SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

Slides:

Advertisements

Similar presentations

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

Advertisements

dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.

IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

Internet Telecom Expo September 20, 2000 SIP vs. H.323 SIP vs. H.323 Will the Real IP Telephony Please Stand Up? Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Remote Call/Device Control IETF82, Dispatch WG, Taipei November 15, Rifaat Shekh-Yusef Cullen Jennings Alan Johnston.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

Lecture 23 Internet Authentication Applications

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

1 Extending SIP Speaker: Hsuan-Ming Chen Adviser: Ho-Ting Wu Date: 2005/04/26.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.

Single Sign-On -Mayuresh Pardeshi M.Tech CSE - I.

1 RTCWEB interim Remote recording use case / requirements John Elwell.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.

Session Initiation Protocol (SIP). What is SIP? An application-layer protocol A control (signaling) protocol.

HTTPA (Accountable Hyper Text Transfer Protocol) PhD Proposal Talk Oshani Seneviratne DIG, MIT CSAIL May 31, 2011.

Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

XCON WG IETF-73 Meeting Instant Messaging Sessions with a Centralized Conferencing (XCON) System draft-boulton-xcon-session-chat-02 Authors: Chris Boulton.

SPML Interoperability Demonstration Gavenraj Sodhi, Business Layers 14 April 2003 RSA Conference 2003.

OAuth Use Cases Zachary Zeltsan 31 March Outline Why use cases? Present set in the draft draft-zeltsan-oauth-use-cases-01.txt by George Fletcher.

All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Alec Brusilovsky, Zhibi Wang Alcatel-Lucent, July 24, 2007.

IETF67 DIME WG Towards the specification of a Diameter Resource Control Application Dong Sun IETF 67, San Diego, Nov 2006 draft-sun-dime-diameter-resource-control-requirements-00.txt.

All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Zhibi Wang January, 2007.

FriendFinder Location-aware social networking on mobile phones.

February, TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS.

FriendFinder Location-aware social networking on mobile phones.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Using SAML for SIP H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander.

Secure Skype for Business

File Transfer Services in the Context of SIP Based Communication Markus Isomäki draft-isomaki-sipping-file-transfer-00.

SIP file directory draft-garcia-sipping-file-sharing-framework-00.txt draft-garcia-sipping-file-event-package-00.txt draft-garcia-sipping-file-desc-pidf-00.txt.

July 28, 2009BLISS WG IETF-751 Shared Appearance of a SIP AOR draft-ietf-bliss-shared-appearances-03 Alan Johnston Mohsen Soroushnejad Venkatesh Venkataramanan.

Integrating the Healthcare Enterprise Improving Clinical Care: Enterprise User Authentication For IT Infrastructure Robert Horn Agfa Healthcare.

Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.

University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.

Secure Mobile Development with NetIQ Access Manager

F5 APM & Security Assertion Markup Language ‘sam-el’

General Overview of Various SSO Systems: Active Directory, Google & Facebook Antti Pyykkö Mikko Malinen Oskari Miettinen.

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Introduction to Windows Azure AppFabric

Analyn Policarpio Andrew Jazon Gupaal

SIP Configuration Issues: IETF 57, SIPPING

Data and Applications Security Developments and Directions

Radius, LDAP, Radius used in Authenticating Users

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Windows Azure AppFabric

Addressing the Beast: Single Sign-On II

CompTIA Security+ Study Guide (SY0-401)

Enhancing Web Application Security with Secure Hardware Tokens

PLUG-N-HARVEST ID: H2020-EU

Office 365 Identity Management

SAML/SIP Profiles and Call Initiation

D Guidance 26-Jun: Would like to see a refresh of this title slide

Presentation transcript:

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,

Overview Authorization Framework components: – Authentication: The process of verifying the identity of a user trying to get access to some network services. – Authorization: The process of controlling a user access to network services and the level of service provided to the user. 2

Authentication Does SIP need an identity provider feature? – And if so, do we need more than one? No shortage of approaches – RFC4474/STIR already has something Authority provides a crypto token Relying parties trust authority, authority vouches for user – RFC4484, draft-ietf-sip-saml (d. 2011) SAML focused on attribute-based authorization – OpenID/OAuth has been proposed – Something like RTCWeb’s IdP? 3

Authorization Does SIP need an authorization feature? – And if so, do we need more than one? Possible approaches – RFC4484, draft-ietf-sip-saml (d. 2011) SAML focused on attribute-based authorization – OpenID/OAuth 4

Adhoc Audio & Video Conference A Conference Server provides adhoc audio and video services. The server controls who gets access to the service, and the level of service provided to the user: – Audio vs video – Limit on number of participants: per audio conference per video conference 5

Adhoc Conference Possible Solutions With a User Directory – The server has a User Directory with the details of services associated with the user. Without a User Directory – The server does not have a User Directory, and the services associated with the user must be specified in the request sent to the server. 6

Corporate-wide SSO An enterprise is interested in providing its users with an SSO capability to the corporate various services. The enterprise has an authorization server for controlling the user access to their network and would like to extend that existing authorization server to control the user access to the various services and level of service provided by their SIP network. The user is expected to provide his corporate credentials to login to the corporate network and get different types of services, regardless of the protocol used to provide the service, and without the need to create different accounts for these different types of services. 7

User-to-User Authentication Two users with no association between them, want to be able to call each other. Each user should be able to make a call to the other user and should be able to authenticate the identity of the other user. 8

WebRTC-based Access to IMS The system allows a WebRTC client to authenticate the user, and then allows that user access to the services provided by the IMS system. 9

Backup Slides 10

Mobile Client Access to SIP An Application Server that provides Mobile Clients with access to SIP services. The Mobile Client uses a proprietary protocol to communicate with the Application Server that registers and gets service from the SIP network on behalf of the user that is using the Mobile Client. 11

SIP SSO An enterprise is interested in providing its users with an SSO capability to the corporate various SIP services. The enterprise wants to control the services provided to their SIP users and the level of service provided to the user by their SIP application servers without the need to create different accounts for these services. The enterprise wants to utilize an existing authentication mechanism provided by SIP, but would like to be able to control who gets access to what service and when. The user is expected to use his SIP credentials to login to the SIP network and get access to the basic services, and to get access to the services provided by the various SIP application servers without being challenged to provide credentials for each type of service. 12

Edge Authorization An enterprise is interested in authenticating and authorizing a remote user trying to get access to services provided by the corporate SIP network. The enterprise would like to authenticate and authorize the remote user at the edge of the network using a SIP network element that does not have direct access to the SIP user account, e.g. SBC. The enterprise is also interested in providing the user with an SSO capability to the corporate various SIP services. The user is expected to use his SIP credentials to login to the SIP network and get access to the basic services, and to get access to the services provided by the various SIP application servers without being challenged to provide credentials for each type of service. 13

Internet-Wide SSO A user wants to subscribe to sip services the same way he subscribes to web services - using his identity from one of the popular internet-wide authentication services. (E.g., Google+, Facebook, Disqus.) After that, all that is needed to gain access to those services is to log his device in to the chosen authentication service. 14

Core features Header (or body) to carry a token – May be an artifact, or a URI: dereferenced to acquire the token – Also possible to carry the token in-band (header or body) – RFC4474: Identity header carries a crypto token Pointer to the identity provider – RFC4474: Identity-Info header, containing a URI Locates the credentials needed to verify the token Possible axis of extensibility Capability negotiation – Reject requests without tokens – Reject requests because the token is broken – RFC4474 defined error codes along these lines 428 “Use Identity”, 438 “Invalid Identity Header”, etc 15