IETF Logo Mail Archive

Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 11 June 2018 20:01 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB9CF130ECB for <sipcore@ietfa.amsl.com>; Mon, 11 Jun 2018 13:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWk-0cBU0dLc for <sipcore@ietfa.amsl.com>; Mon, 11 Jun 2018 13:01:36 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCCD3130EC9 for <sipcore@ietf.org>; Mon, 11 Jun 2018 13:01:35 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id d74-v6so12747786vke.10 for <sipcore@ietf.org>; Mon, 11 Jun 2018 13:01:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SrtZzw+CYSW8jlXhBechMXNxx3R7bx366J8KwIcOMKE=; b=hjmRzSBTVfYeGuo24Hen4jOuzgYq597WbMB+9D5bVG1ydD9SQh9Olo1ml/UkX6VS27 mCOhpDoJ+yiV3fG6hoCSxss8XjR5UydouuYPrjS2lFsOeRYu5zc2IcBgPfqsRBsQ1sBj ffbl3doJqxzqudteu8fIhIKqn4qtPLzlIrNuMdEbySxc/jmeW+1cFtJ/G2YRVRWziQwG i/KbEdfcL6S2eOjpMTgwj3pqCU0hjgxnf+dLehYMVqwvc43UDvgbJp9oUdNoLir7g+64 v2CIPEnq20ca0I7+S966U4xRPEJDSu1auXyn0HgES6jax0DWHn6SoeKIQJZk/7Mh10cG rUlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SrtZzw+CYSW8jlXhBechMXNxx3R7bx366J8KwIcOMKE=; b=GYO6HM0BEGEhWtl9nbfo0rlz7DKQ/2hWadFDWcAc97NYZbyllBaulTyzP27cPu4NWr bdGT+nXjaYF4LLKmtbSvNyfvoiunZ6SevnhP8rJSyVXQAD0HeMV//3vpjThARstmkUHi eRVcMa8Nlnb6XYIh9v0P1vCDkD7FN9uSqLHFeJcvvzoaYheiccjxKGkoNGpV1sHZtkqs B2yPEZOk+g56gMJF71Dj+1NMCb8b23ttY/tCpBZTm5sOjKnUyh2kYMtnUjIQ5W/n2pwG mnkGrpOi6tHy1KQbku8bRjJbBgGJh54pVSTtvvn2a2rWnA5LSCBwpBsqu+rsQj1GTmCn JSug==
X-Gm-Message-State: APt69E1+5VxqPc5kWf7TPC9iIYr4RN07k5JtuasODrzwS/WfqZ8HYhVy JO0t6zhW403oDxiMJ8juaywQWYnTMYMOuK5b7qs=
X-Google-Smtp-Source: ADUXVKI4J33cEeCiIsKgZzJ/O4EpyxrTxuoOLR9uyJnpqN/sgdHzXe4ScxvmzgiSsFyLlUzgVWqnYkgmtPSHkXvJ848=
X-Received: by 2002:a1f:8bc6:: with SMTP id n189-v6mr377319vkd.104.1528747294677; Mon, 11 Jun 2018 13:01:34 -0700 (PDT)
MIME-Version: 1.0
References: <CAF_j7yZPaG07LpEx+-aA6qDQQd00EfigNtd5TUxsXbPykPiPZA@mail.gmail.com> <CAGL6epK24wvDfvA5c+rpR7XeNbwYmCNAxFRvxZtMX=i9QOQRWw@mail.gmail.com> <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com>
In-Reply-To: <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 11 Jun 2018 16:01:53 -0400
Message-ID: <CAGL6epKBpYCagJrOfzEhWqR1Bnpxb0M-qO1vcbSGqTxGtEz5jg@mail.gmail.com>
To: Yehoshua Gev <yoshigev@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000736023056e6337b5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/yWBvWkCrIAaUIJmN_CV9b7SPOSA>
Subject: Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 20:01:39 -0000

Inline...

On Sun, Jun 10, 2018 at 7:48 AM Yehoshua Gev <yoshigev@gmail.com> wrote:

> Thanks Rifaat.
> See inline.
>
>
>
> On Fri, Jun 8, 2018 at 10:16 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com
> > wrote:
>
>> Hi Yehoshua,
>>
>> Thanks for your review and comments.
>> See my replies inline.
>>
>> Regards,
>>  Rifaat
>>
>>
>> On Thu, Jun 7, 2018 at 3:54 AM, Yehoshua Gev <yoshigev@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Several comments:
>>>
>>> Section 2.2.4: There is a reference to RFC 4474 for the list of SIP
>>> headers to be included in digest-string.
>>> I think it would be good to specifically indicate that the digest-string
>>> equals to signed-identity-digest of RFC 4474, but without the enclosing
>>> quotes.
>>>
>>
>> I am not clear on what you mean by "digest-string equals to
>> signed-identity-digest "
>> The goal is to use the shared-key to provide a hash of digest-string as
>> proof that the client has access to the shared-key.
>>
>
> I meant that the current text doesn't include the specific syntax of digest-string,
> it just references RFC 4474, which doesn't mention digest-string.
> RFC 4474 mention another element (signed-identity-digest) which seems
> very similar to digest-string.
> The only difference I see between them, is that signed-identity-digest is
> enclosed by quoted, while digest-string doesn't.
>

digest-string is defined in section 9
https://tools.ietf.org/html/rfc4474#section-9


