
sip.edu - Re: [sip.edu] Kerberos based authentication for SIP

Subject: SIP in higher education

  • From: Prashant Kumar
  • Subject: Re: [sip.edu] Kerberos based authentication for SIP
  • Date: Thu, 30 Mar 2006 13:36:32 -0800 (PST)

Hello Candace,
 
Thank you for the link. The draft you mentioned talks about using Kerberos instead of TLS or IPSEC for securing the SIP traffic, and the reason it must not have been considered is that TLS and IPSEC are very much deployed in the carrier networks. The Microsoft patent talks about using the Proxy Authorization header. One of the methods they want to support in the Proxy Authorization header is Kerberos.
 
What I am proposing is using Kerberos just for authenticating the client or for mutual authentication. When a UA sends a REGISTER/INVITE, the proxy challenges it and the authentication specified in the challenge is "Kerberos". In response to the challenge, the UA sends the Kerberos token for the "proxy" and the "authenticator" info. The proxy uses this info to authenticate the UA (as simple as that :)).
 
The mechanism by which the UA gets the token for the proxy is out of scope, since the UA could use a "shared-secret" or PKI based mechanism.
 
What do you think?
 
Regards,
Prashant.
 
 
 
 
 
Candace Holman <> wrote:
Hi,

I'm not sure why Kerberos fell by the wayside, but there exists already
an expired IETF draft from 2003:
http://www.iptel.org/ietf/allsipdir/draft-wagle-sip-kerbpki-00.txt You
may be able to contact the author for more info.

Interestingly, Google turns up a European Microsoft patent from 2002 for
a Kerberized system:
http://v3.espacenet.com/textdoc?IDX=EP1267548&QPN=EP1267548

Candace

Timothy P Shortall wrote:
>
> Hello Prashant,
>
>
>
> We are currently in the middle of a VOIP RFP. I personally support
> the routing and switching for UMD, but understand that we are
> currently looking seriously at Kerberos as well so your suggestion is
> very good.
>
>
>
> Regards,
>
> Timothy P. Shortall
>
> Sr. Network Engineer
>
> University of Maryland
>
> Networking & Telecommunications Services
>
> 301.405.2994
>
>
>
>
>
> ------------------------------------------------------------------------
>
> *From:* Prashant Kumar [mailto:]
> *Sent:* Thursday, March 30, 2006 11:54 AM
> *To:*
> *Subject:* [sip.edu] Kerberos based authentication for SIP
>
>
>
> Hello All,
>
>
>
> Recently I spoke to some of our customers and they said that SIP RFC
> 3261 not supporting Kerberos based authentication is a huge problem in
> the University environment since there is no mechanism in HTTP digest
> to get the un-hashed password (token) back.
>
>
>
> Is there a huge interest for Kerberos Authentication in SIP
> environment? If yes, I could work on a draft which proposes Kerberos
> based authentication scheme in SIP.
>
>
>
> Thanks,
>
> Prashant.
>
