Issues with HTTP Authentication for SIP - PowerPoint PPT Presentation

About This Presentation
Title:

Issues with HTTP Authentication for SIP

Description:

1 NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials. Company Confidential ... NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials. Company Confidential. The ... – PowerPoint PPT presentation

Number of Views:52
Avg rating:3.0/5.0
Slides: 9
Provided by: HishamKh2
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: Issues with HTTP Authentication for SIP


1
Issues with HTTP Authentication for SIP
  • Hisham Khartabil
  • SIP WG
  • IETF 59, Seoul
  • hisham.khartabi_at_nokia.com

2
Analysis HTTP Authentication for SIP
  • draft-khartabil-sip-auth-analysis-00
  • The document analyses HTTP Authentication for SIP
    and discusses some implementation issues
  • Some solutions are proposed

3
The realm Issue (1)
4
The realm Issue (1)
  • Issue how does the UAC know, when the second
    proxy challenges, that it is not the first proxy
    re-challenging because the credentials provided
    to it were wrong?
  • Proposals
  • Mandate that the proxy places stalefalse when it
    is re-challenging due to wrong credentials. This
    means stalefalse is different that stale not
    present at all. The UAC replaces the provided
    proxy-authorization header with a new one.
  • Mandate that the proxy does not change the nonce
    when it is re-challenging due to wrong
    credentials. The UAC replaces the provided
    proxy-authorization header with a new one.
  • Mandate that the 1st proxy challenges with a qop
    param. Also mandate that it also sends an
    Authentication-info header when there is a
    challenge by a downstream proxy with the same
    realm.

5
The realm Issue (2)
  • Issue Section 22.3 of RFC 3261 says "When
    multiple proxies are used in a chain, a
    Proxy-Authorization header field value MUST NOT
    be consumed by any proxy whose realm does not
    match the "realm" parameter specified in that
    value".
  • In the second INVITE, there are 2
    Proxy-Authorization headers. Which one does it
    consume? It does not know since examining the
    realm is not enough
  • Proposals
  • Need to specify that a proxy examines all digest
    response matching the realm AS WELL AS THE NONCE.

6
The realm Issue (3)
7
The realm Issue (3)
  • Issue When receiving the second INVITE, how does
    a challenging proxy, that the request has been
    forked, to know, by just examining the realm,
    that this is a digest response to a challenge it
    issued?
  • Proposals Need to specify that a proxy examines
    all digest response matching the realm AS WELL AS
    THE NONCE.

8
Use of 401 and 407 Responses
  • The use of 401 and 407 must be more normative.
    Text should read A UAS that require
    authentication MUST use 401 in a response and
    MUST challenge with a www-authenticate header.
    Registrars and redirect servers MUST use 401
    and www-authenticate header. Proxies MUST use
    407 and proxy-authenticate header.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Issues with HTTP Authentication for SIP" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!