70 likes | 229 Vues
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia), http://www.arkko.com/draft-torvinen-http-eap-00.txt. Jari.Arkko@Ericsson.com. AAA-server. SIP-server. Client. TLS, IKE/IPsec. New DIAMETER extensions. Current SIP Authentication Situation.
E N D
EAP Authentication for SIP & HTTPV. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),http://www.arkko.com/draft-torvinen-http-eap-00.txt Jari.Arkko@Ericsson.com
AAA-server SIP-server Client TLS, IKE/IPsec New DIAMETER extensions Current SIP Authentication Situation Existing security can be used at an outer layer HTTP basic HTTP digest PGP Work has started to extend DIAMETER to support HTTP authentication methods Certain SIP-specific methods exist. Work going on to refine these.
AAA-server SIP-server Client TLS, IKE/IPsec New DIAMETER Extensions Reusing existing RADIUS and DIAMETER How Does This Work Fit to the Picture? HTTP basic HTTP digest HTTP EAP PGP • We define a new alternative HTTP • authentication method which is • more flexible than previous ones • takes less roundtrips than e.g. IKE • implies no changes protocols or SIP server as new auth mechanisms are invented We reuse existing AAA protocols directly
Background for Our Work • Third generation mobile networks will provide a multimedia system that runs over IP and uses SIP • The 3GPP is working on security to ensure such multimedia service can be trusted and can be billed for • One of the issues is the authentication of devices/users towards the home operator during registration • We’d like to define a mechanism that satisfies the requirements of 3GPP networks as well as other uses of SIP • 3GPP needs UMTS AKAand other authentication methods - EAP (RFC 2284) for allow many methods
SIP Authentication Schemes SIP HTTP Authentication PGP HTTP Basic HTTP Digest HTTP EAP EAP Token Card EAP TLS EAP GSM EAP AKA EAP ...
Concrete Authentication Example in SIP REGISTER sip:… SIP/2.0 SIP/2.0 401 Authentication Required WWW-Authenticate: eapeap-packet REGISTER sip:… SIP/2.0 Authorization: eapeap-packet SIP/2.0 200 OK Authentication-info: eap-packet User agent Reg. server May be repeated
Conclusions and Going Forward • Looks like HTTP EAP provides a flexible authentication scheme for SIP, and allows us to leverage existing EAP methods • Feedback is sought on the applicability, security and other aspects of this approach • We’d like this work to be a work item of the WG • Further work is needed at least on the following issues: • How headers and subsequent SIP messages can be protected by the keys generated by some EAP methods • While the authentication can reuse DIAMETER NASREQ extension, it may still be necessary to define new attributes that tell the DIAMETER server more about what is happening at SIP level (3GPP has also special requirements and needs an own DIAMETER extension).