--- 1/draft-ietf-p2psip-share-09.txt 2016-11-13 20:13:07.993374351 -0800 +++ 2/draft-ietf-p2psip-share-10.txt 2016-11-13 20:13:08.033375343 -0800 @@ -1,22 +1,22 @@ P2PSIP Working Group A. Knauf Internet-Draft T. Schmidt, Ed. Intended status: Standards Track HAW Hamburg -Expires: April 13, 2017 G. Hege +Expires: May 17, 2017 G. Hege daviko GmbH M. Waehlisch link-lab & FU Berlin - October 10, 2016 + November 13, 2016 A Usage for Shared Resources in RELOAD (ShaRe) - draft-ietf-p2psip-share-09 + draft-ietf-p2psip-share-10 Abstract This document defines a RELOAD Usage for managing shared write access to RELOAD Resources. Shared Resources in RELOAD (ShaRe) form a basic primitive for enabling various coordination and notification schemes among distributed peers. Access in ShaRe is controlled by a hierarchical trust delegation scheme maintained within an access list. A new USER-CHAIN-ACL access policy allows authorized peers to write a Shared Resource without owning its corresponding certificate. @@ -32,21 +32,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 13, 2017. + This Internet-Draft will expire on May 17, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -73,56 +73,56 @@ 6.1. Granting Write Access . . . . . . . . . . . . . . . . . . 12 6.2. Revoking Write Access . . . . . . . . . . . . . . . . . . 13 6.3. Validating Write Access through an ACL . . . . . . . . . 13 6.4. Operations of Storing Peers . . . . . . . . . . . . . . . 14 6.5. Operations of Accessing Peers . . . . . . . . . . . . . . 14 6.6. USER-CHAIN-ACL Access Policy . . . . . . . . . . . . . . 15 7. ACCESS-CONTROL-LIST Kind Definition . . . . . . . . . . . . . 15 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8.1. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 16 8.2. Malicious or Misbehaving Storing Peer . . . . . . . . . . 16 - 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 16 + 8.3. Trust Delegation to a Malicious or Misbehaving Peer . . . 17 8.4. Privacy Issues . . . . . . . . . . . . . . . . . . . . . 17 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 9.1. Access Control Policy . . . . . . . . . . . . . . . . . . 17 9.2. Data Kind-ID . . . . . . . . . . . . . . . . . . . . . . 17 9.3. XML Name Space Registration . . . . . . . . . . . . . . . 18 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 10.1. Normative References . . . . . . . . . . . . . . . . . . 18 10.2. Informative References . . . . . . . . . . . . . . . . . 18 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 1. Introduction [RFC6940] defines the base protocol for REsource LOcation And - Discovery (RELOAD) that allows for application-specific extensions by - Usages. The present document defines such a RELOAD Usage for + Discovery (RELOAD), which allows for application-specific extensions + by Usages. The present document defines such a RELOAD Usage for managing shared write access to RELOAD Resources and a mechanism to - store Resources with a variable name. The Usage for Shared Resources + store Resources with variable names. The Usage for Shared Resources in RELOAD (ShaRe) enables overlay users to share their exclusive write access to specific Resource/Kind pairs with others. Shared Resources form a basic primitive for enabling various coordination and notification schemes among distributed peers. Write permission is controlled by an Access Control List (ACL) Kind that maintains a chain of Authorized Peers for a particular Shared Resource. A newly defined USER-CHAIN-ACL access control policy enables shared write access in RELOAD. The Usage for Shared Resources in RELOAD is designed for jointly coordinated group applications among distributed peers (e.g., third - party registration, see [I-D.ietf-p2psip-sip], or distributed - conferencing). Of particular interest are rendezvous processes, - where a single identifier is linked to multiple, dynamic instances of - a distributed cooperative service. Shared write access is based on a - trust delegation mechanism. It transfers the authorization to write - a specific Kind data by storing logical Access Control Lists. An ACL + party registration, see [RFC7904], or distributed conferencing). Of + particular interest are rendezvous processes, where a single + identifier is linked to multiple, dynamic instances of a distributed + cooperative service. Shared write access is