idnits 2.17.1 draft-ietf-oncrpc-rpcsec_gss-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-25) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. ** Bad filename characters: the document name given in the document, 'draft-ietf-oncrpc-rpcsec_gss-02', contains other characters than digits, lowercase letters and dash. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 19 longer pages, the longest (page 2) being 61 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 189 has weird spacing: '...ue_auth cred;...' == Line 190 has weird spacing: '...ue_auth verf;...' == Line 642 has weird spacing: '...r octet lengt...' == Line 777 has weird spacing: '...sed for encry...' == Couldn't figure out when the document was first submitted -- there may comments or warnings related to the use of a disclaimer for pre-RFC5378 work that could not be issued because of this. Please check the Legal Provisions document at https://trustee.ietf.org/license-info to determine if you need the pre-RFC5378 disclaimer. -- The document date (February 1997) is 9931 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 210 == Outdated reference: A later version (-08) exists of draft-ietf-cat-snego-02 -- Possible downref: Non-RFC (?) normative reference: ref. 'Eisler' -- Possible downref: Non-RFC (?) normative reference: ref. 'Jaspan' ** Obsolete normative reference: RFC 2078 (ref. 'Linn') (Obsoleted by RFC 2743) ** Obsolete normative reference: RFC 1831 (ref. 'Srinivasan-rpc') (Obsoleted by RFC 5531) ** Obsolete normative reference: RFC 1832 (ref. 'Srinivasan-xdr') (Obsoleted by RFC 4506) Summary: 12 errors (**), 0 flaws (~~), 8 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 ONC RPC Working Group M. Eisler 2 Internet Draft A. Chiu 3 Document: draft-ietf-oncrpc-rpcsec_gss-02.txt L. Ling 4 February 1997 6 RPCSEC_GSS Protocol Specification 8 Abstract 10 This memo describes an ONC/RPC security flavor that allows RPC 11 protocols to access the Generic Security Services Application 12 Programming Interface (referred to henceforth as GSS-API). 14 Status of this Memo 16 This document is an Internet-Draft. Internet-Drafts are working 17 documents of the Internet Engineering Task Force (IETF), its areas, 18 and its working groups. Note that other groups may also distribute 19 working documents as Internet-Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six 22 months. This Internet-Draft expires in August 1997. Internet-Drafts 23 may be updated, replaced, or obsoleted by other documents at any 24 time. It is not appropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 To learn the current status of any Internet-Draft, please check the 28 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 29 Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 30 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or 31 ftp.isi.edu (US West Coast). 33 Comments on this document should be sent to the IETF ONCRPC Working 34 Group discussion list: 36 oncrpc-wg@sunroof.eng.sun.com 38 Distribution of this memo is unlimited. 40 Table of Contents 42 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 43 2. Review of the RPC Message Protocol . . . . . . . . . . . . . . 2 44 3. Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 5 45 4. New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 5 46 5. Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 6 47 5.1. Version Selection . . . . . . . . . . . . . . . . . . . . . 7 48 5.2. Context Creation . . . . . . . . . . . . . . . . . . . . . . 7 49 5.2.1. Mechanism and QOP Selection . . . . . . . . . . . . . . . 7 50 5.2.2. Context Creation Requests . . . . . . . . . . . . . . . . 8 51 5.2.3. Context Creation Responses . . . . . . . . . . . . . . . . 9 52 5.2.3.1. Context Creation Response - Successful Acceptance . . . 9 53 5.2.3.1.1. Client Processing of Successful Context Creation 54 Responses . . . . . . . . . . . . . . . . . . . . . 10 55 5.2.3.2. Context Creation Response - Unsuccessful Cases . . . . 10 56 5.3. RPC Data Exchange . . . . . . . . . . . . . . . . . . . . 11 57 5.3.1. RPC Request Header . . . . . . . . . . . . . . . . . . . 11 58 5.3.2. RPC Request Data . . . . . . . . . . . . . . . . . . . . 