Re: AW: [Sipping] FYI: RADIUS & SIP

Michael Haberler <mah@eunet.at> Wed, 30 July 2003 16:58 UTC

Date: Wed, 30 Jul 2003 18:55:02 +0200
To: Jonathan Rosenberg <jdrosen@dynamicsoft.com>, Bernard Aboba <aboba@internaut.com>
From: Michael Haberler <mah@eunet.at>
Subject: Re: AW: [Sipping] FYI: RADIUS & SIP
Cc: "Liess, Laura" <Laura.Liess@t-systems.com>, hgs@cs.columbia.edu, sipping@ietf.org, "Dumler, Alexander" <Alexander.Dumler@telekom.de>, "Wolff, Christian" <Christian.Wolff@telekom.de>

Authenticating SIP users is very much like authenticating mobile users in
cellular networks, and the solution developed for GSM - subscriber identity
in a smart card - is IMV something we would be well advised to carry over to
SIP space.

The utility of SIM cards has been recognized for Internet-side 
authentication like EAP-SIM based WLAN roaming, in particular as there is 
an existing billing and authentication machinery which one can plug into
from the Internet side. However, SIM cards could also be used in a strictly
Internet-only service provider context as well. Plus, SIM-based
authentication could be used as a bootstrap mechanism for X.509 certificate
distribution and therefore for TLS mutual authentication.

There is a draft for SIP authentication with Authentication and Key 
Agreement (AKA, 
http://www.ietf.org/internet-drafts/draft-torvinen-http-digest-aka-v2-00.txt 
and predecessor) which addresses authentication with UMTS SIM (USIM) cards.
These have superior security properties compared to plain SIM cards.
However, HTTP AKA cannot negotiate down to plain SIM authentication, and
very few operators use USIM cards, so if we wait for USIM cards to be
ubiquitous we might wait very long.

Therefore, there is more pressing need for authentication with plain GSM 
SIM cards (about 900 million cards out there!), and there is currently no 
standard way of using those at the SIP level - although at the WLAN level,
this has been addressed by EAP/SIM which gets around some of the weaknesses
of plain SIM authentication. However, the HTTP EAP Digest draft apparently 
fell through, so we cannot combine HTTP EAP and EAP/SIM.

So the area of work I see a need for is retrofitting EAP/SIM authentication 
flows into Digest authentication to create a strong interoperable HTTP SIM 
authentication method, and appropriate RADIUS support to back it up. Also, 
the RADIUS support behind HTTP AKA needs fleshing out.

My vision is to have both WLAN/LAN access and SIP authenticated through the
same SIM card. I see quite a market potential for such a feature set.

-Michael Haberler



At 14:12 29.07.2003 -0400, Jonathan Rosenberg wrote:

>I know of several carriers with RADIUS infrastructures that want to use 
>them to support SIP. They are currently using expired I-Ds and proprietary 
>attributes. As a result, I would strongly advocate work on standardizing 
>RADIUS usage with SIP.
>
>There are two areas of work that I see a need for:
>
>1. Digest authentication. The sterman draft 
>(http://www.freeradius.org/radiusd/doc/rfc/draft-sterman-aaa-sip-00.txt) 
>is used quite a bit, it seems. It would be nice to standardize on this.
>
>2. Prepaid calling. Many folks are using vendor proprietary radius
>extensions to support prepaid calling. It would be nice to bring
>those forward and standardize on them.
>
>-Jonathan R.
>
>Bernard Aboba wrote:
>
>>Is there some particular set of draft(s) that you are advocating work on?
>>On Fri, 18 Jul 2003, Liess, Laura wrote:
>>
>>>I think most carriers currently use some kind of RADIUS platform to do 
>>>user authentication and they would like to reuse it in the future to 
>>>authenticate their SIP customers.
>>>My colleagues who are responsible for the RADIUS Platform of the 
>>>Deutsche Telekom (CC) are currently on vacation so I could not check with
>>>them now about how to answer this mail, but we already talked about this 
>>>issue a number of times and my strong opinion is that "yes, Deutsche 
>>>Telekom cares a lot about SIP and RADIUS". Reusing the existing RADIUS 
>>>platform for SIP authentication is a strong requirement for the 
>>>development of SIP services within the Deutsche Telekom.
>>>
>>>Laura (T-Systems/Deutsche Telekom Group)
>>
>>_______________________________________________
>>Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
>>This list is for NEW development of the application of SIP
>>Use sip-implementors@cs.columbia.edu for questions on current sip
>>Use sip@ietf.org for new developments of core SIP
>
>--
>Jonathan D. Rosenberg, Ph.D.                600 Lanidex Plaza
>Chief Technology Officer                    Parsippany, NJ 07054-2711
>dynamicsoft
>jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
>http://www.jdrosen.net                     PHONE: (973) 952-5000
>http://www.dynamicsoft.com
>