draft-ietf-p2psip-share-07.txt   draft-ietf-p2psip-share-08.txt 
P2PSIP Working Group A. Knauf P2PSIP Working Group A. Knauf
Internet-Draft T. Schmidt, Ed. Internet-Draft T. Schmidt, Ed.
Intended status: Standards Track HAW Hamburg Intended status: Standards Track HAW Hamburg
Expires: May 12, 2016 G. Hege Expires: September 21, 2016 G. Hege
daviko GmbH daviko GmbH
M. Waehlisch M. Waehlisch
link-lab & FU Berlin link-lab & FU Berlin
November 9, 2015 March 20, 2016
A Usage for Shared Resources in RELOAD (ShaRe) A Usage for Shared Resources in RELOAD (ShaRe)
draft-ietf-p2psip-share-07 draft-ietf-p2psip-share-08
Abstract Abstract
This document defines a RELOAD Usage for managing shared write access This document defines a RELOAD Usage for managing shared write access
to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic
primitive for enabling various coordination and notification schemes primitive for enabling various coordination and notification schemes
among distributed peers. Access in ShaRe is controlled by a among distributed peers. Access in ShaRe is controlled by a
hierarchical trust delegation scheme maintained within an access hierarchical trust delegation scheme maintained within an access
list. A new USER-CHAIN-ACL access policy allows authorized peers to list. A new USER-CHAIN-ACL access policy allows authorized peers to
write a Shared Resource without owning its corresponding certificate. write a Shared Resource without owning its corresponding certificate.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 12, 2016. This Internet-Draft will expire on September 21, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 28 skipping to change at page 2, line 28
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Shared Resources in RELOAD . . . . . . . . . . . . . . . . . 4 3. Shared Resources in RELOAD . . . . . . . . . . . . . . . . . 4
3.1. Mechanisms for Isolating Stored Data . . . . . . . . . . 5 3.1. Mechanisms for Isolating Stored Data . . . . . . . . . . 5
4. Access Control List Definition . . . . . . . . . . . . . . . 6 4. Access Control List Definition . . . . . . . . . . . . . . . 6
4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 8 4.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 8
5. Extension for Variable Resource Names . . . . . . . . . . . . 9 5. Extension for Variable Resource Names . . . . . . . . . . . . 9
5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 9
5.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 10 5.2. Data Structure . . . . . . . . . . . . . . . . . . . . . 10
5.3. Overlay Configuration Document Extension . . . . . . . . 10 5.3. Overlay Configuration Document Extension . . . . . . . . 10
6. Access Control to Shared Resources . . . . . . . . . . . . . 11 6. Access Control to Shared Resources . . . . . . . . . . . . . 12
6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 12 6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 12
6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 13 6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 13
6.3. Validating Write Access through an ACL . . . . . . . . . 13 6.3. Validating Write Access through an ACL . . . . . . . . . 13
6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 14 6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 14
6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 14 6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 14
6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 14 6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 15
7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 15 7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 15 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 16 8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 16
8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 16 8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 16
8.3. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 16 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 16
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 17
9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 16 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 17
9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 17 9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 17
9.3. XML Name Space Registration . . . . . . . . . . . . . . . 17 9.3. XML Name Space Registration . . . . . . . . . . . . . . . 17
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
10.1. Normative References . . . . . . . . . . . . . . . . . . 17 10.1. Normative References . . . . . . . . . . . . . . . . . . 18
10.2. Informative References . . . . . . . . . . . . . . . . . 18 10.2. Informative References . . . . . . . . . . . . . . . . . 18
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
[RFC6940] defines the base protocol for REsource LOcation And [RFC6940] defines the base protocol for REsource LOcation And
Discovery (RELOAD) that allows for application-specific extensions by Discovery (RELOAD) that allows for application-specific extensions by
Usages. The present document defines such a RELOAD Usage for Usages. The present document defines such a RELOAD Usage for
managing shared write access to RELOAD Resources and a mechanism to managing shared write access to RELOAD Resources and a mechanism to
store Resources with a variable name. The Usage for Shared Resources store Resources with a variable name. The Usage for Shared Resources
in RELOAD (ShaRe) enables overlay users to share their exclusive in RELOAD (ShaRe) enables overlay users to share their exclusive
write access to specific Resource/Kind pairs with others. Shared write access to specific Resource/Kind pairs with others. Shared
Resources form a basic primitive for enabling various coordination Resources form a basic primitive for enabling various coordination
and notification schemes among distributed peers. Write permission and notification schemes among distributed peers. Write permission
is controlled by an Access Control List (ACL) Kind that maintains a is controlled by an Access Control List (ACL) Kind that maintains a
chain of Authorized Peers for a particular Shared Resource. A newly chain of Authorized Peers for a particular Shared Resource. A newly
defined USER-CHAIN-ACL access control policy enables shared write defined USER-CHAIN-ACL access control policy enables shared write
access in RELOAD. access in RELOAD.
