Diff of draft-ietf-radext-rfc4590bis-01.txt against draft-ietf-radext-rfc4590bis-02.txt
(rfcdiff side-by-side output flattened to one column; where the two versions
differ, the -01 text is marked [-01] and the -02 text [-02]; unmarked lines
are common to both)

Network Working Group                                        B. Sterman
INTERNET-DRAFT                                          Kayote Networks
Obsoletes: 4590                                           D. Sadolevsky
Category: Standards Track                                SecureOL, Inc.
<draft-ietf-radext-rfc4590bis-01.txt>   [-01]               D. Schwartz
<draft-ietf-radext-rfc4590bis-02.txt>   [-02]           Kayote Networks
21 March 2007                           [-01]               D. Williams
2 July 2007                             [-02]             Cisco Systems
                                                                W. Beck
                                                    Deutsche Telekom AG

              RADIUS Extension for Digest Authentication

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   [unchanged text omitted; the diff resumes at page 23, line 13]

   respond with an Access-Challenge.

6. Examples

   This is an example selected from the traffic between a softphone (A),
   a Proxy Server (B), and an example.com RADIUS server (C).  The
   communication between the Proxy Server and a SIP Public Switched
   Telephone Network (PSTN) gateway is omitted for brevity.  The SIP
   messages are not shown completely.

   [added in -02:]
   The password of user '12345678' is 'secret'.  The shared secret
   between RADIUS client and server is 'secret'.  To ease testing, only
   the last byte of the RADIUS authenticator changes between Access-
   Requests.  In a real implementation, this would be a serious flaw.
   A->B
   INVITE sip:97226491335@example.com SIP/2.0
   From: <sip:12345678@example.com>
   To: <sip:97226491335@example.com>

   B->A
   SIP/2.0 100 Trying

   B->C  [-01]
   Code = 1 (Access-Request)
   Attributes:
   NAS-IP-Address = c0 0 2 26 (192.0.2.38)
   NAS-Port-Type = 5 (Virtual)
   User-Name = 12345678
   Digest-Method = INVITE
   Digest-URI = sip:97226491335@example.com
   Message-Authenticator =
     08 af 7e 01 b6 8d 74 c3 a4 3c 33 e1 56 2a 80 43

   B->C  [-02]
   Code = Access-Request (1)
   Packet identifier = 0x7c (124)
   Length = 97
   Authenticator = F5E55840E324AA49D216D9DBD069807C
   NAS-IP-Address = 192.168.2.38
   NAS-Port = 5
   User-Name = 12345678
   Digest-Method = INVITE
   Digest-URI = sip:97226491335@example.com
   Message-Authenticator = 26039915C2A55FF51D7DF4D4608738BD

   C->B  [-01]
   Code = 11 (Access-Challenge)
   Attributes:
   Digest-Nonce = 3bada1a0
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Message-Authenticator =
     f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40

   C->B  [-02]
   Code = Access-Challenge (11)
   Packet identifier = 0x7c (124)
   Length = 72
   Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
   Digest-Nonce = 3bada1a0
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3

   B->A
   SIP/2.0 407 Proxy Authentication Required
   Proxy-Authenticate: Digest realm="example.com"
                 ,nonce="3bada1a0",qop=auth,algorithm=MD5
   Content-Length: 0

   A->B
   ACK sip:97226491335@example.com SIP/2.0

   A->B  [-01]
   INVITE sip:97226491335@example.com SIP/2.0
   Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
                 ,realm="example.com"
                 ,response="f3ce87e6984557cd0fecc26f3c5e97a4"
                 ,uri="sip:97226491335@example.com",username="12345678"
                 ,qop=auth,algorithm=MD5
   From: <sip:12345678@example.com>
   To: <sip:97226491335@example.com>

   A->B  [-02]
   INVITE sip:97226491335@example.com SIP/2.0
   Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
                 ,realm="example.com"
                 ,response="7679b84a560835846ec553174dbabb69"
                 ,uri="sip:97226491335@example.com",username="12345678"
                 ,qop=auth,algorithm=MD5
                 ,cnonce="56593a80",nc="00000001"
   From: <sip:12345678@example.com>
   To: <sip:97226491335@example.com>

   B->C  [-01]
   Code = 1 (Access-Request)
   Attributes:
   NAS-IP-Address = c0 0 2 26 (192.0.2.38)
   NAS-Port-Type = 5 (Virtual)
   User-Name = 12345678
   Digest-Response = f3ce87e6984557cd0fecc26f3c5e97a4
   Digest-Realm = example.com
   Digest-Nonce = 3bada1a0
   Digest-Method = INVITE
   Digest-URI = sip:97226491335@example.com
   Digest-Qop = auth
   Digest-Algorithm = md5
   Digest-Username = 12345678
   SIP-AOR = sip:12345678@example.com
   Message-Authenticator =
     ff 67 f4 13 8e b8 59 32 22 f9 37 0f 32 f8 e0 ff

   B->C  [-02]
   Code = Access-Request (1)
   Packet identifier = 0x7d (125)
   Length = 221
   Authenticator = F5E55840E324AA49D216D9DBD069807D
   NAS-IP-Address = 192.168.2.38
   NAS-Port = 5
   User-Name = 12345678
   Digest-Method = INVITE
   Digest-URI = sip:97226491335@example.com
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Digest-CNonce = 56593a80
   Digest-Nonce = 3bada1a0
   Digest-Nonce-Count = 00000001
   Digest-Response = 7679b84a560835846ec553174dbabb69
   Digest-Username = 12345678
   SIP-AOR = sip:12345678@example.com
   Message-Authenticator = 60832893BCB19D85DDF9836506F9C0D6

   C->B  [-01]
   Code = 2 (Access-Accept)
   Attributes:
   Digest-Response-Auth =
     6303c41b0e2c3e524e413cafe8cce954
   Message-Authenticator =
     75 8d 44 49 66 1f 7b 47 9d 10 d0 2d 4a 2e aa f1

   C->B  [-02]
   Code = Access-Accept (2)
   Packet identifier = 0x7d (125)
   Length = 72
   Authenticator = 36E1201AD4377664E720184CE7B3D8C6
   Digest-Response-Auth = 3792d3109224eb67213659e2d789f10d
   Message-Authenticator = 9B79B410CEBD335176DAEB24735DCF64

   B->A
   SIP/2.0 180 Ringing

   B->A
   SIP/2.0 200 OK

   A->B
   ACK sip:97226491335@example.com SIP/2.0
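   The trace shows the Digest values but not how they are derived.  The
   following is an added example, not part of the draft, that computes
   them as RFC 2617 specifies from the values the -02 text states (user
   '12345678', realm example.com, password 'secret', nonce 3bada1a0,
   cnonce 56593a80, nc 00000001, qop auth, method INVITE and the request
   URI), and models the check the RADIUS server makes on the Digest-*
   attributes of the second Access-Request before it returns
   Digest-Response-Auth.  The function names, the password table and the
   attribute dictionary are this example's own.

```python
# Added example, not from the draft: the RFC 2617 Digest computation behind
# the SIP trace above, and the check a RADIUS server makes on the Digest-*
# attributes it receives.  Names (functions, PASSWORDS, SIP_REQUEST) are this
# example's own; the input values are the ones the -02 trace lists.
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1) = MD5(username:realm:password).  A server that stores only this
    # hash instead of the clear-text password starts from here.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # H(A2) = MD5(method:uri).  For the server's rspauth the method is empty.
    return md5_hex(f"{method}:{uri}")


def request_digest(h_a1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, qop: str = "auth") -> str:
    # qop=auth form: MD5(H(A1):nonce:nc:cnonce:qop:H(A2)).
    return md5_hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


def verify_digest_attrs(attrs: dict, passwords: dict):
    """Model of the RADIUS server's handling of an Access-Request carrying
    Digest-* attributes.  Returns the rspauth value for Digest-Response-Auth
    when Digest-Response is correct, otherwise None (Access-Reject)."""
    user, realm = attrs["Digest-Username"], attrs["Digest-Realm"]
    password = passwords.get((user, realm))
    if password is None:
        return None
    if attrs.get("Digest-Qop", "auth").lower() != "auth":
        return None  # only the qop=auth form used in the trace is modelled
    h_a1 = ha1(user, realm, password)
    expected = request_digest(h_a1, attrs["Digest-Method"], attrs["Digest-URI"],
                              attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                              attrs["Digest-CNonce"])
    # Constant-time compare; the client's hex value is case-insensitive.
    if not hmac.compare_digest(expected, attrs["Digest-Response"].lower()):
        return None
    # rspauth: same KD, but A2 = ":uri" (empty method); this is what the
    # server returns in Digest-Response-Auth to prove it knows the password.
    return request_digest(h_a1, "", attrs["Digest-URI"], attrs["Digest-Nonce"],
                          attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"])


# Values from the second B->C Access-Request of the -02 trace.
SIP_REQUEST = {
    "Digest-Username": "12345678", "Digest-Realm": "example.com",
    "Digest-Method": "INVITE", "Digest-URI": "sip:97226491335@example.com",
    "Digest-Nonce": "3bada1a0", "Digest-CNonce": "56593a80",
    "Digest-Nonce-Count": "00000001", "Digest-Qop": "auth",
}
PASSWORDS = {("12345678", "example.com"): "secret"}  # the draft's test password


def client_response(attrs: dict = SIP_REQUEST, password: str = "secret") -> str:
    # What the softphone puts in response= of its Proxy-Authorization header.
    return request_digest(ha1(attrs["Digest-Username"], attrs["Digest-Realm"], password),
                          attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"],
                          attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"])


if __name__ == "__main__":
    resp = client_response()
    print("Digest-Response      =", resp)  # compare with response= in the -02 trace
    rspauth = verify_digest_attrs(dict(SIP_REQUEST, **{"Digest-Response": resp}), PASSWORDS)
    print("Digest-Response-Auth =", rspauth)
```

   Running it prints the computed Digest-Response and Digest-Response-Auth
   for comparison with the response= and Digest-Response-Auth values of the
   -02 trace.  The server-side model rejects a wrong password, a replayed
   nonce that does not match the stored one, or any tampered attribute,
   because every one of them changes the recomputed digest.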
   A second example shows the traffic between a web browser (A), web
   server (B), and a RADIUS server (C).

   A->B
   GET /index.html HTTP/1.1

   B->C  [-01]
   Code = 1 (Access-Request)
   Attributes:
   NAS-IP-Address = c0 0 2 26 (192.0.2.38)
   NAS-Port-Type = 5 (Virtual)
   Digest-Method = GET
   Digest-URI = /index.html
   Message-Authenticator =
     34 a6 26 46 f3 81 f9 b4 97 c0 dd 9d 11 8f ca c7

   B->C  [-02]
   Code = Access-Request (1)
   Packet identifier = 0x7e (126)
   Length = 68
   Authenticator = F5E55840E324AA49D216D9DBD069807E
   NAS-IP-Address = 192.168.2.38
   NAS-Port = 5
   Digest-Method = GET
   Digest-URI = /index.html
   Message-Authenticator = A78C0D4FEF57CAD5EEE922AC3562B1F3

   C->B  [-01]
   Code = 11 (Access-Challenge)
   Attributes:
   Digest-Nonce = a3086ac8
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Message-Authenticator =
     f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40

   C->B  [-02]
   Code = Access-Challenge (11)
   Packet identifier = 0x7e (126)
   Length = 72
   Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
   Digest-Nonce = a3086ac8
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A

   B->A
   HTTP/1.1 401 Authentication Required
   WWW-Authenticate: Digest realm="example.com",
                 nonce="a3086ac8",qop=auth,algorithm=MD5
   Content-Length: 0

   A->B  [-01]
   GET /index.html HTTP/1.1
   Authorization: Digest algorithm=MD5,nonce="a3086ac8"
                 ,realm="example.com"
                 ,response="f052b68058b2987aba493857ae1ab002"
                 ,uri="/index.html",username="12345678"
                 ,qop=auth,algorithm=MD5

   A->B  [-02]
   GET /index.html HTTP/1.1
   Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
                 ,nc="00000001",cnonce="56593a78"
                 ,realm="example.com"
                 ,response="ba623217b5ec024d30c4aaef9d8494de"
                 ,uri="/index.html",username="12345678"

   B->C  [-01]
   Code = 1 (Access-Request)
   Attributes:
   NAS-IP-Address = c0 0 2 26 (192.0.2.38)
   NAS-Port-Type = 5 (Virtual)
   User-Name = 12345678
   Digest-Response = f052b68058b2987aba493857ae1ab002
   Digest-Realm = example.com
   Digest-Nonce = a3086ac8
   Digest-Method = GET
   Digest-URI = /index.html
   Digest-Username = 12345678
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Message-Authenticator =
     06 e1 65 23 57 94 e6 de 87 5a e8 ce a2 7d 43 6b

   B->C  [-02]
   Code = Access-Request (1)
   Packet identifier = 0x7f (127)
   Length = 176
   Authenticator = F5E55840E324AA49D216D9DBD069807F
   NAS-IP-Address = 192.168.2.38
   NAS-Port = 5
   User-Name = 12345678
   Digest-Method = GET
   Digest-URI = /index.html
   Digest-Realm = example.com
   Digest-Qop = auth
   Digest-Algorithm = MD5
   Digest-CNonce = 56593a80
   Digest-Nonce = a3086ac8
   Digest-Nonce-Count = 00000001
   Digest-Response = ba623217b5ec024d30c4aaef9d8494de
   Digest-Username = 12345678
   Message-Authenticator = 932B7565467F028AD399B8FBE57BE98C

   C->B  [-01]
   Code = 2 (Access-Accept)
   Attributes:
   Digest-Response-Auth =
     e644aa513effbfe1caff67103ff6433c
   Message-Authenticator =
     7a 66 73 a3 52 44 dd ca 90 e2 f6 10 61 2d 81 d7

   C->B  [-02]
   Code = Access-Accept (2)
   Packet identifier = 0x7f (127)
   Length = 72
   Authenticator = F1ECAC22D3C88E0260B287FA35595F80
   Digest-Response-Auth = 29624e0bee4342994d041d07f7bcd44c
   Message-Authenticator = 956312EC57AF51ABC4F6965270F34982

   B->A
   HTTP/1.1 200 OK
   ...
   <html>
   ...
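   The -02 traces add the fields that make a RADIUS packet verifiable:
   identifier, Length, the Authenticator and a 16-byte Message-Authenticator.
   The following is an added example, not part of the draft, that encodes
   the first Access-Request and Access-Challenge of the HTTP trace, computes
   Message-Authenticator as HMAC-MD5 keyed with the shared secret (RFC 2869),
   derives the Response Authenticator of the challenge, and verifies both
   packets as a receiver would.  The shared secret 'secret', the Request
   Authenticator F5E5...807E and the attribute values come from the -02
   text; the attribute type codes are the IANA RADIUS assignments as this
   example assumes them (the excerpt above only confirms 106 and 107, and
   the Length checks do not depend on them); all helper names are this
   example's own.

```python
# Added example, not from the draft: encoding the RADIUS packets of the HTTP
# trace above and computing/verifying their Message-Authenticator (HMAC-MD5
# keyed with the shared secret, RFC 2869) and the Response Authenticator of
# the Access-Challenge.  Type codes below are assumed from the IANA registry;
# the draft excerpt only confirms 106/107.  Helper names are this example's own.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_TYPE = {
    "NAS-IP-Address": 4, "NAS-Port": 5, "Message-Authenticator": 80,
    "Digest-Realm": 104, "Digest-Nonce": 105, "Digest-Method": 108,
    "Digest-URI": 109, "Digest-Qop": 110, "Digest-Algorithm": 111,
}
SECRET = b"secret"                                                # from the draft text
REQ_AUTH_7E = bytes.fromhex("F5E55840E324AA49D216D9DBD069807E")  # from the -02 trace


def tlv(name: str, value: bytes) -> bytes:
    # RADIUS attribute: Type (1) | Length (1, counts these two bytes too) | Value.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([ATTR_TYPE[name], len(value) + 2]) + value


def _assemble(code, identifier, hmac_authenticator, attrs, secret):
    # Message-Authenticator goes last.  It is HMAC-MD5 over the whole packet
    # with its own value zeroed and the Request Authenticator in the header.
    body = b"".join(tlv(n, v) for n, v in attrs) + tlv("Message-Authenticator", bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body)) + hmac_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header, body[:-16] + mac


def build_request(identifier, attrs, secret, request_authenticator):
    header, body = _assemble(ACCESS_REQUEST, identifier, request_authenticator, attrs, secret)
    return header + body


def build_response(code, identifier, attrs, secret, request_authenticator):
    # A response HMACs with the *request's* authenticator, then carries
    # MD5(Code+ID+Length+RequestAuth+Attributes+Secret) as its Authenticator.
    header, body = _assemble(code, identifier, request_authenticator, attrs, secret)
    response_auth = hashlib.md5(header[:4] + request_authenticator + body + secret).digest()
    return header[:4] + response_auth + body


def _message_authenticator_offset(body: bytes):
    # Walk the TLVs; return the offset of the 16-byte Message-Authenticator value.
    off = 0
    while off + 2 <= len(body):
        typ, length = body[off], body[off + 1]
        if length < 2 or off + length > len(body):
            raise ValueError("malformed attribute")
        if typ == ATTR_TYPE["Message-Authenticator"] and length == 18:
            return off + 2
        off += length
    return None


def verify_packet(packet: bytes, secret: bytes, request_authenticator: bytes = None) -> bool:
    """Check Message-Authenticator and, when request_authenticator is given
    (i.e. the packet is a response), the Response Authenticator as well."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header_auth, body = packet[4:20], packet[20:]
    pos = _message_authenticator_offset(body)
    if pos is None:
        return False  # every exchange in the draft carries Message-Authenticator
    zeroed = body[:pos] + bytes(16) + body[pos + 16:]
    hmac_auth = header_auth if request_authenticator is None else request_authenticator
    expected = hmac.new(secret, packet[:4] + hmac_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, body[pos:pos + 16]):
        return False
    if request_authenticator is not None:
        resp_auth = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
        return hmac.compare_digest(resp_auth, header_auth)
    return True


def http_access_request() -> bytes:
    # First B->C packet of the HTTP trace (identifier 0x7e); no User-Name yet.
    return build_request(0x7E, [
        ("NAS-IP-Address", bytes(map(int, "192.168.2.38".split(".")))),
        ("NAS-Port", struct.pack("!I", 5)),
        ("Digest-Method", b"GET"),
        ("Digest-URI", b"/index.html"),
    ], SECRET, REQ_AUTH_7E)


def http_access_challenge() -> bytes:
    # The C->B Access-Challenge answering it (same identifier 0x7e).
    return build_response(ACCESS_CHALLENGE, 0x7E, [
        ("Digest-Nonce", b"a3086ac8"), ("Digest-Realm", b"example.com"),
        ("Digest-Qop", b"auth"), ("Digest-Algorithm", b"MD5"),
    ], SECRET, REQ_AUTH_7E)


if __name__ == "__main__":
    req, chal = http_access_request(), http_access_challenge()
    print("request   length", len(req), "Message-Authenticator", req[-16:].hex().upper())
    print("challenge length", len(chal), "Authenticator", chal[4:20].hex().upper())
    print("verify request:  ", verify_packet(req, SECRET))
    print("verify challenge:", verify_packet(chal, SECRET, REQ_AUTH_7E))
```

   The Length values the -02 trace gives for these two packets (68 and 72)
   fall out of the encoding, which is a useful sanity check on the trace
   itself.  Note that a response cannot be verified on its own: the receiver
   has to look up the Request Authenticator of the outstanding request by
   identifier, which is also what ties a challenge to the request it answers.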
7. IANA Considerations

   [unchanged text omitted; the diff resumes at page 32 (line 5 in -01,
   line 40 in -02)]

   Method attribute is required within an Access-Request.  Also, an
   entry has been added for the State attribute.  The table also
   includes entries for Accounting-Request messages.  As noted in the
   examples, the User-Name attribute is not necessary when requesting a
   nonce.

   o  Two errors in attribute assignment have been corrected within the
      IANA Considerations (Section 7).  Digest-Response-Auth is assigned
      attribute 106, and Digest-Nextnonce is assigned attribute 107.

   o  Several errors in the examples section have been corrected.
      [added in -02]
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
End of changes.  29 change blocks.
61 lines changed or deleted; 79 lines changed or added.

This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/