Network Working Group E. Ivov Internet-Draft SIP Communicator Intended status: Informational E. Marocco Expires: September 3, 2010 Telecom Italia March 2, 2010 Problem Statement and Possible Best Practices for Authentication of SIP+ XMPP Clients draft-ivov-sipxmpp-auth-01 Abstract This document discusses several mechanisms for simplifying authentication of dual-stack SIP+XMPP clients against the corresponding SIP and XMPP services. The text is not attempt to define a complex credential sharing protocol but rather to determine and eventually encourage use of a simple mechanism that would allow service providers to host a SIP+XMPP solution appearing as a single service to their users. In other words, the goal here is to agree on a set of recommendations that would encourage client developers to implement simple UIs that would only require users to provide an ID and a password when configuring their SIP+XMPP account for the first time (as opposed to having to do so separately for SIP and XMPP). Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 3, 2010. Ivov & Marocco Expires September 3, 2010 [Page 1] Internet-Draft Discovery and Authenticationfor SIP+XMPP March 2010 Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Why it is important to have a common authentication mechanism. . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Simply stating it ... . . . . . . . . . . . . . . . . . . . . . 4 3. Using the domain in the auth header in SIP or XMPP . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Informative References . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5 Ivov & Marocco Expires September 3, 2010 [Page 2] Internet-Draft Discovery and Authenticationfor SIP+XMPP March 2010 1. Introduction [TODO:ref-to-charter] and [TODO:ref-to-draft] define the requirements and the semantics for combined use of SIP and XMPP servers. Among other things, the combination allows providers to easily use SIP server products with audio/video capabilities together with IM/ presence XMPP ones when building platforms that provide all these features in a single service. Both, the proposed charter, and the draft solution make it clear that server side components should be barely if at all modified and that the effort of making both protocols function as one should be delegated to client-side applications The issue discussed in this problem statement is related to how such client-side applications would be able to determine that a SIP and an XMPP server operate together and that (or if) it would be able to reuse the same set of user credentials (e.g. a user ID and a password) when connecting to both of them. The purpose of this document is to enumerate a ways that would allow this and discuss their various pros and cons. The document does not attempt to open the way for new protocol extensions. The ideal result of this work would be a section in a related specification, that defines a set of assumptions, which clients would be able to make when discovering and connecting to SIP+ XMPP networks, or a separate Best Practices document. 1.1. Why it is important to have a common authentication mechanism. During a previous discussion which took place on the DISPATCH mailing list, various individuals expressed the opinion that the issue at hand need not be explicitly stated in an IETF document. The Internet has already seen an example of a similar situation that was left without a solution. The SMTP [TODO:reference] protocol is often used in conjunction with either POP3 [TODO:reference] or IMAP [TODO:reference] without any explicitly defined relation. As a result, most e-mail clients require users to configure separately their inbound and outbound mail accounts. The concept is often quite confusing to inexperienced users. Some clients have therefore started proposing per-provider account creation wizards which only require users to fill in a user name and a password and then "fill in" the rest according to the setup of the specific provider. The above workaround is of course non-existent for average and small size providers, and it requires an extra effort from application developers that is clearly avoidable. Ivov & Marocco Expires September 3, 2010 [Page 3] Internet-Draft Discovery and Authenticationfor SIP+XMPP March 2010 The following sections of this document briefly discuss simple ways of addressing the issue. 2. Simply stating it ... One relatively simple way of making sure that a URI and a password would be enough to connect to a SIP+XMPP service would consist in allowing clients to make the following assumptions: o after applying the standard XMPP and SIP discovery mechanisms using the supplied URI (i.e. looking up the corresponding SRV DNS records), the client would discover the XMPP and SIP servers that should be used for the newly configured XMPP+SIP account. o The supplied URI and password could be used as authentication credentials for both the XMPP and the SIP service. Needless to say, clients may provide mechanisms (e.g. an "Advanced Configuration" form) that allow users to override the above assumptions and explicitly specify different connection points with different sets of credentials. The mechanism has the advantage of being relatively simple and require no other modifications to server side products other than making sure that user credentials would be valid for both the SIP and XMPP deployments. In many cases however, this would be resolvable through database synchronization and scripting, and hence be applicable to existing server-side implementations. 3. Using the domain in the auth header in SIP or XMPP Participants in the related discussions on the DISPATCH mailing list also suggested using the "domain" parameter of the 'WWW-Authenticate' headers used in SIP authentication challenges. If present such a "domain" parameter may be used as an indication that the target URI would allow XMPP connections with the same credentials. The main advantage of this mechanism is the fact that it allows for a discovery phase that is completely decoupled from the one used by regular SIP and XMPP. This means that service providers could use one set of servers to handle standard SIP and XMPP and then direct users to different addresses for their SIP+XMPP services. Contrary to the DNS-based mechanism however, relying on domain parameters is more likely to require implementation changes since it relies on the parameter being configurable. It hence represents more of a contradiction with the requirements that XMPP+SIP work was chartered with. Ivov & Marocco Expires September 3, 2010 [Page 4] Internet-Draft Discovery and Authenticationfor SIP+XMPP March 2010 Other issues worth noting, are the reliance of this mechanism on authentication methods that support the domain parameter, and the fact that it adds a sequential dependency between the SIP and XMPP authentication procedures. 4. Security Considerations 1. PENDING 5. IANA Considerations None. 6. Acknowledgments Simo Veikkolainen, Markus Isomaki, Peter St. Andre, Roni Even, Scott Lawrence, Spencer Dawkins, and several others provided helpful feedback in the related discussion that took place on the DISPATCH mailing list. 7. Informative References [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. Authors' Addresses Emil Ivov SIP Communicator Strasbourg 67000 France Email: emcho@sip-communicator.org Ivov & Marocco Expires September 3, 2010 [Page 5] Internet-Draft Discovery and Authenticationfor SIP+XMPP March 2010 Enrico Marocco Telecom Italia Via G. Reiss Romoli, 274 Turin 10148 Italy Email: enrico.marocco@telecomitalia.it Ivov & Marocco Expires September 3, 2010 [Page 6]