> I'll also note that this problem is not limited to gateways - it's the
> fundamental issue of whether you authenticate a device or a user, and
> could equally well apply to a softphone application, single line
> gateway, and trunking gateway.
I've been thinking about the device vs. user issue for a while.
My conclusion is that you need to cater to both, and they
are distinct problems. When you try to make them the same
problem, you get wrapped around the proverbial axle.
Think of it as person-to-person instead of station-to-station
calling -- geez, there are probably a bunch of you who don't
know what the heck that means :(
User authentication implies either that there is an external
device (smartcard reader, or more probably a Bluetooth connection
to a PDA) OR a login mechanism. It would use Kerberos or PK
to authenticate a USER. It's clearly E-2-E, and implies proxies
don't have a role.
Device authentication is usually simpler. You can use a pretty wide
variety of mechanisms, and it's probably okay, in most cases, to
use Hop-by-hop mechanisms. I do worry about that "in most cases",
but maybe something like tunnel mode IPSEC could fix enough of them
that we just use that approach. I myself like the PacketCable
mechanisms, but there are several others that can work. Proxies
clearly could/would participate.
Anyway, I do think we need to keep the issues separate.
Brian
> -----Original Message-----
> From: Jonathan Rosenberg [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 25, 2000 1:26 AM
> To: David Harris
> Cc: Sip-Implementors (E-mail); sip
> Subject: [SIP] Re: SIP gateways and authentication
>
> > David Harris wrote:
> >
> > If an H.323 or MGCP originator calls a SIP user agent through a
> > gateway, I am thinking the messaging should go from the gateway to a
> > SIP proxy server and then to the SIP user agent. My guess is that
> > registering all possible originators from the gateway wouldn't be a
> > valid solution so if the proxy server is authenticating INVITEs, how
> > is authenticating an INVITE from a gateway handled?
>
> This is a good question; one that we have mentioned in passing here and
> there, but for which we have not yet settled on a solution.
>
> Let me rephrase the problem. A user makes a call from a PSTN phone
> through a PSTN->SIP gateway. This call arrives at a proxy server, then
> gets routed to a UAS. Either or both of the proxy/UAS might challenge
> this request. In this case, who is being authenticated, the gateway
> itself, or the user calling in through the gateway? If it's the user
> themselves, how would that work?
>
> One might argue that authentication of a gateway by a proxy is useless;
> really in this case you want a hop by hop security mechanism like IPSec
> or TLS, and forgo completely the high overhead SIP authentication for
> each message. Then again, in the absence of support for IPSec or TLS,
> SIP proxy authentication might provide a way to authenticate the gateway
> from a proxy.
>
> It also seems unlikely the UAS would really be interested in
> authenticating the originating gateway.
>
> So, given there are useful cases for authenticating both the gateway and
> the user calling in through the gateway, how do we know which is being
> challenged?
>
> Some options:
>
> 1. The realm indicates this. For example, a realm of "gateway" would
> indicate that the gateway is being authenticated, "user" means the user.
> We wouldn't need to standardize the actual words here, but rather
> standardize that the realm would indicate which was the case through
> administrative configuration.
>
> 2. Use a different response code for each case. Probably not a great
> idea.
>
> 3. Others?
>
>
> I'll also note that this problem is not limited to gateways - it's the
> fundamental issue of whether you authenticate a device or a user, and
> could equally well apply to a softphone application, single line
> gateway, and trunking gateway.
>
> Thoughts on this issue?
>
> -Jonathan R.
> --
> Jonathan D. Rosenberg                 72 Eagle Rock Ave.
> Chief Scientist                       First Floor
> dynamicsoft                           East Hanover, NJ 07936
> [EMAIL PROTECTED]                     FAX: (973) 952-5050
> http://www.cs.columbia.edu/~jdrosen   PHONE: (732) 741-7244
> http://www.dynamicsoft.com
>
>
> _______________________________________________
> SIP mailing list
> [EMAIL PROTECTED]
> http://lists.bell-labs.com/mailman/listinfo/sip
>
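The following is an added worked example, not code from any participant in this thread, of Jonathan's option 1 combined with Brian's point that device and user authentication are separate credential sets: the proxy's 407 challenge names a realm, the challenged party (here a PSTN gateway that holds its own device credentials and, for this call, the calling user's credentials) selects the credential set by realm, and the proxy recomputes the digest to verify. It assumes HTTP Digest authentication (RFC 2617, no qop, as SIP of that era used), the realm names "gateway" and "user" from the thread, and constructed account names, secrets and a fixed nonce; all of those are assumptions for illustration. A realm the gateway has no credentials for yields no response rather than a guess, and the proxy rejects a response whose realm, nonce or request-URI does not match.

```python
import hashlib
import hmac
import re

# Constructed credentials (hypothetical names and secrets).
# The gateway holds one device account; for this call it also holds alice's.
GATEWAY_DEVICE_CREDENTIALS = {"gateway": ("pstn-gw-1", "gw-device-secret")}
CALLING_USER_CREDENTIALS = {"user": ("alice", "alice-user-secret")}

# The proxy's view: separate account tables per realm.
PROXY_ACCOUNTS = {
    "gateway": {"pstn-gw-1": "gw-device-secret"},
    "user": {"alice": "alice-user-secret"},
}

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header_value):
    """Parse 'Digest realm="x", nonce="y", ...' into a dict of parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("unsupported auth scheme: " + scheme)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def answer_challenge(challenge, method, uri, credentials_by_realm):
    """Challenged side: choose the credential set the realm asks for.

    Returns the Proxy-Authorization header value, or None when the
    challenged party has no credentials for that realm."""
    p = parse_digest_params(challenge)
    realm, nonce = p["realm"], p["nonce"]
    creds = credentials_by_realm.get(realm)
    if creds is None:
        return None
    username, password = creds
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def verify_response(authorization, method, request_uri, expected_nonce, accounts):
    """Proxy side: recompute the digest from its own account table and compare."""
    p = parse_digest_params(authorization)
    if p.get("nonce") != expected_nonce or p.get("uri") != request_uri:
        return False
    password = accounts.get(p.get("realm"), {}).get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password,
                               method, request_uri, expected_nonce)
    return hmac.compare_digest(expected, p.get("response", ""))


def run_exchange(nonce="7d3f9a2c", uri="sip:bob@example.com"):
    """Challenge the gateway under each realm; return {realm: (auth_header, verified)}."""
    gateway_creds = {**GATEWAY_DEVICE_CREDENTIALS, **CALLING_USER_CREDENTIALS}
    results = {}
    for realm in ("gateway", "user", "unknown"):
        challenge = f'Digest realm="{realm}", nonce="{nonce}"'
        auth = answer_challenge(challenge, "INVITE", uri, gateway_creds)
        ok = bool(auth) and verify_response(auth, "INVITE", uri, nonce, PROXY_ACCOUNTS)
        results[realm] = (auth, ok)
    return results


if __name__ == "__main__":
    for realm, (auth, ok) in run_exchange().items():
        print(f"realm={realm!r}: verified={ok} header={auth}")
```

Note that the realm does the routing of credentials on both sides: the gateway never sends alice's credentials to a "gateway" challenge, and the proxy never looks a device account up in the user table, so a response replayed under the other realm fails verification.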