Authentication
Builds upon authentication schemes developed for HTTP (see RFC 2716), for example challenge/response, digest, …
Two forms:
- user agent-to-user agent
  - 401 Unauthorized ⇒ Authentication Required
- user agent-to-server
  - 407 Proxy Authentication Required ⇒ Authentication Required (response sent by a proxy/server)
Note: Any SIP request can be challenged for authentication.
Note: There is no integrity protection; for additional information see SIP Security, NATs, and Firewalls later in these notes.
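The 401/407 challenge-and-response round trip described on this slide, as an added example that is not part of the lecture notes. It implements the HTTP Digest computation (MD5 with qop=auth) that SIP reuses, on both the challenging side (UAS or proxy) and the client side. The realm `example.com`, the user `alice`, the password and the nonces are constructed for the example; the hypothetical `USERS` table stands in for whatever credential store a real registrar would consult.

```python
import hashlib
import re
import secrets

# Constructed, hypothetical credential store for a registrar/proxy at "example.com".
REALM = "example.com"
USERS = {"alice": "correct horse battery staple"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_challenge(status: int, nonce: str) -> str:
    """Build the challenge a UAS (401) or a proxy (407) returns for an unauthenticated request."""
    if status == 401:
        reason, header = "Unauthorized", "WWW-Authenticate"
    else:
        reason, header = "Proxy Authentication Required", "Proxy-Authenticate"
    return (f"SIP/2.0 {status} {reason}\r\n"
            f'{header}: Digest realm="{REALM}", nonce="{nonce}", qop="auth", algorithm=MD5\r\n'
            "Content-Length: 0\r\n\r\n")


def parse_digest_params(value: str) -> dict:
    """Turn 'Digest realm="...", nonce="...", qop=auth' into a dict (quotes stripped)."""
    params = value.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).

    Only the method and the request URI enter HA2; headers and body are not covered."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_credentials(status, challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Client side: read the challenge and produce the Authorization / Proxy-Authorization line."""
    header = "WWW-Authenticate" if status == 401 else "Proxy-Authenticate"
    line = next(l for l in challenge.split("\r\n") if l.startswith(header + ":"))
    p = parse_digest_params(line.split(": ", 1)[1])
    resp = digest_response(username, password, p["realm"], method, uri,
                           p["nonce"], nc, cnonce, p["qop"])
    out = "Authorization" if status == 401 else "Proxy-Authorization"
    return (f'{out}: Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop={p["qop"]}, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", algorithm=MD5')


def verify_credentials(header_line, method, issued_nonce) -> bool:
    """Server side: recompute the digest from the stored password and compare in constant time."""
    p = parse_digest_params(header_line.split(": ", 1)[1])
    password = USERS.get(p.get("username"))
    if password is None or p.get("nonce") != issued_nonce or p.get("realm") != REALM:
        return False
    expected = digest_response(p["username"], password, REALM, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return secrets.compare_digest(expected, p.get("response", ""))


def register_exchange(status=401, password="correct horse battery staple") -> bool:
    """One challenge/response round trip for a REGISTER; True if the server accepts it."""
    nonce = secrets.token_hex(16)              # fresh server nonce per challenge
    challenge = make_challenge(status, nonce)
    creds = build_credentials(status, challenge, "alice", password,
                              "REGISTER", "sip:example.com", cnonce=secrets.token_hex(8))
    return verify_credentials(creds, "REGISTER", nonce)


if __name__ == "__main__":
    print("401 round trip accepted:", register_exchange(401))
    print("407 round trip accepted:", register_exchange(407))
    print("wrong password accepted:", register_exchange(401, password="wrong"))
```

The 401 and 407 paths differ only in the header names; the digest itself is identical. Note what `digest_response` hashes: the method and the request URI, plus the nonces. The SIP message body (e.g. the SDP offer in an INVITE) and the other headers are not inputs, which is the concrete form of the slide's "no integrity protection" remark: a verifier can tell that someone who knows alice's password sent some INVITE to that URI, but not that the rest of the message arrived unmodified.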
Slide Notes
[RFC 2716] B. Aboba and D. Simon, ‘PPP EAP TLS Authentication Protocol’, Internet Request for Comments, vol. RFC 2716 (Experimental), Oct. 1999 [Online]. Available: http://www.rfc-editor.org/rfc/rfc2716.txt
Transcript
[slide153] So how do we do authentication in this whole system? We can basically piggyback from what we had in HTTP, where we either do user agent to user agent authentication. So the first thing that will happen is we'll send back a 401 Unauthorized saying authentication is required. And now we force the other party to authenticate themselves. Or we can do user agent authentication to server, in which case a 407 Proxy Authentication Required is sent, and we send our authentication to the proxy. Note: No integrity protection. These are text messages that are being sent between these nodes. So unless you put them inside tunnels and you set up some sort of security, there isn't any.