based on a trust + delegation mechanism that transfers the authorization to write a + specific Kind data by storing logical Access Control Lists. An ACL contains the ID of the Kind to be shared and contains trust delegations from one authorized to another (previously unauthorized) user. Shared write access augments the RELOAD security model, which is based on the restriction that peers are only allowed to write resources at a small set of well defined locations (Resource-IDs) in the overlay. Using the standard access control rules in RELOAD, these locations are bound to the username or Node-ID in the peer's certificate. This document extends the base policies to enable a @@ -176,24 +176,24 @@ users. The mechanism to share those Resource/Kind pairs with a group of users consists of two basic steps. 1. Storage of the Resource/Kind pairs to be shared. 2. Storage of an Access Control List (ACL) associated with those Kinds. ACLs are created by the Resource Owner and contain ACL items, each delegating the permission of writing the shared Kind to a specific - user called Authorized Peer. For each shared Kind data, its Resource - owner stores a root item that initiates an Access Control List. - Trust delegation to the Authorized Peer can include the right to - further delegate the write permission, enabling a tree of trust + user called the Authorized Peer. For each shared Kind data, its + Resource owner stores a root item that initiates an Access Control + List. Trust delegation to the Authorized Peer can include the right + to further delegate the write permission, enabling a tree of trust delegations with the Resource Owner as trust anchor at its root. The Resource/Kind pair to be shared can be any RELOAD Kind that complies to the following specifications: Isolated Data Storage: To prevent concurrent writing from race conditions, each data item stored within a Shared Resource SHALL be exclusively maintained by the RELOAD user who created it. Hence, Usages that allow the storage of Shared Resources are REQUIRED to use either the array or dictionary data model and @@ -223,23 +223,23 @@ This section defines mechanisms to avoid race conditions while concurrently writing an array or dictionary of a Shared Resource. If a dictionary is used in the Shared Resource, the dictionary key MUST be the Node-ID of the certificate that will be used to sign the stored data. Thus data access is bound to the unique ID holder, and write concurrency does not occur. If the data model of the Shared Resource is an array, each Authorized - Peer SHALL obtain its exclusive range of the array indices. The - following algorithm will generate an array indexing scheme that - avoids collisions. + Peer that chooses to write data SHALL obtain its exclusive range of + the array indices. The following algorithm will generate an array + indexing scheme that avoids collisions. 1. Obtain the Node-ID of the certificate that will be used to sign the stored data 2. Take the least significant 24 bits of that Node-ID to prefix the array index 3. Append an 8 bit individual index value to those 24 bit of the Node-ID @@ -332,43 +332,43 @@ +-----------+------------------------------+-----------+ | 456def01 | to_user:Bob Kind:1234 ad:0 | Alice | +-----------+------------------------------+-----------+ | ... | ... | ... | +-----------+------------------------------+-----------+ Figure 1: Simplified example of an Access Control List including entries for two different Kind-IDs and varying delegation (ad) configurations - Implementations of ShaRe should be aware that the trust delegation in - an Access Control List need not be loop free. Self-contained - circular trust delegation from A to B and B to A are syntactically - possible, even though not very meaningful. + Implementors of ShaRe should be aware that the trust delegation in an + Access Control List need not be loop free. Self-contained circular + trust delegation from A to B and B to A are syntactically possible, + even though not very meaningful. 