draft-ietf-kitten-gss-loop-03.txt vs. draft-ietf-kitten-gss-loop-04.txt (rfcdiff, both columns merged below; where the two versions differ, the -03 and -04 text are marked)

Network Working Group                                          B. Kaduk
Internet-Draft                                                      MIT
Intended status: Informational      December 31, 2014 (-03) / January 4, 2015 (-04)
Expires:                            July 4, 2015 (-03) / July 8, 2015 (-04)

Structure of the GSS Negotiation Loop
draft-ietf-kitten-gss-loop-03 / draft-ietf-kitten-gss-loop-04
Abstract

This document specifies the generic structure of the negotiation loop
to establish a GSS security context between initiator and acceptor.
The control flow of the loop is indicated for both parties, including
error conditions, and indications are given for where
application-specific behavior must be specified.
Status of This Memo

[skipping to change at page 1, line 34]
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 4, 2015 (-03) / July 8, 2015 (-04).
Copyright Notice

Copyright (c) 2014 (-03) / 2015 (-04) IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
[skipping to change at page 2, line 24]
   3.5.  GSS_Accept_sec_context . . . . . . . . . . . . . . . . .   7
   3.6.  Sending from Acceptor to Initiator . . . . . . . . . . .   8
   3.7.  Initiator input validation . . . . . . . . . . . . . . .   8
   3.8.  Continue the Loop  . . . . . . . . . . . . . . . . . . .   9
4.  After Security Context Negotiation  . . . . . . . . . . . . .   9
   4.1.  Authorization Checks . . . . . . . . . . . . . . . . . .  10
   4.2.  Using Partially Complete Security Contexts . . . . . . .  10
   4.3.  Additional Context Tokens  . . . . . . . . . . . . . . .  10
5.  Sample Code . . . . . . . . . . . . . . . . . . . . . . . . .  11
   5.1.  GSS Application Sample Code  . . . . . . . . . . . . . .  12
6.  IANA Considerations (new in -04)  . . . . . . . . . . . . . .  18
7.  Security Considerations (section 6 in -03)  . . . . . . . . .  18
8.  References (section 7 in -03) . . . . . . . . . . . . . . . .  19
   8.1.  Normative References (7.1 in -03)  . . . . . . . . . . .  19
   8.2.  Informational References (7.2 in -03)  . . . . . . . . .  19
Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  20
Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  20
1. Introduction

The Generic Security Service Application Program Interface version 2
[RFC2743] provides a generic interface for security services, in the
form of an abstraction layer over the underlying security mechanisms
that an application may use. A GSS initiator and acceptor exchange
messages, called tokens, until a security context is established.
[skipping to change at page 11, line 18]
normal security context tokens and processed by
GSS_Init_sec_context() or GSS_Accept_sec_context(), as appropriate.
With the GSS-API version 2, it is not recommended to use security
context deletion tokens, so error tokens are expected to be the most
common form of additional context token for new application
protocols.
GSS_Process_context_token() may indicate an error in its major_status
field if an error is encountered locally during token processing, or
to indicate that an error was encountered on the peer and conveyed in
an error token. See [RFC2743] Errata #4151. (In -03 this read
"[RFC2743E4151]", a citation of the errata as a separate reference.)
Regardless of the major_status output of GSS_Process_context_token(),
GSS_Inquire_context() should be used after processing the extra
token, to query the status of the security context and whether it can
supply the features necessary for the application protocol.
At present, all tokens which should be handled by
GSS_Process_context_token() will lead to the security context being
effectively unusable. Future extensions to the GSS-API may allow for
applications to continue to function after a call to
GSS_Process_context_token(), and it is expected that the outputs of
GSS_Inquire_context() will indicate whether it is safe to do so.
However, since there are no such extensions at present (error tokens
and deletion tokens both result in the security context being
essentially unusable), there is no guidance to give to applications
[skipping to change at page 18, line 35]
    pid = fork();
    if (pid == 0)
        do_initiator(fd1, fd2, 0);
    else if (pid > 0)
        do_acceptor(fd2, fd1);
    else
        err(1, "fork() failed\n");
    exit(0);
}
6. IANA Considerations (new in -04)

This document makes no request of IANA.

7. Security Considerations (numbered 6 in -03)
This document provides a (reasonably) concise description and example
for correct construction of the GSS-API security context negotiation
loop. Since everything relating to the construction and use of a GSS
security context is security-related, there are security-relevant
considerations throughout the document. It is useful to call out a
few things in this section, though.

The GSS-API uses a request-and-check model for features. An
application using the GSS-API requests certain features
[skipping to change at page 19, line 35 (-03) / line 37 (-04)]
expecting to receive protected octet streams, this macro should not
be used on the result of per-message operations, as it omits checking
for supplementary status values such as GSS_S_DUPLICATE_TOKEN,
GSS_S_OLD_TOKEN, etc. Use of the GSS_ERROR() macro on the results
of GSS-API per-message operations has resulted in security
vulnerabilities in existing software!
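The following is an added illustration, not sample code from the draft: it reproduces the status-code layout of the RFC 2744 C bindings (offsets, masks and the GSS_ERROR() macro) so that it compiles without a GSS-API library, and shows why GSS_ERROR() reports "no error" for a replayed or stale token. The helper per_message_status_ok() is a hypothetical name for the strict check an application should apply to the major_status of GSS_Unwrap() or GSS_VerifyMIC().

```c
/* Added example; constants mirror the RFC 2744 C bindings' status layout.
 * A real application would include <gssapi/gssapi.h> instead. */
#include <stdio.h>

typedef unsigned int OM_uint32;

#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
#define GSS_C_CALLING_ERROR_MASK   0377u
#define GSS_C_ROUTINE_ERROR_MASK   0377u

#define GSS_S_COMPLETE        0u
#define GSS_S_BAD_MIC         (6u << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DUPLICATE_TOKEN (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
#define GSS_S_OLD_TOKEN       (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
#define GSS_S_UNSEQ_TOKEN     (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
#define GSS_S_GAP_TOKEN       (1u << (GSS_C_SUPPLEMENTARY_OFFSET + 4))

/* GSS_ERROR() as defined by RFC 2744: it only tests the calling-error and
 * routine-error bytes, so supplementary bits (bits 0..15) are ignored. */
#define GSS_ERROR(x) ((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
                             (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))

/* Hypothetical helper: the check to apply to a per-message major_status.
 * Only an unqualified GSS_S_COMPLETE is accepted; a duplicate, old,
 * out-of-sequence or gap-preceded token is rejected. */
int per_message_status_ok(OM_uint32 major)
{
    return major == GSS_S_COMPLETE;
}

/* Does the naive GSS_ERROR() test treat this status as success? */
int gss_error_accepts(OM_uint32 major)
{
    return GSS_ERROR(major) == 0;
}

int main(void)
{
    OM_uint32 cases[] = { GSS_S_COMPLETE, GSS_S_DUPLICATE_TOKEN,
                          GSS_S_OLD_TOKEN, GSS_S_BAD_MIC };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("major 0x%08x: GSS_ERROR() accepts=%d, strict check accepts=%d\n",
               cases[i], gss_error_accepts(cases[i]),
               per_message_status_ok(cases[i]));
    return 0;
}
```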
The security considerations from RFCs 2743 and 2744 remain applicable
to consumers of this document.
8. References (section 7 in -03)

8.1. Normative References (7.1 in -03)
[RFC2743] Linn, J., "Generic Security Service Application Program
          Interface Version 2, Update 1", RFC 2743, January 2000.

[RFC2744] Wray, J., "Generic Security Service API Version 2 :
          C-bindings", RFC 2744, January 2000.
8.2. Informational References (7.2 in -03)

[RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
          Extension for the Generic Security Service Application
          Program Interface (GSS-API)", RFC 4401, February 2006.
          (In -03 this entry followed [RFC4462].)

[RFC4462] Hutzelman, J., Salowey, J., Galbraith, J., and V. Welch,
          "Generic Security Service Application Program Interface
          (GSS-API) Authentication and Key Exchange for the Secure
          Shell (SSH) Protocol", RFC 4462, May 2006.
[RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
          and R. Hall, "Generic Security Service Algorithm for
          Secret Key Transaction Authentication for DNS (GSS-TSIG)",
          RFC 3645, October 2003.

[RFC5801] Josefsson, S. and N. Williams, "Using Generic Security
          Service Application Program Interface (GSS-API) Mechanisms
          in Simple Authentication and Security Layer (SASL): The
          GS2 Mechanism Family", RFC 5801, July 2010.
[skipping to change at page 20, line 31 (-03) / line 32 (-04)]

          4752, November 2006.
[RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol
          Specification", RFC 2203, September 1997.

[RFC6680] Williams, N., Johansson, L., Hartman, S., and S.
          Josefsson, "Generic Security Service Application
          Programming Interface (GSS-API) Naming Extensions", RFC
          6680, August 2012.
[RFC2743E4151]
          Williams, N., "RFC 2743 Errata 4151", November 2014.
          (Present in -03 only; -04 cites the errata inline instead.)
Appendix A. Acknowledgements

Thanks to Nico Williams and Jeff Hutzleman for prompting me to write
this document.

Author's Address

Benjamin Kaduk
MIT Kerberos Consortium
End of changes. 12 change blocks. 25 lines changed or deleted, 27 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/