Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 11 June 2018 20:01 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB9CF130ECB for <sipcore@ietfa.amsl.com>; Mon, 11 Jun 2018 13:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWk-0cBU0dLc for <sipcore@ietfa.amsl.com>; Mon, 11 Jun 2018 13:01:36 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCCD3130EC9 for <sipcore@ietf.org>; Mon, 11 Jun 2018 13:01:35 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id d74-v6so12747786vke.10 for <sipcore@ietf.org>; Mon, 11 Jun 2018 13:01:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SrtZzw+CYSW8jlXhBechMXNxx3R7bx366J8KwIcOMKE=; b=hjmRzSBTVfYeGuo24Hen4jOuzgYq597WbMB+9D5bVG1ydD9SQh9Olo1ml/UkX6VS27 mCOhpDoJ+yiV3fG6hoCSxss8XjR5UydouuYPrjS2lFsOeRYu5zc2IcBgPfqsRBsQ1sBj ffbl3doJqxzqudteu8fIhIKqn4qtPLzlIrNuMdEbySxc/jmeW+1cFtJ/G2YRVRWziQwG i/KbEdfcL6S2eOjpMTgwj3pqCU0hjgxnf+dLehYMVqwvc43UDvgbJp9oUdNoLir7g+64 v2CIPEnq20ca0I7+S966U4xRPEJDSu1auXyn0HgES6jax0DWHn6SoeKIQJZk/7Mh10cG rUlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SrtZzw+CYSW8jlXhBechMXNxx3R7bx366J8KwIcOMKE=; b=GYO6HM0BEGEhWtl9nbfo0rlz7DKQ/2hWadFDWcAc97NYZbyllBaulTyzP27cPu4NWr bdGT+nXjaYF4LLKmtbSvNyfvoiunZ6SevnhP8rJSyVXQAD0HeMV//3vpjThARstmkUHi eRVcMa8Nlnb6XYIh9v0P1vCDkD7FN9uSqLHFeJcvvzoaYheiccjxKGkoNGpV1sHZtkqs B2yPEZOk+g56gMJF71Dj+1NMCb8b23ttY/tCpBZTm5sOjKnUyh2kYMtnUjIQ5W/n2pwG mnkGrpOi6tHy1KQbku8bRjJbBgGJh54pVSTtvvn2a2rWnA5LSCBwpBsqu+rsQj1GTmCn JSug==
X-Gm-Message-State: APt69E1+5VxqPc5kWf7TPC9iIYr4RN07k5JtuasODrzwS/WfqZ8HYhVy JO0t6zhW403oDxiMJ8juaywQWYnTMYMOuK5b7qs=
X-Google-Smtp-Source: ADUXVKI4J33cEeCiIsKgZzJ/O4EpyxrTxuoOLR9uyJnpqN/sgdHzXe4ScxvmzgiSsFyLlUzgVWqnYkgmtPSHkXvJ848=
X-Received: by 2002:a1f:8bc6:: with SMTP id n189-v6mr377319vkd.104.1528747294677; Mon, 11 Jun 2018 13:01:34 -0700 (PDT)
MIME-Version: 1.0
References: <CAF_j7yZPaG07LpEx+-aA6qDQQd00EfigNtd5TUxsXbPykPiPZA@mail.gmail.com> <CAGL6epK24wvDfvA5c+rpR7XeNbwYmCNAxFRvxZtMX=i9QOQRWw@mail.gmail.com> <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com>
In-Reply-To: <CAF_j7yaQwAmiKSK9cYsmzEx4UxGB42USXB9xZMH2X2F+ZmCeHQ@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 11 Jun 2018 16:01:53 -0400
Message-ID: <CAGL6epKBpYCagJrOfzEhWqR1Bnpxb0M-qO1vcbSGqTxGtEz5jg@mail.gmail.com>
To: Yehoshua Gev <yoshigev@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000736023056e6337b5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/yWBvWkCrIAaUIJmN_CV9b7SPOSA>
Subject: Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 20:01:39 -0000
Inline... On Sun, Jun 10, 2018 at 7:48 AM Yehoshua Gev <yoshigev@gmail.com> wrote: > Thanks Rifaat. > See inline. > > > > On Fri, Jun 8, 2018 at 10:16 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com > > wrote: > >> Hi Yehoshua, >> >> Thanks for your review and comments. >> See my replies inline. >> >> Regards, >> Rifaat >> >> >> On Thu, Jun 7, 2018 at 3:54 AM, Yehoshua Gev <yoshigev@gmail.com> wrote: >> >>> Hi, >>> >>> Several comments: >>> >>> Section 2.2.4: There is a reference to RFC 4474 for the list of SIP >>> headers to be included in digest-string. >>> I think it would be good to specifically indicate that the digest-string >>> equals to signed-identity-digest of RFC 4474, but without the enclosing >>> quotes. >>> >> >> I am not clear on what you mean by "digest-string equals to >> signed-identity-digest " >> The goal is to use the shared-key to provide a hash of digest-string as >> proof that the client has access to the shared-key. >> > > I meant that the current text doesn't include the specific syntax of digest-string, > it just references RFC 4474, which doesn't mention digest-string. > RFC 4474 mention another element (signed-identity-digest) which seems > very similar to digest-string. > The only difference I see between them, is that signed-identity-digest is > enclosed by quoted, while digest-string doesn't. > digest-string is defined in section 9 https://tools.ietf.org/html/rfc4474#section-9 >> >>> >>> Section 3.2: The last paragraph does not indicate what should be done in >>> case of authentication failure (due to missing authentication token in the >>> request or usage of invalid token). >>> RFC 6750 section 3 requires the use of 401 with WWW-Authenticate header, >>> and details the syntax of that header. >>> I believe that the draft can add a reference to that section, saying >>> that the same syntax should be used in SIP. >>> >> >> Yeah, I agree that the document should explicitly cover the failure use >> case. >> I will address that in the next version of the document. >> >> >>> Section 4: >>> a. I think that a note