EAP Authentication for SIP
draft-torvinen-http-eap-01.txt
Aki.Niemi@nokia.com, Vesa.Torvinen@ericsson.fi, Jari.Arkko@ericsson.com

EAP Authentication for SIP
• Extensible Authentication Protocol (RFC 2284)
• Originally used in PPP
• New applications emerged, e.g., IEEE 802.1X
• New auth-scheme for HTTP Authentication Framework (RFC 2617)
• Intended for initial authentication - could be used for session key or ticket generation for subsequent protection
• Adding new authentication methods under EAP requires no changes to SIP
• Protocol specification stays the same
• OS EAP APIs
• Offloading EAP to AAA servers

SIP Authentication Today
[Diagram: SIP at the top; beneath it HTTP Authentication, S/MIME, MIME PGP, ...; beneath those HTTP Basic, HTTP Digest, HTTP Eap; beneath those EAP Token Card, EAP TLS, EAP SRP, EAP AKA, EAP ...]

So Who Needs Extensible Authentication?
• Originally a requirement from 3GPP
• Necessary for any organization that needs past or future authentication schemes
• Security always needs set-up and infrastructure, both of which are typically tied to the authentication schemes in use
• Undesirable to change existing infrastructure
• Most of the cost is in the cards and processes
• E.g., 3GPP handsets have SIM cards
• Avoid additional user configuration

Issues with HTTP Eap
• We have chosen to do only authentication
• Initial auth followed by e.g. Digest integrity
• Or extending HTTP Eap to also cover integrity
• Base64 encoded EAP in auth headers
• Usually not very large
• HTTP auth derived problems
• Multi-proxy authentication problem fixed
• Extra RTTs with EAP_ID_REQ
• The next draft version adds a username param to HTTP EAP which avoids this

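Because HTTP Eap carries base64-encoded EAP packets in auth headers, the receiver has to decode and bounds-check them before passing them to an EAP implementation. The following is an added example, not code from the draft or the slides: the `eap-p` parameter name, the `MAX_EAP_LEN` cap and the sample identity are assumptions, while the packet layout (Code, Identifier, Length, Type) follows RFC 2284.

```python
import base64
import binascii
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MAX_EAP_LEN = 1020  # assumed local cap on decoded packet size, not from the draft

def build_eap(code, identifier, eap_type=None, data=b""):
    """Serialize an EAP packet: Code, Identifier, Length, then Type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def to_header(packet):
    """Wrap a packet in the hypothetical 'Eap eap-p="..."' credentials syntax."""
    return 'Eap eap-p="%s"' % base64.b64encode(packet).decode("ascii")

def parse_header(value):
    """Strictly decode and validate the EAP packet carried in a header value."""
    m = re.fullmatch(r'Eap eap-p="([A-Za-z0-9+/]+={0,2})"', value)
    if not m:
        raise ValueError("not a well-formed Eap header")
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64") from exc
    if not 4 <= len(raw) <= MAX_EAP_LEN:
        raise ValueError("EAP packet size out of range")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code")
    # Stricter than RFC 2284, which tolerates trailing link-layer padding:
    # a header value has no padding, so any mismatch is rejected.
    if length != len(raw):
        raise ValueError("EAP length field does not match decoded size")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        return {"code": EAP_CODES[code], "id": identifier,
                "type": raw[4], "data": raw[5:]}
    if length != 4:
        raise ValueError("Success/Failure must be exactly 4 octets")
    return {"code": EAP_CODES[code], "id": identifier, "type": None, "data": b""}

# Constructed sample: an EAP-Response/Identity for a made-up user.
SAMPLE = to_header(build_eap(2, 7, EAP_TYPE_IDENTITY, b"alice@example.com"))
```

The 22-octet identity response becomes 32 base64 characters, which matches the slide's remark that the encoded data is usually not very large.
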
Conclusion
• There is a requirement to support extensible and legacy authentication
• We believe something like this is needed for SIP
• Not just for 3GPP
• Some protocol detail issues to discuss
• What to do with the session keys - integrity protection
• Similar header interpretation issues as in Digest
• Base64 data (typically short, though)
• Time pressure from 3GPP

A Way Forward
• Work item for SIP
• Need input from the WG
• Technical issues
• Security issues