idnits 2.17.1 draft-ietf-krb-wg-kerberos-referrals-01.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 659 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2001) is 8315 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '1' on line 424 looks like a reference -- Missing reference section? '2' on line 47 looks like a reference -- Missing reference section? '3' on line 51 looks like a reference -- Missing reference section? '0' on line 423 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group M. Swift 3 Internet Draft University of WA 4 Document: draft-ietf-krb-wg-kerberos-referrals-01.txt J. Brezak 5 Category: Standards Track Microsoft 6 J. Trostle 7 Cisco Systems 8 July 2001 10 Generating KDC Referrals to locate Kerberos realms 12 Status of this Memo 14 This document is an Internet-Draft and is in full conformance with 15 all provisions of Section 10 of RFC2026 [1]. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. Internet-Drafts are draft documents valid for a maximum of 21 six months and may be updated, replaced, or obsoleted by other 22 documents at any time. It is inappropriate to use Internet- Drafts 23 as reference material or to cite them other than as "work in 24 progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 1. Abstract 33 The draft documents a new method for a Kerberos Key Distribution 34 Center (KDC) to respond to client requests for kerberos tickets when 35 the client does not have detailed configuration information on the 36 realms of users or services. The KDC will handle requests for 37 principals in other realms by returning either a referral error or a 38 cross-realm TGT to another realm on the referral path. The clients 39 will use this referral information to reach the realm of the target 40 principal and then receive the ticket. 42 2. Conventions used in this document 44 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 45 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 46 this document are to be interpreted as described in RFC-2119 [2]. 48 3. Introduction 50 Current implementations of the Kerberos AS and TGS protocols, as 51 defined in RFC 1510 [3], use principal names constructed from a 52 known user or service name and realm. A service name is typically 54 Swift Category - Standards Track 1 56 KDC Referrals February 2001 58 constructed from a name of the service and the DNS host name of the 59 computer that is providing the service. Many existing deployments of 60 Kerberos use a single Kerberos realm where all users and services 61 would be using the same realm. However in an environment where there 62 are multiple trusted Kerberos realms, the client needs to be able to 63 determine what realm a particular user or service is in before 64 making an AS or TGS request. Traditionally this requires client 65 configuration to make this possible. 67 When having to deal with multiple trusted realms, users are forced 68 to know what realm they are in before they can obtain a ticket 69 granting ticket (TGT) with an AS request. However, in many cases the 70 user would like to use a more familiar name that is not directly 71 related to the realm of their Kerberos principal name. A good 72 example of this is an RFC-822 style email name. This document 73 describes a mechanism that would allow a user to specify a user 74 principal name that is an alias for the user's Kerberos principal 75 name. In practice this would be the name that the user specifies to 76 obtain a TGT from a Kerberos KDC. The user principal name no longer 77 has a direct relationship with the Kerberos principal or realm. Thus 78 the administrator is able to move the user's principal to other 79 realms without the user having to know that it happened. 81 Once a user has a TGT, they would like to be able to access services 82 in any trusted Kerberos realm. To do this requires that the client 83 be able to determine what realm the target service's host is in 84 before making the TGS request. Current implementations of Kerberos 85 typically have a table that maps DNS host names to corresponding 86 Kerberos realms. In order for this to work on the client, each 87 application canonicalizes the host name of the service by doing a 88 DNS lookup followed by a reverse lookup using the returned IP 89 address. The returned primary host name is then used in the 90 construction of the principal name for the target service. In order 91 for the correct realm to be added for the target host, the mapping 92 table [domain_to_realm] is consulted for the realm corresponding to 93 the DNS host name. The corresponding realm is then used to complete 94 the target service principal name. 96 This traditional mechanism requires that each client have very 97 detailed configuration information about the hosts that are 98 providing services and their corresponding realms. Having client 99 side configuration information can be very costly from an 100 administration point of view - especially if there are many realms 101 and computers in the environment. 