4.2. Data Structure The Kind data structure for the Access Control List is defined as follows: struct { /* res_name_ext is optional, see documentation */ ResourceNameExtension res_name_ext; opaque to_user<0..2^16-1>; KindId kind; Boolean allow_delegation; } AccessControlListItem; The AccessControlListItem structure is composed of: res_name_ext: This optional field contains the Resource Name of a ResourceNameExtension (see Section 5.2) to be used by a Shared - Resource with variable resource name. This name serves the + Resource with variable resource name. This name is used by the storing peer for validating, whether a variable resources name matches one of the predefined naming pattern from the configuration document for this Kind. The presence of this field is bound to a variable resource name element in the corresponding kind-block of the configuration document whose "enable" attribute is set to true (see Section 5.3). Otherwise, if the "enable" attribute is false, the res_name_ext field SHALL NOT be present in the Kind data structure. to_user: This field contains the user name of the RELOAD peer that @@ -399,21 +399,21 @@ certificate. This is done by using a Resource Name with a variable substring that still matches the user name in the certificate using a pattern defined in the overlay configuration document. Thus despite being variable, an allowable Resource Name remains tied to the Owner's certificate. A sample pattern might be formed as follows. Example Pattern: .*-conf-$USER@$DOMAIN When defining the pattern, care must be taken to avoid conflicts - arising from two user names of witch one is a substring of the other. + arising from two user names of which one is a substring of the other. In such cases, the holder of the shorter name could threaten to block the resources of the longer-named peer by choosing the variable part of a Resource Name to contain the entire longer user name. For example, a "*$USER" pattern would allow user EVE to define a resource with name "STEVE" and to block the resource name for user STEVE through this. This problem can easily be mitigated by delimiting the variable part of the pattern from the user name part by some fixed string, that by convention is not part of a user name (e.g., the "-conf-" in the above Example). @@ -453,23 +453,22 @@ The ResourceNameType enum and the ResourceNameExtension structure can be extended by further Usages to define other naming schemes. 5.3. Overlay Configuration Document Extension This section extends the overlay configuration document by defining new elements for patterns relating resource names to user names. It is noteworthy that additional constraints on the syntax and semantic of names can apply according to specific Usages. For example, - Address of Record (AOR) syntax restrictions apply when using - P2PSIP[I-D.ietf-p2psip-sip], while a more general naming is feasible - in plain RELOAD. + Address of Record (AOR) syntax restrictions apply when using P2PSIP + [RFC7904], while a more general naming is feasible in plain RELOAD. The element serves as a container for one or multiple sub-elements. It is an additional parameter within the kind-block and has a boolean "enable" attribute that indicates, if true, that the overlay provider allows variable resource names for this Kind. The default value of the "enable" attribute is "false". In the absence of a element for a Kind using the USER-CHAIN-ACL access policy (see Section 6.6), implementors MUST assume this default value. @@ -550,22 +549,22 @@ A store request by an Authorized Peer that attempts to overwrite any ACL item signed by another Peer is unauthorized and causes an Error_Forbidden response from the Storing Peer. Such access conflicts could be caused by an array index collision. However, the probability of a collision of two or more identical array indices will be negligibly low using the mechanism for isolating stored data (see Section 3.1) 6.2. Revoking Write Access - Write permissions are revoked by storing a non-existent value - (see[RFC6940] Section 7.2.1) at the corresponding item of the Access + Write permissions are revoked by storing a non-existent value (see + [RFC6940] Section 7.2.1) at the corresponding item of the Access Control List. Revoking a permission automatically invalidates all delegations performed by that user including all subsequent delegations. This allows the invalidation of entire subtrees of the delegations tree with only a single operation. Overwriting the root item with a non-existent value of an Access List invalidates the entire delegations tree. An existing ACL item MUST only be overwritten by the user who initially stored the corresponding entry, or by the Resource Owner that is allowed to overwrite all ACL items for revoking write access. @@ -577,65 +576,66 @@ Access Control Lists are used to transparently validate authorization of peers for writing a data value at a Shared Resource. Thereby it is assumed that the validating peer is in possession of the complete and most recent ACL for a specific Resource/Kind pair. The corresponding procedure consists of recursively traversing the trust delegation tree with strings compared as binary objects. It proceeds as follows. 