EAP Authentication for SIP draft-torvinen-http-eap-01.txt
EAP Authentication for SIP
• Extensible Authentication Protocol (RFC 2284)
• Originally used in PPP
• New applications emerged, e.g., IEEE 802.1X
• New auth-scheme for HTTP Authentication Framework (RFC 2617)
• Intended for initial authentication - could be used for session key or ticket generation for subsequent protection
• Adding new authentication methods under EAP requires no changes to SIP
• Protocol specification stays the same
• OS EAP APIs
• Offloading EAP to AAA servers
SIP Authentication Today
[Diagram: SIP authentication options. SIP sits above two branches: the HTTP Authentication Framework, containing HTTP Basic, HTTP Digest and the proposed HTTP EAP auth-scheme (under which EAP AKA, EAP SRP, EAP TLS, EAP Token Card, EAP ... methods plug in), and S/MIME (MIME, PGP, ...).]
So Who Needs Extensible Authentication?
• Originally a requirement from 3GPP
• Necessary for any organization that needs to support legacy or future authentication schemes
• Security always needs set-up and infrastructure, both of which are typically tied to the used authentication schemes
• Undesirable to change existing infrastructure
• Most of the cost is in the cards and processes
• E.g., 3GPP handsets have SIM cards
• Avoid additional user configuration
Issues with HTTP EAP
• We have chosen to do only authentication
• Initial authentication followed by, e.g., Digest integrity protection
• Or extending HTTP EAP to also cover integrity
• Base64 encoded EAP in auth headers
• Usually not very large
• HTTP auth derived problems
• Multi-proxy authentication problem fixed
• Extra round trips (RTTs) caused by the EAP Identity Request (EAP_ID_REQ)
• The next draft version adds a username param to HTTP EAP which avoids this
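The base64-in-auth-header transport and the Identity Request round trip described on this slide, as an added Python example that is not from the draft or the presenters. The EAP packet layout and the Identity (1) and MD5-Challenge (4) types are from RFC 2284; the `EAP eap="..."`/`username="..."` header syntax, the toy registrar and the challenge bytes are assumptions made for illustration, not the draft's grammar:

```python
import base64
import struct

# EAP packet layout from RFC 2284: Code(1) Identifier(1) Length(2) Type(1) Type-Data(...)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1        # RFC 2284 Type 1
EAP_TYPE_MD5_CHALLENGE = 4   # RFC 2284 Type 4; stands in for "the real method" below


def eap_pack(code, identifier, eap_type, data=b""):
    """Serialize one EAP Request/Response packet in network byte order."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def eap_unpack(packet):
    """Parse an EAP packet, rejecting truncation or a Length field that disagrees with the bytes."""
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than its fixed header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, eap_type, packet[5:]


# ASSUMED header syntax for illustration only (the draft's own grammar is not on this page):
#   WWW-Authenticate: EAP eap="<base64 packet>"
#   Authorization:    EAP [eap="<base64 packet>"][, username="<identity>"]
def build_eap_header(packet=None, username=None):
    params = []
    if packet is not None:
        params.append(("eap", base64.b64encode(packet).decode("ascii")))
    if username is not None:
        params.append(("username", username))
    return "EAP " + ", ".join(f'{k}="{v}"' for k, v in params)


def parse_eap_header(value):
    """Split 'EAP k="v", ...' into params and decode the packet; strict base64 rejects junk."""
    scheme, _, rest = value.partition(" ")
    if scheme != "EAP":
        raise ValueError("not an EAP auth-scheme header")
    params = {}
    for item in rest.split(","):
        key, sep, val = item.strip().partition("=")
        if not sep or len(val) < 2 or val[0] != '"' or val[-1] != '"':
            raise ValueError(f"malformed auth-param: {item!r}")
        params[key.strip().lower()] = val[1:-1]
    packet = base64.b64decode(params["eap"], validate=True) if "eap" in params else None
    return params, packet


def server_challenge(authorization, identifier):
    """One toy registrar step. Returns (identity or None, next WWW-Authenticate header).
    Identity comes from the username param or an EAP Identity Response; until it is
    known the server can only ask for it with an EAP Identity Request (one extra RTT)."""
    identity = None
    if authorization is not None:
        params, packet = parse_eap_header(authorization)
        if packet is not None:
            code, _, eap_type, data = eap_unpack(packet)
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                identity = data.decode("utf-8")
        identity = identity or params.get("username")
    if identity is None:
        return None, build_eap_header(eap_pack(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))
    # Constructed challenge: Value-Size(1) + 16-byte value; a real server uses a fresh random value.
    challenge = b"\x10" + bytes(range(16))
    return identity, build_eap_header(
        eap_pack(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE, challenge))


def client_answer(www_authenticate, identity):
    """Client side: answer an EAP Identity Request; any other request is the method's business."""
    _, packet = parse_eap_header(www_authenticate)
    code, identifier, eap_type, _ = eap_unpack(packet)
    if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
        return build_eap_header(
            eap_pack(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode("utf-8")))
    return None


def round_trips_to_method_challenge(identity, use_username_param):
    """Count REGISTER/401 round trips until the server issues the method challenge."""
    authorization = build_eap_header(username=identity) if use_username_param else None
    trips = 0
    while True:
        trips += 1
        learned, www_authenticate = server_challenge(authorization, identifier=trips)
        if learned is not None:
            return trips, learned
        authorization = client_answer(www_authenticate, identity)


if __name__ == "__main__":
    for flag in (False, True):
        trips, who = round_trips_to_method_challenge("alice@example.com", flag)
        print(f"username param {'on ' if flag else 'off'}: {trips} round trip(s) before the method challenge for {who}")
```

Without the username param the server has to spend a 401 on an EAP Identity Request before it can pick a method and challenge; carrying the identity in the first Authorization header removes that round trip. The strict Length check in `eap_unpack` and the `validate=True` base64 decode are the places where a header parser should fail closed rather than guess, which is the same family of header-interpretation issue the Conclusion slide flags for Digest.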
Conclusion
• There is a requirement to support extensible and legacy authentication
• We believe something like this is needed for SIP
• Not just for 3GPP
• Some protocol detail issues to discuss
• What to do with the session keys (e.g., integrity protection)
• Similar header interpretation issues as in Digest
• Base64 data (typically short, though)
• Time pressure from 3GPP
A Way Forward
• Work item for SIP
• Need input from the WG
• Technical issues
• Security issues