103 There are also cases where specific DNS aliases (local names) have 104 been setup in an organization to refer to a server in another 105 organization (remote server). The server has different DNS names in 106 each organization and each organization has a Kerberos realm that is 107 configured to service DNS names within that organization. Ideally 108 users are able to authenticate to the server in the other 109 organization using the local server name. This would mean that the 110 local realm be able to produce a ticket to the remote server under 112 Swift Category - Standards Track 2 114 KDC Referrals February 2001 116 its name. You could give that remote server an identity in the local 117 realm and then have that remote server maintain a separate secret 118 for each alias it is known as. Alternatively you could arrange to 119 have the local realm issue a referral to the remote realm and notify 120 the requesting client of the server's remote name that should be 121 used in order to request a ticket. 123 This draft proposes a solution for these problems and simplifies 124 administration by minimizing the configuration information needed on 125 each computer using Kerberos. Specifically it describes a mechanism 126 to allow the KDC to handle Canonicalization of names, provide for 127 principal aliases for users and services and provide a mechanism for 128 the KDC to determine the trusted realm authentication path by being 129 able to generate referrals to other realms in order to locate 130 principals. 132 To rectify these problems, this draft introduces three new kinds of 133 KDC referrals: 135 1. AS ticket referrals, in which the client doesn't know which realm 136 contains a user account. 137 2. TGS ticket referrals, in which the client doesn't know which 138 realm contains a server account. 139 3. Cross realm shortcut referrals, in which the KDC chooses the next 140 path on a referral chain 142 4. Realm Organization Model 144 This draft assumes that the world of principals is arranged on 145 multiple levels: the realm, the enterprise, and the world. A KDC may 146 issue tickets for any principal in its realm or cross-realm tickets 147 for realms with which it has a direct trust relationship. The KDC 148 also has access to a trusted name service that can resolve any name 149 from within its enterprise into a realm. This trusted name service 150 removes the need to use an untrusted DNS lookup for name resolution. 152 For example, consider the following configuration, where lines 153 indicate trust relationships: 155 MS.COM 156 / \ 157 / \ 158 OFFICE.MS.COM NT.MS.COM 160 In this configuration, all users in the MS.COM enterprise could have 161 a principal name such as alice@MS.COM, with the same realm portion. 162 In addition, servers at MS.COM should be able to have DNS host names 163 from any DNS domain independent of what Kerberos realm their 164 principal resides in. 166 5. Client Principal Names 168 Swift Category - Standards Track 3 170 KDC Referrals February 2001 172 A client account may have multiple principal names. More useful, 173 though, is a globally unique name that allows unification of email 174 and security principal names. For example, all users at MS may have 175 a client principal name of the form "joe@MS.COM" even though the 176 principals are contained in multiple realms. This global name is 177 again an alias for the true client principal name, which indicates 178 what realm contains the principal. Thus, accounts "alice" in the 179 realm ntdev.MS.COM and "bob" in office.MS.COM may logon as 180 "alice@MS.COM" and "bob@MS.COM". 182 This utilizes a new client principal name type, as the AS-REQ 183 message only contains a single realm field, and the realm portion of 184 this name doesn't correspond to any Kerberos realm. Thus, the entire 185 name "alice@MS.COM" is transmitted in the client name field of the 186 AS-REQ message, with a name type of KRB-NT-ENTERPRISE-PRINCIPAL. 