[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [AAA-WG]: Reconciling Radius/Diameter SIP application

To: radiusext@ops.ietf.org
Subject: Re: [AAA-WG]: Reconciling Radius/Diameter SIP application
From: Jari Arkko <jari.arkko@piuha.net>
Date: Wed, 24 Nov 2004 15:37:22 +0200
In-reply-to: <41936F4C.5080201@nokia.com>
Organization: None
References: <41936F4C.5080201@nokia.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316

Miguel Garcia wrote:

I am deliberately cross posting to AAA and Radius-ext because I believe this topic is of interest for both lists.

Yesterday Wolfgang and me met for a few hours and set the goal of reconcile the Diameter SIP application and the RADIUS HTTP/SIP Digest drafts. These are the drafts:
http://www.ietf.org/internet-drafts/draft-ietf-aaa-diameter-sip-app-04.txt
http://www.ietf.org/internet-drafts/draft-sterman-aaa-sip-04.txt
These are the main points we discuss. If you have any comments, speak up now, otherwise we will do the proposed changes in the relevant drafts:

1- We agreed to modify the Diameter SIP application so that it imports the Digest-* AVP from the corresponding RADIUS attributes address space. This came out of a comment from Jari Arkko, and I think it is important to avoid duplication of AVP/attributes.

As a side effect of the above, the SIP-Authentication-Context will disappear in Diameter SIP app. This was a grouped AVP that only contained a Digest-Entity-Body-Hash AVP. The latter will remain (in the RADIUS draft).


Great!

2- We noticed a divergence in the Digest-Expected-Response AVP in Diameter, which does not exist in RADIUS. RADIUS defines a Digest-HA1 attribute. The difference: Digest-HA1 contains H(A1), which is computed at the Radius server and sent to the Radius client, and it is used to compute the expected response. In Diameter, the expected response is computed at the Diameter server and sent to the client. This assumes a secure connection to avoid eavesdropping, which is not a problem for Diameter that mandates IPsec or TLS. I think Diameter can go for the Radius approach for compatibility reasons.

Proposal: Diameter will remove Digest-Expected-Response AVP and will import Digest-HA1 from Radius.

Ok.

3- Radius does not define UTF8String data types, so all these attributes will remain as String, but the Radius draft will indicate that contain a UTF8String verbally (this is required by HTTP and SIP).


Hm, I guess this is OK.

4- Currently here is a divergence on the definition of Digest-Stale attribute: Diameter uses "true" and "false" (as per RFC2617), Radius uses 1 and 0. We agreed to use "true" and "false" to avoid stupid transcodings.


This is much better. Good.

5- Diameter indicates that the Digest-* AVPs contain the quotes from/to the Digest directive, Radius assumes (although does not indicate) no quotes. We agreed that the Digest-* attributes do not need to include the quotes from HTTP Digest parameters. So, there will be an explicit indication that quotes are not part of the attribute value.


This is better too.

6- We run into a problem when multiple SIP proxies are authenticating the user, because at some point in time the SIP request may contain several Proxy-Authorization headers. The key here is the realm, it will be always different. If different Diameter/Radius servers are serving different realms, there is not problem. But, if a common Diameter/Radius server is serving different realms, then the server is not able to determine which credentials should be evaluated.

We propose that the Diameter/Radius client MUST send only one set of credentials at a time, those belonging to the served realm. This requires to configure the Diameter/Radius client with the realm it is serving. We will include some text indicating this case.


I fail to see the problem, most likely due to the insufficient
understanding of the protocol details on my part. But will
your solution lead to some problem if there's roaming
involved?

7- Some of the attributes (e.g, Digest-Response and
Digest-Response-Auth) had an artificial limit of 32 octets in the
value. While this value is correct for MD5 hashes, if in the future
other hashes are added to HTTP Digest, will run into
trouble. Proposal: don't restrict the length of a value.


Right.

8- In the Radius document, scenario 1, we have a question. We suspect that this scenario does not work if the Radius client generates a nextnonce. The reason is that in the following authentication, when the nextnonce becomes a nonce, the Radius server will not recognize the nonce as locally generated (it was generated by the Radius client), and will reject the request with a "state=true". RFC 2617 seems to describe the case:
   If the
   nextnonce field is present the client SHOULD use it when constructing
   the Authorization header for its next request. Failure of the client
   to do so may result in a request to re-authenticate from the server
   with the "stale=TRUE".
Does anyone have any comment? Can anyone confirm that the operation in Digest is as we indicate? We will add some text indicating the limitations of Scenario 1.


In looking at this, I have the same question as you. So no
help from me, sorry.

9- The Radius draft, in section 2.15, indicates:

         RADIUS
         servers that do not implement a parameter contained in a
         Digest-Auth-Param attribute MUST respond with an Access-Reject
         message.  RADIUS clients that do not implement a parameter
         contained in a Digest-Auth-Param attribute MUST reject the
         original HTTP-style request.

The problem is that the text seems to go against RFC 2617 that says:

   auth-param
     This directive allows for future extensions. Any unrecognized
     directive MUST be ignored.

The proposal is to remove the above text from the RADIUS draft.


Yes, this is correct.

10- Similar contradictory text was found in Section 2.16 of the RADIUS draft, that says:
  RADIUS servers that do
  not implement AKA Digest MUST response with an Access Reject
  message.
We propose to remove the above text. The motivation is that the algorithm already conveys the AKA (AKA extends the algorithm to be AKAv1-MD5 and AKAv1-MD5-sess). The server chooses the algorithm, so the situation currently described, where the client may include an auts attribute, is just an error case, where the client made a mistake and included AUTS when not doing AKA. In case the Radius server does not implement AKA authentication, it will safely ignore this AVP.


Right.

11- We noticed that most of the HTTP Digest directives contain just a single token. However, the "qop" directive may contain a comma-separated collection of tokens. For instance, qop="auth,auth-int". The question is how do encode these tokens in the Digest-Qop attribute. The options are:

a) Treat the whole thing as one token and put it into the attribute value. b) Each token is an attribute, thus, there might be multiple Digest-Qop attributes in a particular Radius/Diameter message.

We think that option b) is cleaner. Particularly it will be easier for the Diameter/Radius client to encode different values in different attributes.


I think option a) is cleaner, although I don't care enough to
think it should be a showstopper. But here's my reasoning:
avoid unnecessary mapping work that the client needs to do;
handle everything as much as possible by taking all text
from the SIP syntax and putting it blindly into an AVP...

--Jari


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: RE: [Sterman Issue 7] Message Authenticator: Options
Next by Date: issues in 11 and 12 in the sterman draft
Previous by thread: RE: [AAA-WG]: Reconciling Radius/Diameter SIP application
Next by thread: RE: [AAA-WG]: Reconciling Radius/Diameter SIP application
Index(es):
- Date
- Thread