| < draft-ietf-radext-rfc4590bis-01.txt | draft-ietf-radext-rfc4590bis-02.txt > | |||
|---|---|---|---|---|
| Network Working Group B. Sterman | Network Working Group B. Sterman | |||
| INTERNET-DRAFT Kayote Networks | INTERNET-DRAFT Kayote Networks | |||
| Obsoletes: 4590 D. Sadolevsky | Obsoletes: 4590 D. Sadolevsky | |||
| Category: Standards Track SecureOL, Inc. | Category: Standards Track SecureOL, Inc. | |||
| <draft-ietf-radext-rfc4590bis-01.txt> D. Schwartz | <draft-ietf-radext-rfc4590bis-02.txt> D. Schwartz | |||
| 21 March 2007 Kayote Networks | 2 July 2007 Kayote Networks | |||
| D. Williams | D. Williams | |||
| Cisco Systems | Cisco Systems | |||
| W. Beck | W. Beck | |||
| Deutsche Telekom AG | Deutsche Telekom AG | |||
| RADIUS Extension for Digest Authentication | RADIUS Extension for Digest Authentication | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| skipping to change at page 23, line 13 ¶ | skipping to change at page 23, line 13 ¶ | |||
| respond with an Access-Challenge. | respond with an Access-Challenge. | |||
| 6. Examples | 6. Examples | |||
| This is an example selected from the traffic between a softphone (A), | This is an example selected from the traffic between a softphone (A), | |||
| a Proxy Server (B), and an example.com RADIUS server (C). The | a Proxy Server (B), and an example.com RADIUS server (C). The | |||
| communication between the Proxy Server and a SIP Public Switched | communication between the Proxy Server and a SIP Public Switched | |||
| Telephone Network (PSTN) gateway is omitted for brevity. The SIP | Telephone Network (PSTN) gateway is omitted for brevity. The SIP | |||
| messages are not shown completely. | messages are not shown completely. | |||
| The password of user '12345678' is 'secret'. The shared secret | ||||
| between RADIUS client and server is 'secret'. To ease testing, only | ||||
| the last byte of the RADIUS authenticator changes between Access- | ||||
| Requests. In a real implementation, this would be a serious flaw. | ||||
| A->B | A->B | |||
| INVITE sip:97226491335@example.com SIP/2.0 | INVITE sip:97226491335@example.com SIP/2.0 | |||
| From: <sip:12345678@example.com> | From: <sip:12345678@example.com> | |||
| To: <sip:97226491335@example.com> | To: <sip:97226491335@example.com> | |||
| B->A | B->A | |||
| SIP/2.0 100 Trying | SIP/2.0 100 Trying | |||
| B->C | B->C | |||
| Code = 1 (Access-Request) | Code = Access-Request (1) | |||
| Attributes: | Packet identifier = 0x7c (124) | |||
| NAS-IP-Address = c0 0 2 26 (192.0.2.38) | Length = 97 | |||
| NAS-Port-Type = 5 (Virtual) | Authenticator = F5E55840E324AA49D216D9DBD069807C | |||
| NAS-IP-Address = 192.168.2.38 | ||||
| NAS-Port = 5 | ||||
| User-Name = 12345678 | User-Name = 12345678 | |||
| Digest-Method = INVITE | Digest-Method = INVITE | |||
| Digest-URI = sip:97226491335@example.com | Digest-URI = sip:97226491335@example.com | |||
| Message-Authenticator = | Message-Authenticator = 26039915C2A55FF51D7DF4D4608738BD | |||
| 08 af 7e 01 b6 8d 74 c3 a4 3c 33 e1 56 2a 80 43 | ||||
| C->B | C->B | |||
| Code = 11 (Access-Challenge) | Code = Access-Challenge (11) | |||
| Attributes: | Packet identifier = 0x7c (124) | |||
| Length = 72 | ||||
| Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D | ||||
| Digest-Nonce = 3bada1a0 | Digest-Nonce = 3bada1a0 | |||
| Digest-Realm = example.com | Digest-Realm = example.com | |||
| Digest-Qop = auth | Digest-Qop = auth | |||
| Digest-Algorithm = MD5 | Digest-Algorithm = MD5 | |||
| Message-Authenticator = | Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3 | |||
| f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40 | ||||
| B->A | B->A | |||
| SIP/2.0 407 Proxy Authentication Required | SIP/2.0 407 Proxy Authentication Required | |||
| Proxy-Authenticate: Digest realm="example.com" | Proxy-Authenticate: Digest realm="example.com" | |||
| ,nonce="3bada1a0",qop=auth,algorithm=MD5 | ,nonce="3bada1a0",qop=auth,algorithm=MD5 | |||
| Content-Length: 0 | Content-Length: 0 | |||
| A->B | A->B | |||
| ACK sip:97226491335@example.com SIP/2.0 | ACK sip:97226491335@example.com SIP/2.0 | |||
| A->B | A->B | |||
| INVITE sip:97226491335@example.com SIP/2.0 | INVITE sip:97226491335@example.com SIP/2.0 | |||
| Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0" | Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0" | |||
| ,realm="example.com" | ,realm="example.com" | |||
| ,response="f3ce87e6984557cd0fecc26f3c5e97a4" | ,response="7679b84a560835846ec553174dbabb69" | |||
| ,uri="sip:97226491335@example.com",username="12345678" | ,uri="sip:97226491335@example.com",username="12345678" | |||
| ,qop=auth,algorithm=MD5 | ,qop=auth,algorithm=MD5 | |||
| ,cnonce="56593a80,nc="00000001" | ||||
| From: <sip:12345678@example.com> | From: <sip:12345678@example.com> | |||
| To: <sip:97226491335@example.com> | To: <sip:97226491335@example.com> | |||
| B->C | B->C | |||
| Code = 1 (Access-Request) | Code = Access-Request (1) | |||
| Attributes: | Packet identifier = 0x7d (125) | |||
| NAS-IP-Address = c0 0 2 26 (192.0.2.38) | Length = 221 | |||
| NAS-Port-Type = 5 (Virtual) | Authenticator = F5E55840E324AA49D216D9DBD069807D | |||
| NAS-IP-Address = 192.168.2.38 | ||||
| NAS-Port = 5 | ||||
| User-Name = 12345678 | User-Name = 12345678 | |||
| Digest-Response = f3ce87e6984557cd0fecc26f3c5e97a4 | ||||
| Digest-Realm = example.com | ||||
| Digest-Nonce = 3bada1a0 | ||||
| Digest-Method = INVITE | Digest-Method = INVITE | |||
| Digest-URI = sip:97226491335@example.com | Digest-URI = sip:97226491335@example.com | |||
| Digest-Realm = example.com | ||||
| Digest-Qop = auth | Digest-Qop = auth | |||
| Digest-Algorithm = md5 | Digest-Algorithm = MD5 | |||
| Digest-Username = 12345678 | Digest-CNonce = 56593a80 | |||
| SIP-AOR = sip:12345678@example.com | Digest-Nonce = 3bada1a0 | |||
| Message-Authenticator = | Digest-Nonce-Count = 00000001 | |||
| ff 67 f4 13 8e b8 59 32 22 f9 37 0f 32 f8 e0 ff | Digest-Response = 7679b84a560835846ec553174dbabb69 | |||
| Digest-Username = 12345678 | ||||
| SIP-AOR = sip:12345678@example.com | ||||
| Message-Authenticator = 60832893BCB19D85DDF9836506F9C0D6 | ||||
| C->B | C->B | |||
| Code = Access-Accept (2) | ||||
| Code = 2 (Access-Accept) | Packet identifier = 0x7d (125) | |||
| Attributes: | Length = 72 | |||
| Digest-Response-Auth = | Authenticator = 36E1201AD4377664E720184CE7B3D8C6 | |||
| 6303c41b0e2c3e524e413cafe8cce954 | Digest-Response-Auth = 3792d3109224eb67213659e2d789f10d | |||
| Message-Authenticator = | Message-Authenticator = 9B79B410CEBD335176DAEB24735DCF64 | |||
| 75 8d 44 49 66 1f 7b 47 9d 10 d0 2d 4a 2e aa f1 | ||||
| B->A | B->A | |||
| SIP/2.0 180 Ringing | SIP/2.0 180 Ringing | |||
| B->A | B->A | |||
| SIP/2.0 200 OK | ||||
| SIP/2.0 200 OK | ||||
| A->B | A->B | |||
| ACK sip:97226491335@example.com SIP/2.0 | ACK sip:97226491335@example.com SIP/2.0 | |||
| A second example shows the traffic between a web browser (A), web | A second example shows the traffic between a web browser (A), web | |||
| server (B), and a RADIUS server (C). | server (B), and a RADIUS server (C). | |||
| A->B | A->B | |||
| GET /index.html HTTP/1.1 | GET /index.html HTTP/1.1 | |||
| B->C | B->C | |||
| Code = 1 (Access-Request) | Code = Access-Request (1) | |||
| Attributes: | Packet identifier = 0x7e (126) | |||
| NAS-IP-Address = c0 0 2 26 (192.0.2.38) | Length = 68 | |||
| NAS-Port-Type = 5 (Virtual) | Authenticator = F5E55840E324AA49D216D9DBD069807E | |||
| NAS-IP-Address = 192.168.2.38 | ||||
| NAS-Port = 5 | ||||
| Digest-Method = GET | Digest-Method = GET | |||
| Digest-URI = /index.html | Digest-URI = /index.html | |||
| Message-Authenticator = | Message-Authenticator = A78C0D4FEF57CAD5EEE922AC3562B1F3 | |||
| 34 a6 26 46 f3 81 f9 b4 97 c0 dd 9d 11 8f ca c7 | ||||
| C->B | C->B | |||
| Code = 11 (Access-Challenge) | Code = Access-Challenge (11) | |||
| Attributes: | Packet identifier = 0x7e (126) | |||
| Length = 72 | ||||
| Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E | ||||
| Digest-Nonce = a3086ac8 | Digest-Nonce = a3086ac8 | |||
| Digest-Realm = example.com | Digest-Realm = example.com | |||
| Digest-Qop = auth | Digest-Qop = auth | |||
| Digest-Algorithm = MD5 | Digest-Algorithm = MD5 | |||
| Message-Authenticator = | Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A | |||
| f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40 | ||||
| B->A | B->A | |||
| HTTP/1.1 401 Authentication Required | HTTP/1.1 401 Authentication Required | |||
| WWW-Authenticate: Digest realm="example.com", | WWW-Authenticate: Digest realm="example.com", | |||
| nonce="a3086ac8",qop=auth,algorithm=MD5 | nonce="a3086ac8",qop=auth,algorithm=MD5 | |||
| Content-Length: 0 | Content-Length: 0 | |||
| A->B | A->B | |||
| GET /index.html HTTP/1.1 | GET /index.html HTTP/1.1 | |||
| Authorization: Digest algorithm=MD5,nonce="a3086ac8" | Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8" | |||
| ,nc="00000001",cnonce="56593a78" | ||||
| ,realm="example.com" | ,realm="example.com" | |||
| ,response="f052b68058b2987aba493857ae1ab002" | ,response="ba623217b5ec024d30c4aaef9d8494de" | |||
| ,uri="/index.html",username="12345678" | ,uri="/index.html",username="12345678" | |||
| ,qop=auth,algorithm=MD5 | ||||
| B->C | B->C | |||
| Code = 1 (Access-Request) | Code = Access-Request (1) | |||
| Attributes: | Packet identifier = 0x7f (127) | |||
| NAS-IP-Address = c0 0 2 26 (192.0.2.38) | Length = 176 | |||
| NAS-Port-Type = 5 (Virtual) | Authenticator = F5E55840E324AA49D216D9DBD069807F | |||
| NAS-IP-Address = 192.168.2.38 | ||||
| NAS-Port = 5 | ||||
| User-Name = 12345678 | User-Name = 12345678 | |||
| Digest-Response = f052b68058b2987aba493857ae1ab002 | ||||
| Digest-Realm = example.com | ||||
| Digest-Nonce = a3086ac8 | ||||
| Digest-Method = GET | Digest-Method = GET | |||
| Digest-URI = /index.html | Digest-URI = /index.html | |||
| Digest-Username = 12345678 | Digest-Realm = example.com | |||
| Digest-Qop = auth | Digest-Qop = auth | |||
| Digest-Algorithm = MD5 | Digest-Algorithm = MD5 | |||
| Message-Authenticator = | Digest-CNonce = 56593a80 | |||
| 06 e1 65 23 57 94 e6 de 87 5a e8 ce a2 7d 43 6b | Digest-Nonce = a3086ac8 | |||
| Digest-Nonce-Count = 00000001 | ||||
| Digest-Response = ba623217b5ec024d30c4aaef9d8494de | ||||
| Digest-Username = 12345678 | ||||
| Message-Authenticator = 932B7565467F028AD399B8FBE57BE98C | ||||
| C->B | C->B | |||
| Code = 2 (Access-Accept) | Code = Access-Accept (2) | |||
| Attributes: | Packet identifier = 0x7f (127) | |||
| Digest-Response-Auth = | Length = 72 | |||
| e644aa513effbfe1caff67103ff6433c | Authenticator = F1ECAC22D3C88E0260B287FA35595F80 | |||
| Message-Authenticator = | Digest-Response-Auth = 29624e0bee4342994d041d07f7bcd44c | |||
| 7a 66 73 a3 52 44 dd ca 90 e2 f6 10 61 2d 81 d7 | Message-Authenticator = 956312EC57AF51ABC4F6965270F34982 | |||
| B->A | B->A | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| ... | ... | |||
| <html> | <html> | |||
| ... | ... | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| skipping to change at page 32, line 5 ¶ | skipping to change at page 32, line 40 ¶ | |||
| Method attribute is required within an Access-Request. Also, an | Method attribute is required within an Access-Request. Also, an | |||
| entry has been added for the State attribute. The table also | entry has been added for the State attribute. The table also | |||
| includes entries for Accounting-Request messages. As noted in the | includes entries for Accounting-Request messages. As noted in the | |||
| examples, the User-Name attribute is not necessary when requesting a | examples, the User-Name attribute is not necessary when requesting a | |||
| nonce. | nonce. | |||
| o Two errors in attribute assignment have been corrected within the | o Two errors in attribute assignment have been corrected within the | |||
| IANA Considerations (Section 7). Digest-Response-Auth is assigned | IANA Considerations (Section 7). Digest-Response-Auth is assigned | |||
| attribute 106, and Digest-Nextnonce is assigned attribute 107. | attribute 106, and Digest-Nextnonce is assigned attribute 107. | |||
| o Several errors in the examples section have been corrected. | ||||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| End of changes. 29 change blocks. | ||||
| 64 lines changed or deleted | 83 lines changed or added | |||
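Review bot: the right-hand column of Section 6 still carries inconsistencies that the changelog entry "Several errors in the examples section have been corrected" suggests were fixed. The most consequential is in the HTTP example: the browser's Authorization header sends `cnonce="56593a78"`, but the Access-Request that relays it carries `Digest-CNonce = 56593a80`, so the RADIUS server would compute the digest over a different client nonce than the browser used and the listed `Digest-Response` could not verify; one of the two values needs correcting. In the SIP example the Proxy-Authorization header's `cnonce="56593a80,nc="00000001"` is missing the closing quote after the cnonce value, and the same header states the algorithm twice with different case and quoting (`algorithm="md5"` and `algorithm=MD5`), which the new HTTP example already consolidates into a single `algorithm=MD5`. The Length fields of the four Access-Requests (97, 221, 68 and 176) are each exactly 12 octets larger than the attributes listed account for (counting the 20-octet packet header, a 2-octet header per attribute and a 16-octet Message-Authenticator value gives 85, 209, 56 and 164), consistent with two 6-octet attributes such as the NAS-IP-Address and NAS-Port that the left-hand column listed being present in the packet but dropped from the listing; either list them or adjust the lengths (the Access-Challenge and Access-Accept lengths of 72 do match their attributes). Finally, the paragraph deleted from the new text, which gave the password and shared secret as 'secret' and warned that changing only the last byte of the RADIUS Authenticator between Access-Requests "would be a serious flaw" in a real implementation, should be restored: the four new Authenticators (…807C, …807D, …807E, …807F) still differ only in their last byte, readers need the secrets to reproduce the Digest-Response and Digest-Response-Auth values, and without the caveat the example reads as if predictable authenticators were acceptable.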
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||