The Usage for Shared Resources in RELOAD is designed for jointly The Usage for Shared Resources in RELOAD is designed for jointly
coordinated group applications among distributed peers (e.g., third coordinated group applications among distributed peers (e.g., third
party registration, see [I-D.ietf-p2psip-sip], or distributed party registration, see [I-D.ietf-p2psip-sip], or distributed
conferencing, see[I-D.ietf-p2psip-disco]). Of particular interest conferencing). Of particular interest are rendezvous processes,
are rendezvous processes, where a single identifier is linked to where a single identifier is linked to multiple, dynamic instances of
multiple, dynamic instances of a distributed cooperative service. a distributed cooperative service. Shared write access is based on a
Shared write access is based on a trust delegation mechanism. It trust delegation mechanism. It transfers the authorization to write
transfers the authorization to write a specific Kind data by storing a specific Kind data by storing logical Access Control Lists. An ACL
logical Access Control Lists. An ACL contains the ID of the Kind to contains the ID of the Kind to be shared and contains trust
be shared and contains trust delegations from one authorized to delegations from one authorized to another (previously unauthorized)
another (previously unauthorized) user. user.
Shared write access augments the RELOAD security model, which is Shared write access augments the RELOAD security model, which is
based on the restriction that peers are only allowed to write based on the restriction that peers are only allowed to write
resources at a small set of well defined locations (Resource-IDs) in resources at a small set of well defined locations (Resource-IDs) in
the overlay. Using the standard access control rules in RELOAD, the overlay. Using the standard access control rules in RELOAD,
these locations are bound to the username or Node-ID in the peer's these locations are bound to the username or Node-ID in the peer's
certificate. This document extends the base policies to enable a certificate. This document extends the base policies to enable a
controlled write access for multiple users to a common Resource Id. controlled write access for multiple users to a common Resource Id.
Additionally, this specification defines an optional mechanism to Additionally, this specification defines an optional mechanism to
store Resources with a variable Resource Name. It enables the store Resources with a variable Resource Name. It enables the
storage of Resources whose name complies to a specific pattern. storage of Resources whose name complies to a specific pattern.
Definition of the pattern is arbitrary, but must contain the username Definition of the pattern is arbitrary, but must contain the user
of the Resource creator. name of the Resource creator.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
This document uses the terminology and definitions from the RELOAD This document uses the terminology and definitions from the RELOAD
base [RFC6940] and the peer-to-peer SIP concepts draft base [RFC6940] and [I-D.ietf-p2psip-concepts], in particular the
[I-D.ietf-p2psip-concepts], in particular the RELOAD Usage, Resource RELOAD Usage, Resource and Kind. Additionally, the following terms
and Kind. Additionally, the following terms are used: are used:
Shared Resource: The term Shared Resource in this document defines a Shared Resource: The term Shared Resource in this document defines a
RELOAD Resource with its associated Kinds, that can be written or RELOAD Resource with its associated Kinds, that can be written or
overwritten by multiple RELOAD users following the specifications overwritten by multiple RELOAD users following the specifications
in this document. in this document.
Access Control List: The term Access Control List in this document Access Control List: The term Access Control List in this document
defines a logical list of RELOAD users allowed to write a specific defines a logical list of RELOAD users allowed to write a specific
RELOAD Resource/Kind pair by following the specifications in this RELOAD Resource/Kind pair by following the specifications in this
document. The list items are stored as Access Control List Kinds document. The list items are stored as Access Control List Kinds
skipping to change at page 5, line 44 skipping to change at page 5, line 44
Otherwise the Kind data structure does not contain the Otherwise the Kind data structure does not contain the
ResourceNameExtension structure. ResourceNameExtension structure.
3.1. Mechanisms for Isolating Stored Data 3.1. Mechanisms for Isolating Stored Data
This section defines mechanisms to avoid race conditions while This section defines mechanisms to avoid race conditions while
concurrently writing an array or dictionary of a Shared Resource. concurrently writing an array or dictionary of a Shared Resource.
If a dictionary is used in the Shared Resource, the dictionary key If a dictionary is used in the Shared Resource, the dictionary key
MUST be the Node-ID of the certificate that will be used to sign the MUST be the Node-ID of the certificate that will be used to sign the
stored data. Thus data access is bound to the unique ID holder. stored data. Thus data access is bound to the unique ID holder, and
write concurrency does not occur.
If the data model of the Shared Resource is an array, each Authorized If the data model of the Shared Resource is an array, each Authorized
Peer SHALL obtain its exclusive range of the array indices. The Peer SHALL obtain its exclusive range of the array indices. The
following algorithm will generate an array indexing scheme that following algorithm will generate an array indexing scheme that
avoids collisions. avoids collisions.
1. Obtain the Node-ID of the certificate that will be used to sign 1. Obtain the Node-ID of the certificate that will be used to sign
the stored data the stored data
2. Take the least significant 24 bits of that Node-ID 2. Take the least significant 24 bits of that Node-ID to prefix the
array index
3. Append an 8 bit long short individual index value to those 24 bit 3. Append an 8 bit individual index value to those 24 bit of the
of the Node-ID Node-ID
The resulting 32 bits long integer MUST be used as the index for The resulting 32 bits long integer MUST be used as the index for
storing an array entry in a Shared Resource. The 8 bit individual storing an array entry in a Shared Resource. The 24 bits of the
index can be incremented individually for further array entries and Node-ID serve as a pseudo-random identifier. The 8 bit individual
allows for 256 distinct entries per Peer. index remain under the control of a single Peer and can be
incremented individually for further array entries. In total, each
Peer can generate 256 distinct entries for application-specific use.
The mechanism to create the array index is related to the pseudo- The mechanism to create the array index is related to the pseudo-
random algorithm to generate an SSRC identifier in RTP, see random algorithm to generate an SSRC identifier in RTP, see
Section 8.1 in [RFC3550] for calculating the probability of a Section 8.1 in [RFC3550] for calculating the probability of a
collision. collision (here L=24 is the length of the pseudo-random id).