12 59 5.3.2.1. RPC Request Data - No Data Integrity . . . . . . . . . 12 60 5.3.2.2. RPC Request Data - With Data Integrity . . . . . . . . 12 61 5.3.2.3. RPC Request Data - With Data Privacy . . . . . . . . . 13 62 5.3.3. Server Processing of RPC Data Requests . . . . . . . . . 13 63 5.3.3.1. Context Management . . . . . . . . . . . . . . . . . . 13 64 5.3.3.2. Server Reply - Request Accepted . . . . . . . . . . . 14 65 5.3.3.3. Server Reply - Request Denied . . . . . . . . . . . . 15 66 5.3.3.4. Mapping of GSS-API Errors to Server Responses . . . . 16 67 5.3.3.4.1. GSS_GetMIC() Failure . . . . . . . . . . . . . . . . 16 68 5.3.3.4.2. GSS_VerifyMIC() Failure . . . . . . . . . . . . . . 16 69 5.3.3.4.3. GSS_Unwrap() Failure . . . . . . . . . . . . . . . . 17 70 5.3.3.4.4. GSS_Wrap() Failure . . . . . . . . . . . . . . . . . 17 71 5.4. Context Destruction . . . . . . . . . . . . . . . . . . . 17 72 6. Set of GSS-API Mechanisms . . . . . . . . . . . . . . . . . 17 73 7. Security Considerations . . . . . . . . . . . . . . . . . . 18 74 7.1. Privacy of Call Header . . . . . . . . . . . . . . . . . . 18 75 7.2. Sequence Number Attacks . . . . . . . . . . . . . . . . . 18 76 7.2.1. Sequence Numbers Above the Window . . . . . . . . . . . 18 77 7.2.2. Sequence Numbers Within or Below the Window . . . . . . 18 78 7.3. Message Stealing Attacks . . . . . . . . . . . . . . . . . 19 79 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 80 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 81 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . 20 83 1. Introduction 85 This document describes the protocol used by the RPCSEC_GSS security 86 flavor. Security flavors have been called authentication flavors for 87 historical reasons. This memo recognizes that there are two other 88 security services besides authentication, integrity, and privacy, and 89 so defines a new RPCSEC_GSS security flavor. 91 The protocol is described using the XDR language [Srinivasan-xdr]. 92 The reader is assumed to be familiar with ONC RPC and the security 93 flavor mechanism [Srinivasan-rpc]. The reader is also assumed to be 94 familiar with the GSS-API framework [Linn]. The RPCSEC_GSS security 95 flavor uses GSS-API interfaces to provide security services that are 96 independent of the underlying security mechanism. 98 2. Review of the RPC Message Protocol 100 This memo refers to several fields of the RPC protocol. For 101 convenience of reviewers, as this document is in Internet-Draft 102 state, an XDR language description of the RPC message protocol is 103 provided here. 105 /* RPC message type */ 106 enum msg_type { 107 CALL = 0, 108 REPLY = 1 109 }; 111 /* Reply types */ 113 enum reply_stat { 114 MSG_ACCEPTED = 0, 115 MSG_DENIED = 1 116 }; 118 /* Security flavors */ 120 enum auth_flavor { 121 AUTH_NONE = 0, 122 AUTH_SYS = 1, 123 AUTH_SHORT = 2 124 }; 126 /* Status of accepted messages */ 128 enum accept_stat { 129 SUCCESS = 0, 130 PROG_UNAVAIL = 1, 131 PROG_MISMATCH = 2, 132 PROC_UNAVAIL = 3, 133 GARBAGE_ARGS = 4, 134 SYSTEM_ERR = 5 135 }; 137 /* Status of rejected messages */ 139 enum reject_stat { 140 RPC_MISMATCH = 0, 141 AUTH_ERROR = 1 142 }; 144 /* Why authentication failed */ 146 enum auth_stat { 147 AUTH_OK = 0, 149 /* failed at remote end */ 151 AUTH_BADCRED = 1, 152 AUTH_REJECTEDCRED = 2, 153 AUTH_BADVERF = 3, 154 AUTH_REJECTEDVERF = 4, 155 AUTH_TOOWEAK = 5, 157 /* failed locally */ 159 AUTH_INVALIDRESP = 6, 160 AUTH_FAILED = 7 161 }; 163 /* Opaque structure of credential and verifier */ 165 struct opaque_auth { 166 auth_flavor flavor; 167 opaque body<400>; 168 }; 170 /* The RPC message */ 172 struct rpc_msg { 173 unsigned int xid; 174 union switch (msg_type mtype) { 175 case CALL: 176 call_body cbody; 177 case REPLY: 178 reply_body rbody; 179 } body; 180 }; 182 /* Body of RPC call */ 184 struct call_body { 185 unsigned int rpcvers; 186 unsigned int prog; 187 unsigned int vers; 188 unsigned int proc; 189 opaque_auth cred; 190 opaque_auth verf; 192 /* procedure specific parameters start here */ 193 }; 195 /* Body of RPC reply */ 197 union reply_body switch (reply_stat stat) { 198 case MSG_ACCEPTED: 199 accepted_reply areply; 200 case MSG_DENIED: 201 rejected_reply rreply; 202 } reply; 204 /* Accepted reply */ 206 struct accepted_reply { 207 opaque_auth verf; 208 union switch (accept_stat stat) { 209 case SUCCESS: 210 opaque results[0]; 212 /* procedure-specific results start here */ 214 case PROG_MISMATCH: 215 struct { 216 unsigned int low; 217 unsigned int high; 218 } mismatch_info; 220 default: 222 /* 223 * Void. Cases include PROG_UNAVAIL, 224 * PROC_UNAVAIL, GARBAGE_ARGS, and 225 * SYSTEM_ERR. 226 */ 228 void; 229 } reply_data; 230 }; 232 /* Rejected reply */ 234 union rejected_reply switch (reject_stat stat) { 235 case RPC_MISMATCH: 236 struct { 237 unsigned int low; 238 unsigned int high; 239 } mismatch_info; 240 case AUTH_ERROR: 241 auth_stat stat; 242 }; 244 3. Flavor Number Assignment 246 The RPCSEC_GSS security flavor has been assigned the value of 6: 248 enum auth_flavor { 249 ... 250 RPCSEC_GSS = 6 /* RPCSEC_GSS security flavor */ 251 }; 253 4. New auth_stat Values 255 RPCSEC_GSS requires the addition of two new values to the auth_stat 256 enumerated type definition: 258 enum auth_stat { 259 ... 260 /* 261 * RPCSEC_GSS errors 262 */ 263 RPCSEC_GSS_CREDPROBLEM = 13, 264 RPCSEC_GSS_CTXPROBLEM = 14 265 }; 266 The descriptions of these two new values are defined later in this 267 memo. 269 5. Elements of the RPCSEC_GSS Security Protocol 271 An RPC session based on the RPCSEC_GSS security flavor consists of 272 three phases: context creation, RPC data exchange, and context 273 destruction. In the following discussion, protocol elements for 274 these three phases are described. 276 The following description of the RPCSEC_GSS protocol uses some of the 277 definitions within XDR language description of the RPC protocol. 279 Context creation and destruction use control messages that are not 280 dispatched to service procedures registered by an RPC server. The 281 program and version numbers used in these control messages are the 282 same as the RPC service's program and version numbers. The procedure 283 number used is NULLPROC (zero). A field in the credential 284 information (the gss_proc field which is defined in the 285 rpc_gss_cred_t structure below) specifies whether a message is to be 286 interpreted as a control message or a regular RPC message. If this 287 field is set to RPCSEC_GSS_DATA, no control action is implied; in 288 this case, it is a regular data message. If this field is set to any 289 other value, a control action is implied. This is described in the 290 following sections. 292 Just as with normal RPC data exchange messages, the transaction 293 identifier (the xid field in struct rpc_msg), should be set to unique 294 values on each call for context creation and context destruction. 296 The following definitions are used for describing the protocol. 298 /* RPCSEC_GSS control procedures */ 300 enum rpc_gss_proc_t { 301 RPCSEC_GSS_DATA = 0, 302 RPCSEC_GSS_INIT = 1, 303 RPCSEC_GSS_CONTINUE_INIT = 2, 304 RPCSEC_GSS_DESTROY = 3 305 }; 307 /* RPCSEC_GSS services */ 309 enum rpc_gss_service_t { 310 /* Note: the enumerated value for 0 is reserved. */ 311 rpc_gss_svc_none = 1, 312 rpc_gss_svc_integrity = 2, 313 rpc_gss_svc_privacy = 3 314 }; 316 /* Credential */ 318 /* 319 * Note: version 0 is reserved for possible future 320 * definition of a version negotiation protocol 321 * 322 */ 323 #define RPCSEC_GSS_VERS_1 1 325 struct rpc_gss_cred_t { 326 union switch (unsigned int version) { /* version of 327 RPCSEC_GSS */ 328 case RPCSEC_GSS_VERS_1: 329 struct { 330 rpc_gss_proc_t gss_proc; /* control procedure */ 331 unsigned int seq_num; /* sequence number */ 332 rpc_gss_service_t service; /* service used */ 333 opaque handle<>; /* context handle */ 334 } rpc_gss_cred_vers_1_t; 335 } 336 }; 338 /* Maximum sequence number value */ 340 #define MAXSEQ 0x80000000 342 5.1. Version Selection 344 This document defines just one protocol version (RPCSEC_GSS_VERS_1). 345 The client should assume that the server supports RPCSEC_GSS_VERS_1 346 and issue a Context Creation message (as described in the section 347 'Context Creation'). If the server does not support 348 RPCSEC_GSS_VERS_1, the RPC response will have a reply_stat of 349 MSG_DENIED, a rejection status of AUTH_ERROR, and an auth_stat of 350 AUTH_REJECTED_CRED. 352 5.2. Context Creation 354 Before RPC data is exchanged on a session using the RPCSEC_GSS 355 flavor, a context must be set up between the client and the server. 