SIP Authentication using CHAP-Password
draft-byerly-sip-radius-00.txt
Bryan J. Byerly, David Williams

Problem and Objectives

Problem
- HTTP-Digest user authentication is not compatible with deployed backend RADIUS servers.
- SIP user authentication (RFC 2617) and RADIUS (RFC 2138) user authentication run MD5 over differently formatted messages.

Objective
- Provide a mechanism to allow authentication of users using deployed RADIUS servers.
- Advantageous to ISPs deploying SIP voice service to PPP customers.

Approaches
- Extend SIP to support CHAP-Password
- Extend RADIUS to support HTTP-Digest

Comparison of hash formats

CHAP-Password: MD5
    MD5(seqnum, user-password, nonce)

HTTP-Digest: MD5
    MD5(unq(username-value) ":" unq(realm-value) ":" password)

HTTP-Digest: MD5-sess
    MD5(unq(username-value) ":" unq(realm-value) ":" password ":" unq(nonce-value) ":" unq(cnonce-value))

SIP User Authentication using Radius backend

Participants: SIP client, SIP proxy, RADIUS server

SIP client -> SIP proxy: INVITE

SIP proxy -> SIP client: 407 Proxy Authorization Required
    Proxy-Authenticate: CHAP-Password
        ;algorithm="MD5"
        ;id=0
        ;nonce="cccccccccccccccccccccccccccccccc"

SIP client -> SIP proxy: INVITE
    Proxy-Authorization: CHAP-Password
        ;username="byerly"
        ;algorithm="MD5"
        ;id=0
        ;response="dddddddddddddddddddddddddddddddd"

SIP proxy -> RADIUS server: Access-Request
    CHAP-Password=(dddddddddddddddddddddddddddddddd)

RADIUS server -> SIP proxy: Access-Accept
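
The hash comparison and the message flow above, worked end to end as an added example (not code from the draft or its authors). It assumes the nonce and response strings are hex-encoded 16-byte values, that the proxy forwards the nonce in a RADIUS CHAP-Challenge attribute, and it uses a constructed password, realm and nonce.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, nonce: bytes) -> bytes:
    """CHAP-Password hash from the slide: MD5(seqnum, user-password, nonce)."""
    return hashlib.md5(bytes([chap_id]) + password + nonce).digest()

def digest_ha1(username: str, realm: str, password: str) -> bytes:
    """HTTP-Digest (algorithm=MD5) hash: MD5(username ":" realm ":" password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def radius_chap_attributes(chap_id: int, response_hex: str, nonce_hex: str) -> bytes:
    """Proxy side: turn the id/response/nonce header fields into RADIUS attributes."""
    value = bytes([chap_id]) + bytes.fromhex(response_hex)
    nonce = bytes.fromhex(nonce_hex)
    if len(value) != 17:
        raise ValueError("CHAP response must be 16 bytes")
    # CHAP-Password is type 3 (ident octet + response); CHAP-Challenge is type 60.
    return bytes([3, 2 + len(value)]) + value + bytes([60, 2 + len(nonce)]) + nonce

def radius_verify(attrs: bytes, stored_password: bytes) -> bool:
    """RADIUS side: recompute the hash; this needs the cleartext password."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return False  # malformed attribute length
        found[atype] = attrs[i + 2:i + alen]
        i += alen
    chap, challenge = found.get(3), found.get(60)
    if chap is None or challenge is None or len(chap) != 17:
        return False
    expected = chap_response(chap[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap[1:])

# Constructed sample values (not from the draft).
PASSWORD = b"example-password"
NONCE = bytes(range(16))  # a real proxy would draw this from os.urandom(16)

if __name__ == "__main__":
    resp = chap_response(0, PASSWORD, NONCE)           # what the SIP client sends
    attrs = radius_chap_attributes(0, resp.hex(), NONCE.hex())
    print("CHAP accepted:", radius_verify(attrs, PASSWORD))
    print("wrong password accepted:", radius_verify(attrs, b"wrong"))
    print("Digest H(A1) equals CHAP response:",
          digest_ha1("byerly", "example.invalid", "example-password") == resp)
```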

Future

Remaining issues
- Multiple Proxy-Authorization headers (semicolon vs. comma separated tags)
- Is additional complexity of Mahler draft necessary?
- Reflection attack in trusted side of network

Proposed next steps
- SIP WG item
- Standards track