I also believe there is a strong need to differentiate the authentication of
SIP network elements (trusted devices: typically SIP UA, both UAC&UAS) and
users (in the sense of end-user or service subscriber).  

--- why?
When a VoIP gateway starts, it gets access to the network resources&services
as a trusted element in the VoIP network: the term "gateway registration"
could be used to differentiate from "end-user authentication".  Typically,
once authenticated or registered to network services, the gateway gets
access to resources like a proxy server, location server, and services like
software updates, etc.  For the VoIP network, it means the trusted gw is now
ready to originate (UAC) & terminate calls (UAS) so I can add it to my call
routing tables as a live GW.
The case of authenticating the SIP GW as a valid UAS helps to get away from
the subscriber-centric authentication.

End-user authentication is independent and it can be based on ANI, DNIS (all
calls to 1-800 from a trusted network element are ok or even all 911 calls
get through no matter what), etc.  This is the typical debit card service
case of VoIP.  The "end-user" authentication is more on a transaction basis
while the gw authentication scope can be beyond SIP transactions.

Finally, think about a network service provider in a wholesale context: the
nsp owns the network and network elements but allows other debit card
service providers to plug their debit card app.  The nsp would still want
trusted network elements.

--- how?
The realm is doable; it would require changing the definition of realm in
2543bis ("realm: A string to be displayed to users so they know which
identity to use.")

--- various comments on the thread:
Jonathan wrote:
> Let me rephrase the problem. A user makes a call from a PSTN phone
> through a PSTN->SIP gateway. This call arrives at a proxy server, then
> gets routed to a UAS. Either or both of the proxy/UAS might challenge
> this request. In this case, who is being authenticated, the gateway
> itself, or the user calling in through the gateway? If it's the user
> themselves, how would that work?
I would encourage us to use "end-user".

Mike Thomas wrote:
>    I think it's a slippery slope trying to draw
>    a difference between "gateway" and "user". A 
I disagree (see above) and also simply because the scope of "gateway"
authentication is beyond a pure "SIP transaction", which is the case for "user
authentication".

>    for an identity in its realm. This is consistent
>    with real life: I have a drivers license for
>    driving, a credit card for buying dinner and
Sure.  
You also have a car "registration" which allows multiple people to drive
your car, and all of them have a license, right?  The car registration in
some countries proves that you have car insurance, that your car meets some
regulatory requirements (pollution, for example), etc.

Jean-Francois Mule'
Clarent Corporation