356 Context creation may involve zero or more RPC exchanges. The number 357 of exchanges depends on the security mechanism. 359 5.2.1. Mechanism and QOP Selection 361 There is no facility in the RPCSEC_GSS protocol to negotiate GSS-API 362 mechanism identifiers or QOP values. At minimum, it is expected that 363 implementations of the RPCSEC_GSS protocol provide interfaces in the 364 RPC programming layer to: 366 * specify mechanism identifiers, QOP values, and RPCSEC_GSS 367 service values on the client side, and to 369 * return mechanism identifiers, QOP values, and RPCSEC_GSS service 370 values on a per-request basis to the server side. 372 Additionally, implementations may depend on negotiation schemes 373 constructed as pseudo-mechanisms under the GSS-API, such as the 374 Simple GSS-API Negotiation Mechanism [Baize]. Because such schemes 375 are below the GSS-API layer, the RPCSEC_GSS protocol, as specified in 376 this document, can make use of them. 378 5.2.2. Context Creation Requests 380 The first RPC request from the client to the server initiates context 381 creation. Within the RPC message protocol's call_body structure, 382 rpcvers is set to 2. prog and vers are always those for the service 383 being accessed. The proc is always set to NULLPROC (zero). 385 Within the RPC message protocol's cred structure, flavor is set to 386 RPCSEC_GSS (6). The opaque data of the cred structure (the body 387 field) constituting the credential encodes the rpc_gss_cred_t 388 structure defined previously. 390 The values of the fields contained in the rpc_gss_cred_t structure 391 are set as follows. The version field is set to the version of the 392 RPCSEC_GSS protocol the client wants to use. The remainder of this 393 memo documents version RPCSEC_GSS_VERS_1 of RPCSEC_GSS, and so the 394 version field would be set to RPCSEC_GSS_VERS_1. The gss_proc field 395 must be set to RPCSEC_GSS_INIT for the first creation request. In 396 subsequent creation requests, the gss_proc field must be set to 397 RPCSEC_GSS_CONTINUE_INIT. In a creation request, the seq_num and 398 service fields are undefined and both must be ignored by the server. 399 In the first creation request, the handle field is NULL (opaque data 400 of zero length). In subsequent creation requests, handle must be 401 equal to the value returned by the server. The handle field serves 402 as the identifier for the context, and will not change for the 403 duration of the context, including responses to 404 RPCSEC_GSS_CONTINUE_INIT. 406 The verifier field in the RPC message header is also described by the 407 opaque_auth structure. All creation requests have the NULL verifier 408 (AUTH_NONE flavor with zero length opaque data). 410 Following the verifier are the call data (procedure specific 411 parameters). Note that the proc field of the call_body structure is 412 set to NULLPROC, and thus normally there would be zero octets 413 following the verifier. However, since there is no RPC data exchange 414 during a context creation, it is safe to transfer information 415 following the verifier. It is necessary to "overload" the call data 416 in this way, rather than pack the GSS-API token into the RPC header, 417 because RPC Version 2 restricts the amount of data that can be sent 418 in the header. The opaque body of the credential and verifier fields 419 can be each at most 400 octets long, and GSS tokens can be longer 420 than 800 octets. 422 The call data for a context creation request is described by the 423 following structure for all creation requests: 425 struct rpc_gss_init_arg { 426 opaque gss_token<>; 427 }; 429 Here, gss_token is the token returned by the call to GSS-API's 430 GSS_Init_sec_context() routine, opaquely encoded. The value of this 431 field will likely be different in each creation request, if there is 432 more than one creation request. If no token is returned by the call 433 to GSS_Init_sec_context(), the context must have been created 434 (assuming no errors), and there will not be any more creation 435 requests. 