
sip.edu - Re: [sip.edu] Kerberos based authentication for SIP

Subject: SIP in higher education

  • From: Candace Holman <>
  • To: Prashant Kumar <>
  • Cc: ,
  • Subject: Re: [sip.edu] Kerberos based authentication for SIP
  • Date: Fri, 31 Mar 2006 14:02:37 -0500

Hi Prashant,

I don't have a specific critique of using Kerberos for SIP, except for two generic comments. There are SIP-based client/server authentication methods brewing in the IETF, so the burden of introducing an additional server just for credentials may be an issue. Also, there may be more than one proxy involved in a session, and the transaction can cross trust realms. Do you think these would have an impact on the applicability of Kerberos?

Others in this group can comment better on whether there is a big campus-centric interest in using Kerberos just for authenticating the client.

Regards,
Candace

Prashant Kumar wrote:
Hello Candace,
Thank you for the link. The draft you mentioned talks about using Kerberos instead of TLS or IPSEC for securing the SIP traffic, and the reason it must not have been considered is that TLS and IPSEC are very much deployed in the Carrier networks. The Microsoft patent talks about using the Proxy Authorization header. One of the methods they want to support in the Proxy Authorization header is Kerberos.
What I am proposing is using Kerberos just for authenticating the client or for mutual authentication. When a UA sends a REGISTER/INVITE, the proxy challenges it and the authentication specified in the challenge is "Kerberos". In response to the challenge, the UA sends the Kerberos token for the "proxy" and the "authenticator" info. The proxy uses this info to authenticate the UA (as simple as that :)).
The mechanism by which the UA gets the token for the Proxy is out of scope since the UA could use a "shared-secret" or PKI based mechanism.
What do you think?
Regards,
Prashant.
*/Candace Holman <>/* wrote:

Hi,

I'm not sure why Kerberos fell by the wayside, but there exists already
an expired IETF draft from 2003:
http://www.iptel.org/ietf/allsipdir/draft-wagle-sip-kerbpki-00.txt
You may be able to contact the author for more info.

Interestingly, Google turns up a European Microsoft patent from 2002 for
a Kerberized system:
http://v3.espacenet.com/textdoc?IDX=EP1267548&QPN=EP1267548

Candace

Timothy P Shortall wrote:
>
> Hello Prashant,
>
>
>
> We are currently in the middle of a VOIP RFP. I personally support
> the routing and switching for UMD, but understand that we are
> currently looking seriously at Kerberos as well so your suggestion is
> very good.
>
>
>
> /Regards,/
>
> / /
>
> /Timothy P. Shortall/
>
> /Sr. Network Engineer/
>
> /University/ of Maryland
>
> /Networking & Telecommunications Services/
>
> /301.405.2994/
>
>
>
>
>
>
------------------------------------------------------------------------
>
> *From:* Prashant Kumar [mailto:]
> *Sent:* Thursday, March 30, 2006 11:54 AM
> *To:*

> *Subject:* [sip.edu] Kerberos based authentication for SIP
>
>
>
> Hello All,
>
>
>
> Recently I spoke to some of our customers and they said that SIP RFC
> 3261 not supporting Kerberos based authentication is a huge problem in
> the University environment since there is no mechanism in HTTP digest
> to get the un-hashed password (token) back.
>
>
>
> Is there a huge interest for Kerberos Authentication in SIP
> environment? If yes, I could work on a draft which proposes Kerberos
> based authentication scheme in SIP.
>
>
>
> Thanks,
>
> Prashant.
>
>
>
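Added example, not part of the original thread: a minimal Python sketch of the RFC 2617 digest exchange (the form without `qop`) that SIP uses, showing the point raised in the first message of the thread, that the proxy only ever sees and stores hashes and so cannot recover the password to hand to another authentication backend. The realm `example.edu`, the user `alice`, the password and the `Proxy` / `ua_answer` names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """What the proxy stores per user: MD5(user:realm:password), not the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def ua_answer(user, password, challenge, method, uri):
    """UA side: Authorization parameters for the request retried after the challenge."""
    h = ha1(user, challenge["realm"], password)
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri,
            "response": digest_response(h, method, uri, challenge["nonce"])}


class Proxy:
    """Hypothetical proxy/registrar holding only HA1 values (username -> HA1)."""

    def __init__(self, realm, ha1_store):
        self.realm, self.ha1_store, self.live_nonces = realm, ha1_store, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, creds, method):
        if creds["nonce"] not in self.live_nonces:
            return False                      # unknown or already used nonce
        self.live_nonces.discard(creds["nonce"])
        stored = self.ha1_store.get(creds["username"])
        if stored is None:
            return False
        expected = digest_response(stored, method, creds["uri"], creds["nonce"])
        return hmac.compare_digest(expected.encode(), creds["response"].encode())


if __name__ == "__main__":
    proxy = Proxy("example.edu", {"alice": ha1("alice", "example.edu", "constructed-pw")})
    creds = ua_answer("alice", "constructed-pw", proxy.challenge(), "REGISTER", "sip:example.edu")
    print(creds, proxy.verify(creds, "REGISTER"))
```

Nothing in `creds` or in the proxy's store is the password itself, so a proxy that wanted to validate the user against a Kerberos KDC has no cleartext secret to present on the user's behalf.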

