Side-by-side comparison (rfcdiff): draft-ietf-dhc-options-uap-01.txt vs. rfc2485.txt

draft-ietf-dhc-options-uap-01.txt:

   Network Working Group                                      S. Drach
   INTERNET-DRAFT                                     Sun Microsystems
   Obsoletes: draft-ietf-dhc-options-uap-00.txt         September 1998
   Expires March 1999

             DHCP Option for User Authentication Protocol
                  <draft-ietf-dhc-options-uap-01.txt>

rfc2485.txt:

   Network Working Group                                      S. Drach
   Request for Comments: 2485                         Sun Microsystems
   Category: Standards Track                              January 1999

     DHCP Option for The Open Group's User Authentication Protocol
Status of this Memo

draft-ietf-dhc-options-uap-01.txt:

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

rfc2485.txt:

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice (rfc2485.txt)

   Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract (unchanged in both versions)

   This document defines a DHCP [1] option that contains a list of
   pointers to User Authentication Protocol servers that provide user
   authentication services for clients that conform to The Open Group
   Network Computing Client Technical Standard [2].

Introduction (unchanged in both versions)

   [rfcdiff: unchanged text skipped, resuming at draft line 78 / RFC page 2, line 29]
   ... default port is assumed (i.e., port 80 for http and port 443 for
   https). If the list includes a URL that does not contain a path
   component, the path /uap is assumed.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |            URL list
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code        draft-ietf-dhc-options-uap-01.txt: TBD
               rfc2485.txt: 98

   Length      The length of the data field (i.e., URL list) in
               bytes.

   URL list    A list of one or more URLs separated by the ASCII
               space character (0x20).
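The option layout above is small enough to implement end to end. The following encoder/decoder is an added example, not code from RFC 2485, the draft, or The Open Group; it takes only the wire format (code 98, one-octet length, URL list separated by 0x20) and the defaults (port 80 for http, 443 for https, path /uap) from the text above. The 255-byte limit comes from the one-octet DHCP option length field; all function and constant names are this example's own.

```python
"""Encode and decode the DHCP User Authentication Protocol option (code 98).

Added example, not part of RFC 2485 or the draft. Only the option format
and the port/path defaults are taken from the specification text; the
names used here are this example's own.
"""
from urllib.parse import urlsplit

UAP_OPTION_CODE = 98                        # assigned in RFC 2485 (TBD in draft-01)
DEFAULT_PORTS = {"http": 80, "https": 443}  # defaults stated by the option text
DEFAULT_PATH = "/uap"                       # default path when the URL has none
SEPARATOR = " "                             # ASCII 0x20 between URLs


def encode_uap_option(urls):
    """Return the code/length/data bytes for option 98 from a list of URL strings."""
    if not urls:
        raise ValueError("URL list must contain at least one URL")
    for u in urls:
        if SEPARATOR in u:
            raise ValueError("a URL may not contain the 0x20 separator")
    data = SEPARATOR.join(urls).encode("ascii")
    # The DHCP option length field is a single octet.
    if len(data) > 255:
        raise ValueError("URL list exceeds the 255-byte option length limit")
    return bytes([UAP_OPTION_CODE, len(data)]) + data


def normalize_uap_url(raw):
    """Split one URL and apply the option's port and path defaults.

    Returns (scheme, host, port, path). Rejects schemes other than http and
    https, since the option text defines defaults only for those two.
    """
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; only http and https are defined")
    if parts.hostname is None:
        raise ValueError("URL lacks a host component")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    path = parts.path if parts.path else DEFAULT_PATH
    return (scheme, parts.hostname, port, path)


def decode_uap_option(option_bytes):
    """Parse one option 98 TLV and return the normalized URL tuples.

    Bytes beyond the declared length are ignored (in a real options field
    they belong to the next option); a declared length that runs past the
    available bytes is treated as a truncated, malformed option.
    """
    if len(option_bytes) < 2 or option_bytes[0] != UAP_OPTION_CODE:
        raise ValueError("not a UAP option")
    length = option_bytes[1]
    data = option_bytes[2:2 + length]
    if len(data) != length:
        raise ValueError("truncated option: declared length exceeds available bytes")
    urls = data.decode("ascii").split(SEPARATOR)
    result = []
    for raw in urls:
        if not raw:
            raise ValueError("empty URL in list (doubled, leading or trailing separator)")
        result.append(normalize_uap_url(raw))
    return result


if __name__ == "__main__":
    # Constructed sample: two servers, one relying on every default.
    opt = encode_uap_option(["https://auth.example.com",
                             "http://backup.example.com:8080/login"])
    print(opt)
    for entry in decode_uap_option(opt):
        print(entry)
```

A client that consumes this option would feed each returned tuple to its HTTP or SSL connection code; the decoder deliberately refuses an option whose length runs past the buffer rather than silently shortening the list.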
References

draft-ietf-dhc-options-uap-01.txt:

   Droms, R., "Dynamic Host Configuration Protocol", RFC-2131, March
   1997.

   Technical Standard: Network Computing Client, The Open Group,
   Document Number C801, October 1998.

   Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T. Berners-Lee,
   "Hypertext Transfer Protocol -- HTTP/1.1", RFC-2068, January 1997.

   Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol, Version
   3.0", Internet Draft, November 1996.

   Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform Resource
   Locators (URL)", RFC-1738, December 1994.

   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
   Extensions", RFC-2132, March 1997.

rfc2485.txt:

   [1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
       March 1997.

   [2] Technical Standard: Network Computing Client, The Open Group,
       Document Number C801, October 1998.

   [3] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T.
       Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC
       2068, January 1997.

   [4] Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol,
       Version 3.0", Netscape Communications Corp., November 1996.
       Standards Information Base, The Open Group,
       http://www.db.opengroup.org/sib.htm#SSL_3.

   [5] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
       Resource Locators (URL)", RFC 1738, December 1994.

   [6] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
       Extensions", RFC 2132, March 1997.
Security Considerations

   (unchanged in both versions)

   DHCP currently provides no authentication or security mechanisms.
   Potential exposures to attack are discussed in section 7 of the DHCP
   protocol specification.

   (rfc2485.txt)

   The User Authentication Protocol does not have a means to detect
   whether or not the client is communicating with a rogue
   authentication service that the client contacted because it received
   a forged or otherwise compromised UAP option from a DHCP service
   whose security was compromised. Even secure authentication does not
   provide relief from this type of attack. This security exposure is
   mitigated by the environmental assumptions documented in the Network
   Computing Client Technical Standard.
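Review bot: the paragraph added on the rfc2485.txt side defers the only mitigation for a forged UAP option to unnamed "environmental assumptions" in the Network Computing Client Technical Standard; since the option carries plain http URLs as well as https ones (defaults of port 80 and 443 above), it would help implementers to cite the section of [2] that states those assumptions, and to say whether a client is expected to prefer https entries or otherwise verify the authentication server before sending credentials to it.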
Author's Address (unchanged in both versions)

   Steve Drach
   Sun Microsystems, Inc.
   901 San Antonio Road
   Palo Alto, CA 94303

   Phone: (650) 960-1300
   EMail: drach@sun.com
Full Copyright Statement (rfc2485.txt)
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
End of changes. 15 change blocks. 32 lines changed or deleted, 35 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/