>>
>>>
>>> Section 3.2: The last paragraph does not indicate what should be done in
>>> case of authentication failure (due to missing authentication token in the
>>> request or usage of invalid token).
>>> RFC 6750 section 3 requires the use of 401 with WWW-Authenticate header,
>>> and details the syntax of that header.
>>> I believe that the draft can add a reference to that section, saying
>>> that the same syntax should be used in SIP.
>>>
>>
>> Yeah, I agree that the document should explicitly cover the failure use
>> case.
>> I will address that in the next version of the document.
>>
>>
>>> Section 4:
>>> a. I think that a note should be added that the syntax of the Bearer
>>> scheme defined here for SIP deviates from the syntax defined by RFC 6750
>>> (in that that the token is given in a name=value format). I believe this is
>>> done to conform to the current SIP ABNF - maybe this should be written as a
>>> reasoning for the deviation.
>>>
>>
>> That is correct. I will add a note.
>>
>>
>>>
>>> b.. Given the proposed syntax, I don't see a reason to forbid
>>> extensions. Maybe the syntax could be written like:
>>>   credentials /= ("Bearer" LWS bearer-response)
>>>   bearer-response = "access_token" EQUAL access_token *(COMMA auth-param)
>>>
>>>
>> We could do that. Do you have a specific parameter in mind?
>>
> I don't have anything in mind.
>
> I will look into the proper syntax for this.
>>
>>
>>
>>> General:
>>> The draft describes how registrations are authenticated.
>>> There are scenarios for which there is no registration done (like
>>> click-to-call, where only outbound calls are done).
>>> Maybe the draft should be expanded to include any SIP request.
>>>
>>>
>> Good point. I will add some text around that.
>>
>>
>>
>>> This might even be a security issue:
>>> In regular SIP Digest authentication, the Authorization header is
>>> included in all requests even after successful registration, probably as
>>> SIP doesn't require that subsequent requests are sent over the same
>>> [authenticated/secured] transport-layer connection.
>>> Section 2 of the draft roughly corresponds to the methods described in
>>> section 4 (Obtaining Authorization) of RFC 6749.
>>> But, in RFC 6749 these methods are only used to obtain an access token
>>> to be used on subsequent requests, whilst in the draft they are used for
>>> achieving access.
>>> I'm not an expert on OAuth, but I believe the only methods to achieve
>>> access are defined in section 7 (Accessing Protected Resources) of RFC
>>> 6749, which require the usage of an access token with Authorization header
>>> (similar to section 3 of the draft).
>>>
>>>
>> Section 2.1.2 defines the idea of a shared-key to be used to establish
>> new connection and re-register to the proxy after a connection is lost,
>> without the need for a new code.
>> This same mechanism could be used with all subsequent requests, not only
>> registration. I will add some text to explicitly state that.
>>
>> After re-reading section 2, I think I can better explain my concern.
> The section defines a way for the SIP proxy to maintain the authenticity
> of the UA without challenging all the requests of the UA.
> Probably it takes the assumption that all (and only) the UA traffic will
> be sent over the same secured transport-layer connection.
> If this is the assumption (which I don't really like), I think that this
> should be defined as a MUST for the proxy to reject requests received on
> other connections.
>
> No, the point of the shared-key idea is to allow the phone to establish
new connections, when needed, to send new requests.


> Also, if the UA "is incapable of maintainings (typo) the confidentiality
> of the user credentials and any obtained tokens." (section 1.4), how
> would it store the shared-key of section 2.1.2?
>

The shared-key is created and maintained in memory, while the other
credentials are usually stored locally for example in flash.
Also, the document provides a way to enable or disable this functionality,
based on the security policy on the server.


> And how come OAuth, as used for HTTP, doesn't rely on proxies, but relies
> on the clients storing a token? Are SIP UAs more insecure than web browsers?
>
>

> I suggest that the mechanisms of section 2 will only be used by the UA to
> acquire a token, which will later be used according to the mechanism of
> section 3.
> This way the behavior of SIP UA will be much similar to the behavior of
> HTTP client.
>

The browser does not store any tokens when the *code flow* is used, and
that is what this flow is trying to do here.
Section 3 defines that mechanism that you are suggesting here.

Regards,
 Rifaat


>
>> Regards,
>>  Rifaat
>>
>>
>>
>>
>>> Thanks,
>>> Yehoshua Gev
>>>
>>>
>>> _______________________________________________
>>> sipcore mailing list
>>> sipcore@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email