1. Obtain the user name of the certificate used for signing the data - stored at the Shared Resource. + stored at the Shared Resource. This is the user who requested + the write operation. 2. Validate that an item of the corresponding ACL (i.e., for this Resource/Kind pair) contains a "to_user" field whose value equals the user name obtained in step 1. If the Shared Resource under examination is an Access Control List Kind, further validate if the "ad" flag is set to 1. 3. Select the user name of the certificate that was used to sign the - ACL item obtained in step 2. + ACL item obtained in the previous step. 4. Validate that an item of the corresponding ACL contains a "to_user" field whose value equals the user name obtained in step 3. Additionally validate that the "ad" flag is set to 1. 5. Repeat steps 3 and 4 until the "to_user" value is equal to the - user name of the signer of the previously selected ACL item. - This final ACL item is expected to be the root item of this ACL - which MUST be further validated by verifying that the root item - was signed by the owner of the ACL Resource. + user name of the signer of the ACL in the selected item. This + final ACL item is expected to be the root item of this ACL which + MUST be further validated by verifying that the root item was + signed by the owner of the ACL Resource. The trust delegation chain is valid if and only if all verification steps succeed. In this case, the creator of the data value of the Shared Resource is an Authorized Peer. Note that the ACL validation procedure can be omitted whenever the creator of data at a Shared Resource is the Resource Owner itself. The latter can be verified by its public key certificate as defined in Section 6.6. 6.4. Operations of Storing Peers - Storing peers at which Shared Resource and ACL are physically stored, - are responsible for controlling storage attempts to a Shared Resource - and its corresponding Access Control List. To assert the USER-CHAIN- - ACL access policy (see Section 6.6), a storing peer MUST perform the - access validation procedure described in Section 6.3 on any incoming - store request using the most recent Access Control List for every - Kind that uses the USER-CHAIN-ACL policy. It SHALL further ensure - that only the Resource Owner stores new ACL root items for Shared - Resources. + Storing peers, at which Shared Resource and ACL are physically + stored, are responsible for controlling storage attempts to a Shared + Resource and its corresponding Access Control List. To assert the + USER-CHAIN-ACL access policy (see Section 6.6), a storing peer MUST + perform the access validation procedure described in Section 6.3 on + any incoming store request using the most recent Access Control List + for every Kind that uses the USER-CHAIN-ACL policy. It SHALL further + ensure that only the Resource Owner stores new ACL root items for + Shared Resources. 6.5. Operations of Accessing Peers - Accessing peers, i.e., peers that fetch a Shared Resource, MAY + Accessing peers, i.e., peers that fetch a Shared Resource, can validate that the originator of a Shared Resource was authorized to store data at this Resource-ID by processing the corresponding ACL. To enable an accessing peer to perform the access validation procedure described in Section 6.3, it first needs to obtain the most recent Access Control List in the following way. 1. Send a Stat request to the Resource-ID of the Shared Resource to obtain all array indexes of stored ACL Kinds (as per [RFC6940], Section 7.4.3.) @@ -652,44 +652,46 @@ This document specifies an additional access control policy to the RELOAD base document [RFC6940]. The USER-CHAIN-ACL policy allows Authorized Peers to write a Shared Resource, even though they do not own the corresponding certificate. Additionally, the