188 KRB-NT-ENTERPRISE-PRINCIPAL 10 190 The KDC will recognize this name type and then transform the 191 requested name into the true principal name. The true principal name 192 can be using a name type different from the requested name type. 194 6. Requesting a referral 196 In order to request referrals, the Kerberos client must explicitly 197 request the canonicalize KDC option (bit 15) in the KDC options for 198 the TGS-REQ. This flag indicates to the KDC that the client is 199 prepared to receive a reply that is a cross-realm TGT. Thus, the 200 KDCOptions types is redefined as: 202 KDCOptions ::= BIT STRING { 203 reserved(0), 204 forwardable(1), 205 forwarded(2), 206 proxiable(3), 207 proxy(4), 208 allow-postdate(5), 209 postdated(6), 210 unused7(7), 211 renewable(8), 212 unused9(9), 213 unused10(10), 214 unused11(11), 215 canonicalize(15), 216 renewable-ok(27), 217 enc-tkt-in-skey(28), 218 renew(30), 219 validate(31) 220 } 222 6.1 Client Referrals 224 Swift Category - Standards Track 4 226 KDC Referrals February 2001 228 The simplest form of ticket referral is for a user requesting a 229 ticket using an AS-REQ. In this case, the client machine will send 230 the AS request to a convenient trusted realm, either the realm of 231 the client machine or the realm of the client name. In the case of 232 the name Alice@MS.COM, the client may optimistically choose to send 233 the request to MS.COM. 235 The client will send the string "alice@MS.COM" in the client 236 principal name field using the KRB-NT-ENTERPRISE-PRINCIPAL name type 237 with the crealm set to MS.COM. The KDC will try to lookup the name 238 in its local account database. If the account is present in the 239 realm of the request, it MUST return a KDC reply structure with the 240 appropriate ticket. If the account is not present in the realm 241 specified in the request and the canonicalize flag in the KDCoptions 242 is set, the KDC will try to lookup the entire name, Alice@MS.COM, 243 using a name service. If this lookup is unsuccessful, it MUST return 244 the error KDC_ERR_C_PRINCIPAL_UNKNOWN. If the lookup is successful, 245 it MUST return an error KDC_ERR_WRONG_REALM (0x44) and in the error 246 message the cname and crealm field will contain the client name and 247 the true realm of the client. If the KDC contains the account 248 locally, it MUST return a normal ticket. The client name and realm 249 portions of the ticket and KDC reply message MUST be the client's 250 true name in the realm, not the globally unique name. 252 If the client receives a KDC_ERR_WRONG_REALM error, it will issue a 253 new AS request with the same client principal name used to generate 254 the first referral to the realm specified by the realm field of the 255 kerberos error message from the first request. This request MUST 256 produce a valid AS response with a ticket for the canonical user 257 name. The ticket MUST also include the ticket extension containing 258 the TE-REFERRAL-DATA with the referred-names set to the name from 259 the AS request. Any other error or referral will terminate the 260 request and result in a failed AS request. 262 [Discussion: Can a PA-REFERRAL-DATA be used instead of a ticket 263 extension?] 265 6.2 Server Referrals 267 The server referral mechanism is a bit more complex than the client 268 referral mechanism. The primary problem is that the KDC must return 269 a referral ticket rather than an error message. There needs to be a 270 place to include in the TGS response information about what realm 271 contains the service. This is done by returning information about 272 the server name in the pre-auth data field of the KDC reply. 274 If the KDC resolves the server principal name into a principal in 275 its realm, it will return a normal ticket. If the canonicalize flag 276 in the KDCoptions is not set, then the KDC MUST only look up the 277 name as a normal principal name. 279 If the canonicalize flag in the KDCoptions is set and the KDC 280 doesn't find the principal locally, the KDC can return a cross-realm 282 Swift Category - Standards Track 5 284 KDC Referrals February 2001 286 ticket granting ticket to the next hop on the trust path towards a 287 realm that may be able to resolve the principal name. 289 If the KDC can determine the service principal's realm, it SHOULD 290 return the server realm as ticket extension data. The ticket 291 extension MUST be encrypted using the session key from the ticket, 292 and the same etype as is used to protect the TGS reply body. 294 [Discussion: Can preauth data be used instead of a ticket-extension 295 for this purpose?] 