RADIUS attribute from rfc5090


SIP-AOR

   Description
         This attribute is used for the authorization of SIP messages.
         The SIP-AOR Attribute identifies the URI, the use of which must
         be authenticated and authorized.  The RADIUS server uses this
         attribute to authorize the processing of the SIP request.  The
         SIP-AOR can be derived from, for example, the To header field
         in a SIP REGISTER request (user under registration), or the
         From header field in other SIP requests.  However, the exact
         mapping of this attribute to SIP can change due to new
         developments in the protocol.  This attribute MUST only be used
         when the RADIUS client wants to authorize SIP users and MUST
         only be used in Access-Request packets.
   Type
         122 for SIP-AOR
   Length
         >= 3
   Text
         The syntax of this attribute corresponds either to a SIP URI
         (with the format defined in ) or a tel URI (with the format
         defined in ).

         The SIP-AOR Attribute holds the complete URI, including
         parameters and other parts.  It is up to the RADIUS server as
         to which components of the URI are regarded in the
         authorization decision.

4.  Diameter Compatibility

   This document defines support for Digest Authentication in RADIUS.  A
   companion document "Diameter Session Initiation Protocol (SIP)
   Application"  defines support for Digest Authentication in
   Diameter, and addresses compatibility issues between RADIUS and
   Diameter.

5.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

  Access- Access- Access- Access-    Acct-
  Request Accept  Reject  Challenge  Req   #  Attribute
  0-1      0      0      0          0-1   1  User-Name
  0-1      0      0      1          0    24  State 
  1        1      1      1          0-1  80  Message-Authenticator
  0-1      0      0      0          0   103  Digest-Response
  0-1      0      0      1          0-1 104  Digest-Realm
  0-1      0      0      1          0   105  Digest-Nonce
  0        0-1    0      0          0   106  Digest-Response-Auth 
  0        0-1    0      0          0   107  Digest-Nextnonce
  1        0      0      0          0-1 108  Digest-Method
  0-1      0      0      0          0-1 109  Digest-URI
  0-1      0      0      0+         0-1 110  Digest-Qop
  0-1      0      0      0-1        0-1 111  Digest-Algorithm 
  0-1      0      0      0          0   112  Digest-Entity-Body-Hash
  0-1      0      0      0          0   113  Digest-CNonce
  0-1      0      0      0          0   114  Digest-Nonce-Count
  0-1      0      0      0          0-1 115  Digest-Username
  0-1      0      0      0-1        0   116  Digest-Opaque
  0+       0+     0      0+         0+  117  Digest-Auth-Param
  0-1      0      0      0          0   118  Digest-AKA-Auts
  0        0      0      0+         0+  119  Digest-Domain
  0        0      0      0-1        0   120  Digest-Stale
  0        0-1    0      0          0   121  Digest-HA1 
  0-1      0      0      0          0   122  SIP-AOR

   The following table defines the meaning of the above table entries.

      0     This attribute MUST NOT be present in the packet.
      0+    Zero or more instances of this attribute MAY be
            present in the packet.
      0-1   Zero or one instance of this attribute MAY be
            present in the packet.

    Digest-HA1 MUST be used instead of Digest-Response-Auth if
            Digest-Qop is 'auth-int'.

    Digest-Response-Auth MUST be used instead of Digest-HA1 if
            Digest-Qop is 'auth'.

    If Digest-Algorithm is missing, 'MD5' is assumed.

    An Access-Challenge MUST contain a State attribute, which is
            copied to the subsequent Access-Request.  A server receiving
            an Access-Request that contains a State attribute MUST
            respond with either an Access-Accept or an Access-Reject;
            the server MUST NOT respond with an Access-Challenge.

6.  Examples

   This is an example selected from the traffic between a softphone (A),
   a Proxy Server (B), and an example.com RADIUS server (C).  The
   communication between the Proxy Server and a SIP Public Switched
   Telephone Network (PSTN) gateway is omitted for brevity.  The SIP
   messages are not shown completely.

   The password of user '12345678' is 'secret'.  The shared secret
   between the RADIUS client and server is 'secret'.  To ease testing,
   only the last byte of the RADIUS authenticator changes between
   requests.  In a real implementation, this would be a serious flaw.
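   The occurrence table and the State rule of section 5 can be checked
   mechanically against packets such as the ones in the exchanges below.
   The following Python is an added example, not code from the RFC: it
   encodes the table as a dictionary, reports any attribute that is
   missing or appears too often for a given packet type, and picks the
   reply type a server may send for an Access-Request.  Packets are
   represented as plain lists of attribute names and the function names
   are my own.

```python
"""Check RFC 5090 attribute occurrence rules for a RADIUS packet type.

Added example; the table below is a transcription of section 5 of the RFC.
"""

# Column order as in the table: Access-Request, Access-Accept, Access-Reject,
# Access-Challenge, Accounting-Request.  Each cell is "0", "0-1", "1" or "0+".
PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject",
                "Access-Challenge", "Accounting-Request")

OCCURRENCE = {
    "User-Name":               ("0-1", "0",   "0", "0",   "0-1"),
    "State":                   ("0-1", "0",   "0", "1",   "0"),
    "Message-Authenticator":   ("1",   "1",   "1", "1",   "0-1"),
    "Digest-Response":         ("0-1", "0",   "0", "0",   "0"),
    "Digest-Realm":            ("0-1", "0",   "0", "1",   "0-1"),
    "Digest-Nonce":            ("0-1", "0",   "0", "1",   "0"),
    "Digest-Response-Auth":    ("0",   "0-1", "0", "0",   "0"),
    "Digest-Nextnonce":        ("0",   "0-1", "0", "0",   "0"),
    "Digest-Method":           ("1",   "0",   "0", "0",   "0-1"),
    "Digest-URI":              ("0-1", "0",   "0", "0",   "0-1"),
    "Digest-Qop":              ("0-1", "0",   "0", "0+",  "0-1"),
    "Digest-Algorithm":        ("0-1", "0",   "0", "0-1", "0-1"),
    "Digest-Entity-Body-Hash": ("0-1", "0",   "0", "0",   "0"),
    "Digest-CNonce":           ("0-1", "0",   "0", "0",   "0"),
    "Digest-Nonce-Count":      ("0-1", "0",   "0", "0",   "0"),
    "Digest-Username":         ("0-1", "0",   "0", "0",   "0-1"),
    "Digest-Opaque":           ("0-1", "0",   "0", "0-1", "0"),
    "Digest-Auth-Param":       ("0+",  "0+",  "0", "0+",  "0+"),
    "Digest-AKA-Auts":         ("0-1", "0",   "0", "0",   "0"),
    "Digest-Domain":           ("0",   "0",   "0", "0+",  "0+"),
    "Digest-Stale":            ("0",   "0",   "0", "0-1", "0"),
    "Digest-HA1":              ("0",   "0-1", "0", "0",   "0"),
    "SIP-AOR":                 ("0-1", "0",   "0", "0",   "0"),
}

# Table legend: (minimum, maximum) instances; None means unbounded.
LIMITS = {"0": (0, 0), "0-1": (0, 1), "1": (1, 1), "0+": (0, None)}


def check_packet(packet_type, attributes):
    """Return a list of violations; an empty list means the packet conforms.

    `attributes` lists attribute names as they appear in the packet, so a
    repeated name counts as several instances.  Attributes the table does
    not cover (NAS-IP-Address, NAS-Port, ...) are ignored.
    """
    col = PACKET_TYPES.index(packet_type)
    counts = {}
    for name in attributes:
        counts[name] = counts.get(name, 0) + 1
    violations = []
    for name, cells in OCCURRENCE.items():
        lo, hi = LIMITS[cells[col]]
        n = counts.get(name, 0)
        if n < lo:
            violations.append(f"{name} missing from {packet_type} (requires {cells[col]})")
        elif hi is not None and n > hi:
            violations.append(f"{name} appears {n} times in {packet_type} (allows {cells[col]})")
    return violations


def choose_response_type(request_attributes, authenticated):
    """Reply type a server may send for an Access-Request.

    A request carrying State is the follow-up to an Access-Challenge, so the
    server answers with Access-Accept or Access-Reject and never with another
    Access-Challenge.  A request without State and without Digest-Response has
    nothing to verify yet, so the server challenges.
    """
    if "State" in request_attributes:
        return "Access-Accept" if authenticated else "Access-Reject"
    if "Digest-Response" not in request_attributes:
        return "Access-Challenge"
    return "Access-Accept" if authenticated else "Access-Reject"


if __name__ == "__main__":
    # The first Access-Request of the SIP exchange below conforms.
    print(check_packet("Access-Request", ["NAS-IP-Address", "NAS-Port", "User-Name",
                                          "Digest-Method", "Digest-URI",
                                          "Message-Authenticator"]))
    # A challenge built only from the Digest-* attributes shown lacks State.
    print(check_packet("Access-Challenge", ["Digest-Nonce", "Digest-Realm", "Digest-Qop",
                                            "Digest-Algorithm", "Message-Authenticator"]))
```

   Fed the first Access-Request of the SIP exchange, the checker returns
   no violations; an Access-Challenge built from the attributes shown in
   the exchanges is reported as missing State, which the table marks as
   required and the notes say must be copied into the next Access-Request.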

   A->B

      INVITE sip:[email protected] SIP/2.0
      From: 
      To: 

   B->A

      SIP/2.0 100 Trying

   B->C

      Code = Access-Request (1)
      Packet identifier = 0x7c (124)
      Length = 97
      Authenticator = F5E55840E324AA49D216D9DBD069807C
      NAS-IP-Address = 192.0.2.38
      NAS-Port = 5
      User-Name = 12345678
      Digest-Method = INVITE
      Digest-URI = sip:[email protected]
      Message-Authenticator = 7600D5B0BDC33987A60D5C6167B28B3B

   C->B

      Code = Access-challenge (11)
      Packet identifier = 0x7c (124)
      Length = 72
      Authenticator = EBE20199C26EFEAD69BF8AB0E786CA4D
      Digest-Nonce = 3bada1a0
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Message-Authenticator = 5DA18ED3BBC9513DCBDE0A37F51B7DE3

   B->A

      SIP/2.0 407 Proxy Authentication Required
      Proxy-Authenticate: Digest realm="example.com"
           ,nonce="3bada1a0",qop=auth,algorithm=MD5
      Content-Length: 0

   A->B

      ACK sip:[email protected] SIP/2.0

   A->B

      INVITE sip:[email protected] SIP/2.0
      Proxy-Authorization: Digest nonce="3bada1a0"
           ,realm="example.com"
           ,response="756933f735fcd93f90a4bbdd5467f263"
           ,uri="sip:[email protected]",username="12345678"
           ,qop=auth,algorithm=MD5
           ,cnonce="56593a80",nc="00000001"

      From: 
      To: 

   B->C

      Code = Access-Request (1)
      Packet identifier = 0x7d (125)
      Length = 221
      Authenticator = F5E55840E324AA49D216D9DBD069807D
      NAS-IP-Address = 192.0.2.38
      NAS-Port = 5
      User-Name = 12345678
      Digest-Method = INVITE
      Digest-URI = sip:[email protected]
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Digest-CNonce = 56593a80
      Digest-Nonce = 3bada1a0
      Digest-Nonce-Count = 00000001
      Digest-Response = 756933f735fcd93f90a4bbdd5467f263
      Digest-Username = 12345678
      SIP-AOR = sip:[email protected]
      Message-Authenticator = B6C7F7F8D11EF261A26933D234561A60

   C->B

      Code = Access-Accept (2)
      Packet identifier = 0x7d (125)
      Length = 72
      Authenticator = FFDD74D6470D21CB6FC4D6056BE245D2
      Digest-Response-Auth = f847de948d12285f8f4199e366f1af21
      Message-Authenticator = 7B76E2F10A7067AF601938BF13B0A62E

   B->A

      SIP/2.0 180 Ringing

   B->A

      SIP/2.0 200 OK

   A->B

      ACK sip:[email protected] SIP/2.0

   A second example shows the traffic between a web browser (A), a web
   server (B), and a RADIUS server (C).

   A->B

      GET /index.html HTTP/1.1

   B->C

      Code = Access-Request (1)
      Packet identifier = 0x7e (126)
      Length = 68
      Authenticator = F5E55840E324AA49D216D9DBD069807E
      NAS-IP-Address = 192.0.2.38
      NAS-Port = 5
      Digest-Method = GET
      Digest-URI = /index.html
      Message-Authenticator = 690BFC95E88DF3B185F15CD78E469992

   C->B

      Code = Access-challenge (11)
      Packet identifier = 0x7e (126)
      Length = 72
      Authenticator = 2EE5EB01C02C773B6C6EC8515F565E8E
      Digest-Nonce = a3086ac8
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Message-Authenticator = 646DB2B0AF9E72FFF2CF7FEB33C4952A

   B->A

      HTTP/1.1 401 Authentication Required
      WWW-Authenticate: Digest realm="example.com",
          nonce="a3086ac8",qop=auth,algorithm=MD5
      Content-Length: 0

   A->B

      GET /index.html HTTP/1.1
      Authorization: Digest algorithm=MD5,qop=auth,nonce="a3086ac8"
           ,nc="00000001",cnonce="56593a80"
           ,realm="example.com"
           ,response="a4fac45c27a30f4f244c54a2e99fa117"
           ,uri="/index.html",username="12345678"

   B->C

      Code = Access-Request (1)
      Packet identifier = 0x7f (127)
      Length = 176
      Authenticator = F5E55840E324AA49D216D9DBD069807F
      NAS-IP-Address = 192.0.2.38
      NAS-Port = 5
      User-Name = 12345678
      Digest-Method = GET
      Digest-URI = /index.html
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Digest-CNonce = 56593a80
      Digest-Nonce = a3086ac8
      Digest-Nonce-Count = 00000001
      Digest-Response = a4fac45c27a30f4f244c54a2e99fa117
      Digest-Username = 12345678
      Message-Authenticator = 237D85C1478C70C67EEAF22A9C456821

   C->B

      Code = Access-Accept (2)
      Packet identifier = 0x7f (127)
      Length = 72
      Authenticator = 6364FA6ED66012847C05A0895607C694
      Digest-Response-Auth = 08c4e942d1d0a191de8b3aa98cd35147
      Message-Authenticator = 43795A3166492AD2A890AD57D5F97D56

   B->A

      HTTP/1.1 200 OK
      ...
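   The digest arithmetic behind the Digest-Response, Digest-Response-Auth
   and Digest-HA1 values in these exchanges, as an added Python example
   (not code from the RFC or from any implementation it describes).  It
   carries out the RFC 2617 computation of H(A1), H(A2), the request
   digest and rspauth for qop auth and auth-int, applies the MD5 default
   when Digest-Algorithm is absent, and returns Digest-HA1 rather than
   Digest-Response-Auth for auth-int as section 5 requires.  The function
   names are my own; EXAMPLE_REQUEST copies the attributes of the second
   Access-Request above and the password 'secret' is the one the text
   states.

```python
"""HTTP Digest computations a RADIUS server performs on RFC 5090 attributes.

Added example.  H() is MD5 throughout, the only algorithm the exchanges use.
"""
import hashlib


def md5_hex(data: str) -> str:
    """H(data) for algorithm MD5: hex digest of the UTF-8 encoded string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username, realm, password, algorithm="MD5", nonce="", cnonce=""):
    """H(A1); for MD5-sess the nonce and cnonce are folded in as RFC 2617 says."""
    h = md5_hex(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        h = md5_hex(f"{h}:{nonce}:{cnonce}")
    return h


def ha2(method, uri, qop="auth", entity_body_hash=None):
    """H(A2); qop=auth-int also binds the entity body (Digest-Entity-Body-Hash)."""
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{entity_body_hash}")
    return md5_hex(f"{method}:{uri}")


def digest_response(a1, a2, nonce, nc, cnonce, qop):
    """The request digest carried in Digest-Response (or rspauth, given A2 with an empty method)."""
    if qop:
        return md5_hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")
    return md5_hex(f"{a1}:{nonce}:{a2}")  # RFC 2069 form when no qop was negotiated


def verify_access_request(attrs, password):
    """Server-side check of an Access-Request carrying Digest-* attributes.

    `attrs` maps attribute names to values as in the example packets.  Returns
    (accepted, attribute_name, attribute_value): on success the last two are
    what the Access-Accept carries, Digest-Response-Auth for qop=auth and
    Digest-HA1 for qop=auth-int, since only the RADIUS client knows the
    response body that rspauth must cover in the auth-int case.
    """
    algorithm = attrs.get("Digest-Algorithm", "MD5")  # 'MD5' is assumed if missing
    qop = attrs.get("Digest-Qop", "")
    nonce = attrs["Digest-Nonce"]
    cnonce = attrs.get("Digest-CNonce", "")
    nc = attrs.get("Digest-Nonce-Count", "")
    a1 = ha1(attrs["Digest-Username"], attrs["Digest-Realm"], password,
             algorithm, nonce, cnonce)
    a2 = ha2(attrs["Digest-Method"], attrs["Digest-URI"], qop,
             attrs.get("Digest-Entity-Body-Hash"))
    expected = digest_response(a1, a2, nonce, nc, cnonce, qop)
    if expected.lower() != attrs["Digest-Response"].lower():
        return False, None, None
    if qop == "auth-int":
        return True, "Digest-HA1", a1
    rspauth = digest_response(a1, ha2("", attrs["Digest-URI"], "auth"),
                              nonce, nc, cnonce, qop)
    return True, "Digest-Response-Auth", rspauth


# Attributes of the second Access-Request above (browser / web server / RADIUS).
EXAMPLE_REQUEST = {
    "Digest-Method": "GET",
    "Digest-URI": "/index.html",
    "Digest-Realm": "example.com",
    "Digest-Qop": "auth",
    "Digest-Algorithm": "MD5",
    "Digest-CNonce": "56593a80",
    "Digest-Nonce": "a3086ac8",
    "Digest-Nonce-Count": "00000001",
    "Digest-Response": "a4fac45c27a30f4f244c54a2e99fa117",
    "Digest-Username": "12345678",
}

if __name__ == "__main__":
    print(verify_access_request(EXAMPLE_REQUEST, "secret"))
```

   Running the file recomputes the digest for that request, so the result
   can be compared with the Digest-Response and Digest-Response-Auth
   values shown above; verify_access_request is the check a RADIUS server
   performs before answering with Access-Accept or Access-Reject.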

      
7.  IANA Considerations

   The following values from the RADIUS Attribute Types number space
   were assigned in .  This document requests that the values
   in the table below be entered within the existing registry.

   Attribute               #
   ---------------        ----
   Digest-Response         103
   Digest-Realm            104
   Digest-Nonce            105
   Digest-Response-Auth    106
   Digest-Nextnonce        107
   Digest-Method           108
   Digest-URI              109
   Digest-Qop              110
   Digest-Algorithm        111
   Digest-Entity-Body-Hash 112
   Digest-CNonce           113
   Digest-Nonce-Count      114
   Digest-Username         115
   Digest-Opaque           116
   Digest-Auth-Param       117
   Digest-AKA-Auts         118
   Digest-Domain           119
   Digest-Stale            120
   Digest-HA1              121
   SIP-AOR                 122

8.  Security Considerations

   The RADIUS extensions described in this document enable RADIUS to
   transport the data that is required to perform a digest calculation.
   As a result, RADIUS inherits the vulnerabilities of HTTP Digest (see) in addition to RADIUS security vulnerabilities
   described in, and.

   An attacker compromising a RADIUS client or proxy can carry out man-
   in-the-middle attacks even if the paths between A, B and B, C (Figure
   2) have been secured with TLS or IPsec.

   The RADIUS server MUST check the Digest-Realm Attribute it has
   received from a client.  If the RADIUS client is not authorized to
   serve HTTP-style clients of that realm, it might be compromised.
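   One way to implement the realm check this section requires, as an
   added Python example rather than text from the RFC: the server keeps a
   per-client set of realms, identifying the client by NAS-IP-Address as
   the example packets do.  The policy table, the function name and the
   realm values other than example.com are constructed for illustration.

```python
"""Per-client realm authorization for a RADIUS server receiving Digest-* attributes."""

# Constructed policy: the realms each RADIUS client is configured to serve,
# keyed by the client address the server sees (NAS-IP-Address in the examples
# above).  A client absent from the table has no shared secret configured, and
# its packets are discarded as for any unknown RADIUS client.
CLIENT_REALMS = {
    "192.0.2.38": {"example.com"},
}


def authorize_realm(nas_ip, attrs, policy=CLIENT_REALMS):
    """Decide whether the Digest-Realm in an Access-Request is acceptable.

    Returns (decision, reason).  decision is "discard" for an unknown client,
    "reject" when a known client names a realm it may not serve, and
    "continue" when the realm is authorized or the request carries no
    Digest-Realm yet (the first request of an exchange, which the server
    answers with an Access-Challenge naming the realm itself).  The reason is
    written for the audit log; the unauthorized-realm case is the one the
    text flags as a possible compromise of the RADIUS client.
    """
    allowed = policy.get(nas_ip)
    if allowed is None:
        return "discard", f"unknown RADIUS client {nas_ip}"
    realm = attrs.get("Digest-Realm")
    if realm is None:
        return "continue", f"client {nas_ip}: no Digest-Realm yet, challenge will name the realm"
    if realm not in allowed:
        return "reject", f"client {nas_ip} not authorized for realm {realm!r}: possible compromise"
    return "continue", f"client {nas_ip} authorized for realm {realm!r}"


if __name__ == "__main__":
    # Attributes as in the first and the last Access-Request above, then a
    # constructed request naming a realm the client may not serve.
    print(authorize_realm("192.0.2.38", {"Digest-Method": "GET", "Digest-URI": "/index.html"}))
    print(authorize_realm("192.0.2.38", {"Digest-Realm": "example.com", "Digest-Method": "GET"}))
    print(authorize_realm("192.0.2.38", {"Digest-Realm": "other.example"}))
```

   The decision and reason are meant to be logged together: a stream of
   "reject" entries for one client address is the signal that the client
   has started asking for realms it was never configured for.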