4. Access Control List Definition 4. Access Control List Definition
4.1. Overview 4.1. Overview
An Access Control List (ACL) is a (self-managed) shared resource that An Access Control List (ACL) is a (self-managed) shared resource that
contains a list of AccessControlListItem structures as defined in contains a list of AccessControlListItem structures as defined in
Section 4.2. Each entry delegates write access for a specific Kind Section 4.2. Each entry delegates write access for a specific Kind
data to a single RELOAD user. An ACL enables the RELOAD user who is data to a single RELOAD user. An ACL enables the RELOAD user who is
authorized to write a specific Resource-ID to delegate his exclusive authorized to write a specific Resource-ID to delegate his exclusive
skipping to change at page 6, line 47 skipping to change at page 6, line 50
write access further for the Authorized Peer. Access Control Lists write access further for the Authorized Peer. Access Control Lists
are stored at the same overlay location as the Shared Resource and are stored at the same overlay location as the Shared Resource and
use the RELOAD array data model. They are initially created by the use the RELOAD array data model. They are initially created by the
Resource Owner. Resource Owner.
Figure 1 shows an example of an Access Control List. We omit the Figure 1 shows an example of an Access Control List. We omit the
res_name_ext field to simplify illustration. The array entry at res_name_ext field to simplify illustration. The array entry at
index 0x123abc001 displays the initial creation of an ACL for a index 0x123abc001 displays the initial creation of an ACL for a
Shared Resource of Kind-ID 1234 at the same Resource-ID. It Shared Resource of Kind-ID 1234 at the same Resource-ID. It
represents the root item of the trust delegation tree for this shared represents the root item of the trust delegation tree for this shared
RELOAD Kind. The root entry MUST contain the username of the RELOAD Kind. The root entry MUST contain the user name of the
Resource owner in the "to_user" field and can only be written by the Resource owner in the "to_user" field and can only be written by the
owner of the public key certificate associated with this Resource-ID. owner of the public key certificate associated with this Resource-ID.
The allow_delegation (ad) flag for a root ACL item is set to 1 by The allow_delegation (ad) flag for a root ACL item is set to 1 by
default. The array index is generated by using the mechanism for default. The array index is generated by using the mechanism for
isolating stored data as described in Section 3.1. Hence, the most isolating stored data as described in Section 3.1. Hence, the most
significant 24 bits of the array index (0x123abc) are the least significant 24 bits of the array index (0x123abc) are the least
significant 24 bits of the Node-ID of the Resource Owner. significant 24 bits of the Node-ID of the Resource Owner.
The array item at index 0x123abc002 represents the first trust The array item at index 0x123abc002 represents the first trust
delegation to an Authorized Peer that is thus permitted to write to delegation to an Authorized Peer that is thus permitted to write to
the Shared Resource of Kind-ID 1234. Additionally, the Authorized the Shared Resource of Kind-ID 1234. Additionally, the Authorized
peer Alice is also granted write access to the ACL as indicated by peer Alice is also granted write access to the ACL as indicated by
skipping to change at page 8, line 25 skipping to change at page 8, line 25
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| 123abc004 | to_user:Carol Kind:4321 ad:0 | Owner | | 123abc004 | to_user:Carol Kind:4321 ad:0 | Owner |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| ... | ... | ... | | ... | ... | ... |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| 456def001 | to_user:Bob Kind:1234 ad:0 | Alice | | 456def001 | to_user:Bob Kind:1234 ad:0 | Alice |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
| ... | ... | ... | | ... | ... | ... |
+-----------+------------------------------+-----------+ +-----------+------------------------------+-----------+
Figure 1: Simplified example of an Access Control including entries Figure 1: Simplified example of an Access Control List including
for two different Kind-IDs and varying delegation (ad) configurations entries for two different Kind-IDs and varying delegation (ad)
configurations
Implementations of ShaRe should be aware that the trust delegation in Implementations of ShaRe should be aware that the trust delegation in
an Access Control List need not be loop free. Self-contained an Access Control List need not be loop free. Self-contained
circular trust delegation from A to B and B to A are syntactically circular trust delegation from A to B and B to A are syntactically
possible, even though not very meaningful. possible, even though not very meaningful.
4.2. Data Structure 4.2. Data Structure
The Kind data structure for the Access Control List is defined as The Kind data structure for the Access Control List is defined as
follows: follows:
skipping to change at page 9, line 12 skipping to change at page 9, line 13
Resource with variable resource name. This name serves the Resource with variable resource name. This name serves the
storing peer for validating, whether a variable resources name storing peer for validating, whether a variable resources name
matches one of the predefined naming pattern from the matches one of the predefined naming pattern from the
configuration document for this Kind. The presence of this field configuration document for this Kind. The presence of this field
is bound to a variable resource name element in the corresponding is bound to a variable resource name element in the corresponding
kind-block of the configuration document whose "enable" attribute kind-block of the configuration document whose "enable" attribute
is set to true (see Section 5.3). Otherwise, if the "enable" is set to true (see Section 5.3). Otherwise, if the "enable"
attribute is false, the res_name_ext field SHALL NOT be present in attribute is false, the res_name_ext field SHALL NOT be present in
the Kind data structure. the Kind data structure.
to_user: This field contains the username of the RELOAD peer that to_user: This field contains the user name of the RELOAD peer that
obtains write permission to the Shared Resource. obtains write permission to the Shared Resource.
kind: This field contains the Kind-ID of the Shared Resource. kind: This field contains the Kind-ID of the Shared Resource.
allow_delegation: If true, this Boolean flag indicates that the allow_delegation: If true, this Boolean flag indicates that the
Authorized Peer in the 'to_user' field is allowed to add Authorized Peer in the 'to_user' field is allowed to add
additional entries to the ACL for the specified Kind-ID. additional entries to the ACL for the specified Kind-ID.
