SIP Authentication using CHAP-Password

Bryan J. ByerlyDavid Williams

draft-byerly-sip-radius-00.txt

Problem and Objectives

Problem HTTP-Digest user authentication is not compatible with

deployed backend Radius servers. SIP user authentication (RFC2617) and Radius (RFC 2138) user

authentication run MD5 over differently formatted messages.

Objective Provide mechanism to allow authentication of users using

deployed Radius servers. Advantageous to ISPs deploying SIP voice service to PPP customers

Approaches Extend SIP to support CHAP-Password Extend Radius to support HTTP-Digest

Comparison of hash formats

CHAP-Password: MD5 MD5(seqnum, user-password, nonce)

HTTP-Digest: MD5 MD5(unq(username-value) “:” unq(realm-

value) “:” password) HTTP-Digest: MD5-sess

MD5(unq(username-value) “:” unq(realm-value) “:” password “:” unq(nonce-value) “:” unq(cnonce-value))

SIP User Authentication using Radius backend

SIP client SIP proxy RADIUS server

INVITE

Access-Request

Access-Accept

407 Proxy Authorization RequiredProxy-Authenticate: CHAP-Password;algorithm="MD5" ;id=0;nonce="cccccccccccccccccccccccccccccccc"

INVITEProxy-Authorization: CHAP-Password;username="byerly" ;algorithm="MD5" ;id=0;nonce="cccccccccccccccccccccccccccccccc";response="dddddddddddddddddddddddddddddddd"

INVITE

CHAP-Password=(dddddddddddddddddddddddddddddddd)

Future

Remaining issues Multiple Proxy-Authorization headers

(semicolon vs. comma separated tags) Is additional complexity of Mahler draft

necessary?Reflection attack in trusted side of network

Proposed next steps SIP WG item Standards track