draft-ietf-dhc-pktc-kerb-tckt-00.txt   draft-ietf-dhc-pktc-kerb-tckt-01.txt 
Internet Engineering Task Force P. Duffy Internet Engineering Task Force P. Duffy
INTERNET DRAFT Cisco Systems INTERNET DRAFT Cisco Systems
DHC Working Group January 2003 DHC Working Group March 2003
Document: draft-ietf-dhc-pktc-kerb-tckt-00.txt Document: draft-ietf-dhc-pktc-kerb-tckt-01.txt
Kerberos Ticket Control Sub-option Security Ticket Control Sub-option
for the CableLabs Client Configuration Option. for the CableLabs Client Configuration Option.
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC 2026. with all provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
skipping to change at line 41 skipping to change at line 41
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
This document defines a new sub-option for the CableLabs Client This document defines a new sub-option for the CableLabs Client
Configuration (CCC) Option. This new sub-option will be used to Configuration (CCC) Option. This new sub-option will be used to
direct CableLabs Client Devices (CCDs) to invalidate locally direct CableLabs Client Devices (CCDs) to invalidate locally
persisted Kerberos tickets. persisted security tickets.
1. Conventions used in this document 1. Conventions used in this document
Duffy 1 Duffy 1
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
RFC 2119 [2]. RFC 2119 [2].
2. Terminology 2. Terminology
Definitions of terms/acronyms used throughout this document: Definitions of terms/acronyms used throughout this document:
CCC - CableLabs Client Configuration option, described in [1]. CCC - CableLabs Client Configuration option, defined in [1].
CCD - CableLabs Client Device. A PacketCable MTA is an example CCD - CableLabs Client Device. A PacketCable MTA is an example
of a CCD. of a CCD.
KTC - Kerberos Ticket Control. The CCC sub-option described in STC - Security Ticket Control. The CCC sub-option described in
this document. this document.
MTA - Media Terminal Adapter. The CCD specific to the PacketCable MTA - Media Terminal Adapter. The CCD specific to the PacketCable
architecture. architecture.
PacketCable - multimedia architecture developed by CableLabs. See PacketCable - multimedia architecture developed by CableLabs. See
[6] for full details. [7] for full details.
Security Ticket - a data object used to support establishment of
authentication and privacy relationships. Defined in the
PacketCable Security Specification[3].
3. Introduction 3. Introduction
The CableLabs Client Configuration Option [1] defines several sub- The CableLabs Client Configuration Option [1] defines several sub-
options used to configure devices deployed into CableLabs options used to configure devices deployed within CableLabs
architectures. These architectures employ the Kerberos protocol architectures. These architectures implement the PacketCable
[3] to support CCD authentication and establishment of security Security Specification [3] (based on Kerberos V5 [4]) to support
associations between CCDs and application servers. CCD authentication and establishment of security associations
between CCDs and application servers.
CCDs are permitted to locally persist Kerberos tickets. Thus a CCDs are permitted to retain security tickets in local persistent
power-cycled CCD is enabled to avoid expensive ticket acquisition storage. Thus a power-cycled CCD is enabled to avoid expensive
for locally persisted, non-expired tickets. This feature greatly ticket acquisition for locally persisted, non-expired tickets.
reduces the Kerberos overhead of a deployment. This feature greatly reduces the security overhead of a
deployment.
This sub-option allows the service provider to control the This sub-option allows the service provider to control the
lifetime of Kerberos tickets persisted locally on a CCD. The lifetime of tickets persisted locally on a CCD. The service
service provider requires this capability to support operational
functions such as disabling a subscriber's service, forcing re-
establishment of security associations, or for testing and remote
diagnostic of CCDs.
Duffy Expires July 2003 2 Duffy Expires September 2003 2
4. Kerberos Ticket Control Sub-option provider requires this capability to support operational
functions such as forcing authentication, remote testing, and
remote diagnostics of CCDs.
It should be noted that, although based on the Kerberos V5 RFC
[4], the PacketCable Security Specification is not a strict
implementation of this RFC. See [3] for details of the
PacketCable Security Specification.