USER-CHAIN-ACL allows the storage of Kinds with a variable resource name that are following one of the specified naming pattern. Hence, on an inbound store request on a Kind that uses the USER-CHAIN-ACL access policy, the following rules MUST be applied: - In the USER-CHAIN-ACL policy, a given value MUST be written or - overwritten, if either one of USER-MATCH or USER-NODE-MATCH + In the USER-CHAIN-ACL policy, a given value MUST NOT be written or + overwritten, if neither one of USER-MATCH or USER-NODE-MATCH (mandatory if the data model is dictionary) access policies of the base document [RFC6940] applies. - Otherwise, the value MUST be written if the certificate of the signer - contains a user name that matches to the user and domain portion in - one of the variable resource name patterns (c.f. Section 5) - specified in the configuration document and, additionally, the hashed - Resource Name matches the Resource-ID. The Resource Name of the Kind - to be stored MUST be taken from the mandatory ResourceNameExtension - field in the corresponding Kind data structure. + Additionally, the store request MUST be denied if the certificate of + the signer does not contain a user name that matches to the user and + domain portion in one of the variable resource name patterns (c.f. + Section 5) specified in the configuration document or if the hashed + Resource Name does not match the Resource-ID. The Resource Name of + the Kind to be stored MUST be taken from the mandatory + ResourceNameExtension field in the corresponding Kind data structure. - Otherwise, the value MUST be written if the ACL validation procedure - described in Section 6.3 has been successfully applied. + The store request MUST also be denied, if the access rights cannot be + verified according to the ACL validation procedure described in + Section 6.3. - Otherwise, the store request MUST be denied. + Otherwise, the store request can be processed further. 7. ACCESS-CONTROL-LIST Kind Definition This section defines the ACCESS-CONTROL-LIST Kind previously described in this document. Name: ACCESS-CONTROL-LIST + Kind IDs: The Resource Name for ACCESS-CONTROL-LIST Kind-ID is the Resource Name of the Kind that will be shared by using the ACCESS- CONTROL-LIST Kind. Data Model: The data model for the ACCESS-CONTROL-LIST Kind-ID is array. The array indexes are formed by using the mechanism for isolated stored data as described in Section 3.1 Access Control: USER-CHAIN-ACL (see Section 6.6) @@ -810,41 +812,42 @@ DOI 10.17487/RFC3688, January 2004, . [RFC6940] Jennings, C., Lowekamp, B., Ed., Rescorla, E., Baset, S., and H. Schulzrinne, "REsource LOcation And Discovery (RELOAD) Base Protocol", RFC 6940, DOI 10.17487/RFC6940, January 2014, . 10.2. Informative References - [I-D.ietf-p2psip-sip] - Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., - Schulzrinne, H., and T. Schmidt, "A SIP Usage for RELOAD", - draft-ietf-p2psip-sip-21 (work in progress), April 2016. - [RFC7890] Bryan, D., Matthews, P., Shim, E., Willis, D., and S. Dawkins, "Concepts and Terminology for Peer-to-Peer SIP (P2PSIP)", RFC 7890, DOI 10.17487/RFC7890, June 2016, . + [RFC7904] Jennings, C., Lowekamp, B., Rescorla, E., Baset, S., + Schulzrinne, H., and T. Schmidt, Ed., "A SIP Usage for + REsource LOcation And Discovery (RELOAD)", RFC 7904, + DOI 10.17487/RFC7904, October 2016, + . + Acknowledgments This work was stimulated by fruitful discussions in the P2PSIP working group and the SAM research group. We would like to thank all active members for constructive thoughts and feedback. In particular, the authors would like to thank (in alphabetical order) - Emmanuel Baccelli, Alissa Cooper, Lothar Grimm, Russ Housley, Cullen - Jennings, Peter Musgrave, Joerg Ott, Marc Petit-Huguenin, Peter - Pogrzeba, and Jan Seedorf. This work was partly funded by the German - Federal Ministry of Education and Research, projects HAMcast, - Mindstone, and SAFEST. + Emmanuel Baccelli, Ben Campbell, Alissa Cooper, Lothar Grimm, Russ + Housley, Cullen Jennings, Matt Miller, Peter Musgrave, Joerg Ott, + Marc Petit-Huguenin, Peter Pogrzeba, and Jan Seedorf. This work was + partly funded by the German Federal Ministry of Education and + Research, projects HAMcast, Mindstone, and SAFEST. Authors' Addresses Alexander Knauf HAW Hamburg Berliner Tor 7 Hamburg D-20099 Germany Phone: +4940428758067