draft-ietf-rap-rsvp-identity-03.txt   draft-ietf-rap-rsvp-identity-04.txt 
Internet Draft Satyendra Yadav Internet Draft Satyendra Yadav
Expiration: August 1999 Raj Yavatkar Expiration: December 1999 Raj Yavatkar
File: draft-ietf-rap-rsvp-identity-03.txt Intel File: draft-ietf-rap-rsvp-identity-04.txt Intel
Ramesh Pabbati Ramesh Pabbati
Peter Ford Peter Ford
Tim Moore Tim Moore
Microsoft Microsoft
Shai Herzog Shai Herzog
IPHighway IPHighway
Identity Representation for RSVP Identity Representation for RSVP
February 1999 July 1999
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at line 82 skipping to change at line 81
being reserved in each node along the data path. RSVP allows being reserved in each node along the data path. RSVP allows
particular users to obtain preferential access to network resources, particular users to obtain preferential access to network resources,
under the control of an admission control mechanism. Permission to under the control of an admission control mechanism. Permission to
make a reservation is based both upon the availability of the make a reservation is based both upon the availability of the
requested resources along the path of the data and upon satisfaction requested resources along the path of the data and upon satisfaction
of policy rules. Providing policy based admission control mechanism of policy rules. Providing policy based admission control mechanism
based on user identity or application is one of the prime based on user identity or application is one of the prime
requirements. requirements.
In order to solve these problems and implement identity based policy In order to solve these problems and implement identity based policy
control it is required to identify the user and/or application making control it is required to identify the user and/or application
a RSVP request. making a RSVP request.
This document proposes a mechanism for sending identification This document proposes a mechanism for sending identification
information in the RSVP messages and enables authorization decisions information in the RSVP messages and enables authorization decisions
based on policy and identity. based on policy and identity.
We describe the authentication policy element (AUTH_DATA) contained We describe the authentication policy element (AUTH_DATA) contained
in the POLICY_DATA object. User process can generate an AUTH_DATA in the POLICY_DATA object. User process can generate an AUTH_DATA
policy element and gives it to RSVP process (service) on the policy element and gives it to RSVP process (service) on the
originating host. RSVP service inserts AUTH_DATA into the RSVP originating host. RSVP service inserts AUTH_DATA into the RSVP
message to identify the owner (user and/or application) making the message to identify the owner (user and/or application) making the
request for network resources. Network elements, such as routers, request for network resources. Network elements, such as routers,
authenticate request using the credentials presented in the AUTH_DATA authenticate request using the credentials presented in the
and admit the RSVP message based on admission policy. After a request AUTH_DATA and admit the RSVP message based on admission policy.
has been authenticated, first hop router installs the RSVP state and After a request has been authenticated, first hop router installs
forwards the new policy element returned by the Policy Decision Point the RSVP state and forwards the new policy element returned by the
(PDP) [POL-FRAME]. Policy Decision Point (PDP) [POL-FRAME].
Yadav, et al. 2 Yadav, et al. 2
4. Policy Element for Authentication Data 4. Policy Element for Authentication Data
4.1 Policy Data Object Format 4.1 Policy Data Object Format
POLICY_DATA objects contain policy information and are carried by POLICY_DATA objects contain policy information and are carried by
RSVP messages. A detail description of the format of POLICY_DATA RSVP messages. A detail description of the format of POLICY_DATA
object can be found in "RSVP Extensions for Policy Control" [POL- object can be found in "RSVP Extensions for Policy Control" [POL-
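Review bot: The introduction says network elements "authenticate request using the credentials presented in the AUTH_DATA" without saying what authentication requires; with the CREDENTIAL subtype ASCII_ID (listed later in this draft) the element carries only an asserted name, so a reader could take an unsigned AUTH_DATA as authenticated. Suggest one added sentence here stating that a policy locator identifies but does not authenticate, and that authentication means verifying the DIGITAL_SIGNATURE attribute or the INTEGRITY protection described in sections 4.3.3 and 7.1. Minor, unchanged from -03: "Providing policy based admission control mechanism" needs an article ("a policy-based admission control mechanism").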
skipping to change at line 126 skipping to change at line 125
list of authentication attributes. list of authentication attributes.
+-------------+-------------+-------------+-------------+ +-------------+-------------+-------------+-------------+
| Length | P-Type = Identity Type | | Length | P-Type = Identity Type |
+-------------+-------------+-------------+-------------+ +-------------+-------------+-------------+-------------+
// Authentication Attribute List // // Authentication Attribute List //
+-------------------------------------------------------+ +-------------------------------------------------------+
Length Length
The length of the policy element (including the Length and P- The length of the policy element (including the Length and P-
Type) is in number of octets (must be a multiple of 4) and Type) is in number of octets (MUST be a multiple of 4) and
indicates the end of the authentication attribute list. indicates the end of the authentication attribute list.
P-Type (Identity Type) P-Type (Identity Type)
Type of identity information contained in this Policy Element Type of identity information contained in this Policy Element
supplied as the Policy element type (P-type). The Internet supplied as the Policy element type (P-type). The Internet
Assigned Numbers Authority (IANA) acts as a registry for policy Assigned Numbers Authority (IANA) acts as a registry for policy
element types for identity as described in the [POL-EXT]. element types for identity as described in the [POL-EXT].
Initially, the registry contains the following P-Types for Initially, the registry contains the following P-Types for
identity: identity:
2 AUTH_USER Authentication scheme to identify users 1 AUTH_USER Authentication scheme to identify users
3 AUTH_APP Authentication scheme to identify 2 AUTH_APP Authentication scheme to identify
applications applications
Authentication Attribute List Authentication Attribute List
Authentication attributes contain information specific to Authentication attributes contain information specific to
authentication method and type of AUTH_DATA. The policy element authentication method and type of AUTH_DATA. The policy element
provides the mechanism for grouping a collection of provides the mechanism for grouping a collection of
authentication attributes. authentication attributes.
Yadav, et al. 3 Yadav, et al. 3
4.3 Authentication Attributes 4.3 Authentication Attributes
Authentication attributes must be encoded as a multiple of 4 octets, Authentication attributes MUST be encoded as a multiple of 4 octets,
attributes that are not a multiple of 4 octets long must be padded attributes that are not a multiple of 4 octets long MUST be padded
to a 4-octet boundary. to a 4-octet boundary.
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Length | A-Type |SubType | | Length | A-Type |SubType |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Value ... | Value ...
+--------+--------+--------+--------+ +--------+--------+--------+--------+
Length Length
The length field is two octets and indicates the actual length The length field is two octets and indicates the actual length
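Review bot: The renumbering of the identity P-Types from "2 AUTH_USER / 3 AUTH_APP" in -03 to "1 AUTH_USER / 2 AUTH_APP" in -04 is wire-incompatible: a -03 sender's AUTH_USER element (value 2) is parsed by a -04 receiver as AUTH_APP, so a PDP would apply application policy to a user credential or reject the request outright. Since the text says IANA acts as the registry, mark these values as provisional until assigned, or add a "changes since -03" note, so implementers do not freeze either set of numbers. Also, "MUST be a multiple of 4" for Length is stated as a sender rule only; because Length "indicates the end of the authentication attribute list" and drives attribute iteration, add the receiver rule that an element whose Length is not a multiple of 4, is less than 4, or extends past the enclosing POLICY_DATA object is rejected rather than parsed.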
skipping to change at line 213 skipping to change at line 212
or application. Distinguished Name (DN) is unique for each User or or application. Distinguished Name (DN) is unique for each User or
application hence a DN is used as policy locator. application hence a DN is used as policy locator.
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| Length |A-Type |SubType| | Length |A-Type |SubType|
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| OctetString ... | OctetString ...
+-------+-------+-------+-------- +-------+-------+-------+--------
Length Length
Length of the attribute, which must be >= 4. Length of the attribute, which MUST be >= 4.
A-Type A-Type
POLICY_LOCATOR POLICY_LOCATOR
SubType SubType
Following sub types for POLICY_LOCATOR are defined. IANA acts as Following sub types for POLICY_LOCATOR are defined. IANA acts as
a registry for POLICY_LOCATOR sub types as described in the a registry for POLICY_LOCATOR sub types as described in the
section 9, IANA Considerations. Initially, the registry contains section 9, IANA Considerations. Initially, the registry contains
the following sub types for POLICY_LOCATOR: the following sub types for POLICY_LOCATOR:
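Review bot: "Length of the attribute, which MUST be >= 4" admits a POLICY_LOCATOR whose OctetString is empty, i.e. no DN at all; the text should say whether an empty locator is an error and which POLICY_ERROR_CODE value a PDP returns for it. The claim that a DN "is unique for each User or application" only holds within one naming authority; suggest stating that the PDP interprets the DN relative to the certificate issuer or directory it trusts, since the same DN string can be issued under different CAs.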
skipping to change at line 265 skipping to change at line 264
A summary of the CREDENTIAL attribute format is shown below. The A summary of the CREDENTIAL attribute format is shown below. The
fields are transmitted from left to right. fields are transmitted from left to right.
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| Length |A-Type |SubType| | Length |A-Type |SubType|
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| OctetString ... | OctetString ...
+-------+-------+-------+-------- +-------+-------+-------+--------
Length Length
Length of the attribute, which must be >= 4. Length of the attribute, which MUST be >= 4.
A-Type A-Type
CREDENTIAL CREDENTIAL
SubType SubType
IANA acts as a registry for CREDENTIAL sub types as described in IANA acts as a registry for CREDENTIAL sub types as described in
the section 9, IANA Considerations. Initially, the registry the section 9, IANA Considerations. Initially, the registry
contains the following sub types for CREDENTIAL: contains the following sub types for CREDENTIAL:
1 ASCII_ID OctetString contains user or application 1 ASCII_ID OctetString contains user or application
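Review bot: The CREDENTIAL subtype list opens with "1 ASCII_ID", a plain user or application name that carries no proof of possession, yet the section does not distinguish it from the Kerberos and certificate subtypes. Suggest an explicit sentence that an ASCII_ID credential authenticates nothing by itself and is meaningful only when the carrying message or POLICY_DATA object is protected by an INTEGRITY object from a trusted previous hop (section 7.1); otherwise any host can claim any identity. As with POLICY_LOCATOR, "Length ... MUST be >= 4" permits an empty credential and should say how a receiver treats it.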
skipping to change at line 293 skipping to change at line 292
4 X509_V3_CERT OctetString contains X.509 V3 digital 4 X509_V3_CERT OctetString contains X.509 V3 digital
certificate [X.509]. certificate [X.509].
5 PGP_CERT OctetString contains PGP digital certificate. 5 PGP_CERT OctetString contains PGP digital certificate.
OctetString OctetString
The OctetString contains the user or application credential. The OctetString contains the user or application credential.
4.3.3 Digital Signature 4.3.3 Digital Signature
The DIGITAL_SIGNATURE attribute must be the last attribute in the The DIGITAL_SIGNATURE attribute MUST be the last attribute in the
attribute list and contains the digital signature of the AUTH_DATA attribute list and contains the digital signature of the AUTH_DATA
policy element. The digital signature signs all data in the policy element. The digital signature signs all data in the
AUTH_DATA policy element up to the DIGITAL_SIGNATURE. The algorithm AUTH_DATA policy element up to the DIGITAL_SIGNATURE. The algorithm
used to compute the digital signature depends on the authentication used to compute the digital signature depends on the authentication
method specified by the CREDENTIAL SubType field. method specified by the CREDENTIAL SubType field.
Yadav, et al. 6 Yadav, et al. 6
A summary of DIGITAL_SIGNATURE attribute format is described below. A summary of DIGITAL_SIGNATURE attribute format is described below.
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| Length |A-Type |SubType| | Length |A-Type |SubType|
+-------+-------+-------+-------+ +-------+-------+-------+-------+
| OctetString ... | OctetString ...
+-------+-------+-------+-------- +-------+-------+-------+--------
Length Length
Length of the attribute, which must be >= 4. Length of the attribute, which MUST be >= 4.
A-Type A-Type
DIGITAL_SIGNATURE DIGITAL_SIGNATURE
SubType SubType
No sub types for DIGITAL_SIGNATURE are currently defined. This No sub types for DIGITAL_SIGNATURE are currently defined. This
field must be set to 0. field MUST be set to 0.
OctetString OctetString
OctetString contains the digital signature of the AUTH_DATA. OctetString contains the digital signature of the AUTH_DATA.
4.3.4 Policy Error Object 4.3.4 Policy Error Object
This attribute is used to specify any errors associated with the This attribute is used to specify any errors associated with the
policy element. When a RSVP policy node (local policy decision point policy element. When a RSVP policy node (local policy decision point
or remote PDP) encounters a request that fails policy control due to or remote PDP) encounters a request that fails policy control due to
its Authentication Policy Element, it may add a POLICY_ERROR_CODE its Authentication Policy Element, it MAY add a POLICY_ERROR_CODE
containing additional information about the reason the failure containing additional information about the reason the failure
occurred into the policy element. This will then cause an occurred into the policy element. This will then cause an
appropriate PATH_ERROR or RESV_ERROR message to be generated with appropriate PATH_ERROR or RESV_ERROR message to be generated with
the policy element and appropriate RSVP error code in the message, the policy element and appropriate RSVP error code in the message,
which is returned to the request's source. which is returned to the request's source.
The AUTH_DATA policy element in the PATH or RSVP message should not The AUTH_DATA policy element in the PATH or RSVP message SHOULD not
contain the POLICY_ERROR_OBJECT attribute. These are only inserted contain the POLICY_ERROR_OBJECT attribute. These are only inserted
into PATH_ERROR and RESV_ERROR messages when generated by policy into PATH_ERROR and RESV_ERROR messages when generated by policy
aware intermediate nodes. aware intermediate nodes.
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| Length | A-Type |SubType(0)| | Length | A-Type |SubType(0)|
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| 0 (Reserved) | ErrorValue | | 0 (Reserved) | ErrorValue |
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| OctetString ... | OctetString ...
+----------+----------+----------+----------+ +----------+----------+----------+----------+
Yadav, et al. 7
Length Length
Length of the attribute, which must be >= 8. Length of the attribute, which MUST be >= 8.
Yadav, et al. 7
A-Type A-Type
POLICY_ERROR_CODE POLICY_ERROR_CODE
ErrorValue ErrorValue
A 32-bit bit code containing the reason that the policy decision A 32-bit bit code containing the reason that the policy decision
point failed to process the policy element. Following values point failed to process the policy element. Following values
have been defined. have been defined.
1 ERROR_NO_MORE_INFO No information is available. 1 ERROR_NO_MORE_INFO No information is available.
2 UNSUPPORTED_CREDENTIAL_TYPE This type of credentials is
2 UNSUPPORTED_CREDENTIAL_TYPE This type of credentials are
not supported. not supported.
3 INSUFFICIENT_PRIVILEGES The credentials do not have 3 INSUFFICIENT_PRIVILEGES The credentials do not have
sufficient privilege. sufficient privilege.
4 EXPIRED_CREDENTIAL The credential has expired. 4 EXPIRED_CREDENTIAL The credential has expired.
5 IDENTITY_CHANGED Identity has changed. 5 IDENTITY_CHANGED Identity has changed.
OctetString OctetString
The OctetString field contains information from the policy The OctetString field contains information from the policy
decision point that may, optionally, contain additional decision point that MAY contain additional information about
information about the policy failure. For example, it may the policy failure. For example, it may include a human-
include a human-readable message in the ASCII text. readable message in the ASCII text.
5. Authentication Data Formats 5. Authentication Data Formats
Authentication attributes are grouped in a policy element to Authentication attributes are grouped in a policy element to
represent the identity credentials. represent the identity credentials.
5.1 Simple User Authentication 5.1 Simple User Authentication
In simple user authentication method the user login ID (in plain In simple user authentication method the user login ID (in plain
ASCII or UNICODE text) is encoded as CREDENTIAL attribute. A summary ASCII or UNICODE text) is encoded as CREDENTIAL attribute. A summary
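Review bot: Section 4.3.3 says the signature covers "all data in the AUTH_DATA policy element up to the DIGITAL_SIGNATURE" but does not say whether the DIGITAL_SIGNATURE attribute's own Length/A-Type/SubType header is inside the signed range; two implementations can reasonably disagree, and then every verification fails. State it once, for example "over the octets from the policy element Length field up to but not including the Length field of the DIGITAL_SIGNATURE attribute". Because the signature covers only the policy element, it does not bind the element to the RSVP session or to a particular message, so a validly signed AUTH_DATA can be copied into a different reservation request; the text should say that the INTEGRITY object of section 7.1 step 3 is what provides that binding. Smaller points: "A 32-bit bit code" repeats "bit" in both versions; "SHOULD not" in 4.3.4 should be the RFC 2119 form "SHOULD NOT".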
skipping to change at line 498 skipping to change at line 496
The application authentication method encodes the application The application authentication method encodes the application
identification such as an executable filename as plain ASCII or identification such as an executable filename as plain ASCII or
UNICODE text. UNICODE text.
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
| Length | P-type = AUTH_APP | | Length | P-type = AUTH_APP |
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
| Length |POLICY_LOCATOR| SubType | | Length |POLICY_LOCATOR| SubType |
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
| OctetString (Application Identity attributes in the form of | OctetString (Application Identity attributes in
| a Distinguished Name) ... | the form of a Distinguished Name) ...
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
| Length | CREDENTIAL | ASCII_ID | | Length | CREDENTIAL | ASCII_ID |
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
| OctetString (Application Id, e.g., vic.exe) | OctetString (Application Id, e.g., vic.exe)
+----------------+--------------+--------------+--------------+ +----------------+--------------+--------------+--------------+
6. Operation 6. Operation
+-----+ +-----+ +-----+ +-----+
| PDP |-------+ | PDP | | PDP |-------+ | PDP |
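Review bot: The application identity here is an executable filename (e.g., vic.exe) carried as an ASCII_ID CREDENTIAL, chosen by the originating host and not verifiable by the PDP. The section should say that application AUTH_DATA is an assertion by the host, trustworthy only to the extent the host or the accompanying user AUTH_DATA is, and that a PDP should not grant privilege on the application name alone.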
skipping to change at line 527 skipping to change at line 525
Host A B C D Host A B C D
Figure 1: User and Application Authentication using AUTH_DATA PE Figure 1: User and Application Authentication using AUTH_DATA PE
Network nodes (hosts/routers) generate AUTH_DATA policy elements, Network nodes (hosts/routers) generate AUTH_DATA policy elements,
contents of which are depend on the identity type used and the contents of which are depend on the identity type used and the
authentication method used. These generally contain authentication authentication method used. These generally contain authentication
credentials (Kerberos ticket or digital certificate) and policy credentials (Kerberos ticket or digital certificate) and policy
locators (which can be the X.500 Distinguished Name of the user or locators (which can be the X.500 Distinguished Name of the user or
network node or application names). Network nodes generate AUTH_DATA network node or application names). Network nodes generate AUTH_DATA
policy element containing the authentication identity when making policy element containing the authentication identity when making the
the RSVP request or forwarding an RSVP message. RSVP request or forwarding a RSVP message.
Network nodes generate user AUTH_DATA policy element using the Network nodes generate user AUTH_DATA policy element using the
following rules following rules
1. For unicast sessions the user policy locator is copied from 1. For unicast sessions the user policy locator is copied from the
the previous hop. The authentication credentials are for the previous hop. The authentication credentials are for the current
current network node identity. network node identity.
Yadav, et al. 11 Yadav, et al. 11
2. For multicast messages the user policy locator is for the current 2. For multicast messages the user policy locator is for the current
network node identity. The authentication credentials are for the network node identity. The authentication credentials are for the
current network node. current network node.
Network nodes generate application AUTH_DATA policy element using Network nodes generate application AUTH_DATA policy element using the
the following rules: following rules:
1. For unicast sessions the application AUTH_DATA is the copied from 1. For unicast sessions the application AUTH_DATA is copied from the
the previous hop. previous hop.
2. For multicast messages the application AUTH_DATA is either the 2. For multicast messages the application AUTH_DATA is either the
first application AUTH_DATA in the message or chosen by the PDP. first application AUTH_DATA in the message or chosen by the PDP.
7. Message Processing Rules 7. Message Processing Rules
7.1 Message Generation (RSVP Host) 7.1 Message Generation (RSVP Host)
An RSVP message is created as specified in [RFC2205] with following An RSVP message is created as specified in [RFC2205] with following
modifications. modifications.
1. RSVP message may contain multiple AUTH_DATA policy elements. 1. RSVP message MAY contain multiple AUTH_DATA policy elements.
2. Authentication policy element (AUTH_DATA) is created and the 2. Authentication policy element (AUTH_DATA) is created and the
IdentityType field is set to indicate the identity type in the IdentityType field is set to indicate the identity type in the
policy element. policy element.
DN is inserted as POLICY_LOCATOR attribute. - DN is inserted as POLICY_LOCATOR attribute.
Credentials such as Kerberos ticket or digital certificate are - Credentials such as Kerberos ticket or digital certificate
inserted as the CREDENTIAL attribute. are inserted as the CREDENTIAL attribute.
3. POLICY_DATA object (containing the AUTH_DATA policy element) is 3. POLICY_DATA object (containing the AUTH_DATA policy element) is
inserted in the RSVP message in appropriate place. If INTEGRITY inserted in the RSVP message in appropriate place. If INTEGRITY
object is not computed for the RSVP message then an INTEGRITY object is not computed for the RSVP message then an INTEGRITY
object must be computed for this POLICY_DATA object, as described object SHOULD be computed for this POLICY_DATA object, as
in the [POL_EXT], and must be inserted as a Policy Data option. described in the [POL_EXT], and SHOULD be inserted as a Policy
Data option.
7.2 Message Reception (Router) 7.2 Message Reception (Router)
RSVP message is processed as specified in [RFC2205] with following RSVP message is processed as specified in [RFC2205] with following
modifications. modifications.
1. If router is not policy aware then it should send the RSVP 1. If router is not policy aware then it SHOULD send the RSVP
message to the PDP and wait for response. If the router is policy message to the PDP and wait for response. If the router is policy
unaware then it ignores the policy data objects and continues unaware then it ignores the policy data objects and continues
processing the RSVP message. processing the RSVP message.
2. Reject the message if the response from the PDP is negative. 2. Reject the message if the response from the PDP is negative.
3. Continue processing the RSVP message. 3. Continue processing the RSVP message.
Yadav, et al. 12 Yadav, et al. 12
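Review bot: In 7.1 step 3 the -04 text downgrades the INTEGRITY object for the POLICY_DATA object from "must be computed ... must be inserted" to SHOULD. When the RSVP message itself carries no INTEGRITY object, this per-object INTEGRITY is the only thing that protects AUTH_DATA from modification or substitution in transit, so the downgrade should be justified or reverted, or the text should say what a receiver does with an AUTH_DATA that has neither message nor object integrity (use the locator for identification, not for authorization). Second, 7.2 step 1 reads "If router is not policy aware then it SHOULD send the RSVP message to the PDP" and then "If the router is policy unaware then it ignores the policy data objects"; both conditions name the same case, so the first presumably means "policy aware" and should be corrected. Third, rule 1 of section 6 copies the user policy locator from the previous hop while the credentials are those of the current node, so the DN the PDP sees is not the identity that authenticated the message; state that a PDP treats a copied locator as asserted by the forwarding node, not as proven.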
skipping to change at line 610 skipping to change at line 609
- Kerberos: Send the Kerberos ticket to the KDC to obtain the - Kerberos: Send the Kerberos ticket to the KDC to obtain the
session key. Using the session key authenticate the user. session key. Using the session key authenticate the user.
- Public Key: Validate the certificate that it was issued by a - Public Key: Validate the certificate that it was issued by a
trusted Certificate Authority (CA) and authenticate the user trusted Certificate Authority (CA) and authenticate the user
or application by verifying the digital signature. or application by verifying the digital signature.
8. Error Signaling 8. Error Signaling
If PDP fails to verify the AUTH_DATA policy element then it must If PDP fails to verify the AUTH_DATA policy element then it MUST
return Policy control failure (Error Code = 02) to PEP. The error return policy control failure (Error Code = 02) to the PEP. The
values are described in [RFC 2205] and [POL-EXT]. Also PDP must error values are described in [RFC 2205] and [POL-EXT]. Also PDP
supply a policy data object containing the AUTH_DATA Policy Element SHOULD supply a policy data object containing the AUTH_DATA Policy
with more details on the Policy Control failures in the policy error Element with more details on the Policy Control failures in the
object attribute. The PEP will include this Policy Data object in policy error object attribute. The PEP will include this Policy Data
the outgoing RSVP Error message. object in the outgoing RSVP Error message.
9. IANA Considerations 9. IANA Considerations
Following the policies outlined in [IANA-CONSIDERATIONS], Following the policies outlined in [IANA-CONSIDERATIONS],
authentication attribute types (A-Type)in the range 0-127 are authentication attribute types (A-Type)in the range 0-127 are
allocated an IETF Consensus action, A-Type values between 128-255 allocated an IETF Consensus action, A-Type values between 128-255
are reserved for Private Use and are not assigned by IANA. are reserved for Private Use and are not assigned by IANA.
Following the policies outlined in [IANA-CONSIDERATIONS], Following the policies outlined in [IANA-CONSIDERATIONS],
POLICY_LOCATOR SubType values in the range 0-127 are allocated an POLICY_LOCATOR SubType values in the range 0-127 are allocated an
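Review bot: The Kerberos step "Send the Kerberos ticket to the KDC to obtain the session key" does not say which service principal the ticket is issued to, who holds that principal's key, or how replay of a captured ticket is prevented; [RFC 1510], cited in section 12, has the service decrypt the ticket with its own key and check an authenticator, so the draft should either state that model (the PDP or PEP as the service principal) or describe the KDC exchange it intends. For the public key case, "Validate the certificate that it was issued by a trusted CA" should also require checking the validity period and revocation status, consistent with the EXPIRED_CREDENTIAL error value defined in 4.3.4. In section 8, note that the PDP requirement to supply the AUTH_DATA element with error details also moved from "must" to SHOULD; if that is intended, say what the PEP returns when no element is supplied.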
skipping to change at line 672 skipping to change at line 671
12. References 12. References
[ASCII] Coded Character Set -- 7-Bit American Standard Code for [ASCII] Coded Character Set -- 7-Bit American Standard Code for
Information Interchange, ANSI X3.4-1986. Information Interchange, ANSI X3.4-1986.
[IANA-CONSIDERATIONS] Alvestrand, H. and T. Narten, "Guidelines for [IANA-CONSIDERATIONS] Alvestrand, H. and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 2434, October 1998. RFC 2434, October 1998.
[POL-EXT] Herzog, S., "RSVP Extensions for Policy Control." [POL-EXT] Herzog, S., "RSVP Extensions for Policy Control."
Internet-Draft, draft-ietf-rap-policy-ext-03.txt, Internet-Draft, draft-ietf-rap-policy-ext-06.txt, April
February 1999. 1999.
[POL-FRAME] Yavatkar, R., et.al. "A Framework for Policy-based [POL-FRAME] Yavatkar, R., et.al. "A Framework for Policy-based
Admission Control RSVP." Internet-Draft, draft-ietf-rap- Admission Control RSVP." Internet-Draft, draft-ietf-rap-
framework-01.txt, November 1998. framework-03.txt, April 1999.
[RFC 1510] The Kerberos Network Authentication Service (V5). Kohl [RFC 1510] The Kerberos Network Authentication Service (V5). Kohl
J., Neuman, C. RFC 1510. J., Neuman, C. RFC 1510.
[RFC 1704] On Internet Authentication. Haller, N, Atkinson, R., [RFC 1704] On Internet Authentication. Haller, N, Atkinson, R.,
RFC 1704. RFC 1704.
[RFC 1779] A String Representation of Distinguished Names. S. [RFC 1779] A String Representation of Distinguished Names. S.
Kille. RFC 1779 Kille. RFC 1779
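Review bot: Citation keys are inconsistent: section 7.1 cites [POL_EXT] (underscore) while the list defines [POL-EXT], and the body writes [RFC2205] while the list uses "[RFC 1510]", "[RFC 1704]", "[RFC 1779]" with a space; the three RFC entries also lack dates while the other entries have them. Use one key form throughout and add the dates. Since -04 moves [POL-EXT] from draft-ietf-rap-policy-ext-03 to -06 and [POL-FRAME] from -01 to -03, confirm that the POLICY_DATA format and the INTEGRITY Policy Data option that section 4.1 and 7.1 delegate to [POL-EXT] still match the -06 text.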
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/