SIP Authentication using CHAP-Password
Bryan J. Byerly, David Williams
draft-byerly-sip-radius-00.txt
Problem and Objectives
Problem
    HTTP-Digest user authentication is not compatible with deployed backend Radius servers.
    SIP user authentication (RFC2617) and Radius (RFC 2138) user authentication run MD5 over differently formatted messages.
Objective
    Provide mechanism to allow authentication of users using deployed Radius servers.
    Advantageous to ISPs deploying SIP voice service to PPP customers
Approaches
    Extend SIP to support CHAP-Password
    Extend Radius to support HTTP-Digest
Comparison of hash formats
CHAP-Password: MD5
    MD5(seqnum, user-password, nonce)
HTTP-Digest: MD5
    MD5(unq(username-value) ":" unq(realm-value) ":" password)
HTTP-Digest: MD5-sess
    MD5(unq(username-value) ":" unq(realm-value) ":" password ":" unq(nonce-value) ":" unq(cnonce-value))
SIP User Authentication using Radius backend
Participants: SIP client, SIP proxy, RADIUS server

SIP client -> SIP proxy: INVITE
SIP proxy -> SIP client: 407 Proxy Authorization Required
    Proxy-Authenticate: CHAP-Password;algorithm="MD5" ;id=0;nonce="cccccccccccccccccccccccccccccccc"
SIP client -> SIP proxy: INVITE
    Proxy-Authorization: CHAP-Password;username="byerly" ;algorithm="MD5" ;id=0;nonce="cccccccccccccccccccccccccccccccc";response="dddddddddddddddddddddddddddddddd"
SIP proxy -> RADIUS server: Access-Request
    CHAP-Password=(dddddddddddddddddddddddddddddddd)
RADIUS server -> SIP proxy: Access-Accept
SIP proxy -> (next hop): INVITE
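
Added example, not part of the original slides or the draft: a Python sketch of the two hash formats compared above, showing that a RADIUS-style CHAP-Password check accepts the CHAP response but rejects an RFC 2617 Digest response computed from the same password and nonce. The realm, password, request URI, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def chap_response(chap_id: int, password: str, challenge: bytes) -> str:
    """Slide's CHAP-Password hash: MD5(seqnum, user-password, nonce)."""
    return _md5_hex(bytes([chap_id]) + password.encode() + challenge)

def digest_response(user, realm, password, nonce, method, uri) -> str:
    """RFC 2617 Digest response, algorithm=MD5, no qop."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}".encode())
    ha2 = _md5_hex(f"{method}:{uri}".encode())
    return _md5_hex(f"{ha1}:{nonce}:{ha2}".encode())

def radius_chap_check(stored_password, chap_id, challenge, response_hex) -> bool:
    """The comparison a RADIUS server makes for a CHAP-Password attribute."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response_hex.lower())

def proxy_authorization(user, chap_id, challenge, password) -> str:
    """Client header in the shape shown on the message-flow slide."""
    resp = chap_response(chap_id, password, challenge)
    return (f'Proxy-Authorization: CHAP-Password;username="{user}";algorithm="MD5";'
            f'id={chap_id};nonce="{challenge.hex()}";response="{resp}"')

# Constructed sample values (the realm, password and URI are not from the slides).
USER, REALM, PASSWORD = "byerly", "example.invalid", "correct-horse"
CHAP_ID, CHALLENGE = 0, bytes.fromhex("cc" * 16)
URI = "sip:callee@example.invalid"

def demo() -> dict:
    chap = chap_response(CHAP_ID, PASSWORD, CHALLENGE)
    digest = digest_response(USER, REALM, PASSWORD, CHALLENGE.hex(), "INVITE", URI)
    return {
        "chap_accepted": radius_chap_check(PASSWORD, CHAP_ID, CHALLENGE, chap),
        "digest_accepted": radius_chap_check(PASSWORD, CHAP_ID, CHALLENGE, digest),
        "wrong_password": radius_chap_check("guess", CHAP_ID, CHALLENGE, chap),
    }

if __name__ == "__main__":
    print(proxy_authorization(USER, CHAP_ID, CHALLENGE, PASSWORD))
    print(demo())
```
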
Future
Remaining issues
    Multiple Proxy-Authorization headers (semicolon vs. comma separated tags)
    Is additional complexity of Mahler draft necessary?
    Reflection attack in trusted side of network
Proposed next steps
    SIP WG item
    Standards track