---------- Forwarded message ----------
Date: Tue, 25 Oct 2005 15:19:05 +0300
From: mikko.aittola@nokia.com
To: aaa-wg@merit.edu
Subject: [AAA-WG]: ISSUE, SIP, authentication parameters
Description of issue: Authentication parameters
Submitter name: Mikko Aittola
Submitter email address: mikko.aittola@nokia.com
Date first submitted: 25 Oct 05
Document: sip (v. 10)
Comment type: T
Priority: S
Sections: 7.7, 7.8, 8.5.3, 8.5.4, 8.5.5
Rationale/Explanation of issue:
SIP-Method is defined to be a required AVP in the MAR command.
Is there really a need for this to be a required AVP?
I think the Diameter server doesn't necessarily need to consider
which SIP method the SIP server is asking to authenticate.
Furthermore, there is already an optional Digest-Method AVP
in the SIP-Authorization grouped AVP. This can be used for
the same purpose as the SIP-Method AVP.
The SIP-Authorization grouped AVP contains the required AVP
Digest-Username. This duplicates the information in
the User-Name AVP sent in the MAR command.
It seems the case where the Diameter server sends HA1 in the MAA
and the client calculates and checks the response has not been
taken into account when the required contents of the SIP-Authorization,
SIP-Authenticate, and SIP-Authentication-Info AVPs were defined.
It is not clear what is included in the MAA message in case
the Diameter server has checked the response successfully.
It might be useful if the Diameter client received a confirmation
of the auth-scheme applied by the Diameter server.
Requested changes:
1. Remove the SIP-Method AVP from the spec
2. Remove Digest-Username from the spec. (If needed, add text
explaining that Digest-Username is translated to
User-Name in the case of RADIUS-Diameter translation.)
3. Change Digest-Nonce to optional in SIP-Authenticate
4. Change the following AVPs to optional in the SIP-Authorization AVP:
Digest-Nonce, Digest-URI, Digest-Response
5. Change Digest-Nextnonce to optional in the SIP-Authentication-Info AVP
6. After the Diameter server has checked that the response is OK,
it returns an MAA where the Result-Code is SUCCESS, and a SIP-Auth-Data-Item
with the SIP-Authentication-Scheme AVP.
7. Change the following text in Section 7.8:
If the SIP-Methods AVP value of the Diameter MAR message is set to
REGISTER and a User-Name AVP is present, then the Diameter server
MUST authorize that User-Name AVP value is able to use the URI
included in the SIP-AOR AVP. If this authorization fails, the
Diameter server must set the Result-Code AVP to
DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter
Multimedia-Auth-Answer (MAA) message.
To:
If the Digest-Method AVP value is either absent or received with a
value REGISTER in the Diameter MAR message and a User-Name AVP is
present, then the Diameter server MUST authorize that User-Name AVP
value is able to use the URI included in the SIP-AOR AVP. If this
authorization fails, the Diameter server must set the Result-Code AVP
to DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter
Multimedia-Auth-Answer (MAA) message.
BR,
Mikko
PS. Sorry for the late submission.
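Added example (Python; not part of Mikko's message or of the draft) modelling the two authentication paths the issue contrasts: the Diameter server verifying the Digest response itself, versus returning HA1 in the MAA so the SIP server checks the response locally, which is the case where Digest-Nonce, Digest-URI and Digest-Response need not travel in SIP-Authorization. AVPs are modelled as plain dict keys; the "HA1" key, the "FAILURE" result and the sample credentials are constructed stand-ins, not draft-defined names.

```python
import hashlib
import hmac

# Constructed sample values. The nonce is fixed only so the example is
# reproducible; a real server issues a fresh, unpredictable nonce per challenge.
REALM, USERNAME, PASSWORD = "example.com", "alice", "correct horse"
NONCE, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "sip:example.com"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    return md5_hex(f"{h1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def response_ok(h1: str, method: str, uri: str, nonce: str, presented: str) -> bool:
    # constant-time compare so the verifier does not leak a matching prefix
    return hmac.compare_digest(digest_response(h1, method, uri, nonce), presented)

def diameter_server_handle_mar(mar: dict) -> dict:
    """Toy Diameter server: only it knows PASSWORD; it derives HA1 from User-Name."""
    auth = mar["SIP-Authorization"]
    h1 = ha1(mar["User-Name"], REALM, PASSWORD)   # User-Name suffices, no Digest-Username
    if "Digest-Response" not in auth:            # flow 2: nonce/URI/response not sent
        return {"Result-Code": "SUCCESS", "SIP-Auth-Data-Item": {
            "SIP-Authentication-Scheme": "Digest", "HA1": h1}}
    if response_ok(h1, auth["Digest-Method"], auth["Digest-URI"],
                   auth["Digest-Nonce"], auth["Digest-Response"]):   # flow 1
        return {"Result-Code": "SUCCESS",
                "SIP-Auth-Data-Item": {"SIP-Authentication-Scheme": "Digest"}}
    return {"Result-Code": "FAILURE"}           # placeholder, not a draft-defined code

def sip_server_flow1(presented_response: str) -> bool:
    """Flow 1: forward the UA's Digest parameters and let the Diameter server decide."""
    mar = {"User-Name": USERNAME, "SIP-Authorization": {
        "Digest-Method": "REGISTER", "Digest-URI": URI,
        "Digest-Nonce": NONCE, "Digest-Response": presented_response}}
    return diameter_server_handle_mar(mar)["Result-Code"] == "SUCCESS"

def sip_server_flow2(presented_response: str) -> bool:
    """Flow 2: fetch HA1 in the MAA and verify locally; nonce/URI/response stay local."""
    maa = diameter_server_handle_mar({"User-Name": USERNAME, "SIP-Authorization": {}})
    h1 = maa["SIP-Auth-Data-Item"]["HA1"]
    return response_ok(h1, "REGISTER", URI, NONCE, presented_response)
```

In flow 2 the MAA also carries SIP-Authentication-Scheme, which is the confirmation of the applied scheme the issue asks for.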