EAP Authentication for SIP (draft-torvinen-http-eap-01.txt)

EAP Authentication for SIP

• Extensible Authentication Protocol (RFC 2284)

• Originally used in PPP

• New applications emerged, e.g., IEEE 802.1X

• New auth-scheme for HTTP Authentication Framework (RFC 2617)

• Intended for initial authentication - could be used for session key or ticket generation for subsequent protection

• Adding new authentication methods under EAP requires no changes to SIP

• Protocol specification stays the same

• OS EAP APIs

• Offloading EAP to AAA servers

SIP Authentication Today

[Diagram; labels as they appear on the slide]

• SIP

• HTTP Authentication, S/MIME

• HTTP Digest, HTTP Basic, HTTP Eap

• EAP AKA, EAP SRP, EAP TLS, EAP ..., EAP Token Card

• MIME, PGP, ...

So Who Needs Extensible Authentication?

• Originally a requirement from 3GPP

• Necessary for any organization that needs past or future authentication schemes

• Security always needs set-up and infrastructure, both of which are typically tied to the authentication schemes in use

• Undesirable to change existing infrastructure

• Most of the cost is in the cards, processes

• E.g., 3GPP handsets have SIM cards

• Avoid additional user configuration

Issues with HTTP Eap

• We have chosen to do only authentication

• Initial auth followed by e.g. Digest integrity

• Or extending HTTP Eap to also cover integrity

• Base64 encoded EAP in auth headers

• Usually not very large

• HTTP auth derived problems

• Multi-proxy authentication problem fixed

• Extra RTTs with EAP_ID_REQ

• The next draft version adds a username param to HTTP EAP which avoids this
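
The "Base64 encoded EAP in auth headers" and EAP_ID_REQ bullets above, as an added example that is not part of the original slides or the draft: a strict decoder for a base64 EAP packet (RFC 2284 layout) as a server would receive it in an auth header value. The size cap, the function names and the sample identity are assumptions for illustration; the draft's header parameter syntax is not shown on these slides and is not reproduced here.

```python
import base64
import binascii
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}
MAX_B64_LEN = 4096  # assumed cap for one header parameter, not from the draft


def build_eap_b64(code, identifier, eap_type=None, data=b""):
    """Serialize an EAP packet (RFC 2284 layout) and base64-encode it."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    packet = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    return base64.b64encode(packet).decode("ascii")


def parse_eap_b64(value):
    """Strictly decode a base64 EAP packet received in an auth header."""
    if len(value) > MAX_B64_LEN:
        raise ValueError("base64 value too long")
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64") from exc
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code")
    # Stricter than RFC 2284, which tolerates link-layer padding after Length:
    # a header parameter carries no padding, so any mismatch is rejected.
    if length != len(raw):
        raise ValueError("Length field does not match decoded size")
    packet = {"code": EAP_CODES[code], "id": identifier, "type": None, "data": b""}
    if code in (1, 2):  # Request/Response carry a Type octet and Type-Data
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        packet["type"] = EAP_TYPES.get(raw[4], raw[4])
        packet["data"] = raw[5:]
    elif length != 4:  # Success/Failure are header-only
        raise ValueError("Success/Failure must be exactly 4 bytes")
    return packet


if __name__ == "__main__":
    # Constructed sample: the EAP-Request/Identity (the EAP_ID_REQ round trip)
    # followed by the response carrying a made-up identity.
    for token in (build_eap_b64(1, 7, 1), build_eap_b64(2, 7, 1, b"alice")):
        print(token, parse_eap_b64(token))
```

The Identity request is only five bytes, eight characters once encoded, which matches the slide's remark that the base64 data is usually not very large.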

Conclusion

• There is a requirement to support extensible and legacy authentication

• We believe something like this is needed for SIP

• Not just for 3GPP

• Some protocol detail issues to discuss

• What to do with the session keys - integrity protection

• Similar header interpretation issues as in Digest

• Base64 data (typically short, though)

• Time pressure from 3GPP

A Way Forward

• Work item for SIP

• Need input from the WG

• Technical issues

• Security issues