[VOIPSEC] SIP B2BUA and Digest Authentication using
satyam tyagi
satyam_tyagi at hotmail.com
Thu Nov 3 09:15:04 CST 2005
Hi Baruch,
Completely agree this needs to be an RFC.
But this solves only half of our problem.
That is the case when the SIP server wants to challenge the phone.
The other half is when the phone challenges the SIP server. (Hopefully the
following example explains our problem in more detail.)
Appreciate your help,
Satyam
Changing the example in the draft.
B = B2B SIP server
A = Phone
B->A
INVITE sip:97226491335@10.0.69.38 SIP/2.0
A->B
SIP/2.0 100 Trying
A->B
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="examplecom"
  ,nonce="3bada1a0", algorithm="md5"
Content-Length: 0
B->A
ACK sip:97226491335@10.0.69.38 SIP/2.0
[Now since B does not have the password, it needs to translate the above
into some form
for which the RADIUS server will generate a response such that B can respond to
A's challenge]
B->C
? [should contain A's challenge from 407, possibly entity body]
C->B
? [should contain enough information, such that B can respond to A's
challenge in subsequent INVITE]
B->A
INVITE sip:97226491335@10.0.69.38 SIP/2.0
Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
  ,opaque="",realm="examplecom"
  ,response="2ae133421cda65d67dc50d13ba0eb9bc"
  ,uri="sip:97226491335@10.0.69.38",username="12345678"
The actual example:
==============================================
A->B
INVITE sip:97226491335@10.0.69.38 SIP/2.0
B->A
SIP/2.0 100 Trying
B->A
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest realm="examplecom"
  ,nonce="3bada1a0", algorithm="md5"
Content-Length: 0
A->B
ACK sip:97226491335@10.0.69.38 SIP/2.0
A->B
INVITE sip:97226491335@10.0.69.38 SIP/2.0
Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
  ,opaque="",realm="examplecom"
  ,response="2ae133421cda65d67dc50d13ba0eb9bc"
  ,uri="sip:97226491335@10.0.69.38",username="12345678"
B->C
Code = 1 (Access-Request)
Attributes:
NAS-IP-Address = a 0 45 26 (10.0.69.38)
NAS-Port-Type = 5 (Virtual)
User-Name = "12345678"
Digest-Response (DIG-RES) = "2ae133421cda65d67dc50d13ba0eb9bc"
Digest-Realm (DIG-REALM) = "examplecom"
Digest-Nonce (DIG-NONCE) = "3bada1a0"
Digest-Method (DIG-METHOD) = "INVITE"
Digest-URI (DIG-URI) = "sip:97226491335@10.0.69.38"
Digest-Algorithm (DIG-ALG) = "md5"
Digest-Username (DIG-USER) = "12345678"
C->B
Code = 2 (Access-Accept)
Attributes:
Digest-Response-Auth (DIG-RSPAUTH) = "6303c41b0e2c3e524e413cafe8cce954"
B->A
SIP/2.0 180 Ringing
B->A
SIP/2.0 200 OK
A->B
ACK sip:97226491335@10.0.69.38:5060 SIP/2.0
Message: 10
Date: Wed, 2 Nov 2005 06:43:35 +0200
From: "Baruch Sterman" <baruch at tekhelet.com>
Subject: Re: [VOIPSEC] SIP B2BUA and Digest Authentication using
RADIUS AAA
To: "'satyam tyagi'" <satyam_tyagi at hotmail.com>, <Voipsec at voipsa.org>
Message-ID:
<mailman.12.1130932805.25687.voipsec_voipsa.org at voipsa.org>
Content-Type: text/plain; charset="us-ascii"
You can check out the draft:
http://www1.cs.columbia.edu/sip/drafts/sip/draft-sterman-aaa-sip-04.txt
(We really should try to move this to RFC!)
Baruch
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of satyam tyagi
Sent: Wednesday, November 02, 2005 4:30 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] SIP B2BUA and Digest Authentication using RADIUS AAA
Hi all,
We have a scenario, in which we want both the phone and SIP call server to
be able to challenge each other. Hence, the choice of B2BUA. But, we don't
want to store secret passwords on the B2BUA and instead have a RADIUS
interface.
Since RADIUS only supports validating SIP responses, is there any way the
SIP call server can respond to the challenge (401) sent by the phone without
having to store passwords locally (on the B2BUA)?
If this is not possible to accomplish with RADIUS, is there any other
protocol which AAA servers support, such as DIAMETER, which will allow us to
accomplish this?
Thanks,
Satyam