5. Extension for Variable Resource Names 5. Extension for Variable Resource Names
5.1. Overview 5.1. Overview
In certain use cases such as conferencing (c.f. In certain use cases such as conferencing it is desirable to increase
[I-D.ietf-p2psip-disco]) it is desirable to increase the flexibility the flexibility of a peer in using Resource Names beyond those
of a peer in using Resource Names beyond those defined by the defined by the user name or Node-ID fields in its certificate. For
username or Node-ID fields in its certificate. For this purpose, this purpose, this document presents the concept for variable
this document presents the concept for variable Resources Names that Resources Names that enables providers of RELOAD instances to define
enables providers of RELOAD instances to define relaxed naming relaxed naming schemes for overlay Resources.
schemes for overlay Resources.
Each RELOAD node uses a certificate to identify itself using its user Each RELOAD node uses a certificate to identify itself using its user
name (or Node-ID) while storing data under a specific Resource-ID name (or Node-ID) while storing data under a specific Resource-ID
(see Section 7.3 in [RFC6940]). The specifications in this document (see Section 7.3 in [RFC6940]). The specifications in this document
scheme adhere to this paradigm, but enable a RELOAD peer to store scheme adhere to this paradigm, but enable a RELOAD peer to store
values of Resource Names that are derived from the username in its values of Resource Names that are derived from the user name in its
certificate. This is done by using a Resource Name with a variable certificate. This is done by using a Resource Name with a variable
substring that still matches the user name in the certificate using a substring that still matches the user name in the certificate using a
pattern defined in the overlay configuration document. Thus despite pattern defined in the overlay configuration document. Thus despite
being variable, an allowable Resource Name remains tied to the being variable, an allowable Resource Name remains tied to the
Owner's certificate. A sample pattern might be formed as follows. Owner's certificate. A sample pattern might be formed as follows.
Example Pattern: Example Pattern:
.*-conf-$USER@$DOMAIN .*-conf-$USER@$DOMAIN
When defining the pattern, care must be taken to avoid conflicts When defining the pattern, care must be taken to avoid conflicts
arising from two usernames of witch one is a substring of the other. arising from two user names of witch one is a substring of the other.
In such cases, the holder of the shorter name could threaten to block In such cases, the holder of the shorter name could threaten to block
the resources of the longer-named peer by choosing the variable part the resources of the longer-named peer by choosing the variable part
of a Resource Name to contain the entire longer username. This of a Resource Name to contain the entire longer user name. This
problem can easily be mitigated by delimiting the variable part of problem can easily be mitigated by delimiting the variable part of
the pattern from the username part by some fixed string, that by the pattern from the user name part by some fixed string, that by
convention is not part of a username (e.g., the "-conf-" in the above convention is not part of a user name (e.g., the "-conf-" in the
Example). above Example).
5.2. Data Structure 5.2. Data Structure
This section defines the optional ResourceNameExtension structure for This section defines the optional ResourceNameExtension structure for
every Kind that uses the USER-CHAIN-ACL access control policy. every Kind that uses the USER-CHAIN-ACL access control policy.
enum { pattern(1), (255)} ResourceNameType; enum { pattern(1), (255)} ResourceNameType;
struct { struct {
ResourceNameType type; ResourceNameType type;
skipping to change at page 10, line 49 skipping to change at page 10, line 49
being stored. The type "pattern" further indicates that the Resource being stored. The type "pattern" further indicates that the Resource
Name MUST match to one of the variable resource name pattern defined Name MUST match to one of the variable resource name pattern defined
for this Kind in the configuration document. for this Kind in the configuration document.
The ResourceNameType enum and the ResourceNameExtension structure can The ResourceNameType enum and the ResourceNameExtension structure can
be extended by further Usages to define other naming schemes. be extended by further Usages to define other naming schemes.
5.3. Overlay Configuration Document Extension 5.3. Overlay Configuration Document Extension
This section extends the overlay configuration document by defining This section extends the overlay configuration document by defining
new elements for patterns relating resource names to user names. new elements for patterns relating resource names to user names. It
Configurations in this overlay document MUST adhere in syntax and is noteworthy that additional constraints on the syntax and semantic
semantic of names as defined by the context of use. For example, AOR of names can apply according to specific Usages. For example, AOR
syntax restrictions apply when using P2PSIP[I-D.ietf-p2psip-sip], syntax restrictions apply when using P2PSIP[I-D.ietf-p2psip-sip],
while a more general naming is feasible in plain RELOAD. while a more general naming is feasible in plain RELOAD.
The <variable-resource-names> element serves as a container for one The <variable-resource-names> element serves as a container for one
or multiple <pattern> sub-elements. It is an additional parameter or multiple <pattern> sub-elements. It is an additional parameter
within the kind-block and has a boolean "enable" attribute that within the kind-block and has a boolean "enable" attribute that
indicates, if true, that the overlay provider allows variable indicates, if true, that the overlay provider allows variable
resource names for this Kind. The default value of the "enable" resource names for this Kind. The default value of the "enable"
attribute is "false". In the absence of a <variable-resource-names> attribute is "false". In the absence of a <variable-resource-names>
element for a Kind using the USER-CHAIN-ACL access policy (see element for a Kind using the USER-CHAIN-ACL access policy (see
Section 6.6), implementors SHOULD assume this default value. Section 6.6), implementors MUST assume this default value.
