MIDCOM Working Group                                          C. Aoun
Internet Draft                                        Nortel Networks
Category: Informational                                     June 2002
Expires on December 2002


        Potential solution for authorization token authentication


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document describes a potential solution that could be used to
   authenticate authorization tokens used in the context of Middle Box
   discovery and control.

Table of Contents

   1. Introduction..................................................2
   2. Conventions used in this document.............................2
   3. Used terminology and acronyms.................................2
   4. Used concepts.................................................3
   5. Practical example in a small network..........................4
   6. Security Considerations.......................................7
   7. Conclusion....................................................7
   8. References....................................................8
   9. Author's Address..............................................8
   10. Intellectual Property Statement..............................8
   11. Full Copyright Statement.....................................9

Aoun                   Informational       Expires - January 2003 [Page 1]

1. Introduction

   This document describes a potential solution that could be used to
   authenticate authorization tokens used in the context of Middle Box
   discovery and control.

   [Caoun] and [Caoun2] discuss proposals that will allow Midcom agents,
   as defined in [MDCMFW], to locate and communicate with Middle Boxes
   deployed on the media path between application endpoints.

   One of the major security issues in [Caoun] and [Caoun2] is how to
   authenticate the authorization tokens sent by the Discovery Client or
   Combo Client without having any prior relation with the end points
   hosting these functions. This draft tries to answer this issue.

   The model is primarily inspired by the GSM network authentication
   model; an analogy can also be found with Kerberos [Kerberos].

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119.

3. Used terminology and acronyms

   MB: Middle Box - refer to the terminology used in [FRMWRK]

   MA: Midcom Agent - refer to the terminology used in [FRMWRK]

   AC: Application Client

   AS: Application Server - In this document the term covers the
       application server function as well as its host.

   AP: Application Proxy

   DC: Discovery Client - Entity responsible for sending/receiving
       discovery messages

   DN: Discovery Node - Function that sits in a Middle Box and updates
       a discovery message.

   CC: Combo Client - Entity responsible for sending/receiving combo
       protocol messages

   CN: Combo Node - Function that sits in a Middle Box and updates (and
       replies to) combo protocol messages.

   AH: Application Host - Computing platform hosting an application

4. Used concepts

   The authorization framework that allows MAs to request policy rules
   in the combo model ([Caoun2]) or to discover the MBs (as discussed in
   [Caoun]) is based on [LHamer].

   The authorization token has two parts. One part is sent in the clear
   and signed; it provides the contact information of the authorizing
   entity (the Application Policy Server). The other part is encrypted
   with a temporary session key created or allocated by the Application
   Policy Server. The encrypted part of the token includes the discovery
   request when used as in [Caoun], or the policy rule request/discovery
   when used as in [Caoun2].

   Upon request for an application session, the AH requests its AP to
   find the remote end AH contact information; the AP then requests the
   Policy Server (PS) to check for application specific policies
   (subscriber services etc.) and at the same time to provide an
   authorization token specific to this application session. Once the
   PS has generated the authorization token, it sends it to the AP,
   which in turn sends it through the application protocol.

   When the CC hosted on the AH sends the discovery message or the combo
   protocol message, it includes the token in it. The token can't be
   modified or replaced by the AH, as the MB's policy server will query
   the authorizing policy server:

   - When an MB is traversed by the message, it extracts the
     authorization token and queries the authorizing policy server
     (either directly or through its own policy server). As there is an
     existing relation between the application server policy domain and
     the MB policy domain, the MB policy server should already have a
     security association with the authorizing policy server; therefore
     the MB's policy server can securely request the authorizing policy
     server to provide the temporary key used to encrypt the token. The
     same key is used to update the token and to re-encrypt (and sign)
     it when required.
   As there is an interaction with an AH that is in a different policy
   domain, the remote AH application policy server will need to provide
   an authorization token to be used with the remote end MB policy
   server.

5. Practical example in a small network

   +--Foo.com-----------------+           +--Bar.com-----------+
   |  +++++             DMZ   |           |  DMZ        +++++  |
   |  +MA1+-     MB1          |           |      MB4   +MA2+   |
   |  +AC +      PS1          |  The NET  |      PS2   +AC +   |
   |  +CC +      MB2          |           |      MB5   +CC +   |
   |  +++++      AP1          |           |      AP2   +++++   |
   |   AH1       MB3          |           |      MB6    AH2    |
   +--------------------------+           +--------------------+

   In this example, for simplicity, the application and the MBs share
   the same policy server in each of the foo.com and bar.com policy
   domains. MB1 and MB5 apply NAT and packet filtering on the traversed
   packet stream. Discovery model A concepts are used, without the edge
   MB concept.

   The message sequences shown are similar to those found in [Caoun2]
   when the combo model is used, with the addition of the token exchange
   messages and the temporary session key requests.
   AC1/CC1    MB1    AP1    PS1    PS2    AP2    MB5    AC2/CC2

   1-  App session request
       ------------------>
   2-  App session remote end information
       ------------------------>
   3-  Remote end contact information (CC2 contact info)
       <------------------------
   4-  Token request (local AH information, remote AH information)
       ------->
   5-  Token_request (remote end contact information_ack)
       ------>
   6-  Request_session_match (remote end contact information)
       ----->
   7-  Session_match_ack
       <-------
   8-  Token_ack (CC2Token)
       <-------
   9-  Token_ack (CC1Token, CC2Token)
       <------
   10- Token_ack
       ------>
   11- App_session_ack (CC1Token, CC2Token)
       <-------------------
   12- App_session_ack
       -------------------->
   13- Combo_resrcreqst (CC1Token, CC2Token, CC2)
       --------->

   AC1/CC1   MB/CN1   AP1   PS1   PS2   AP2   MB/CN5   AC2/CC2

   14- Policy_check (CC1Token, CC2Token)
       --------------->
   15- Policy_check (valid_request, CC1Token_tempkey)
       <--------------
   16- Combo_resrcreqst (CC1Token, CC2Token, CC2,
                         {CN1, NAT, updated stream information})
       --------------------------------------->
   17- Policy_check (CC1Token, CC2Token)
       <--------------
   18- Tempsession_keyreqst (CC1Token)
       <-----
   19- Tempsession_keyreqst (CC1Token, tempkey)
       ------->
   20- Policy_check (valid_request, CC1Token_tempkey)
       ------------>
   21- Combo_resrcreqst (CC1Token, CC2Token, CC2,
                         {CN1, NAT, updated stream information})
       ------------->
   22- Combo_resrcreqst_returnpath (CC1Token, CC2Token, CC2,
         {Combo_resrcreqst(CC1Token, CC2Token, CC2,
                           {CN1, NAT, updated stream information})})
       <-----------
   23- Policy_check (CC1Token, CC2Token)
       <--------------
   24- Policy_check (valid_request, CC2Token_tempkey)
       ------------->
   25- Combo_resrcreqst_returnpath (CC1Token, CC2Token, CC2,
         {CN7, NAT, updated stream information},
         {Combo_resrcreqst(CC1Token, CC2Token, CC2,
                           {CN3, NAT, updated stream information})})
       <--------------------------------
   26- Policy_check (CC1Token, CC2Token)
       -------------->
   27- Tempsession_keyreqst (CC1Token)
       ------>
   28- Tempsession_keyreqst (CC2Token, tempkey)
       <-------
   29- Policy_check (valid_request, CC2Token_tempkey)
       <--------------
   30- Combo_resrcreqst_returnpath (CC1Token, CC2Token, CC2,
         {CN7, NAT, updated stream information},
         {Combo_resrcreqst(CC1Token, CC2Token, CC2,
                           {CN3, NAT, updated stream information})})
       <---

   Each time an MB is traversed by a combo protocol message, it analyses
   the associated authorization token, looks up the authorizing policy
   server, and sends a query to its own policy server to get in touch
   with the authorizing policy server. The local MB policy server gets
   an answer from the authorizing policy server and sees whether the AH
   is authorized to request policy rule installation. In the example
   this is the case in messages 14 and 15, and 23 and 24. The local
   policy server also provides the key used to decrypt the token, which
   allows the MB to re-encrypt the token after updating it if required.

6. Security Considerations

   This draft proposes one of the fixes to the security issues by
   providing means to keep the AH completely in the dark and prevent it
   from modifying the token.

   One of the current assumptions of the draft is that the MB policy
   servers have a pre-established security association with the
   Application Policy Server authorizing the application traversal. The
   pre-established security association could use pre-shared keys or
   PKI. The next version of the draft will discuss the various
   scenarios to establish these associations.

7. Conclusion

   The draft provides a simple mechanism based on transitive trust to
   secure the authorization token and prevent the AH from modifying it.
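   The token handling described in sections 4 and 5, as an added Python
   example that is not part of this draft: a clear part naming the
   authorizing policy server and signed by it, an encrypted part under a
   temporary session key, and an MB that obtains that key through its
   own policy server's security association (messages 14-15, 18-19 and
   23-24, 27-28) before appending its {CN, NAT, updated stream
   information} update and re-encrypting. The names PolicyServer,
   MiddleBox, issue_token, policy_check, temp_session_key_request and
   traverse are assumptions, as are the HMAC-SHA256 counter-mode
   keystream standing in for a real cipher, the encrypt-then-MAC tag on
   the encrypted part, and the HMAC under the policy server's own key
   standing in for the signature; the draft specifies none of these.
   The sample addresses and NAT bindings are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key, nonce, data):
    # Counter-mode keystream from HMAC-SHA256: an assumed stand-in for a real cipher.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(tempkey, payload):
    # Encrypted part of the token: encrypt under the temp session key, then MAC it.
    nonce = secrets.token_bytes(16)
    enc = _keystream_xor(tempkey, nonce, json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(tempkey, nonce + enc, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "enc": enc.hex(), "tag": tag.hex()}


def _open(tempkey, sealed):
    # Decrypt the encrypted part; None if the tag does not verify (tampering).
    nonce, enc = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["enc"])
    tag = hmac.new(tempkey, nonce + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(sealed["tag"])):
        return None
    return json.loads(_keystream_xor(tempkey, nonce, enc))


def _sign(key, clear):
    return hmac.new(key, json.dumps(clear, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class PolicyServer:  # PS1/PS2: application PS and, in this example, also MB PS of its domain
    def __init__(self, name):
        self.name = name
        self.signing_key = secrets.token_bytes(32)  # signs the clear part of tokens
        self.session_keys = {}  # token_id -> temporary session key
        self.peers = {}         # name -> PS with a pre-established security association

    def establish_sa(self, other):
        self.peers[other.name] = other
        other.peers[self.name] = self

    def issue_token(self, request):
        # Messages 4-9: clear part says who authorized; the request itself is encrypted.
        token_id = secrets.token_hex(8)
        self.session_keys[token_id] = tempkey = secrets.token_bytes(32)
        clear = {"token_id": token_id, "authorizing_ps": self.name}
        return {"clear": clear, "sig": _sign(self.signing_key, clear),
                "sealed": _seal(tempkey, request)}

    def temp_session_key_request(self, requester, clear, sig):
        # Messages 18-19 / 27-28: release the temp key only to a PS that holds an SA
        # with us (or to ourselves), and only if our signature on the clear part holds.
        if requester is not self and requester.name not in self.peers:
            return None
        if not hmac.compare_digest(_sign(self.signing_key, clear), sig):
            return None
        return self.session_keys.get(clear["token_id"])

    def policy_check(self, token):
        # Messages 14-15 / 23-24: resolve the authorizing PS named in the clear part.
        ps_name = token["clear"]["authorizing_ps"]
        authorizing = self if ps_name == self.name else self.peers.get(ps_name)
        if authorizing is None:
            return None
        return authorizing.temp_session_key_request(self, token["clear"], token["sig"])


class MiddleBox:  # MB/CN: validates the token via its PS, appends its update, re-encrypts
    def __init__(self, name, policy_server):
        self.name, self.ps = name, policy_server

    def traverse(self, token, update):
        tempkey = self.ps.policy_check(token)
        if tempkey is None:
            return None  # AH not authorized or clear part altered: drop the request
        payload = _open(tempkey, token["sealed"])
        if payload is None:
            return None  # encrypted part altered by the AH: drop the request
        payload.setdefault("updates", []).append({"cn": self.name, **update})
        return {**token, "sealed": _seal(tempkey, payload)}


def run_example():
    # foo.com (PS1, CN1) and bar.com (PS2, CN5) with a pre-established SA; constructed data.
    ps1, ps2 = PolicyServer("PS1"), PolicyServer("PS2")
    ps1.establish_sa(ps2)
    cn1, cn5 = MiddleBox("CN1", ps1), MiddleBox("CN5", ps2)
    cc1_token = ps1.issue_token({"request": "Combo_resrcreqst", "cc2": "cc2@bar.com"})
    tok = cn1.traverse(cc1_token, {"nat": "10.0.0.5:4000 -> 203.0.113.1:40000"})
    tok = cn5.traverse(tok, {"nat": "203.0.113.1:40000 -> 198.51.100.7:5000"})
    final = _open(ps1.session_keys[cc1_token["clear"]["token_id"]], tok["sealed"])
    # AH re-points the clear part at another PS: the signature no longer verifies.
    forged = {**cc1_token, "clear": {**cc1_token["clear"], "authorizing_ps": "PS2"}}
    # AH flips a byte of the encrypted part: the tag no longer verifies.
    enc = bytearray(bytes.fromhex(cc1_token["sealed"]["enc"]))
    enc[0] ^= 0x01
    altered = {**cc1_token, "sealed": {**cc1_token["sealed"], "enc": enc.hex()}}
    return final, cn5.traverse(forged, {}), cn1.traverse(altered, {})
```

   run_example() returns the payload as decrypted by PS1 after both
   CN1 and CN5 have appended their updates, followed by the result of
   the two tampering attempts, both None. The point it makes beyond the
   prose is where the trust actually sits: CN5 never holds a key of its
   own for CC1's token, it only ever receives the temporary session key
   from PS2, which in turn receives it from PS1 over the pre-established
   association, so an AH that edits either part of the token gets its
   request dropped at the first MB.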
8. References

   [Caoun]    C. Aoun, L-N. Hamer, "Potential Solutions to the Middle
              Box discovery problem", draft-aoun-midcom-discovery-01.txt,
              work in progress.

   [Caoun2]   C. Aoun, "Middle Box discovery integration solutions
              within the Midcom architecture",
              draft-aoun-middlebox-discovery-comparison-00.txt, work in
              progress.

   [FRMWRK]   P. Srisuresh et al., "MIDCOM Architecture & Framework",
              Internet-Draft, draft-ietf-midcom-framework-07.txt.

   [Kerberos] J. Kohl, C. Neuman, "The Kerberos Network Authentication
              Service (V5)", RFC 1510, September 1993.

   [LHamer]   L-N. Hamer, B. Gage, "Framework for session setup with
              media authorization", Internet-Draft,
              draft-hamer-rap-session-auth-03.txt, February 2002.

9. Author's Address

   Cedric Aoun
   Nortel Networks
   FRANCE
   Email: cedric.aoun@nortelnetworks.com

10. Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in RFC 2026. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

11. Full Copyright Statement

   Copyright (C) The Internet Society (2000). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.