9.5. SIP-Auth-Data-Item AVP
The SIP-Auth-Data-Item (AVP Code 376) is of type Grouped and contains
the authentication and/or authorization information pertaining to a
user.
When the Diameter server uses the grouped SIP-Auth-Data-Item AVP to
include a SIP-Authenticate AVP, the Diameter server MUST send a
maximum of one authentication data item (e.g., in case the SIP
request contained several credentials). Section 11 contains a
detailed discussion and normative text of the case when a SIP request
contains several credentials.
The SIP-Auth-Data-Item AVP is defined as follows (per the
grouped-avp-def of RFC 3588 [RFC3588]):
   SIP-Auth-Data-Item ::= < AVP Header: 376 >
                          { SIP-Authentication-Scheme }
                          [ SIP-Item-Number ]
                          [ SIP-Authenticate ]
                          [ SIP-Authorization ]
                          [ SIP-Authentication-Info ]
                        * [ AVP ]
9.5.1. SIP-Authentication-Scheme AVP
The SIP-Authentication-Scheme AVP (AVP Code 377) is of type
Enumerated and indicates the authentication scheme used in the
authentication of SIP services. RFC 2617 identifies this value as an
"auth-scheme" (see Section 1.2 of RFC 2617 [RFC2617]). The only
currently defined value is:
o DIGEST (0) to indicate HTTP Digest authentication as specified in
RFC 2617 [RFC2617] Section 3.2.1. Derivative work is also
considered Digest authentication scheme, as long as the
"auth-scheme" is identified as Digest in the SIP headers carrying
the HTTP authentication. This includes, e.g., the HTTP Digest
authentication using AKA [RFC3310].
Each HTTP Digest directive (parameter) is transported in a
corresponding AVP, whose name follows the pattern Digest-*. The
Digest-* AVPs are RADIUS attributes imported from the RADIUS
Extension for Digest Authentication [RFC4590] namespace, allowing a
smooth transition between RADIUS and Diameter applications supporting
SIP. The Diameter SIP application goes a step further by grouping
the Digest-* AVPs into the SIP-Authenticate, SIP-Authorization, and
SIP-Authentication-Info grouped AVPs that correspond to the SIP
WWW-Authenticate/Proxy-Authentication, Authorization/Proxy-Authorization,
and Authentication-Info header fields, respectively.
Note: Due to the fact that HTTP Digest authentication [RFC2617] is
the only mandatory authentication mechanism in SIP, this memo only
provides support for HTTP Digest authentication and derivative
work such as HTTP Digest authentication using AKA [RFC3310].
Extensions to this memo can register new values and new AVPs to
provide support for other authentication schemes or extensions to
HTTP Digest authentication.
Note: Although RFC 2617 [RFC2617] defines the Basic and Digest
schemes for authenticating HTTP requests, RFC 3261 [RFC3261] only
imports HTTP Digest as a mechanism to provide authentication in
SIP.
Due to syntactic requirements, HTTP Digest authentication has to
escape quote characters in contents of HTTP Digest directives. When
translating directives into Digest-* AVPs, the Diameter client or
server removes the surrounding quotes where present, as required by
the syntax of the Digest-* attributes defined in the "RADIUS
Extension for Digest Authentication" [RFC4590].
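
The translation described above, as an added example that is not part of the original memo: a parser that turns a SIP Authorization header value into Digest-* AVP values, removes only the surrounding quotes, and checks the AVPs that the SIP-Authorization grammar marks as required. The function name, the sample header, and the verbatim handling of unknown directives as Digest-Auth-Param are assumptions of this example.

```python
import re

# Digest directive -> Digest-* AVP (AVP names from the SIP-Authorization grammar).
DIRECTIVE_TO_AVP = {
    "username": "Digest-Username", "realm": "Digest-Realm",
    "nonce": "Digest-Nonce", "uri": "Digest-URI",
    "response": "Digest-Response", "algorithm": "Digest-Algorithm",
    "cnonce": "Digest-CNonce", "opaque": "Digest-Opaque",
    "qop": "Digest-QoP", "nc": "Digest-Nonce-Count",
}
REQUIRED = ("Digest-Username", "Digest-Realm", "Digest-Nonce",
            "Digest-URI", "Digest-Response")

# name=token or name="quoted string"; a backslash-escaped quote does not end it.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)\s*(?:,|$)')

def authorization_to_avps(header_value):
    """Translate a SIP Authorization header value into Digest-* AVP values."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest auth-scheme is defined")
    avps, pos = {}, 0
    while pos < len(rest):
        m = _DIRECTIVE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        # Remove only the surrounding quotes; inner escapes are left untouched.
        value = raw[1:-1] if raw.startswith('"') else raw
        avp = DIRECTIVE_TO_AVP.get(name)
        if avp is None:  # assumption: unknown directives kept verbatim
            avps.setdefault("Digest-Auth-Param", []).append(f"{name}={raw}")
        elif avp in avps:
            raise ValueError(f"duplicate directive: {name}")
        else:
            avps[avp] = value
        pos = m.end()
    missing = [a for a in REQUIRED if a not in avps]
    if missing:
        raise ValueError(f"missing required AVPs: {missing}")
    return avps

# Constructed sample header value; the realm holds escaped quotes and a comma.
SAMPLE = (r'Digest username="alice", realm="Office \"A\", east", '
          r'nonce="abc123", uri="sip:example.test", qop=auth, nc=00000001, '
          r'response="0123456789abcdef0123456789abcdef", x-note="keep"')
```

Splitting the header on commas or stripping every quote character would corrupt the realm in this sample; the tokenizer keeps quoted strings intact and rejects duplicate or missing required directives.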
9.5.2. SIP-Item-Number AVP
The SIP-Item-Number (AVP Code 378) is of type Unsigned32 and is
included in a SIP-Auth-Data-Item grouped AVP in circumstances where
there are multiple occurrences of SIP-Auth-Data-Item AVPs and the
order of processing is relevant. The AVP indicates the order in
which the Grouped SIP-Auth-Data-Item should be processed. Lower
values of the SIP-Item-Number AVP indicate that the whole
SIP-Auth-Data-Item SHOULD be processed before other
SIP-Auth-Data-Item AVPs that contain higher values in the
SIP-Item-Number AVP.
9.5.3. SIP-Authenticate AVP
The SIP-Authenticate AVP (AVP Code 379) is of type Grouped and
contains a reconstruction of either the SIP WWW-Authenticate or
Proxy-Authentication header fields specified in RFC 2617 [RFC2617]
for the HTTP Digest authentication scheme. Additionally, the AVP may
include a Digest-HA1 AVP that contains H(A1) (as defined in RFC 2617
[RFC2617]). H(A1) allows the Diameter client to create an expected
response and compare it with the Digest response received from the
SIP UA.
The SIP-Authenticate AVP is defined as follows (per the
grouped-avp-def of RFC 3588 [RFC3588]):
   SIP-Authenticate ::= < AVP Header: 379 >
                        { Digest-Realm }
                        { Digest-Nonce }
                        [ Digest-Domain ]
                        [ Digest-Opaque ]
                        [ Digest-Stale ]
                        [ Digest-Algorithm ]
                        [ Digest-QoP ]
                        [ Digest-HA1 ]
                      * [ Digest-Auth-Param ]
                      * [ AVP ]
9.5.4. SIP-Authorization AVP
The SIP-Authorization AVP (AVP Code 380) is of type Grouped and
contains a reconstruction of either the SIP Authorization or
Proxy-Authorization header fields specified in RFC 2617 [RFC2617] for
the HTTP Digest authentication scheme.
The SIP-Authorization AVP is defined as follows (per the
grouped-avp-def of RFC 3588 [RFC3588]):
   SIP-Authorization ::= < AVP Header: 380 >
                         { Digest-Username }
                         { Digest-Realm }
                         { Digest-Nonce }
                         { Digest-URI }
                         { Digest-Response }
                         [ Digest-Algorithm ]
                         [ Digest-CNonce ]
                         [ Digest-Opaque ]
                         [ Digest-QoP ]
                         [ Digest-Nonce-Count ]
                         [ Digest-Method ]
                         [ Digest-Entity-Body-Hash ]
                       * [ Digest-Auth-Param ]
                       * [ AVP ]
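
How a Diameter client can use Digest-HA1 from SIP-Authenticate (Section 9.5.3) together with the SIP-Authorization AVPs to create the expected response and compare it with the one received from the SIP UA, shown as an added example that is not part of the original memo. The function names and the dictionary layout are assumptions of this example; the sample values are the RFC 2617 Section 3.5 test vector, and only algorithm MD5 is handled.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(ha1, authz):
    """Request-digest per RFC 2617, from Digest-HA1 and SIP-Authorization AVPs."""
    if authz.get("Digest-Algorithm", "MD5") != "MD5":
        raise ValueError("this example only handles algorithm MD5")
    qop = authz.get("Digest-QoP")
    a2 = authz["Digest-Method"] + ":" + authz["Digest-URI"]
    if qop == "auth-int":
        a2 += ":" + authz["Digest-Entity-Body-Hash"]  # H(entity-body)
    ha2 = md5_hex(a2)
    if qop is None:  # RFC 2069 compatibility form, no nc/cnonce
        return md5_hex(f'{ha1}:{authz["Digest-Nonce"]}:{ha2}')
    if qop not in ("auth", "auth-int"):
        raise ValueError("unknown qop value")
    return md5_hex(":".join([ha1, authz["Digest-Nonce"],
                             authz["Digest-Nonce-Count"],
                             authz["Digest-CNonce"], qop, ha2]))

def verify_sip_ua(authenticate, authz):
    """True only if the UA answered the issued challenge with the right digest."""
    for avp in ("Digest-Realm", "Digest-Nonce"):
        if authz[avp] != authenticate[avp]:
            return False  # reply does not belong to this challenge
    want = expected_response(authenticate["Digest-HA1"], authz)
    got = authz["Digest-Response"].lower()
    return hmac.compare_digest(want.encode(), got.encode())  # constant time

# Constructed sample: the RFC 2617 Section 3.5 test vector, laid out as AVPs.
CHALLENGE = {
    "Digest-Realm": "testrealm@host.com",
    "Digest-Nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "Digest-QoP": "auth",
    # Stand-in for the value the Diameter server would send in Digest-HA1.
    "Digest-HA1": md5_hex("Mufasa:testrealm@host.com:Circle Of Life"),
}
REPLY = {
    "Digest-Username": "Mufasa", "Digest-Realm": "testrealm@host.com",
    "Digest-Nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "Digest-URI": "/dir/index.html", "Digest-Method": "GET",
    "Digest-QoP": "auth", "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0a4f113b",
    "Digest-Response": "6629fae49393a05397450978507c4ef1",
}
```

With Digest-HA1 the client never handles the user's password, but H(A1) is still a password-equivalent secret for that realm and needs the same protection in transit and in memory.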