4. Security Ticket Control Sub-option
This sub-option defines a Ticket Control Mask (TCM) that This sub-option defines a Ticket Control Mask (TCM) that
instructs the CCD to validate/invalidate specific application instructs the CCD to validate/invalidate specific application
server tickets. The sub-option is encoded as follows: server tickets. The sub-option is encoded as follows:
Code Len TCM Code Len TCM
+-----+-----+-----+-----+ +-----+-----+-----+-----+
| TBD | 2 | m1 | m2 | | TBD | 2 | m1 | m2 |
+-----+-----+-----+-----+ +-----+-----+-----+-----+
The length MUST be 2. The TCM field is encoded as an unsigned 16 The length MUST be 2. The TCM field is encoded as an unsigned 16
bit quantity per network byte-ordering rules. Each bit of the TCM bit quantity per network byte-ordering rules. Each bit of the TCM
is assigned to a specific server or server group. A bit value of 0 is assigned to a specific server or server group. A bit value of
means the CCD MUST NOT invalidate the locally persisted ticket for 0 means the CCD MUST apply normal invalidation rules (defined in
the server/server group. A bit value of 1 means the CCD MUST [3]) to the locally persisted ticket for the server/server group.
invalidate the locally persisted ticket for the server/server A bit value of 1 means the CCD MUST immediately invalidate the
group. locally persisted ticket for the server/server group.
Bit #0 is the least significant bit of the field. The bit Bit #0 is the least significant bit of the field. The bit
positions are assigned as follows. positions are assigned as follows.
Bit #0 - the PacketCable Provisioning Server used by the CCD. Bit #0 - the PacketCable Provisioning Server used by the CCD.
Bit #1 - the group of all PacketCable Call Management Servers Bit #1 - the group of all PacketCable Call Management Servers
used by the CCD. used by the CCD.
Bit #2 - #15. Reserved and MUST be set to 0. Bit #2 - #15. Reserved and MUST be set to 0.
If a CCD does not locally persist Kerberos tickets, it MUST If a CCD does not locally persist tickets, it MUST ignore this
ignore this sub-option. sub-option.
5. IANA Considerations 5. IANA Considerations
Duffy Expires September 2003 3
IANA is requested to assign a sub-option code to this sub-option IANA is requested to assign a sub-option code to this sub-option
from the "CableLabs Client Configuration" sub-option number space from the "CableLabs Client Configuration" sub-option number space
(maintained within the BOOTP-DHCP Parameters Registry). (maintained within the BOOTP-DHCP Parameters Registry).
6. Security Considerations 6. Security Considerations
Potential DHCP protocol attack exposure is discussed in section 7 Potential DHCP protocol attack exposure is discussed in section 7
of the DHCP protocol specification [4] and in Authentication for of the DHCP protocol specification [5] and in Authentication for
DHCP Messages [5]. Additional CCC attack exposure is discussed DHCP Messages [6]. Additional CCC attack exposure is discussed
in [1]. in [1].
Duffy Expires July 2003 3 The STC sub-option could be used to disrupt a CableLabs
The KTC sub-option could be used to disrupt a CableLabs
architecture deployment. In the specific case of PacketCable architecture deployment. In the specific case of PacketCable
[6], a deployment could be disrupted if a large number of MTAs [7], a deployment could be disrupted if a large number of MTAs
are reset/power cycled, initiate their provisioning flow [7], and are reset/power cycled, initiate their provisioning flow [8], and
are instructed by a malicious DHCP server to invalidate all are instructed by a malicious DHCP server to invalidate all
Kerberos tickets. This could lead to a Denial of Service (DoS) security tickets. This could lead to a Denial of Service (DoS)
condition as this large set of MTAs simultaneously attempt to condition as this large set of MTAs simultaneously attempt to
authenticate and obtain tickets from the Kerberos infrastructure. authenticate and obtain tickets from the security infrastructure.
However, the scenario described above is unlikely to occur. However, the scenario described above is unlikely to occur.
Within the cable delivery architecture required by PacketCable Within the cable delivery architecture required by the various
(and other CableLabs architectures), the DHCP client is connected CableLabs projects, the DHCP client is connected to a network
to a network through a cable modem and the CMTS (head-end). The through a cable modem and the CMTS (head-end). The CMTS is
CMTS is explicitly configured with a set of DHCP servers to which explicitly configured with a set of DHCP servers to which DHCP
DHCP requests are forwarded. Further, a correctly configured requests are forwarded. Further, a correctly configured CMTS
CMTS will only allow downstream traffic from specific IP will only allow downstream traffic from specific IP
addresses/ranges. addresses/ranges.
7. References 7. References
7.1. Normative 7.1. Normative
[1] B. Beser and P. Duffy, "DHCP Option for CableLabs Client [1] B. Beser and P. Duffy, "DHCP Option for CableLabs Client
Configuration", http://www.ietf.org/internet-drafts/draft-ietf- Configuration", http://www.ietf.org/internet-drafts/draft-ietf-
dhc-packetcable-06.txt, January 2003. dhc-packetcable-06.txt, January 2003.