297 The data itself is an ASN.1 encoded structure containing the 298 server's realm, and if known, canonical principal name. 300 TE-REFERRAL-INFO 20 302 TE-REFERRAL-DATA ::= SEQUENCE { 303 referred-server-realm[0] KERB-REALM 304 referred-name[1] PrincipalName OPTIONAL 305 } 307 In order to facilitate cross-realm interoperability, a client SHOULD 308 NOT send short names in TGS requests to the KDC. A short name is 309 defined as a Kerberos name that includes a DNS name that is not 310 fully qualified. The client MAY use forward DNS lookups to obtain 311 the long name that corresponds to the user entered short name (the 312 short name will be a prefix of the corresponding long name). 314 The client may use the referred-name field to tell if it already has 315 a ticket to the target server in its ticket cache. 317 The client can use this information to request a chain of cross- 318 realm ticket granting tickets until it reaches the realm of the 319 server, and can then expect to receive a valid service ticket. 320 However an implementation should limit the number of referrals that 321 it processes to avoid infinite referral loops. A suggested limit is 322 5 referrals before giving up. 324 7. Cross Realm Routing 326 The current Kerberos protocol requires the client to explicitly 327 request a cross-realm TGT for each pair of realms on a referral 328 chain. As a result, the client need to be aware of the trust 329 hierarchy and of any short-cut trusts (those that aren't parent- 330 child trusts). This requires more configurations on the client. 331 Instead, the client should be able to request a TGT to the target 332 realm from each realm on the route. The KDC will determine the best 333 path for the client and return a cross-realm TGT. The client has to 334 be aware that a request for a cross-realm TGT may return a TGT for a 335 realm different from the one requested. 337 Swift Category - Standards Track 6 339 KDC Referrals February 2001 341 For compatability, the client MUST use the canonicalize KDCoption if 342 it is able to use cross-realm routing from the KDC. 344 8. Security Considerations 346 The original Kerberos specification stated that the server principal 347 name in the KDC reply was the same as the server name in the 348 request. These protocol changes break that assumption, so the client 349 may be vulnerable to a denial of service attack by an attacker that 350 replays replies from previous requests. It can verify that the 351 request was one of its own by checking the client-address field or 352 authtime field, though, so the damage is limited and detectable. 354 For the AS exchange case, it is important that the logon mechanism 355 not trust a name that has not been used to authenticate the user. 356 For example, the name that the user enters as part of a logon 357 exchange may not be the name that the user authenticates as, given 358 that the KDC_ERR_WRONG_REALM error may have been returned. The 359 relevant Kerberos naming information for logon (if any), is the 360 client name and client realm in the service ticket targeted at the 361 workstation that was obtained using the user's initial TGT. 363 How the client name and client realm is mapped into a local account 364 for logon is a local matter, but the client logon mechanism MUST use 365 additional information such as the client realm and/or authorization 366 attributes from the service ticket presented to the workstation by 367 the user, when mapping the logon credentials to a local account on 368 the workstation. 370 9. Discussion 372 This section contains issues and suggestions that need to be 373 incorporated into this draft. From Ken Raeburn [raeburn@mit.edu]: 375 1) No means to do name canonicalization if you're not 376 authenticating. Is it okay to require credentials in order to do 377 canonicalization? If so, how about this: Send a TGS_REQ for the 378 service name you have. If you get back a TGS_REP for a service, 379 great; pull out the name and throw out the credentials. If you 380 get back a TGS_REP for a TGT service, ask again in the specified 381 realm. If you get back a KRB_ERROR because policy prohibits you 382 from authenticating to that service, we can add to the 383 specification that the {realm,sname} in the KRB_ERROR must be the 384 canonical name, and the checksum must be used. As long as the 385 checksum is present, it's still a secure exchange with the KDC. 387 If we have to be able to do name canonicalization without any 388 sort of credentials, either client-side (tickets) or server-side 389 (tickets automatically acquired via service key), I think we just 390 lose. But maybe GSSAPI should be changed if that's the case. 392 There are cases where GSSAPI is not able to know of a canonical 394 Swift Category - Standards Track 7 396 KDC Referrals February 2001 398 name even without the client name canonicalization proposed in 399 this draft. 