EAP Authentication for SIP & HTTP
V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia)
http://www.arkko.com/draft-torvinen-http-eap-00.txt
Jari.Arkko@Ericsson.com

Current SIP Authentication Situation
[Diagram: Client, SIP-server, AAA-server; labels: TLS, IKE/IPsec; HTTP basic, HTTP digest, PGP; New DIAMETER extensions]
• Existing security can be used at an outer layer
• Work has started to extend DIAMETER to support HTTP authentication methods
• Certain SIP-specific methods exist. Work going on to refine these.

How Does This Work Fit to the Picture?
[Diagram: Client, SIP-server, AAA-server; labels: TLS, IKE/IPsec; HTTP basic, HTTP digest, HTTP EAP, PGP; New DIAMETER Extensions; Reusing existing RADIUS and DIAMETER]
• We define a new alternative HTTP authentication method which
  • is more flexible than previous ones
  • takes fewer round trips than e.g. IKE
  • implies no changes to protocols or the SIP server as new auth mechanisms are invented
• We reuse existing AAA protocols directly

Background for Our Work
• Third generation mobile networks will provide a multimedia system that runs over IP and uses SIP
• The 3GPP is working on security to ensure such multimedia service can be trusted and can be billed for
• One of the issues is the authentication of devices/users towards the home operator during registration
• We’d like to define a mechanism that satisfies the requirements of 3GPP networks as well as other uses of SIP
• 3GPP needs UMTS AKA and other authentication methods; EAP (RFC 2284) allows many methods

SIP Authentication Schemes
• SIP
  • HTTP Authentication
    • HTTP Basic
    • HTTP Digest
    • HTTP EAP
      • EAP Token Card
      • EAP TLS
      • EAP GSM
      • EAP AKA
      • EAP ...
  • PGP

Concrete Authentication Example in SIP
User agent → Reg. server:
    REGISTER sip:… SIP/2.0
Reg. server → User agent:
    SIP/2.0 401 Authentication Required
    WWW-Authenticate: eap eap-packet
User agent → Reg. server:
    REGISTER sip:… SIP/2.0
    Authorization: eap eap-packet
(May be repeated)
Reg. server → User agent:
    SIP/2.0 200 OK
    Authentication-info: eap-packet
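
An added example, not taken from the slides or the draft: a registrar-side check of the EAP packet carried in the Authorization header during the exchange above, using the EAP packet layout from RFC 2284 (Code, Identifier, Length, Type). The base64 text encoding after the `eap` scheme name and all function names are assumptions made for illustration.

```python
import base64
import struct

# EAP codes and the Identity type, from RFC 2284.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1

def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code, Identifier, Length, then Type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(packet):
    """Parse an EAP packet, rejecting truncated or mis-sized input."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        return code, ident, packet[4], packet[5:]
    if code not in (SUCCESS, FAILURE):
        raise ValueError("unknown EAP code")
    return code, ident, None, b""

def to_header(packet):
    # Assumption: the header value is "eap" followed by base64 text.
    return "eap " + base64.b64encode(packet).decode("ascii")

def from_header(value):
    """Decode a header value; only the eap scheme is accepted."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "eap" or not blob:
        raise ValueError("not an eap credential")
    return eap_unpack(base64.b64decode(blob, validate=True))

def check_response(authorization, pending_ident):
    """Validate an Authorization header against the Identifier of the
    outstanding EAP Request; returns (type, data) for the AAA server."""
    code, ident, eap_type, data = from_header(authorization)
    if code != RESPONSE:
        raise ValueError("client must send an EAP Response")
    if ident != pending_ident:
        raise ValueError("Identifier does not match outstanding Request")
    return eap_type, data
```

Because the exchange may be repeated, the registrar has to remember the Identifier of each Request it relays in a 401 and reject any Response that does not echo it.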

Conclusions and Going Forward
• Looks like HTTP EAP provides a flexible authentication scheme for SIP, and allows us to leverage existing EAP methods
• Feedback is sought on the applicability, security and other aspects of this approach
• We’d like this work to be a work item of the WG
• Further work is needed at least on the following issues:
  • How headers and subsequent SIP messages can be protected by the keys generated by some EAP methods
  • While the authentication can reuse the DIAMETER NASREQ extension, it may still be necessary to define new attributes that tell the DIAMETER server more about what is happening at the SIP level (3GPP also has special requirements and needs its own DIAMETER extension).