| Article Index |
|---|
| Diameter SIP Application AVPs |
| Page 2 |
| Page 3 |
| Page 4 |
| Page 5 |
| Page 6 |
| Page 7 |
| Page 8 |
| Page 9 |
| Page 10 |
| All Pages |
Page 6 of 10
9.5.5. SIP-Authentication-Info AVP
The SIP-Authentication-Info AVP (AVP Code 381) is of type Grouped and
contains a reconstruction of the SIP Authentication-Info header
specified in RFC 2617 [RFC2617] for the HTTP Digest authentication
scheme.
The SIP-Authentication-Info AVP is defined as follows (per the
grouped-avp-def of RFC 3588 [RFC3588]):
SIP-Authentication-Info ::= < AVP Header: 381 >
[ Digest-Nextnonce ]
[ Digest-QoP ]
[ Digest-Response-Auth ]
[ Digest-CNonce ]
[ Digest-Nonce-Count ]
* [ AVP ]
Note that, in some cases, the Digest-Response-Auth AVP cannot be
calculated at the Diameter server, but has to be calculated at the
Diameter client (SIP server). For example, if the value of the
quality of protection (qop) parameter in Digest is set to "auth-int",
then the response-digest (rspauth parameter value in Digest) is
calculated with the hash of the body of the SIP response, which is
not available at the Diameter server. In this case, the Diameter
client (SIP server) must calculate the response-digest once the body
of the SIP response is calculated.
Therefore, a value of "auth-int" in the Digest-QoP AVP of the
SIP-Authentication-Info AVP indicates that the Diameter client (SIP
server) MUST compute the Digest "rspauth" parameter value at the
Diameter client (SIP server).
9.5.6. Digest AVPs
The following AVPs are RADIUS attributes defined in the RADIUS
Extension for Digest Authentication [RFC4590] and imported by this
specification: Digest-AKA-Auts, Digest-Algorithm, Digest-Auth-Param,
Digest-CNonce, Digest-Domain, Digest-Entity-Body-Hash, Digest-HA1,
Digest-Method, Digest-Nextnonce, Digest-Nonce, Digest-Nonce-Count,
Digest-Opaque, Digest-QoP, Digest-Realm, Digest-Response,
Digest-Response-Auth, Digest-URI, Digest-Username, and Digest-Stale.
9.5.6.1. Considerations about Digest-HA1 AVP
The Digest-HA1 AVP contains the value, pre-calculated at the Diameter
server, of H(A1) as defined in RFC 2617 [RFC2617]. The Diameter
client can use H(A1) to calculate the expected Digest response,
according to this challenge. If the SIP UA is in possession of the
credentials, the calculated expected response and the response sent
from the SIP UA will match. The Diameter server MAY include this AVP
to enable and assist the SIP server in authenticating the SIP UA.
This scenario is not applicable when the Diameter server is
configured to use a session MD5 (MD5-sess) algorithm, because the
Diameter server requires the client nonce to compute the H(A1) before
sending it to the Diameter client, and the client nonce might not be
available when the computation of H(A1) is done. Therefore, if the
final authentication is delegated to the Diameter client, it is
RECOMMENDED to configure the Diameter server to use algorithms
different than MD5-sess in HTTP Digest.
It is up to the Diameter server to include a Digest-HA1 AVP. The
Diameter server calculates the Digest H(A1) with the username,
password, and realm (and nonce and cnonce, if applicable) as inputs,
and places the result in the Digest-HA1 AVP value. For more details
of the A1 computation, see RFC 2617 [RFC2617] Section 3.2.2.2. The
Diameter client can calculate the Digest expected response with H(A1)
as input, as described in RFC 2617 [RFC2617] Section 3.2.2.
Section 11 provides further normative details about the usage of the
Digest-HA1 AVP.
9.5.6.2. Considerations about Digest-Entity-Body-Hash AVP
The Digest-Entity-Body-Hash AVP contains a hash of the entity body
contained in the SIP message. This hash is required by HTTP Digest
with quality of protection set to "auth-int". Diameter clients MUST
use this AVP to transport the hash of the entity body when HTTP
Digest is the authentication mechanism and the Diameter server
requires verification of the integrity of the entity body (e.g., qop
parameter set to "auth-int").
The clarifications described in Section 22.4 of RFC 3261 [RFC3261]
about the hash of empty entity bodies apply to the
Digest-Entity-Body-Hash AVP.
9.5.6.3. Considerations about Digest-Auth-Param AVP
The Digest-Auth-Param AVP is the mechanism whereby the Diameter
client and Diameter server can exchange possible extension parameters
contained in Digest headers that are either not understood by the
Diameter client or for which there are no corresponding stand-alone
AVPs. Unlike the previously listed Digest-* AVPs, the
Digest-Auth-Param contains not only the value, but also the parameter
name, since it is unknown to the Diameter client. The Diameter node
MUST insert one Digest parameter/value combination per AVP value. If
the Digest header contains several unknown parameters, then the
Diameter implementation MUST repeat this AVP and each instance MUST
contain one different unknown Digest parameter/value combination.
This AVP corresponds to the "auth-param" parameter defined in Section
3.2.1 of RFC 2617 [RFC2617].
Example: Assume that the Diameter server wants the SIP server to send
a "foo" parameter with the value set to "bar", so that the SIP server
sends that combination in a SIP WWW-Authenticate header field. The
Diameter server builds a grouped SIP-Authenticate AVP that contains a
Digest-Auth-Param whose value is set to foo="bar". Then the SIP
server creates the WWW-Authenticate header field with all the digest
parameters (received in Digest-* AVPs) and adds the foo="bar"
parameter to that header field.