401 2) Secure canonicalization of service name in AS_REQ. If the 402 response is an AS_REP, we need a way to tell that the altered 403 server name wasn't a result of a MITM attack on the AS_REQ 404 message. Again, the KDC-REP extensible fields could have a new 405 required value added when name canonicalization happens, 406 indicating what the original principal name (in the AS_REQ 407 message) was, and signed using the same key as protects the 408 AS_REP. If it doesn't match what the client requested, the 409 messages were altered in transit. 411 3) Client name needs referral to another realm, and server name 412 needs canonicalization of some sort. The above fixes wouldn't 413 work for this case, and I'm not even sure which KDC should be 414 doing the canonicalization anyways. 416 The other-principal-name datum would probably look something like: 418 PrincipalAndNonce ::= SEQUENCE { 419 name[0] PrincipalName, 420 nonce[1] INTEGER -- copied from KDC_REQ 421 } 422 SignedPrincipal ::= SEQUENCE { 423 name-and-nonce[0] PrincipalAndNonce, 424 cksum[1] Checksum 425 } 426 {PA,TE}-ORIGINAL-SERVER-PRINCIPAL ::= SignedPrincipal 427 {PA,TE}-REMOTE-SERVER-PRINCIPAL ::= SignedPrincipal 429 with the checksum computed over the encoding of the 'name-and-nonce' 430 field, and appropriate PA- or TE- numbers assigned. I don't have a 431 strong opinion on whether it'd be a pa-data or ticket extension; 432 conceptually it seems like an abuse of either, but, well, I think 433 I'd rather abuse them than leave the facility both in and 434 inadequate. 436 The nonce is needed because multiple exchanges may be made with the 437 same key, and these extension fields aren't packed in with the other 438 encrypted data in the same response, so a MITM could pick apart 439 multiple messages and mix-and-match components. (In a TGS_REQ 440 exchange, a subsession key would help, but it's not required.) 442 The extension field would be required to prevent a MITM from 443 discarding the field from a response; a flag bit in a protected part 444 of the message (probably in 'flags' in EncKDCRepPart) could also let 445 us know of a cases where the information can be omitted, namely, 446 when no name change is done. Perhaps the bit should be set to 447 indicate that a name change *was* done, and clear if it wasn't, 448 making the no-change case more directly compatible with RFC1510. 450 Swift Category - Standards Track 8 452 KDC Referrals February 2001 454 10. References 456 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP 457 9, RFC 2026, October 1996. 459 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement 460 Levels", BCP 14, RFC 2119, March 1997 462 3 Kohl, J., Neuman, C., "The Kerberos Network Authentication 463 Service (V5)", RFC 1510, September 1993 465 11. Author's Addresses 467 Michael Swift 468 University of Washington 469 Seattle, Washington 470 Email: mikesw@cs.washington.edu 472 John Brezak 473 Microsoft 474 One Microsoft Way 475 Redmond, Washington 476 Email: jbrezak@Microsoft.com 478 Jonathan Trostle 479 Cisco Systems 480 170 W. Tasman Dr. 481 San Jose, CA 95134 482 Email: jtrostle@cisco.com 484 Swift Category - Standards Track 9 486 KDC Referrals February 2001 488 Full Copyright Statement 490 Copyright (C) The Internet Society (1999). All Rights Reserved. 492 This document and translations of it may be copied and furnished to 493 others, and derivative works that comment on or otherwise explain it 494 or assist in its implementation may be prepared, copied, published 495 and distributed, in whole or in part, without restriction of any 496 kind, provided that the above copyright notice and this paragraph 497 are included on all such copies and derivative works. However, this 498 document itself may not be modified in any way, such as by removing 499 the copyright notice or references to the Internet Society or other 500 Internet organizations, except as needed for the purpose of 501 developing Internet standards in which case the procedures for 502 copyrights defined in the Internet Standards process must be 503 followed, or as required to translate it into languages other than 504 English. 506 The limited permissions granted above are perpetual and will not be 507 revoked by the Internet Society or its successors or assigns. 509 This document and the information contained herein is provided on an 510 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 511 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 512 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 513 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 514 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 516 Swift Category - Standards Track 10