6.3. Delegating Final Authentication Check to the SIP Server
An operator with a large base of installed SIP servers may wish to
minimize the number of round-trips between the Diameter client and
the Diameter server. We provide support for a mechanism where the
Diameter server delegates the final authentication check to the SIP
server, thereby saving a round-trip. Section 14.1 discusses the
security considerations of this scenario.
It must be noted that this scenario is not applicable when the Diameter
server is configured to use a session MD5 (MD5-sess) algorithm,
because the Diameter server requires the client nonce to compute the
H(A1) before sending it to the Diameter client. However, the client
nonce might not be available at that time.
                 +--------+          +--------+          +--------+
                 |  SIP   |          |Diameter|          |  SIP   |
                 |server 1|          | server |          |server 2|
                 +--------+          +--------+          +--------+
                     |                   |                   |
1. SIP REGISTER      |                   |                   |
-------------------->| 2. UAR            |                   |
                     |------------------>|                   |
                     |      3. UAA       |                   |
                     |<------------------|                   |
                     |            4. SIP REGISTER            |
                     |-------------------------------------->|
                     |                   |      5. MAR       |
                     |                   |<------------------|
                     |                   |      6. MAA       |
                     |                   |------------------>|
                     |       7. SIP 401 (Unauthorized)       |
8. SIP 401 (Unauth.) |<--------------------------------------|
<--------------------|                   |                   |
9. SIP REGISTER      |                   |                   |
-------------------->| 10. UAR           |                   |
                     |------------------>|                   |
                     |      11. UAA      |                   |
                     |<------------------|                   |
                     |           12. SIP REGISTER            |
                     |-------------------------------------->|
                     |                   |      13. SAR      |
                     |                   |<------------------|
                     |                   |      14. SAA      |
                     |                   |------------------>|
                     |           15. SIP 200 (OK)            |
16. SIP 200 (OK)     |<--------------------------------------|
<--------------------|                   |                   |
                     |                   |                   |

        Figure 3: Delegation of authentication to the SIP server
Figure 3 shows an example where a SIP server is dynamically allocated
to serve a SIP User Agent with the support of the Diameter server.
This may be the case in certain architectures, such as that of the
3rd Generation Partnership Project (3GPP) IP Multimedia Core Network
Subsystem.
A first SIP server receives a SIP REGISTER request (step 1) whose
target is the home network domain. In Figure 3, we assume that this
SIP server is located at the edge of the administrative home domain.
The Diameter client in this SIP server requests authorization from
the Diameter server to proceed with the registration, by sending a
Diameter User-Authorization-Request (UAR) message (step 2). The
message includes, among other Attribute-Value-Pairs (AVPs), the SIP
Address-Of-Record (AOR) that is included in the SIP REGISTER request.
The Diameter server verifies the SIP AOR and, if it is a valid
defined user in the home network, authorizes the registration to
proceed. The Diameter server responds with a Diameter
User-Authorization-Answer (UAA) message (step 3), which informs the
Diameter client/SIP server about the result of the user
authorization. In case of a successful authorization, the Diameter
UAA message indicates the address of a local SIP server (SIP server 2
in Figure 3) and/or a list of capabilities that SIP server 1 may use
to select an appropriate SIP server 2.
When the authorization is successful, SIP server 1 forwards the SIP
REGISTER request (step 4) to the appropriate SIP server (SIP server
2). The Diameter client in SIP server 2 requests authentication
parameters by sending a Diameter Multimedia-Auth-Request (MAR)
message (step 5) to the Diameter server. This request also makes the
Diameter server aware of the SIP or SIPS URI of SIP server 2, so as
to return subsequent requests of the same user to the same SIP server
2. The Diameter server responds with a Diameter
Multimedia-Auth-Answer (MAA) message (step 6), which includes a nonce
and all the rest of the parameters necessary for the designated
authentication algorithm associated with the user. Among others, the
MAA message includes a Digest-HA1 AVP that contains H(A1) (as defined
in RFC 2617 [RFC2617]), and that allows the Diameter client to
calculate the expected response. Then the Diameter client can
compare this expected response with the response to the challenge
sent from the SIP UA. The absence of the Digest-HA1 AVP in MAA
indicates that authentication and authorization take place in the
Diameter server, as per the scenario described in Section 6.2.
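The final check that SIP server 2 performs with the Digest-HA1 AVP, as an added example in Python (not code from the RFC): the UA side derives its response from the password, while the server side recomputes the expected RFC 2617 response from H(A1) alone and compares it in constant time. The credentials, nonce, cnonce and URI are constructed sample values; the last function shows why MD5-sess cannot be delegated, since its H(A1) depends on the client nonce the Diameter server does not yet have when it answers the MAR.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# Constructed sample values (not from the RFC): they stand in for the user's
# credentials and for the challenge parameters carried in the MAA and SIP 401.
USER, REALM, PASSWORD = "alice", "example.com", "correct-horse"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
URI = "sip:example.com"

def ua_authorization(username, realm, password, method, uri, nonce, cnonce, nc):
    """What the SIP UA sends in step 9: a Digest response derived from its password."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest(header):
    """Split a 'Digest k=v, k="v"' header value into a dict of parameters."""
    body = header[len("Digest "):]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', body)}

def verify_with_digest_ha1(digest_ha1, method, header):
    """SIP server 2 side: recompute the expected response from the H(A1) value
    received in the Digest-HA1 AVP (never from the password) and compare it in
    constant time with the response the UA sent."""
    p = parse_digest(header)
    ha2 = md5_hex(f"{method}:{p['uri']}")
    expected = md5_hex(f"{digest_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return hmac.compare_digest(expected, p["response"])

def ha1_md5_sess(ha1, nonce, cnonce):
    """MD5-sess H(A1) mixes in the client nonce, so the Diameter server cannot
    produce it when answering the MAR: the UA has not chosen cnonce yet."""
    return md5_hex(f"{ha1}:{nonce}:{cnonce}")

def demo():
    digest_ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")  # value the MAA would carry
    good = ua_authorization(USER, REALM, PASSWORD, "REGISTER", URI, NONCE, CNONCE, NC)
    bad = ua_authorization(USER, REALM, "wrong-pw", "REGISTER", URI, NONCE, CNONCE, NC)
    return (verify_with_digest_ha1(digest_ha1, "REGISTER", good),
            verify_with_digest_ha1(digest_ha1, "REGISTER", bad))

if __name__ == "__main__":
    print(demo())  # (True, False)
```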