IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 09 July 2019 17:45 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E68E1200F7 for <sipcore@ietfa.amsl.com>; Tue, 9 Jul 2019 10:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBnGxhhElpSi for <sipcore@ietfa.amsl.com>; Tue, 9 Jul 2019 10:45:54 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0630.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A972412004E for <sipcore@ietf.org>; Tue, 9 Jul 2019 10:45:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DaUqyYrN8R4DDedgq2D8xJsuGvvCGoXMfm6D76gi3B3PXOEHj9DtErLPJ8ishvTHr0a5sUjsg1xlVnVDl+ty6mjrbxV6f1aQSNQWm19TDQDMOipGhwFVfkaocb1Xm0OJD9I3EosbRJrDAtYSYzONEf54H7b2qxQ2BtRFs6PPyD8e30A3mJh+x5stluupmtOCxb5paH7qGJTN4v7ORNWr9RkeZB467x+s+n2Te4Cgs2GsFqpPGy0MDXBpkFXEqk/GLJQwFNJj8FFKVwrDMfvejg1aj1gX17sowVrd3R2LjZzlDBBvs+6l7WceqFhF0tBbiXOA1HqvJOGBbTOx8ZHs9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qQgzLaX84WLwegGuSdm/v4krXJ/aUFddTsY7bj6gtr8=; b=UH6c4+F25g1AfYUS5F5sfl8H6/Z2AjTFSto15rQ27uqLxQC4X7jzoZ1lVpF0qn8kaH6krQcNBBSFgOhFwUb8uxTWNZXr8rDqyEcJt3vNMdlJRrDAT1wI09EI/wiIrFR9cjJTzaNWDRb3L9F9BcsTzgAFOjW8LiJuSuoBVcwBmWuLw89OD05NKh4MlDGOCIifXdp6Vq0+WIPh4Kf/o8IB86a9Dr0X6249YawVDsKIXHFKUML6c2wLthmY6OovRU79OZijr5qTJtiWmLo4Tt8PNjZYcjzrTzgobywmyF5HyrAguhD/K3hb2Ue+N4X57rcNC+qoiobD1Nmq+uf4hJowjg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qQgzLaX84WLwegGuSdm/v4krXJ/aUFddTsY7bj6gtr8=; b=gjxAc1OwJTPK1mPKZttS8Hgg2MGWALNeJ1Ca7gR5QpJeESWSFiYLqNfOK9glQCrhs7ha9aAyB1V1F8FlrZfibtJJyPzOmwyttv/Zs5T3N+PDFq7USTFwXlBrGAjfSYS3c6L24jy6wPKp2XPOrtT+0RQMZHD2kvnM2Cp3OX2ogug=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3114.eurprd07.prod.outlook.com (10.170.245.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Tue, 9 Jul 2019 17:45:50 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Tue, 9 Jul 2019 17:45:50 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXAA=
Date: Tue, 09 Jul 2019 17:45:50 +0000
Message-ID: <607A513F-8616-4777-8B5E-59390E845709@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu>
In-Reply-To: <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 58d708ec-7572-475e-7f7d-08d704954873
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3114;
x-ms-traffictypediagnostic: HE1PR07MB3114:
x-microsoft-antispam-prvs: <HE1PR07MB3114308FC4ECB2B0D0CD135593F10@HE1PR07MB3114.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0093C80C01
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(39860400002)(396003)(376002)(366004)(189003)(199004)(66556008)(66946007)(44832011)(229853002)(68736007)(256004)(2171002)(2906002)(73956011)(76116006)(14444005)(102836004)(26005)(6506007)(66446008)(64756008)(186003)(7736002)(8676002)(81156014)(71190400001)(71200400001)(81166006)(53936002)(446003)(11346002)(486006)(5660300002)(86362001)(6246003)(6436002)(6116002)(6486002)(66476007)(6512007)(476003)(2616005)(3846002)(66066001)(2501003)(305945005)(33656002)(14454004)(110136005)(316002)(58126008)(478600001)(99286004)(76176011)(25786009)(8936002)(36756003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3114; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Qr9yefmVgG9Cti4/pJOJOnIYyrsbE0NoNaJF+g+pkYYWy8g1lcNPbXHgLySDWz9U9pGWhfF4VTyaG3dFDISnBFVerpqCVmTyjoVoFMqW7zdU3oDC3teu4IfxHYYZKnwFSWtHJlpBbIWi7CXGq08ZJ3ZF5U9PBLtC5KlG1w0uq3BXS+ssMNjjrTsSz239yT6LAa+CwraMaOax/v+fWO1DMi0wA2Hl1+NxW6n1PAgVZQt5GWPj4hAWbX5tSG35dhs+6Bklr910cLwRvT7Hj6SNdlYyrXzCRRwUPHyZYMjsUZnZyZgBIqVKDSZu83iGgDOHyhSMUP05TyTj7+qtMAT7wepFhu8obQGKiw0Q1dklCJ5/kvBWgg+/zcY/OV8EIOL4B9WpccRN9ACENZmXBRPVQ5VSewOejsN6UWmEUDHeNDo=
Content-Type: text/plain; charset="utf-8"
Content-ID: <50D4CAE0E2AC654ABAC59D1D70184E40@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 58d708ec-7572-475e-7f7d-08d704954873
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2019 17:45:50.6562 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3114
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/vIz24hPFNLLHI7zsVBcpJqABOKw>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 17:45:57 -0000