A <pattern> element MUST be present if the "enabled" attribute of its A <pattern> element MUST be present if the "enabled" attribute of its
parent element is set to true. Each <pattern> element defines a parent element is set to true. Each <pattern> element defines a
pattern for constructing extended resource names for a single Kind. pattern for constructing extended resource names for a single Kind.
It is of type xsd:string and interpreted as a regular expression It is of type xsd:string and interpreted as a regular expression
according to "POSIX Extended Regular Expression" (see the according to "POSIX Extended Regular Expression" (see the
specifications in [IEEE-Posix]). In this regular expression, $USER specifications in [IEEE-Posix]). In this regular expression, $USER
and $DOMAIN are used as variables for the corresponding parts of the and $DOMAIN are used as variables for the corresponding parts of the
string in the certificate user name field (with $USER preceding and string in the certificate user name field (with $USER preceding and
$DOMAIN succeeding the '@'). Both variables MUST be present in any $DOMAIN succeeding the '@'). Both variables MUST be present in any
given pattern definition. If no pattern is defined for a Kind or the given pattern definition. Furthermore, variable parts in <pattern>
"enable" attribute is false, allowable Resource Names are restricted elements defined in the overlay configuration document MUST remain
to the username of the signer for Shared Resource. syntactically separated from the user name part (e.g., by a dedicated
delimiter) to prevent collisions with other names of other users. If
no pattern is defined for a Kind, if the "enable" attribute is false,
or if the regular expression does not meet the requirements specified
in this section, the allowable Resource Names are restricted to the
user name of the signer for Shared Resource.
The Relax NG Grammar for the Variable Resource Names Extension reads: The Relax NG Grammar for the Variable Resource Names Extension reads:
# VARIABLE RESOURCE URN SUB-NAMESPACE # VARIABLE RESOURCE URN SUB-NAMESPACE
namespace share = "urn:ietf:params:xml:ns:p2p:config-base:share" namespace share = "urn:ietf:params:xml:ns:p2p:config-base:share"
# VARIABLE RESOURCE NAMES ELEMENT # VARIABLE RESOURCE NAMES ELEMENT
kind-parameter &= element share:variable-resource-names { kind-parameter &= element share:variable-resource-names {
skipping to change at page 12, line 4 skipping to change at page 12, line 6
kind-parameter &= element share:variable-resource-names { kind-parameter &= element share:variable-resource-names {
attribute enable { xsd:boolean }, attribute enable { xsd:boolean },
# PATTERN ELEMENT # PATTERN ELEMENT
element share:pattern { xsd:string }* element share:pattern { xsd:string }*
}? }?
6. Access Control to Shared Resources 6. Access Control to Shared Resources
6.1. Granting Write Access 6.1. Granting Write Access
Write access to a Kind that is intended to be shared with other Write access to a Kind that is intended to be shared with other
RELOAD users can solely be initiated by the Resource Owner. A RELOAD users can solely be initiated by the Resource Owner. A
Resource Owner can share RELOAD Kinds by using the following Resource Owner can share RELOAD Kinds by using the following
procedure. procedure.
o The Resource Owner stores an ACL root item at the Resource-ID of o The Resource Owner stores an ACL root item at the Resource-ID of
the Shared Resource. The root item contains the resource name the Shared Resource. The root item contains the resource name
extension field (see Section 5.2), the username of the Resource extension field (see Section 5.2), the user name of the Resource
Owner and Kind-ID of the Shared Resource. The allow_delegation Owner and Kind-ID of the Shared Resource. The allow_delegation
flag is set to 1. The index of array data structure MUST be flag is set to 1. The index of array data structure MUST be
generated as described in Section 3.1 generated as described in Section 3.1
o Further ACL items for this Kind-ID stored by the Resource Owner o Further ACL items for this Kind-ID stored by the Resource Owner
MAY delegate write access to Authorized Peers. These ACL items MAY delegate write access to Authorized Peers. These ACL items
contain the same resource name extension field, the username of contain the same resource name extension field, the user name of
the Authorized Peer and the Kind-Id of the Shared Resource. the Authorized Peer and the Kind-Id of the Shared Resource.
Optionally, the Resource Owner sets the "ad" to 1 (the default Optionally, the Resource Owner sets the "ad" to 1 (the default
equals 0) to enable the Authorized Peer to further delegate write equals 0) to enable the Authorized Peer to further delegate write
access. For each succeeding ACL item, the Resource Owner access. For each succeeding ACL item, the Resource Owner
increments its individual index value by one (see Section 3.1) so increments its individual index value by one (see Section 3.1) so
that items can be stored in the numerical order of the array index that items can be stored in the numerical order of the array index
starting with the index of the root item. starting with the index of the root item.
