RE: AW: [Sipping] FYI: RADIUS & SIP

Henry Sinnreich <Henry.Sinnreich@mci.com> Thu, 07 August 2003 17:33 UTC

Date: Thu, 31 Jul 2003 06:58:32 -0500
From: Henry Sinnreich <Henry.Sinnreich@mci.com>
Subject: RE: AW: [Sipping] FYI: RADIUS & SIP
In-reply-to: <5.2.0.9.2.20030730002949.043edc48@mail.inode.at>
To: 'Michael Haberler' <mah@eunet.at>, 'Jonathan Rosenberg' <jdrosen@dynamicsoft.com>, 'Bernard Aboba' <aboba@internaut.com>
Cc: "'Liess, Laura'" <Laura.Liess@t-systems.com>, hgs@cs.columbia.edu, sipping@ietf.org, "'Dumler, Alexander'" <Alexander.Dumler@telekom.de>, "'Wolff, Christian'" <Christian.Wolff@telekom.de>
Message-id: <0HIW00BI119I4L@dgismtp02.wcomnet.com>
Organization: WorldCom, Inc.

I believe this is an excellent proposal!

Though a firm believer in the supremacy of IETF technology, sometimes it
makes sense to import innovation on to the Internet from other areas. The
SIM card is certainly on top of the list for technologies where its creators
had their act well together. 

Thanks, Henry

Henry Sinnreich
MCI
400 International Parkway
Richardson, Texas 75081
USA

Have you disconnected the PBX?
 

> -----Original Message-----
> From: sipping-admin@ietf.org [mailto:sipping-admin@ietf.org] 
> On Behalf Of Michael Haberler
> Sent: Wednesday, July 30, 2003 11:55 AM
> To: Jonathan Rosenberg; Bernard Aboba
> Cc: Liess, Laura; hgs@cs.columbia.edu; sipping@ietf.org; 
> Dumler, Alexander; Wolff, Christian
> Subject: Re: AW: [Sipping] FYI: RADIUS & SIP
> 
> authenticating SIP users is very much like authenticating 
> mobile users in cellular networks, and the solution developed 
> for GSM - subscriber identity in a smart card - is IMV 
> something we would be well advised to carry over to SIP space.
> 
> The utility of SIM cards has been recognized for 
> Internet-side authentication like EAP-SIM based WLAN roaming, 
> in particular as there is an existing billing and 
> authentication machinery which one can plug into from the 
> Internet side. However, SIM cards could also be used in a 
> strictly Internet-only service provider context as well. 
> Plus, SIM-based authentication could be used as a bootstrap 
> mechanism for X.509 certificate distribution and therefore for 
> TLS mutual authentication.
> 
> There is a draft for SIP authentication with Authentication 
> and Key Agreement (AKA, 
> http://www.ietf.org/internet-drafts/draft-torvinen-http-digest-aka-v2-00.txt
> and predecessor) which addresses authentication with UMTS SIM 
> (USIM) cards. 
> These have superior security properties compared to plain SIM cards. 
> However, HTTP AKA cannot negotiate down to plain SIM 
> authentication, and very few operators use USIM cards, so if 
> we wait for USIM cards to be ubiquitous we might wait very long.
> 
> Therefore, there is more pressing need for authentication 
> with plain GSM SIM cards (about 900 million cards out 
> there!), and there is currently no standard way of using 
> those at the SIP level - although at the WLAN level, this 
> has been addressed by EAP/SIM which gets around some of the 
> weaknesses of plain SIM authentication. However, the HTTP 
> EAP Digest draft apparently fell through, so we cannot 
> combine HTTP EAP and EAP/SIM.
> 
> So the area of work I see a need for is retrofitting EAP/SIM 
> authentication flows into Digest authentication to create a 
> strong interoperable HTTP SIM authentication method, and 
> appropriate RADIUS support to back it up. Also, the RADIUS 
> support behind HTTP AKA needs fleshing out.
> 
> my vision is to have both WLAN/LAN access and SIP 
> authenticated through the same SIM card. I see quite a market 
> potential for such a feature set.
> 
> -Michael Haberler
> 
> 
> 
> At 14:12 29.07.2003 -0400, Jonathan Rosenberg wrote:
> 
> >I know of several carriers with RADIUS infrastructures that want to use
> >them to support SIP. They are currently using expired I-Ds and
> >proprietary attributes. As a result, I would strongly advocate work on
> >standardizing RADIUS usage with SIP.
> >
> >There are two areas of work that I see a need for:
> >
> >1. Digest authentication. The sterman draft
> >(http://www.freeradius.org/radiusd/doc/rfc/draft-sterman-aaa-sip-00.txt)
> >is used quite a bit, it seems. It would be nice to standardize on
> >this.
> >
> >2. Prepaid calling. Many folks are using vendor proprietary radius
> >extensions to support prepaid calling. It would be nice to bring those
> >forward and standardize on them.
> >
> >-Jonathan R.
> >
> >Bernard Aboba wrote:
> >
> >>Is there some particular set of draft(s) that you are advocating work on?
> >>
> >>On Fri, 18 Jul 2003, Liess, Laura wrote:
> >>
> >>>I think most carriers currently use some kind of RADIUS platform to
> >>>do user authentication and they would like to reuse it in the future
> >>>to authenticate their SIP customers.
> >>>My colleagues who are responsible for the RADIUS Platform of the
> >>>Deutsche Telekom (CC) are currently on vacation so I could not check
> >>>with them now about how to answer this mail, but we already talked
> >>>about this issue a number of times and my strong opinion is that
> >>>"yes, Deutsche Telekom cares a lot about SIP and RADIUS". Reusing the
> >>>existing RADIUS platform for SIP authentication is a strong
> >>>requirement for the development of SIP services within the Deutsche Telekom.
> >>>
> >>>Laura (T-Systems/Deutsche Telekom Group)
> >>
> >>_______________________________________________
> >>Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
> >>This list is for NEW development of the application of SIP
> >>Use sip-implementors@cs.columbia.edu for questions on current sip
> >>Use sip@ietf.org for new developments of core SIP
> >
> >--
> >Jonathan D. Rosenberg, Ph.D.                600 Lanidex Plaza
> >Chief Technology Officer                    Parsippany, NJ 07054-2711
> >dynamicsoft
> >jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
> >http://www.jdrosen.net                     PHONE: (973) 952-5000
> >http://www.dynamicsoft.com
> >
> >
> 

