Update on RFC 4590bis
As noted on July 8, 2007, the publication of RFC 4590bis was approved by the
IESG:
http://ops.ietf.org/lists/radiusext/2007/msg00501.html
In the process of review of Appendix A, it was noted that the addresses used
were not compatible with the address space allocated for example usage. As
a result, an RFC Editor Note is required. The corrected text required for
Appendix A is enclosed below as prepared by Wolfgang:
-----Original Message-----
From: Beck, Wolfgang
Sent: Monday, July 9, 2007 11:37
To: 'Bernard Aboba'
Subject: RE: idnits warnings in rfc4590bis
Bernard,
here's a corrected version.
Wolfgang
-----------------------------------
This is an example selected from the traffic between a softphone (A),
a Proxy Server (B), and an example.com RADIUS server (C). The
communication between the Proxy Server and a SIP Public Switched
Telephone Network (PSTN) gateway is omitted for brevity. The SIP
messages are not shown completely.
The password of user '12345678' is 'secret'. The shared secret
between RADIUS client and server is 'secret'. To ease testing,
only the last byte of the RADIUS authenticator changes between
requests. In a real implementation, this would be a serious flaw.
A->B
INVITE sip:97226491335@example.com SIP/2.0
From: <sip:12345678@example.com>
To: <sip:97226491335@example.com>
B->A
SIP/2.0 100 Trying
B->C
Code = Access-Request (1)
Packet identifier = 0x7c (124)
Length = 97
Authenticator = F5E55840E324AA49D216D9DBD069807C
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = INVITE
Digest-URI = sip:97226491335@example.com
Message-Authenticator = 7600D5B0BDC33987A60D5C6167B28B3B
C->B
Code = Access-challenge (11)
Packet identifier = 0x7c (124)
Length = 72
Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
Digest-Nonce = 3bada1a0
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3
B->A
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="example.com"
,nonce="3bada1a0",qop=auth,algorithm=MD5
Content-Length: 0
A->B
ACK sip:97226491335@example.com SIP/2.0
A->B
INVITE sip:97226491335@example.com SIP/2.0
Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
,realm="example.com"
,response="7679b84a560835846ec553174dbabb69"
,uri="sip:97226491335@example.com",username="12345678"
,qop=auth,algorithm=MD5
,cnonce="56593a80",nc="00000001"
From: <sip:12345678@example.com>
To: <sip:97226491335@example.com>
B->C
Code = Access-Request (1)
Packet identifier = 0x7d (125)
Length = 221
Authenticator = F5E55840E324AA49D216D9DBD069807D
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = INVITE
Digest-URI = sip:97226491335@example.com
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Digest-CNonce = 56593a80
Digest-Nonce = 3bada1a0
Digest-Nonce-Count = 00000001
Digest-Response = 7679b84a560835846ec553174dbabb69
Digest-Username = 12345678
SIP-AOR = sip:12345678@example.com
Message-Authenticator = BD037498E8385878A46ECF4D5F8D2B48
C->B
Code = Access-Accept (2)
Packet identifier = 0x7d (125)
Length = 72
Authenticator = 36E1201AD4377664E720184CE7B3D8C6
Digest-Response-Auth = 3792d3109224eb67213659e2d789f10d
Message-Authenticator = 9B79B410CEBD335176DAEB24735DCF64
B->A
SIP/2.0 180 Ringing
B->A
SIP/2.0 200 OK
A->B
ACK sip:97226491335@example.com SIP/2.0
A second example shows the traffic between a web browser (A), web
server (B), and a RADIUS server (C).
A->B
GET /index.html HTTP/1.1
B->C
Code = Access-Request (1)
Packet identifier = 0x7e (126)
Length = 68
Authenticator = F5E55840E324AA49D216D9DBD069807E
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
Digest-Method = GET
Digest-URI = /index.html
Message-Authenticator = 690BFC95E88DF3B185F15CD78E469992
C->B
Code = Access-challenge (11)
Packet identifier = 0x7e (126)
Length = 72
Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
Digest-Nonce = a3086ac8
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A
B->A
HTTP/1.1 401 Authentication Required
WWW-Authenticate: Digest realm="example.com",
nonce="a3086ac8",qop=auth,algorithm=MD5
Content-Length: 0
A->B
GET /index.html HTTP/1.1
Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
,nc="00000001",cnonce="56593a78"
,realm="example.com"
,response="ba623217b5ec024d30c4aaef9d8494de"
,uri="/index.html",username="12345678"
B->C
Code = Access-Request (1)
Packet identifier = 0x7f (127)
Length = 176
Authenticator = F5E55840E324AA49D216D9DBD069807F
NAS-IP-Address = 192.0.2.38
NAS-Port = 5
User-Name = 12345678
Digest-Method = GET
Digest-URI = /index.html
Digest-Realm = example.com
Digest-Qop = auth
Digest-Algorithm = MD5
Digest-CNonce = 56593a80
Digest-Nonce = a3086ac8
Digest-Nonce-Count = 00000001
Digest-Response = ba623217b5ec024d30c4aaef9d8494de
Digest-Username = 12345678
Message-Authenticator = C360BFCEDFFBCE893469E802013DA5AA
C->B
Code = Access-Accept (2)
Packet identifier = 0x7f (127)
Length = 72
Authenticator = F1ECAC22D3C88E0260B287FA35595F80
Digest-Response-Auth = 29624e0bee4342994d041d07f7bcd44c
Message-Authenticator = 956312EC57AF51ABC4F6965270F34982
B->A
HTTP/1.1 200 OK
...
<html>
...
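The following Python script is an added example; it is not part of Wolfgang's message, of RFC 4590bis, or of any RADIUS implementation. It recomputes the RFC 2617 Digest values (the client's request digest and the server's rspauth, which RFC 4590bis carries as Digest-Response and Digest-Response-Auth) from the parameters shown in the first trace, compares them with the values in the trace, and then checks the Request Authenticators of all four Access-Requests for the weakness the appendix text points out: only the last byte changes between requests. The password, user name, realm, nonces and method are taken from the traces above; the comparison against the trace values is reported rather than assumed, since this example does not know how the original trace was produced.

```python
import hashlib
import secrets

# Values copied from the first trace above (softphone A, proxy B, RADIUS server C).
USERNAME = "12345678"
REALM = "example.com"
PASSWORD = "secret"          # the user's password as stated in the appendix text
METHOD = "INVITE"
URI = "sip:97226491335@example.com"
NONCE = "3bada1a0"
CNONCE = "56593a80"
NC = "00000001"
QOP = "auth"
TRACE_RESPONSE = "7679b84a560835846ec553174dbabb69"   # Digest-Response in the trace
TRACE_RSPAUTH = "3792d3109224eb67213659e2d789f10d"    # Digest-Response-Auth in the trace

# Request Authenticators of the four Access-Requests in both traces.
TRACE_REQUEST_AUTHENTICATORS = [
    "F5E55840E324AA49D216D9DBD069807C",
    "F5E55840E324AA49D216D9DBD069807D",
    "F5E55840E324AA49D216D9DBD069807E",
    "F5E55840E324AA49D216D9DBD069807F",
]


def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5: MD5(username:realm:password)."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """Client request digest for qop=auth (RFC 2617, section 3.2.2.1)."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_rspauth(ha1: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """Server rspauth (Digest-Response-Auth): same construction, but A2 has an empty method."""
    ha2 = _md5hex(f":{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_client_response(password: str, response: str) -> bool:
    """What the RADIUS server does with the Digest-* attributes of the second
    Access-Request: recompute the digest and compare in constant time."""
    ha1 = digest_ha1(USERNAME, REALM, password)
    expected = digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)
    return secrets.compare_digest(expected, response.lower())


def common_prefix_bytes(hex_authenticators: list) -> int:
    """Number of leading bytes shared by all given 16-byte Request Authenticators.
    Fresh random authenticators share (almost always) zero leading bytes; a large
    value means the client is reusing or counting them, as the appendix warns."""
    raws = [bytes.fromhex(h) for h in hex_authenticators]
    n = 0
    while n < 16 and all(r[n] == raws[0][n] for r in raws):
        n += 1
    return n


if __name__ == "__main__":
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    computed = digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)
    rspauth = digest_rspauth(ha1, URI, NONCE, NC, CNONCE, QOP)
    print("Digest-Response      computed:", computed, " trace:", TRACE_RESPONSE)
    print("Digest-Response-Auth computed:", rspauth, " trace:", TRACE_RSPAUTH)
    print("trace Digest-Response verifies with password 'secret':",
          verify_client_response(PASSWORD, TRACE_RESPONSE))
    shared = common_prefix_bytes(TRACE_REQUEST_AUTHENTICATORS)
    verdict = "predictable, the RADIUS client needs a real RNG" if shared >= 4 else "look random"
    print(f"Request Authenticators share {shared} of 16 leading bytes: {verdict}")
```

Running the script prints the recomputed digests next to the trace values and reports that the four Request Authenticators share 15 of 16 leading bytes, which is exactly the "serious flaw" the appendix text describes: an attacker who can predict the Request Authenticator can also predict the keystream used to hide User-Password attributes and can replay or forge responses, so a production RADIUS client must draw each authenticator from a cryptographically strong random source.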
archive: <http://psg.com/lists/radiusext/>