An Authorized Peer with delegation allowance ("ad"=1) can extend the An Authorized Peer with delegation allowance ("ad"=1) can extend the
access to an existing Shared Resource as follows. access to an existing Shared Resource as follows.
o An Authorized Peer can store additional ACL items at the Resource- o An Authorized Peer can store additional ACL items at the Resource-
ID of the Shared Resource. These ACL items contain the resource ID of the Shared Resource. These ACL items contain the resource
name extension field, the username of the newly Authorized Peer, name extension field, the user name of the newly Authorized Peer,
and the Kind-Id of the Shared Resource. Optionally, the "ad" flag and the Kind-Id of the Shared Resource. Optionally, the "ad" flag
is set to 1 for allowing the Authorized Peer to further delegate is set to 1 for allowing the newly Authorized Peer to further
write access. The array index MUST be generated as described in delegate write access. The array index MUST be generated as
Section 3.1. Each succeeding ACL item can be stored in the described in Section 3.1. Each succeeding ACL item can be stored
numerical order of the array index. in the numerical order of the array index.
A store request by an Authorized Peer that attempts to overwrite any A store request by an Authorized Peer that attempts to overwrite any
ACL item signed by another Peer is unauthorized and causes an ACL item signed by another Peer is unauthorized and causes an
Error_Forbidden response from the Storing Peer. Such access Error_Forbidden response from the Storing Peer. Such access
conflicts could be caused by an array index collision. However, the conflicts could be caused by an array index collision. However, the
probability of a collision of two or more identical array indices probability of a collision of two or more identical array indices
will be negligibly low using the mechanism for isolating stored data will be negligibly low using the mechanism for isolating stored data
(see Section 3.1) (see Section 3.1)
6.2. Revoking Write Access 6.2. Revoking Write Access
skipping to change at page 13, line 20 skipping to change at page 13, line 20
delegations performed by that user including all subsequent delegations performed by that user including all subsequent
delegations. This allows to invalidate entire subtrees of the delegations. This allows to invalidate entire subtrees of the
delegations tree with only a single operation. Overwriting the root delegations tree with only a single operation. Overwriting the root
item with a non-existent value of an Access List invalidates the item with a non-existent value of an Access List invalidates the
entire delegations tree. entire delegations tree.
An existing ACL item MUST only be overwritten by the user who An existing ACL item MUST only be overwritten by the user who
initially stored the corresponding entry, or by the Resource Owner initially stored the corresponding entry, or by the Resource Owner
that is allowed to overwrite all ACL items for revoking write access. that is allowed to overwrite all ACL items for revoking write access.
To protect the privacy of the users, the Resource Owner SHOULD
overwrite all subtrees that have been invalidated.
6.3. Validating Write Access through an ACL 6.3. Validating Write Access through an ACL
Access Control Lists are used to transparently validate authorization Access Control Lists are used to transparently validate authorization
of peers for writing a data value at a Shared Resource. Thereby it of peers for writing a data value at a Shared Resource. Thereby it
is assumed that the validating peer is in possession of the complete is assumed that the validating peer is in possession of the complete
and most recent ACL for a specific Resource/Kind pair. The and most recent ACL for a specific Resource/Kind pair. The
corresponding procedure consists of recursively traversing the trust corresponding procedure consists of recursively traversing the trust
delegation tree and proceeds as follows. delegation tree with strings compared as binary objects. It proceeds
as follows.
1. Obtain the username of the certificate used for signing the data 1. Obtain the user name of the certificate used for signing the data
stored at the Shared Resource. stored at the Shared Resource.
2. Validate that an item of the corresponding ACL (i.e., for this 2. Validate that an item of the corresponding ACL (i.e., for this
Resource/Kind pair) contains a "to_user" field whose value equals Resource/Kind pair) contains a "to_user" field whose value equals
the username obtained in step 1. If the Shared Resource under the user name obtained in step 1. If the Shared Resource under
examination is an Access Control List Kind, further validate if examination is an Access Control List Kind, further validate if
the "ad" flag is set to 1. the "ad" flag is set to 1.
3. Select the username of the certificate that was used to sign the 3. Select the user name of the certificate that was used to sign the
ACL item obtained in step 2. ACL item obtained in step 2.
4. Validate that an item of the corresponding ACL contains a 4. Validate that an item of the corresponding ACL contains a
"to_user" field whose value equals the username obtained in step "to_user" field whose value equals the user name obtained in step
3. Additionally validate that the "ad" flag is set to 1. 3. Additionally validate that the "ad" flag is set to 1.
5. Repeat steps 3 and 4 until the "to_user" value is equal to the 5. Repeat steps 3 and 4 until the "to_user" value is equal to the
username of the signer of the previously selected ACL item. This user name of the signer of the previously selected ACL item.
final ACL item is expected to be the root item of this ACL which This final ACL item is expected to be the root item of this ACL
SHALL be further validated by verifying that the root item was which MUST be further validated by verifying that the root item
signed by the owner of the ACL Resource. was signed by the owner of the ACL Resource.
The trust delegation chain is valid if and only if all verification The trust delegation chain is valid if and only if all verification
steps succeed. In this case, the creator of the data value of the steps succeed. In this case, the creator of the data value of the
Shared Resource is an Authorized Peer. Shared Resource is an Authorized Peer.
Note that the ACL validation procedure can be omitted whenever the Note that the ACL validation procedure can be omitted whenever the
creator of data at a Shared Resource is the Resource Owner itself. creator of data at a Shared Resource is the Resource Owner itself.
