhNAsfEI7QHAn9s3BK1k4pi2Yd7NA7+KyIq6mtv0lrISHOsePGzY6yYrS0fhgSoKRnL+QavAA/RzAQMEfBFTo+kz+K6VLPTjJwbKhCRciaQ6ajeb79Pl8IOnkwBfvSQ50HWH4GFRyTmXF8Yng3VuGSzmN31FxuKDd9713mhVdViwOr92zIfyirmJFLVgQZNslHkPtGEqTOmWaMWEE4alhjRM/0GGjhIOnWA1ns6ID9exjUb/INxxOC124MsfsOude+2STyqLctfkoSPQzirTDTqc7r+SEKYSvTM92HKBk9KDuqI8mEuqO+mYKG961TTdxEM7BGXqEIOFld82tIVVuW7CLvLEmND+jA==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jan 2020 20:12:49.5292 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3fa3d07d-88e5-48ed-282c-08d799f74b5f
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1732
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/u4HluTl5uPOACB3YY8bFZX_p6xk>
Subject: Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 20:12:56 -0000

While reviewing this new version I began to wonder if the general 
procedures for authentication in sip are sufficiently clear and 
unambiguous. This isn't strictly an issue for this draft, but because 
this draft introduces a new authentication scheme along side digest it 
has the potential to aggravate thee issues. ISTM that without answers to 
these issues it will be difficult to deploy this new token authnz draft. 
But that draft may not be the appropriate place to answer them. I'd like 
to hear what others here think is the proper way to deal with this.

My general issue is what to do when, while trying to send a request, a 
UAC receives authorization challenges for multiple schemes and/or 
multiple realms. This can potentially occur in a single 401 response, a 
single 407 response, or some combination of 407 and 401 responses.

Note that a forking proxy may aggregate 401 and 407 responses from 
multiple forks and pass the multiple WWW-Authenticate and 
Proxy-Authenticate responses back to the UAC. How the UAC deals with 
this is also at issue.

Also, if there are multiple authenticating proxies on an unforked path 
from UAC to UAS, then the UAC will receive the challenges one at a time. 
The request will only reach a subsequent proxy after the request is sent 
with adequate credentials for every early proxy in the change. Note that 
this means that the UAC must remember to include the credentials from 
earlier challenges when retrying after a subsequent challenge because 
that subsequent challenge won't include the earlier challenges.

(1) is it valid for a single UAS or proxy to issue concurrent challenges 
specifying differing schemes? I believe it is or should be.

(2) is it valid for a single UAS or proxy to issue concurrent challenges 
on its own behalf specifying differing realms? I'm not sure if this 
makes sense or not. (This is distinct from a forking proxy aggregating 
downstream challenges.)

(3) If a UAS or proxy does issue concurrent challenges specifying 
differing schemes, how is the UAC expected to successfully respond? Is 
the UAC expected to respond with credentials for *each* scheme, or is it 
sufficient to respond to one of them? I am inclined to think that the 
different schemes should be considered alternatives, so that it is 
sufficient to respond to one of them. At least in the case where they 
are for the same realm. It may be more confusing if they are for 
differing realms.

(4) If multiple UASs and/or proxies claim the same realm then are they 
expected to accept the same credentials? I think this must be so, else 
the user and UAC won't be able to sort out what credential to use for a 
given challenge.

Generally, ISTM that the UAC should group challenges by realm, 
attempting to obtain a single set of credentials for each realm. If 
there is more than one realm mentioned in the response, then it should 
obtain a set of credentials for each. And then, if there 407 responses 
to prior attempts to send this same request then the credentials chosen 
for them should also be included in this retry.

What do others think about this? Do you think this is sufficiently 
specified in existing RFCs? If so, can you explain this?

	Thanks,
	Paul

On 1/15/20 12:42 PM, Rifaat Shekh-Yusef wrote:
> All,
> 
> We have just submitted a new version of the document that hopefully 
> addresses all the comments received so far.
> Please, take a look and let us know what you think.
> 
> Regards,
>   Rifaat
> 
> 
> On Wed, Jan 15, 2020 at 12:40 PM <internet-drafts@ietf.org 
> <mailto:internet-drafts@ietf.org>> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Session Initiation Protocol Core WG
>     of the IETF.
> 
>              Title           : Third-Party Token-based Authentication
>     and Authorization for Session Initiation Protocol (SIP)
>              Authors         : Rifaat Shekh-Yusef
>                                Christer Holmberg
>                                Victor Pascual
>              Filename        : draft-ietf-sipcore-sip-token-authnz-07.txt
>              Pages           : 14
>              Date            : 2020-01-15
> 
>     Abstract:
>         This document defines a SIP mechanism that relies on the OAuth 2.0
>         and OpenID Connect Core 1.0 to enable delegation of the user
>         authentication and SIP registration authorization to a third-party.
>         The document updates RFC 3261.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
> 
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-07
>     https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-07
>     <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-07>
> 
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-07
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org
>     <http://tools.ietf.org>.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
> 
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>     https://www.ietf.org/mailman/listinfo/sipcore
> 
> 
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email