should be added that the syntax of the Bearer >>> scheme defined here for SIP deviates from the syntax defined by RFC 6750 >>> (in that that the token is given in a name=value format). I believe this is >>> done to conform to the current SIP ABNF - maybe this should be written as a >>> reasoning for the deviation. >>> >> >> That is correct. I will add a note. >> >> >>> >>> b.. Given the proposed syntax, I don't see a reason to forbid >>> extensions. Maybe the syntax could be written like: >>> credentials /= ("Bearer" LWS bearer-response) >>> bearer-response = "access_token" EQUAL access_token *(COMMA auth-param) >>> >>> >> We could do that. Do you have a specific parameter in mind? >> > I don't have anything in mind. > > I will look into the proper syntax for this. >> >> >> >>> General: >>> The draft describes how registrations are authenticated. >>> There are scenarios for which there is no registration done (like >>> click-to-call, where only outbound calls are done). >>> Maybe the draft should be expanded to include any SIP request. >>> >>> >> Good point. I will add some text around that. >> >> >> >>> This might even be a security issue: >>> In regular SIP Digest authentication, the Authorization header is >>> included in all requests even after successful registration, probably as >>> SIP doesn't require that subsequent requests are sent over the same >>> [authenticated/secured] transport-layer connection. >>> Section 2 of the draft roughly corresponds to the methods described in >>> section 4 (Obtaining Authorization) of RFC 6749. >>> But, in RFC 6749 these methods are only used to obtain an access token >>> to be used on subsequent requests, whilst in the draft they are used for >>> achieving access. >>> I'm not an expert on OAuth, but I believe the only methods to achieve >>> access are defined in section 7 (Accessing Protected Resources) of RFC >>> 6749, which require the usage of an access token with Authorization header >>> (similar to section 3 of the draft). >>> >>> >> Section 2.1.2 defines the idea of a shared-key to be used to establish >> new connection and re-register to the proxy after a connection is lost, >> without the need for a new code. >> This same mechanism could be used with all subsequent requests, not only >> registration. I will add some text to explicitly state that. >> >> After re-reading section 2, I think I can better explain my concern. > The section defines a way for the SIP proxy to maintain the authenticity > of the UA without challenging all the requests of the UA. > Probably it takes the assumption that all (and only) the UA traffic will > be sent over the same secured transport-layer connection. > If this is the assumption (which I don't really like), I think that this > should be defined as a MUST for the proxy to reject requests received on > other connections. > > No, the point of the shared-key idea is to allow the phone to establish new connections, when needed, to send new requests. > Also, if the UA "is incapable of maintainings (typo) the confidentiality > of the user credentials and any obtained tokens." (section 1.4), how > would it store the shared-key of section 2.1.2? > The shared-key is created and maintained in memory, while the other credentials are usually stored locally for example in flash. Also, the document provides a way to enable or disable this functionality, based on the security policy on the server. > And how come OAuth, as used for HTTP, doesn't rely on proxies, but relies > on the clients storing a token? Are SIP UAs more insecure than web browsers? > > > I suggest that the mechanisms of section 2 will only be used by the UA to > acquire a token, which will later be used according to the mechanism of > section 3. > This way the behavior of SIP UA will be much similar to the behavior of > HTTP client. > The browser does not store any tokens when the *code flow* is used, and that is what this flow is trying to do here. Section 3 defines that mechanism that you are suggesting here. Regards, Rifaat > >> Regards, >> Rifaat >> >> >> >> >>> Thanks, >>> Yehoshua Gev >>> >>> >>> _______________________________________________ >>> sipcore mailing list >>> sipcore@ietf.org >>> https://www.ietf.org/mailman/listinfo/sipcore >>> >>> >> >
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Yehoshua Gev
- [sipcore] Comments on draft-ietf-sipcore-sip-auth… Yehoshua Gev
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Yehoshua Gev
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] Comments on draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef