Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Issues with HTTP Authentication for SIP Hisham Khartabil SIP WG IETF 59, Seoul.

Published byJessie Sharp Modified over 8 years ago

Similar presentations

Presentation on theme: "1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Issues with HTTP Authentication for SIP Hisham Khartabil SIP WG IETF 59, Seoul."— Presentation transcript:

1 1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Issues with HTTP Authentication for SIP Hisham Khartabil SIP WG IETF 59, Seoul hisham.khartabi@nokia.com

2 2 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Analysis: HTTP Authentication for SIP draft-khartabil-sip-auth-analysis-00 The document analyses HTTP Authentication for SIP and discusses some implementation issues Some solutions are proposed

3 3 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The realm Issue (1) INVITE 407 ACK Realm: nokia.com Alice 407 INVITE ACK

4 4 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The realm Issue (1) Issue: how does the UAC know, when the second proxy challenges, that it is not the first proxy re-challenging because the credentials provided to it were wrong? Proposals: Mandate that the proxy places stale=false when it is re- challenging due to wrong credentials. This means stale=false is different that stale not present at all. The UAC replaces the provided proxy-authorization header with a new one. Mandate that the proxy does not change the nonce when it is re-challenging due to wrong credentials. The UAC replaces the provided proxy-authorization header with a new one. Mandate that the 1 st proxy challenges with a qop param. Also mandate that it also sends an Authentication-info header when there is a challenge by a downstream proxy with the same realm. INVITE 407 ACK Realm: nokia.com Alice 407 INVITE ACK

5 5 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The realm Issue (2) Issue: Section 22.3 of RFC 3261 says: "When multiple proxies are used in a chain, a Proxy- Authorization header field value MUST NOT be consumed by any proxy whose realm does not match the "realm" parameter specified in that value". In the second INVITE, there are 2 Proxy- Authorization headers. Which one does it consume? It does not know since examining the realm is not enough Proposals: Need to specify that a proxy examines all digest response matching the realm AS WELL AS THE NONCE. INVITE 407 ACK Realm: nokia.com Alice 407 INVITE ACK

6 6 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The realm Issue (3) INVITE Realm: nokia.com Alice Realm: nokia.com INVITE 407 ACK 407 ACK 407 ACK INVITE

7 7 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The realm Issue (3) Issue: When receiving the second INVITE, how does a challenging proxy, that the request has been forked, to know, by just examining the realm, that this is a digest response to a challenge it issued? Proposals: Need to specify that a proxy examines all digest response matching the realm AS WELL AS THE NONCE. INVITE Realm: nokia.com Alice Realm: nokia.com INVITE 407 ACK 407 ACK 407 ACK INVITE

8 8 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Use of 401 and 407 Responses The use of 401 and 407 must be more normative. Text should read: A UAS that require authentication MUST use 401 in a response and MUST challenge with a www-authenticate header. Registrars and redirect servers MUST use 401 and www-authenticate header. Proxies MUST use 407 and proxy-authenticate header.

Download ppt "1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Issues with HTTP Authentication for SIP Hisham Khartabil SIP WG IETF 59, Seoul."

Similar presentations

IM Delivery and Read Reports Hisham Khartabil

IM Delivery and Read Reports Hisham Khartabil
Indication of support for keep- alive draft-holmberg-sip-keep-03 Christer Holmberg

Indication of support for keep- alive draft-holmberg-sip-keep-03 Christer Holmberg
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com Internet Telecom Expo 2000 - September 20, 2000 SIP vs. H.323 SIP vs. H.323 Will the Real IP Telephony Please Stand Up? Jonathan Rosenberg.

Internet Telecom Expo September 20, 2000 SIP vs. H.323 SIP vs. H.323 Will the Real IP Telephony Please Stand Up? Jonathan Rosenberg.
SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.

SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.
IETF 71 SIPPING WG meeting draft-ietf-sipping-pai-update-00.

IETF 71 SIPPING WG meeting draft-ietf-sipping-pai-update-00.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.
SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.
1 ITEC 809 Securing SIP in VoIP Domain Iyad Alsmairat 41546342 Supervisor: Dr. Rajan Shankaran.

1 ITEC 809 Securing SIP in VoIP Domain Iyad Alsmairat Supervisor: Dr. Rajan Shankaran.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
Session Initiation Protocol (SIP) Common Log Format (CLF) Vijay K. Gurbani Bell Laboratories/Alcatel-Lucent 75 th IETF, Stockholm, Sweden July 26-31, 2009.

Session Initiation Protocol (SIP) Common Log Format (CLF) Vijay K. Gurbani Bell Laboratories/Alcatel-Lucent 75 th IETF, Stockholm, Sweden July 26-31, 2009.
SIP Session Initiation Protocol Short Introduction Artur Hecker, ENST.

SIP Session Initiation Protocol Short Introduction Artur Hecker, ENST.
Proposed Fix to HERFP* (Heterogeneous Error Response Forking Problem) Rohan Mahy * for INVITE transactions.

Proposed Fix to HERFP* (Heterogeneous Error Response Forking Problem) Rohan Mahy * for INVITE transactions.
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur.

The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur.
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
© 2010 Cisco and/or its affiliates. All rights reserved. 1 Web Security Fear, Surprise, and Ruthless Efficiency Mary Ellen Zurko.

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Web Security Fear, Surprise, and Ruthless Efficiency Mary Ellen Zurko.
2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

Similar presentations

Ads by Google