Network Working Group                                   Assar Westerlund
Internet-Draft                                                      SICS
draft-ietf-cat-krb5-tcp-00.txt                          Johan Danielsson
November, 1997                                                  PDC, KTH
Expires in six months


                            Kerberos over TCP


Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.  Please send comments to the
   mailing list.

Abstract

   This document specifies how a client and a KDC communicate using
   Kerberos [RFC1510] with TCP as the transport protocol.

Specification

   This draft specifies an extension to section 8.2.1 of RFC1510.

   A Kerberos server MAY accept requests on TCP port 88 (decimal).
   The data sent from the client to the KDC should consist of 4 bytes
   containing the length, in network byte order, of the Kerberos
   request, followed by the request (AS-REQ or TGS-REQ) itself.  The
   reply from the KDC should consist of the length of the reply packet
   (4 bytes, network byte order) followed by the packet itself (AS-REP,
   TGS-REP, or KRB-ERROR).

   C->S: Open connection to TCP port 88 at the server
   C->S: length of request
   C->S: AS-REQ or TGS-REQ
   S->C: length of reply
   S->C: AS-REP, TGS-REP, or KRB-ERROR

Discussion

   Even though the preferred way of sending Kerberos packets is over
   UDP, there are several occasions when it is more practical to use
   TCP.

   Mainly, it is usually much less cumbersome to get TCP through
   firewalls than UDP.

   In theory, there is no need for explicit length fields, since that
   information is already encoded in the ASN.1 encoding of the Kerberos
   packets.  Having explicit lengths, however, makes it unnecessary to
   decode the ASN.1 just to know how much data has to be read.

   Another way of signaling the end of the request or the reply would
   be to do a half-close after the request and a full-close after the
   reply.  This does not work well with all kinds of firewalls.

Security considerations

   This memo does not introduce any known security considerations in
   addition to those mentioned in [RFC1510].

References

   [RFC1510]  Kohl, J. and Neuman, C., "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

Authors' Addresses

   Assar Westerlund
   Swedish Institute of Computer Science
   Box 1263
   S-164 29 KISTA
   Sweden

   Phone: +46-8-7521526
   Fax:   +46-8-7517230
   EMail: assar@sics.se

   Johan Danielsson
   PDC, KTH
   S-100 44 STOCKHOLM
   Sweden

   Phone: +46-8-7907885
   Fax:   +46-8-247784
   EMail: joda@pdc.kth.se
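The following is an added example, not part of the draft and not code from
either author.  It implements the length-prefixed exchange from the
Specification section (4-byte network-byte-order length, then the message,
in both directions) and also shows the point made in the Discussion: what a
reader would otherwise have to do, namely decode the outer ASN.1 DER tag and
length to learn how much to read.  Two details are assumptions of the
example rather than text from the draft: the exchange runs over a local
socketpair instead of TCP port 88, and the reader enforces an upper bound
(MAX_KRB_MSG) on the declared length before allocating, since the draft puts
no bound on the 4-byte field and a reader that trusts it blindly can be made
to allocate up to 4 GiB per connection.  The payloads are constructed
placeholders, not real DER-encoded AS-REQ or AS-REP messages.

```python
"""Length-prefixed Kerberos framing over TCP (added example, not from the draft)."""
import socket
import struct
import threading

# Assumption of this example: the draft gives no maximum, so we pick one and
# check the declared length against it before reading the body.
MAX_KRB_MSG = 64 * 1024


class FramingError(Exception):
    """Raised when a peer violates the length-prefix framing."""


def frame(msg: bytes) -> bytes:
    """Prepend the 4-byte, network-byte-order length the draft requires."""
    if not 0 < len(msg) <= 0xFFFFFFFF:
        raise FramingError("message length %d not representable" % len(msg))
    return struct.pack("!I", len(msg)) + msg


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver a frame in any number of pieces."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise FramingError("peer closed after %d of %d bytes" % (len(buf), n))
        buf.extend(chunk)
    return bytes(buf)


def read_frame(sock: socket.socket, limit: int = MAX_KRB_MSG) -> bytes:
    """Read one length-prefixed message, rejecting absurd lengths before allocating."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length == 0 or length > limit:
        raise FramingError("declared length %d outside 1..%d" % (length, limit))
    return recv_exact(sock, length)


def kdc_serve_one(sock: socket.socket, handler) -> None:
    """Server side: C->S length + request, then S->C length + reply."""
    request = read_frame(sock)
    sock.sendall(frame(handler(request)))


def kdc_exchange(sock: socket.socket, request: bytes) -> bytes:
    """Client side of the same exchange."""
    sock.sendall(frame(request))
    return read_frame(sock)


def demo_exchange(request: bytes, handler) -> bytes:
    """Run client and server over a local socketpair instead of TCP port 88."""
    client, server = socket.socketpair()
    with client, server:
        t = threading.Thread(target=kdc_serve_one, args=(server, handler))
        t.start()
        reply = kdc_exchange(client, request)
        t.join()
    return reply


def framing_rejects(raw: bytes) -> bool:
    """Feed raw bytes followed by EOF to read_frame; True if it refuses them."""
    writer, reader = socket.socketpair()
    with writer, reader:
        writer.sendall(raw)
        writer.shutdown(socket.SHUT_WR)   # EOF for the reader, as a dropped peer would cause
        try:
            read_frame(reader)
        except FramingError:
            return True
        return False


def der_total_length(head: bytes) -> int:
    """Without the prefix a reader must decode the outer DER tag and length
    (X.690) of the Kerberos message to learn the total size.  Kerberos uses
    single-byte APPLICATION tags, which is all this handles."""
    if len(head) < 2:
        raise FramingError("need at least the tag and one length byte")
    first = head[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(head) < 2 + n:
        raise FramingError("indefinite, oversized or truncated DER length")
    return 2 + n + int.from_bytes(head[2:2 + n], "big")


if __name__ == "__main__":
    # Constructed placeholder payloads; not real DER-encoded AS-REQ/AS-REP.
    print(demo_exchange(b"AS-REQ placeholder", lambda req: b"AS-REP for " + req))
    print(framing_rejects(b"\xff\xff\xff\xff"))   # a claimed 4 GiB body is refused
```

The bound in read_frame is the check a practitioner would add on top of the
draft text: the decision is made on four bytes, before any buffer is sized
from the peer's number.  der_total_length illustrates why the draft prefers
an explicit prefix: with only the ASN.1 encoding available, the reader has to
parse a variable-length DER header before it even knows how many bytes to
wait for.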