draft-ietf-rserpool-threats-05.txt   draft-ietf-rserpool-threats-06.txt 
Internet Engineering Task Force Maureen Stillman(editor) Internet Engineering Task Force Maureen Stillman(editor)
INTERNET DRAFT Ram Gopal INTERNET DRAFT Ram Gopal
Senthil Sengodan Senthil Sengodan
Nokia Nokia
Erik Guttman Erik Guttman
Sun Microsystems Sun Microsystems
Matt Holdrege Matt Holdrege
Strix Systems Strix Systems
11 November 2006
expires January 4, 2006 expires May 11, 2007
Threats Introduced by Rserpool and Requirements for Security Threats Introduced by Rserpool and Requirements for Security
in response to Threats in response to Threats
<draft-ietf-rserpool-threats-05.txt> <draft-ietf-rserpool-threats-06.txt>
Status of This Memo Status of This Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of aware will be disclosed, in accordance with Section 6 of
BCP 79. BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at page 1, line 41 skipping to change at page 1, line 41
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 4, 2006. This Internet-Draft will expire on May 11, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved. Copyright (C) The Internet Society (2006). All Rights Reserved.
Abstract Abstract
Rserpool is an architecture and set of protocols for the management Rserpool is an architecture and set of protocols for the management
and access to server pools supporting highly reliable applications and access to server pools supporting highly reliable applications
and for client access mechanisms to a server pool. This Internet and for client access mechanisms to a server pool. This Internet
draft describes security threats to the Rserpool architecture and draft describes security threats to the Rserpool architecture and
presents requirements for security to thwart these threats. presents requirements for security to thwart these threats.
Contents Contents
skipping to change at page 3, line 25 skipping to change at page 3, line 25
session layer operates dynamically which imposes additional concerns for session layer operates dynamically which imposes additional concerns for
the overall security of the end-to-end application. This document the overall security of the end-to-end application. This document
explores the security implications of RSERPOOL, both due to its own explores the security implications of RSERPOOL, both due to its own
functions and due to its being interposed between applications and functions and due to its being interposed between applications and
transport interfaces. transport interfaces.
1.1 Definitions 1.1 Definitions
This document uses the following terms: This document uses the following terms:
ENRP Endpoint haNdlespace Redundancy Protocol: ENRP Endpoint Name Resolution Protocol (ENRP):
Within the operational scope of Rserpool, ENRP defines the Within the operational scope of Rserpool, ENRP defines the
procedures and message formats of a distributed fault-tolerant procedures and message formats of a distributed fault-tolerant
registry service for storing, bookkeeping, retrieving, and registry service for storing, bookkeeping, retrieving, and
distributing pool operation and membership information. distributing pool operation and membership information.
ASAP Aggregate Server Access Protocol: ASAP Aggregate Server Access Protocol:
A session layer protocol which uses the Endpoint haNdlespace A session layer protocol which uses ENRP to provide a high
Redundancy Protocol to provide a high availability availability handlespace. ASAP is responsible for the
handlespace. ASAP is responsible for the abstraction of the abstraction of the underlying transport technologies, load
underlying transport technologies, load distribution distribution management,fault management, as well as the
management,fault management, as well as the presentation to presentation to the upper layer (i.e., the ASAP user) a
the upper layer (i.e., the ASAP user) a unified primitive unified primitive interface.
interface.
Operational scope: Operational scope:
The part of the network visible to pool users by a specific The part of the network visible to pool users by a specific
instance of the reliable server pooling protocols. instance of the reliable server pooling protocols.
Pool (or server pool): Pool (or server pool):
A collection of servers providing the same application A collection of servers providing the same application
functionality. functionality.
Pool handle: Pool handle:
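Review bot: The new ENRP expansion in the right column is inconsistent with the rest of this hunk. "ENRP Endpoint Name Resolution Protocol (ENRP)" repeats the acronym that already opens the entry, and the ASAP entry directly below still says ENRP is used "to provide a high availability handlespace", so a reader is left asking why a name-resolution protocol manages a handlespace. Either keep a handlespace-based expansion or update the dependent ASAP text in the same change. Two pre-existing nits are carried unchanged into -06: "management,fault management" is missing the space after the comma, and the ASAP sentence would parse better as "the presentation to the upper layer (i.e., the ASAP user) of a unified primitive interface".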
skipping to change at page 4, line 12 skipping to change at page 4, line 12
A cohesive structure of pool names and relations that may be A cohesive structure of pool names and relations that may be
queried by an internal or external agent. queried by an internal or external agent.
Pool element (PE): Pool element (PE):
A server entity that runs ASAP and has registered to a pool. A server entity that runs ASAP and has registered to a pool.
Pool user (PU): Pool user (PU):
A server pool user that runs ASAP. Note, a PU can also be a A server pool user that runs ASAP. Note, a PU can also be a
PE if it has registered itself to a pool. PE if it has registered itself to a pool.
ENRP handlespace server (or ENRP server): ENRP server:
Entity which runs ENRP and is responsible for managing and Entity which runs ENRP and is responsible for managing and
maintaining the handlespace within the operation scope. maintaining the handlespace within the operation scope.
2. Threats 2. Threats
2.1 PE Registration/Deregistration flooding -- non-existent PE 2.1 PE Registration/Deregistration flooding -- non-existent PE
Threat: A malicious node could send a stream of false Threat: A malicious node could send a stream of false
registrations/deregistrations on behalf of non-existent PEs to ENRP registrations/deregistrations on behalf of non-existent PEs to ENRP
servers at a very rapid rate and thereby create unnecessary state in an servers at a very rapid rate and thereby create unnecessary state in an
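Review bot: "ENRP handlespace server (or ENRP server)" is shortened to "ENRP server", but the definition body is untouched and still reads "responsible for managing and maintaining the handlespace within the operation scope". If the intent is to retire "handlespace" from the terminology, the body of this entry (and the ASAP entry above) needs the same edit; if not, the longer term was the more descriptive one. Also, "operation scope" should be "operational scope" to match the term defined earlier in Section 1.1.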
skipping to change at page 9, line 8 skipping to change at page 8, line 47
Threat 2.9) Re-establishing PU-PE security during failover Threat 2.9) Re-establishing PU-PE security during failover
Requirement: Either notify the application when fail over occurs so the Requirement: Either notify the application when fail over occurs so the
application can take appropriate action to establish a trusted application can take appropriate action to establish a trusted
relationship with PE B OR reestablish the security context relationship with PE B OR reestablish the security context
transparently. transparently.
Threat 2.10) Corrupted data which causes a PU to have misinformation Threat 2.10) Corrupted data which causes a PU to have misinformation
concerning a pool handle resolution concerning a pool handle resolution
Security mechanism in response: Security protocol which supports Security mechanism in response: Security protocol which supports
integrity protection. integrity protection
Threat 2.11) Eavesdropper snooping on handlespace information Threat 2.11) Eavesdropper snooping on handlespace information
Security mechanism in response: Security protocol which supports data Security mechanism in response: Security protocol which supports data
confidentiality confidentiality
To summarize the threats 2.1-2.12 require security mechanisms which To summarize the threats 2.1-2.12 require security mechanisms which
support authentication, integrity, data confidentiality and protection support authentication, integrity, data confidentiality and protection
from replay attacks. from replay attacks.
For Rserpool we need to authenticate the following: For Rserpool we need to authenticate the following:
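Review bot: The only change in this hunk drops the trailing period from "integrity protection" under Threat 2.10, which now matches the unterminated "data confidentiality" under 2.11 but not the full-sentence requirement under 2.9 ("transparently."); the one-line responses should follow a single punctuation convention. The summary sentence needs a comma to parse: "To summarize, threats 2.1-2.12 require security mechanisms which support ...". "failover" in the 2.9 title and "fail over" in its requirement should also be spelled consistently.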
skipping to change at page 12, line 9 skipping to change at page 12, line 9
Xie, Michael Tuexen, Aron Silverton, Sohrab Modi, Javier Pastor-Balbas, Xie, Michael Tuexen, Aron Silverton, Sohrab Modi, Javier Pastor-Balbas,
Xingang Guo, M. Piramanayagam, Bernard Aboba and Dhooria Manoj. Xingang Guo, M. Piramanayagam, Bernard Aboba and Dhooria Manoj.
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
7. Intellectual Property Statement 7. Intellectual Property Statement
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
skipping to change at page 13, line 5 skipping to change at page 13, line 5
of such proprietary rights by implementers or users of this of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr. at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other any copyrights, patents or patent applications, or other
proprietary rights that may cover technology that may be required proprietary rights that may cover technology that may be required
to implement this standard. Please address the information to the to implement this standard. Please address the information to the
IETF at ietf-ipr@ietf.org. IETF at ietf-ipr@ietf.org.
expires 04 January 2006
8. Author's Addresses 8. Author's Addresses
Ram Gopal Ram Gopal
Nokia Research Center Nokia Research Center
5 Wayside Road 5 Wayside Road
Burlington, MA 01803 Burlington, MA 01803
USA USA
email: ram.gopal@nokia.com email: ram.gopal@nokia.com
Erik Guttman Erik Guttman
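Review bot: Removing the stray "expires 04 January 2006" line from between the IPR text and the addresses is the right fix; it duplicated the expiry already stated on the title page and would have contradicted the new May 11, 2007 date. One further nit in the unchanged context: the memo lists several authors, so the heading should read "Authors' Addresses" rather than "Author's Addresses".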
 End of changes. 10 change blocks. 
18 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/