The latter can be verified by its public key certificate as defined The latter can be verified by its public key certificate as defined
in Section 6.6. in Section 6.6.
skipping to change at page 15, line 16 skipping to change at page 15, line 22
following one of the specified naming pattern. Hence, on an inbound following one of the specified naming pattern. Hence, on an inbound
store request on a Kind that uses the USER-CHAIN-ACL access policy, store request on a Kind that uses the USER-CHAIN-ACL access policy,
the following rules MUST be applied: the following rules MUST be applied:
In the USER-CHAIN-ACL policy, a given value MUST be written or In the USER-CHAIN-ACL policy, a given value MUST be written or
overwritten, if either one of USER-MATCH or USER-NODE-MATCH overwritten, if either one of USER-MATCH or USER-NODE-MATCH
(mandatory if the data model is dictionary) access policies of the (mandatory if the data model is dictionary) access policies of the
base document [RFC6940] applies. base document [RFC6940] applies.
Otherwise, the value MUST be written if the certificate of the signer Otherwise, the value MUST be written if the certificate of the signer
contains a username that matches to one of the variable resource name contains a user name that matches to the user and domain portion in
pattern (c.f. Section 5) specified in the configuration document one of the variable resource name patterns (c.f. Section 5)
and, additionally, the hashed Resource Name matches the Resource-ID. specified in the configuration document and, additionally, the hashed
The Resource Name of the Kind to be stored MUST be taken from the Resource Name matches the Resource-ID. The Resource Name of the Kind
mandatory ResourceNameExtension field in the corresponding Kind data to be stored MUST be taken from the mandatory ResourceNameExtension
structure. field in the corresponding Kind data structure.
Otherwise, the value MUST be written if the ACL validation procedure Otherwise, the value MUST be written if the ACL validation procedure
described in Section 6.3 has been successfully applied. described in Section 6.3 has been successfully applied.
Otherwise, the store request MUST be denied.
7. ACCESS-CONTROL-LIST Kind Definition 7. ACCESS-CONTROL-LIST Kind Definition
This section defines the ACCESS-CONTROL-LIST Kind previously This section defines the ACCESS-CONTROL-LIST Kind previously
described in this document. described in this document.
Name: ACCESS-CONTROL-LIST Name: ACCESS-CONTROL-LIST
Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the
Resource Name of the Kind that will be shared by using the ACCESS- Resource Name of the Kind that will be shared by using the ACCESS-
CONTROL-LIST Kind. CONTROL-LIST Kind.
skipping to change at page 16, line 33 skipping to change at page 16, line 38
small set of misbehaving peers. This is not different for Shared small set of misbehaving peers. This is not different for Shared
Resources since a small set of malicious peers does not disrupt the Resources since a small set of malicious peers does not disrupt the
functionality of the overlay in general, but may have implications functionality of the overlay in general, but may have implications
for the peers needing to store or access information at the specific for the peers needing to store or access information at the specific
locations in the ID space controlled by a malicious peer. A storing locations in the ID space controlled by a malicious peer. A storing
peer could withhold stored data which results in a denial of service peer could withhold stored data which results in a denial of service
to the group using the specific resource. But it could not return to the group using the specific resource. But it could not return
forged data, since the validity of any stored data can be forged data, since the validity of any stored data can be
independently verified using the attached signatures. independently verified using the attached signatures.
8.3. Privacy Issues 8.3. Trust Delegation to a Malicious or Misbehaving Peer
All data stored in the Shared Resource is publicly readable, thus A Resource Owner that erroneously delegated write access to a Shared
applications requiring privacy need to encrypt the data. The ACL Resource for a misbehaving peer enables this malicious member of the
needs to be stored unencrypted, thus the list members of a group overlay to interfere with the corresponding group application in
using a Shared Resource will always be publicly visible. several unwanted ways. Examples of destructive interferences range
from exhausting shared storage to dedicated application-specific
misuse. Additionally, a bogus peer that was granted delegation
rights may authorize further malicious collaborators to writing the
Shared Resource.
It is the obligation of the Resource Owner to bind trust delegation
to apparent trustworthiness. Additional measures to monitor proper
behavior may be applied. In any case, the Resource Owner will be
able to revoke trust delegation of an entire tree in a single
overwrite operation. It further holds the right to overwrite any
malicious contributions to the shared resource under misuse.
8.4. Privacy Issues
All data stored in the Shared Resource is readable by any node in the
overlay, thus applications requiring privacy need to encrypt the
data. The ACL needs to be stored unencrypted, thus the list members
of a group using a Shared Resource will always be publicly visible.
9. IANA Considerations 9. IANA Considerations
9.1. Access Control Policy 9.1. Access Control Policy
IANA shall register the following entry in the "RELOAD Access Control IANA shall register the following entry in the "RELOAD Access Control
Policies" Registry (cf., [RFC6940]) to represent the USER-CHAIN-ACL Policies" Registry (cf., [RFC6940]) to represent the USER-CHAIN-ACL
Access Control Policy, as described in Section 6.6. [NOTE TO IANA/ Access Control Policy, as described in Section 6.6. [NOTE TO IANA/
RFC-EDITOR: Please replace RFC-AAAA with the RFC number for this RFC-EDITOR: Please replace RFC-AAAA with the RFC number for this
specification in the following list.] specification in the following list.]
skipping to change at page 17, line 21 skipping to change at page 17, line 41
IANA shall register the following code point in the "RELOAD Data IANA shall register the following code point in the "RELOAD Data
Kind-ID" Registry (cf., [RFC6940]) to represent the ShaRe ACCESS- Kind-ID" Registry (cf., [RFC6940]) to represent the ShaRe ACCESS-
CONTROL-LIST kind, as described in Section 7. [NOTE TO IANA/RFC- CONTROL-LIST kind, as described in Section 7. [NOTE TO IANA/RFC-
EDITOR: Please replace RFC-AAAA with the RFC number for this EDITOR: Please replace RFC-AAAA with the RFC number for this
specification in the following list.] specification in the following list.]