437 When GSS_Init_sec_context() is called, the parameters 438 replay_det_req_flag and sequence_req_flag must be turned off. The 439 reasons for this are: 441 * ONC RPC can be used over unreliable transports and provides no 442 layer to reliably re-assemble messages. Thus it is possible for 443 gaps in message sequencing to occur, as well as out of order 444 messages. 446 * RPC servers can be multi-threaded, and thus the order in which 447 GSS-API messages are signed or wrapped can be different from the 448 order in which the messages are verified or unwrapped, even if 449 the requests are sent on reliable transports. 451 * To maximize convenience of implementation, the order in which an 452 ONC RPC entity will verify the header and verify/unwrap the body 453 of an RPC call or reply is left unspecified. 455 The RPCSEC_GSS protocol provides for protection from replay attack, 456 yet tolerates out-of-order delivery or processing of messages and 457 tolerates dropped requests. 459 5.2.3. Context Creation Responses 461 5.2.3.1. Context Creation Response - Successful Acceptance 463 The response to a successful creation request has an MSG_ACCEPTED 464 response with a status of SUCCESS. The results field encodes result 465 argument that has the following structure: 467 struct rpc_gss_init_res { 468 opaque handle<>; 469 unsigned int gss_major; 470 unsigned int gss_minor; 471 unsigned int seq_window; 472 opaque gss_token<>; 473 }; 475 Here, handle is non-NULL opaque data that serves as the context 476 identifier. The client must use this value in all subsequent requests 477 (whether control messages or otherwise). The gss_major and gss_minor 478 fields contain the results of the call to GSS_Accept_sec_context() 479 executed by the server. If gss_major is not one of GSS_S_COMPLETE or 480 GSS_S_CONTINUE_NEEDED, the context setup has failed; in this case 481 handle and gss_token must be set to NULL by the server. The value of 482 gss_minor is dependent on the value of gss_major and the security 483 mechanism used. The gss_token field contains any token returned by 484 the GSS_Accept_sec_context() call executed by the server. A token 485 may be returned for both successful values of gss_major. If the 486 value is GSS_S_COMPLETE, it indicates that the server is not 487 expecting any more tokens, and the RPC Data Exchange phase must begin 488 on the subsequent request from the client. If the value is 489 GSS_S_CONTINUE_NEEDED, the server is expecting another token. Hence 490 the client must send at least one more creation request (with 491 gss_proc set to RPCSEC_GSS_CONTINUE_INIT in the request's credential) 492 carrying the required token. 494 In a successful response, the seq_window field is set to the sequence 495 window length supported by the server for this context. This window 496 specifies the maximum number of client requests that may be 497 outstanding for this context. The server will accept "seq_window" 498 requests at a time, and these may be out of order. The client may 499 use this number to determine the number of threads that can 500 simultaneously send requests on this context. 502 If gss_major is GSS_S_COMPLETE, the verifier's (the verf element in 503 the response) flavor field to to RPCSEC_GSS, and the body field set 504 to the checksum of the seq_window (in network order). The QOP used 505 for this checksum is 0 (zero), which is the default QOP. For all 506 other values of gss_major, a NULL verifier (AUTH_NONE flavor with 507 zero-length opaque data) is used. 509 5.2.3.1.1. Client Processing of Successful Context Creation Responses 511 If the value of gss_major in the response is GSS_S_CONTINUE_NEEDED, 512 then the client, per the GSS-API specification, must invoke 513 GSS_Init_sec_context() using the token returned in gss_token in the 514 context creation response. The client must then generate a context 515 creation request, with gss_proc set to RPCSEC_GSS_CONTINUE_INIT. 517 If the value of gss_major in the response is GSS_S_COMPLETE, and if 518 the client's previous invocation of GSS_Init_sec_context() returned a 519 gss_major value of GSS_S_CONTINUE_NEEDED, then the client, per the 520 GSS-API specification, must invoke GSS_Init_sec_context() using the 521 token returned in gss_token in the context creation response. If 522 GSS_Init_sec_context() returns GSS_S_COMPLETE, the context is 523 successfully set up, and the RPC data exchange phase must begin on 524 the subsequent request from the client. 