Hi,

>>>>>> As I said in another reply, if you by default place a REGISTER token in a non-REGISTER request the token may reach the remote peer, which could be a security concern.
>>>>>      
>>>>>      I would like to hear more about this. Is there something about the token
>>>>>      that reveals stuff that might not be suitable to expose to everyone? I
>>>>>      personally don't know. This seems like something that ought to be
>>>>>      discussed in security considerations.
>>>>>     
>>>> The token itself does not reveal anything, but in OAuth the token is used to access the requested resource, so it is considered sensitive information.
>>>>
>>>> As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar. I have never heard about anyone using
>>>> it for non-REGISTER authentication, and I wonder whether we even need to cover it in the draft. We could limit the scope the REGISTER requests.
>>>> Then, if anyone ever needs OAuth for non-REGISTER requests, a separate draft can be written.
>>>     
>>>     Yes, you can do that if you wish. But ISTM that the issues are largely
>>>     the same so I don't know why you would do that.
>> 
>> The REGISTER request, and the token, will only reach the registrar.
>    
>    And any proxies on the path to the registrar.
  
Sure, and that we do need to cover: the token needs to be protected.
  
>    But if I send an INVITE, am challenged by the target of the INVITE, and 
>    then send the token in a retry of the INVITE then it only goes there, 
>    where it is supposed to go. How is that any different from the registrar 
>    case? Is it because I somehow trust the registrar more that I trust who 
>    I am calling?
  
I assume most people trust their registrar. If you don't, you obviously can't use the mechanism. We can for sure add text to clarify that, if needed.

And, you can for sure decide to trust the one you are calling. But, again, I still think we could leave user-to-user authentication out of scope of the draft. The scope has been using OAuth for registrations from day one, and that is what people have been asking for. 

Also, after people had raised issues with the previous draft, we agreed to only move the current parts into the new draft.

>    ISTM that what is more important is the relationship between the domain 
>    of the UAS I'm trying to contact and the realm of the challenge. (Do I 
>    think this server has any business claiming to be authenticate for this 
>    realm?)
>    
>    The other tricky part is deciding whether to send the cached credentials 
>    (token) in a new request that hasn't just immediately challenged. But 
>    note that the request "in response" to a challenge is indistinguishable 
>    from a request sent to the same target later other than by time delay. 
>    The security concerns should be the same. Sending the token to some 
>    other target before being challenged by that target is a different leap 
>    of faith, so has different concerns.
    
>    My main point here is not to get you to explain it to me in this email 
>    thread. What I want is to see this discussed adequately in the security 
>    considerations of the document. If it isn't "safe" to send the token to 
>    everybody, then how do I decide who I can safely send it to?
>
>    One partial answer might be: if a challenge results in asking the user 
>    to authenticate for the realm, then the user gets to decide if he wants 
>    to, and if so then the resulting token should be sent to the same target 
>    just then. But this doesn't address when the same token can be used 
>    preemptively later. That still needs discussion.
  
OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using the token in binding refresh REGISTER requests is fine.

But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.

Regards,

Christer

v2.23.0 | Report a Bug | By Email