[2] S. Bradner, "Key words for use in RFCs to Indicate Requirement [2] S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[3] "PacketCable Security Specification", PKT-SP-SEC-I07-021127,
http://www.packetcable.com/specifications.html
7.2. Informational 7.2. Informational
[3] J. Kohl and C. Neuman, "The Kerberos Network Authentication Duffy Expires September 2003 4
[4] J. Kohl and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993. Service (V5)", RFC 1510, September 1993.
[4] R. Droms, "Dynamic Host Configuration Protocol", RFC 2131, [5] R. Droms, "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[5] R. Droms and W. Arbaugh, "Authentication for DHCP Messages", [6] R. Droms and W. Arbaugh, "Authentication for DHCP Messages",
RFC 3118, June 2001 RFC 3118, June 2001
Duffy Expires July 2003 4 [7] "PacketCable Architecture Framework Technical Report", PKT-
[6] "PacketCable Architecture Framework Technical Report", PKT-
TR-ARCH-V01-991201, TR-ARCH-V01-991201,
http://www.packetcable.com/specifications.html http://www.packetcable.com/specifications.html
[7] "PacketCable MTA Device Provisioning Specification", PKT-SP- [8] "PacketCable MTA Device Provisioning Specification", PKT-SP-
PROV-I05-021127. http://www.packetcable.com/specifications.html PROV-I05-021127. http://www.packetcable.com/specifications.html
8. Acknowledgments 8. Acknowledgments
The author would like to acknowledge the effort of all those who The author would like to acknowledge the effort of all those who
contributed to the development of the PacketCable Provisioning contributed to the development of the PacketCable Provisioning
specifications: specifications:
Sumanth Channabasappa (Alopa Networks); Angela Lyda, Rick Morris, Sumanth Channabasappa (Alopa Networks); Angela Lyda, Rick Morris,
Rodney Osborne (Arris Interactive); Steven Bellovin and Chris Rodney Osborne (Arris Interactive); Steven Bellovin and Chris
Melle (AT&T); Eugene Nechamkin (Broadcom); John Berg, Maria Melle (AT&T); Eugene Nechamkin (Broadcom); John Berg, Maria
Stachelek, Matt Osman (CableLabs); Klaus Hermanns, Azita Kia, Stachelek, Matt Osman (CableLabs); Klaus Hermanns, Azita Kia,
Michael Thomas, Paul Duffy (Cisco); Deepak Patil (Com21); Jeff Michael Thomas, Paul Duffy (Cisco); Deepak Patil (Com21); Jeff
Ollis, Rick Vetter (General Instrument/Motorola); Roger Loots, Ollis, Rick Vetter (General Instrument/Motorola); Roger Loots,
David Walters (Lucent); Peter Bates (Telcordia); Patrick Meehan David Walters (Lucent); Peter Bates (Telcordia); Patrick Meehan
(Tellabs); Satish Kumar, Itay Sherman, Roy Spitzer (Telogy/TI), (Tellabs); Satish Kumar, Itay Sherman, Roy Spitzer (Telogy/TI),
Aviv Goren (Terayon); Prithivraj Narayanan (Wipro), and Burcak Aviv Goren (Terayon); Prithivraj Narayanan (Wipro), Burcak Beser
Beser (Juniper Networks). (Juniper Networks), and Rich Woundy (Comcast).
The author would also like to extend a special "thank you" to
Eugene Nechamkin (Broadcom), David Atwood (Motorola), and Eric
RosenFeld (CableLabs) for their thoughtful inputs.
9. Author's Addresses 9. Author's Addresses
Paul Duffy Paul Duffy
Cisco Systems Cisco Systems
300 Apollo Drive 300 Apollo Drive
Duffy Expires September 2003 5
Chelmsford, MA, 01824 Chelmsford, MA, 01824
Email: paduffy@cisco.com Email: paduffy@cisco.com
10. Full Copyright Statement 10. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared, explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to way, such as by removing the copyright notice or references to
Duffy Expires July 2003 5
the Internet Society or other Internet organizations, except as the Internet Society or other Internet organizations, except as
needed for the purpose of developing Internet standards in which needed for the purpose of developing Internet standards in which
case the procedures for copyrights defined in the Internet case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate Standards process must be followed, or as required to translate
it into languages other than English. it into languages other than English.
The limited permissions granted above are perpetual and will not The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns. be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on This document and the information contained herein is provided on
skipping to change at line 245 skipping to change at line 263
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. PURPOSE.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
Duffy Expires July 2003 6 Duffy Expires September 2003 6
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/