rfcdiff: draft-ietf-krb-wg-tcp-expansion-01.txt (old) vs. draft-ietf-krb-wg-tcp-expansion-02.txt (new)

Network Working Group                                          S. Josefsson
Internet-Draft                                                          SJD
Updates: 4120 (if approved)                       -01: September 13, 2006
                                                  -02: May 2, 2007
Intended status: Standards Track
Expires:                                          -01: March 17, 2007
                                                  -02: November 3, 2007

   Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges Over
                                     TCP
      draft-ietf-krb-wg-tcp-expansion-01 / draft-ietf-krb-wg-tcp-expansion-02
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [unchanged text skipped by the diff at page 1, line 36]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 17, 2007 (-01) / November 3, 2007 (-02).
Copyright Notice

   -01: Copyright (C) The Internet Society (2006).
   -02: Copyright (C) The IETF Trust (2007).
Abstract

   This document describes an extensibility mechanism for the Kerberos
   V5 protocol when used over TCP transports.  The mechanism uses the
   reserved high-bit in the length field.  It can be used to negotiate
   TCP-specific Kerberos extensions.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions used in this document  . . . . . . . . . . . . . .  3
   3.  Extension Mechanism for TCP transport  . . . . . . . . . . . .  3
   4.  Interoperability Consideration . . . . . . . . . . . . . . . .  4
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  5
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  5
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  5 (-01) / 6 (-02)
   8.  Normative References . . . . . . . . . . . . . . . . . . . . .  6
   Appendix A.  Copying conditions  . . . . . . . . . . . . . . . . .  6
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . .  6
   Intellectual Property and Copyright Statements . . . . . . . . . .  7
1.  Introduction

   The Kerberos V5 [3] specification, in section 7.2.2, reserves the high
   order bit in the initial length field for TCP transport for future
   expansion.  This document updates [3] to describe the behaviour when

   [unchanged text skipped by the diff up to page 5, line 25]
5.  Security Considerations

   Because the initial length field is not protected, it is possible for
   an active attacker (i.e., one that is able to modify traffic between
   the client and the KDC) to make it appear to the client that the
   server does not support this extension mechanism (a downgrade
   attack).  Further, active attackers can also interfere with the
   negotiation of which extensions are supported, which may also result
   in a downgrade attack.  This problem can be solved by having a policy
   in the clients and in the KDC to reject connections that do not
   have the desired properties.

   Added in -02: The problem can also be mitigated by having the
   negotiated extension send a cryptographic checksum of the offered
   extensions.
6.  IANA Considerations

   IANA needs to create a new registry for "Kerberos TCP Extensions".
   The initial contents of this registry should be:

   [[RFC Editor: Replace xxxx below with the number of this RFC.]]

   Bit #   Reference
   -----   ---------
   0..29   AVAILABLE for registration.
   30      RESERVED.  RFC XXXX

   IANA will register values 0 to 29 after IESG Approval, as defined in
   BCP 64 [2].  Assigning value 30 requires a Standards Action that
   updates or obsoletes this document.

   Added in -02: Registration policy: The IESG will act as a steward for
   the namespace, considering whether the registration is justified given
   the limited size of the namespace.  The IESG will also confirm that
   proposed registrations are not harmful to the Internet.
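   As an added illustration (not code from the draft or from any Kerberos
   implementation), the following Python decodes the 4-octet field that
   precedes a Kerberos TCP message, builds an extension announcement from
   the registry bit numbers in the table above, and applies the
   connection-rejection policy from Section 5.  Because this diff omits
   the draft's Section 3, the bitmap interpretation and the mapping of
   registry bit 0 to the most significant bit after the high bit are
   assumptions.

```python
import struct

# Assumptions, since the page omits the draft's Section 3: the high bit of
# the 4-octet field marks an extension bitmap, and registry bit 0 is the most
# significant bit after the high bit, so RESERVED bit 30 is the lowest bit.
HIGH_BIT = 1 << 31
RESERVED_BIT = 30


def bit_mask(bit_number):
    """Mask for a registry bit number 0..30 within the 31 low bits."""
    if not 0 <= bit_number <= RESERVED_BIT:
        raise ValueError("registry bit numbers are 0..30")
    return 1 << (RESERVED_BIT - bit_number)


def decode_initial_field(octets):
    """Decode the 4 octets that precede a Kerberos TCP message: ("length", n)
    when the high bit is clear (plain RFC 4120 record length), otherwise
    ("extensions", {registry bit numbers that are set})."""
    if len(octets) != 4:
        raise ValueError("the initial field is exactly 4 octets")
    (value,) = struct.unpack("!I", octets)
    if not value & HIGH_BIT:
        return ("length", value)
    return ("extensions", {b for b in range(RESERVED_BIT + 1) if value & bit_mask(b)})


def encode_extension_field(bits):
    """Build the 4-octet field announcing a set of registry bit numbers."""
    value = HIGH_BIT
    for b in bits:
        value |= bit_mask(b)
    return struct.pack("!I", value)


def acceptable(decoded, required_bits):
    """Policy from the Security Considerations: reject a peer that appears not
    to support the mechanism or that omits a required extension, so clearing
    the high bit or stripping bits yields a refused connection, not a downgrade."""
    kind, payload = decoded
    if kind != "extensions":
        return False
    return set(required_bits) <= payload
```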
7.  Acknowledgements

   -01: Nicolas Williams and Jeffrey Hutzelman provided comments that
   improved the protocol and document.
   -02: Nicolas Williams, Jeffrey Hutzelman, and Sam Hartman provided
   comments that improved the protocol and document.

   Thanks to Andrew Bartlett who pointed out that some implementations
   (MIT Kerberos and Heimdal) did not follow RFC 4120 properly with
   regards to the high bit, which resulted in an Interoperability
   Consideration.
8.  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

   [3]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
        Network Authentication Service (V5)", RFC 4120, July 2005.
Appendix A.  Copying conditions

   -01 only: Copyright (C) 2005, 2006 Simon Josefsson

   Regarding this entire document or any portion of it, the author makes
   no guarantees and is not responsible for any damage resulting from
   its use.  The author grants irrevocable permission to anyone to use,
   modify, and distribute it in any way that does not diminish the
   rights of anyone else to use, modify, and distribute it, provided
   that redistributed derivative works do not contain misleading author
   or version information.  Derivative works need not be licensed under
   similar terms.
Author's Address

   Simon Josefsson
   SJD

   Email: simon@josefsson.org
Full Copyright Statement

   -01: Copyright (C) The Internet Society (2006).
   -02: Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
   (-01 reads "THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
   FORCE" where -02 reads "THE INTERNET SOCIETY, THE IETF TRUST AND THE
   INTERNET ENGINEERING TASK FORCE".)
Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
End of changes.  12 change blocks.  16 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/