---------- Forwarded message ----------
Date: Tue, 25 Oct 2005 15:32:16 +0300
From: mikko.aittola@nokia.com
To: aaa-wg@merit.edu
Subject: RE: [AAA-WG]: ISSUE, SIP, authentication parameters
Hi,
There is an error in the proposed text in my previous message.
The corrected version is:
If the Digest-Method AVP is either absent or received with a
value REGISTER in the Diameter MAR message and a User-Name AVP is
present, then the Diameter server MUST authorize that User-Name AVP
value is able to use the URI included in the SIP-AOR AVP. If this
authorization fails, the Diameter server must set the Result-Code AVP to
DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter
Multimedia-Auth-Answer (MAA) message.
BR,
Mikko
> -----Original Message-----
> From: owner-aaa-wg@merit.edu [mailto:owner-aaa-wg@merit.edu]
> Sent: 25 October, 2005 15:19
> To: aaa-wg@merit.edu
> Subject: [AAA-WG]: ISSUE, SIP, authentication parameters
>
>
> Description of issue: Authentication parameters
> Submitter name: Mikko Aittola
> Submitter email address: mikko.aittola@nokia.com
> Date first submitted: 25 Oct 05
> Document: sip (v. 10)
> Comment type: T
> Priority: S
> Sections: 7.7, 7.8, 8.5.3, 8.5.4, 8.5.5
> Rationale/Explanation of issue:
>
> SIP-Method is defined to be a required AVP in the MAR command.
> Is there really a need for this to be a required AVP?
> I think the Diameter server doesn't necessarily need to consider
> which SIP method the SIP server is asking to authenticate.
>
> Furthermore, there is already an optional Digest-Method AVP
> in the SIP-Authorization grouped AVP. This can be used for
> the same purpose as the SIP-Method AVP.
>
> The SIP-Authorization grouped AVP contains the required AVP
> Digest-Username. This duplicates the information in
> the User-Name AVP sent in the MAR command.
>
> It seems the case where the Diameter server sends HA1 in the MAA
> and the client calculates and checks the response has not been
> taken into account when the required contents of the SIP-Authorization,
> SIP-Authenticate, and SIP-Authentication-Info AVPs were defined.
>
> It is not clear what is included in the MAA message in case
> the Diameter server has checked the response successfully.
> It might be useful if the Diameter client received a confirmation
> of the auth-scheme applied by the Diameter server.
>
>
> Requested changes:
>
> 1. Remove the SIP-Method AVP from the spec.
> 2. Remove Digest-Username from the spec. (If needed, add text
> explaining that Digest-Username is translated to
> User-Name in the case of RADIUS-Diameter translation.)
> 3. Change Digest-Nonce to optional in SIP-Authenticate.
> 4. Change the following AVPs to optional in the SIP-Authorization AVP:
> Digest-Nonce, Digest-URI, Digest-Response.
> 5. Change Digest-Nextnonce to optional in the SIP-Authentication-Info AVP.
> 6. After the Diameter server has checked that the response is OK,
> it returns an MAA where the Result-Code is SUCCESS, and a SIP-Auth-Data-Item
> with the SIP-Authentication-Scheme AVP.
>
> 7. Change the following text in Section 7.8:
> If the SIP-Methods AVP value of the Diameter MAR message is set to
> REGISTER and a User-Name AVP is present, then the Diameter server
> MUST authorize that User-Name AVP value is able to use the URI
> included in the SIP-AOR AVP. If this authorization fails, the
> Diameter server must set the Result-Code AVP to
> DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter
> Multimedia-Auth-Answer (MAA) message.
> To:
> If the Digest-Method AVP value is either absent or received with a
> value REGISTER in the Diameter MAR message and a User-Name AVP is
> present, then the Diameter server MUST authorize that User-Name AVP
> value is able to use the URI included in the SIP-AOR AVP. If this
> authorization fails, the Diameter server must set the
> Result-Code AVP to
> DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter
> Multimedia-Auth-Answer (MAA) message.
>
>
> BR,
> Mikko
>
>
> PS. Sorry for the late submission.
>
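The corrected Section 7.8 rule and requested change 6 from the messages above, written out as a small decision routine. This is an added example, not code from the thread or from any Diameter implementation; it assumes a MAR is a dict of AVP names to values with SIP-Authorization nested under SIP-Auth-Data-Item, uses symbolic Result-Code names because the page gives no numeric values, and stands in a constructed dict for the server's subscriber data. Digest response verification itself is out of scope here.

```python
# Added example (not from the mailing-list thread or any Diameter stack).
# Models the corrected Section 7.8 text: when Digest-Method is absent or
# REGISTER and a User-Name AVP is present, the server must authorize that
# User-Name to use the SIP-AOR; on failure the MAA carries
# DIAMETER_ERROR_IDENTITIES_DONT_MATCH. Requested change 6 is modelled too:
# a successful MAA carries SIP-Auth-Data-Item with SIP-Authentication-Scheme.
# Assumptions: AVP nesting below is simplified; Result-Codes are symbolic.

RESULT_SUCCESS = "DIAMETER_SUCCESS"
RESULT_IDENTITIES_DONT_MATCH = "DIAMETER_ERROR_IDENTITIES_DONT_MATCH"


def digest_method(mar):
    """Optional Digest-Method from the SIP-Authorization grouped AVP."""
    item = mar.get("SIP-Auth-Data-Item") or {}
    return (item.get("SIP-Authorization") or {}).get("Digest-Method")


def needs_aor_authorization(mar):
    """Corrected rule: the identity check applies when Digest-Method is
    absent or REGISTER, and only if a User-Name AVP is present."""
    return "User-Name" in mar and digest_method(mar) in (None, "REGISTER")


def handle_mar(mar, subscribers, scheme="Digest"):
    """Build the MAA for a MAR. `subscribers` maps a User-Name to the set of
    SIP-AORs that identity may use (constructed stand-in for server data)."""
    if needs_aor_authorization(mar):
        allowed = subscribers.get(mar["User-Name"], set())
        if mar.get("SIP-AOR") not in allowed:
            # Authorization failed: only the error Result-Code goes back.
            return {"Result-Code": RESULT_IDENTITIES_DONT_MATCH}
    # Requested change 6: confirm the scheme applied on success.
    return {"Result-Code": RESULT_SUCCESS,
            "SIP-Auth-Data-Item": {"SIP-Authentication-Scheme": scheme}}


# Constructed sample subscriber data.
SUBSCRIBERS = {"alice": {"sip:alice@example.com"}}

if __name__ == "__main__":
    # alice tries to register bob's AOR with no Digest-Method: check applies.
    mar = {"User-Name": "alice", "SIP-AOR": "sip:bob@example.com",
           "SIP-Auth-Data-Item": {"SIP-Authorization": {}}}
    print(handle_mar(mar, SUBSCRIBERS))
```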