+----------------------+------------+----------+ +----------------------+------------+----------+
| Kind | Kind-ID | RFC | | Kind | Kind-ID | RFC |
+----------------------+------------+----------+ +----------------------+------------+----------+
| ACCESS-CONTROL-LIST | 17 | RFC-AAAA | | ACCESS-CONTROL-LIST | TBD | RFC-AAAA |
+----------------------+------------+----------+ +----------------------+------------+----------+
9.3. XML Name Space Registration 9.3. XML Name Space Registration
This document registers the following URI for the config XML This document registers the following URI for the config XML name
namespace in the IETF XML registry defined in [RFC3688] space in the IETF XML registry defined in [RFC3688]
URI: urn:ietf:params:xml:ns:p2p:config-base:share URI: urn:ietf:params:xml:ns:p2p:config-base:share
Registrant Contact: The IESG Registrant Contact: The IESG
XML: N/A, the requested URI is an XML name space
XML: N/A, the requested URI is an XML namespace
10. References 10. References
10.1. Normative References 10.1. Normative References
[IEEE-Posix] [IEEE-Posix]
"IEEE Standard for Information Technology - Portable "IEEE Standard for Information Technology - Portable
Operating System Interface (POSIX) - Part 2: Shell and Operating System Interface (POSIX) - Part 2: Shell and
Utilities (Vol. 1)", IEEE Std 1003.2-1992, ISBN Utilities (Vol. 1)", IEEE Std 1003.2-1992, ISBN
1-55937-255-9, January 1993. 1-55937-255-9, January 1993.
skipping to change at page 18, line 19 skipping to change at page 18, line 35
[RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S., [RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S.,
and H. Schulzrinne, "REsource LOcation And Discovery and H. Schulzrinne, "REsource LOcation And Discovery
(RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940, (RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940,
January 2014, <http://www.rfc-editor.org/info/rfc6940>. January 2014, <http://www.rfc-editor.org/info/rfc6940>.
10.2. Informative References 10.2. Informative References
[I-D.ietf-p2psip-concepts] [I-D.ietf-p2psip-concepts]
Bryan, D., Matthews, P., Shim, E., Willis, D., and S. Bryan, D., Matthews, P., Shim, E., Willis, D., and S.
Dawkins, "Concepts and Terminology for Peer to Peer SIP", Dawkins, "Concepts and Terminology for Peer to Peer SIP",
draft-ietf-p2psip-concepts-07 (work in progress), May draft-ietf-p2psip-concepts-08 (work in progress), February
2015. 2016.
[I-D.ietf-p2psip-disco]
Knauf, A., Schmidt, T., Hege, G., and M. Waehlisch, "A
RELOAD Usage for Distributed Conference Control (DisCo)",
draft-ietf-p2psip-disco-02 (work in progress), July 2013.
[I-D.ietf-p2psip-sip] [I-D.ietf-p2psip-sip]
Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., Jennings, C., Lowekamp, B., Rescorla, E., Baset, S.,
Schulzrinne, H., and T. Schmidt, "A SIP Usage for RELOAD", Schulzrinne, H., and T. Schmidt, "A SIP Usage for RELOAD",
draft-ietf-p2psip-sip-15 (work in progress), July 2015. draft-ietf-p2psip-sip-17 (work in progress), March 2016.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <http://www.rfc-editor.org/info/rfc3550>. July 2003, <http://www.rfc-editor.org/info/rfc3550>.
Acknowledgments Acknowledgments
This work was stimulated by fruitful discussions in the P2PSIP This work was stimulated by fruitful discussions in the P2PSIP
working group and SAM research group. We would like to thank all working group and SAM research group. We would like to thank all
active members for constructive thoughts and feedback. In active members for constructive thoughts and feedback. In
particular, the authors would like to thank (in alphabetical order) particular, the authors would like to thank (in alphabetical order)
Emmanuel Baccelli, Lothar Grimm, Cullen Jennings, Peter Musgrave, Emmanuel Baccelli, Alissa Cooper Lothar Grimm, Cullen Jennings, Peter
Joerg Ott, Marc Petit-Huguenin, Peter Pogrzeba, and Jan Seedorf. Musgrave, Joerg Ott, Marc Petit-Huguenin, Peter Pogrzeba, and Jan
This work was partly funded by the German Federal Ministry of Seedorf. This work was partly funded by the German Federal Ministry
Education and Research, projects HAMcast, Mindstone, and SAFEST. of Education and Research, projects HAMcast, Mindstone, and SAFEST.
Authors' Addresses Authors' Addresses
Alexander Knauf Alexander Knauf
HAW Hamburg HAW Hamburg
Berliner Tor 7 Berliner Tor 7
Hamburg D-20099 Hamburg D-20099
Germany Germany
Phone: +4940428758067 Phone: +4940428758067
Email: alexanderknauf@gmail.com Email: alexanderknauf@gmail.com
Thomas C. Schmidt Thomas C. Schmidt
 End of changes. 54 change blocks. 
104 lines changed or deleted 135 lines changed or added

This html diff was produced by rfcdiff 1.44. The latest version is available from http://tools.ietf.org/tools/rfcdiff/