526 5.2.3.2. Context Creation Response - Unsuccessful Cases 528 An MSG_ACCEPTED reply (to a creation request) with an acceptance 529 status of other than SUCCESS has a NULL verifier (flavor set to 530 AUTH_NONE, and zero length opaque data in the body field), and is 531 formulated as usual for different status values. 533 An MSG_DENIED reply (to a creation request) is also formulated as 534 usual. Note that MSG_DENIED could be returned because the server's 535 RPC implementation does not recognize the RPCSEC_GSS security flavor. 536 RFC 1831 does not specify the appropriate reply status in this 537 instance. Solaris 2 implementations return a rejection status of 538 AUTH_ERROR with an auth_stat of AUTH_REJECTEDCRED. Even though two 539 new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have 540 been defined for the auth_stat type, neither of these two can be 541 returned in responses to context creation requests. The new values 542 are relevant to for responses to normal (data) requests. This is 543 described later. 545 MSG_DENIED might also be returned if the RPCSEC_GSS version number in 546 the credential is not supported on the server. In that case, the 547 server returns a rejection status of AUTH_ERROR, with an auth_stat of 548 AUTH_REJECTED_CRED. 550 5.3. RPC Data Exchange 552 The data exchange phase is entered after a context has been 553 successfully set up. The format of the data exchanged depends on the 554 security service used for the request. Although clients can change 555 the security service and QOP used on a per-request basis, this may 556 not be acceptable to all RPC services; some RPC services may "lock" 557 the data exchange phase into using the the QOP and service used on 558 the first data exchange message. For all three modes of service (no 559 data integrity, data integrity, data privacy), the RPC request header 560 has the same format. 562 5.3.1. RPC Request Header 564 The credential has the opaque_auth structure described earlier. The 565 flavor field is set to RPCSEC_GSS. The credential body is created by 566 XDR encoding the rpc_gss_cred_t structure listed earlier into an 567 octet stream, and then opaquely encoding this octet stream as the 568 body field. 570 Values of the fields contained in the rpc_gss_cred_t structure are 571 set as follows. The version field is set to same version value that 572 was used to create the context, which within the scope of this memo 573 will always be RPCSEC_GSS_VERS_1. The gss_proc field is set to 574 RPCSEC_GSS_DATA. The service field is set to indicate the desired 575 service (one of rpc_gss_svc_none, rpc_gss_svc_integrity, or 576 rpc_gss_svc_privacy). The handle field is set to the context handle 577 value received from the RPC server during context creation. The 578 seq_num field can start at any value below MAXSEQ, and must be 579 incremented (by one or more) for successive requests. Use of 580 sequence numbers is described in detail when server processing of the 581 request is discussed. 583 The verifier has the opaque_auth structure described earlier. The 584 flavor field is set to RPCSEC_GSS. The body field is set as follows. 585 The checksum of the RPC header (up to and including the credential) 586 is computed using the GSS_GetMIC() call with the desired QOP. This 587 returns the checksum as an opaque octet stream and its length. This 588 is encoded into the body field. Note that the QOP is not explicitly 589 specified anywhere in the request. It is implicit in the checksum or 590 encrypted data. The same QOP value as is used for the header 591 checksum must also be used for the data (for checksumming or 592 encrypting), unless the service used for the request is 593 rpc_gss_svc_none. 595 5.3.2. RPC Request Data 597 5.3.2.1. RPC Request Data - No Data Integrity 599 If the service specified is rpc_gss_svc_none, the data (procedure 600 arguments) are not integrity or privacy protected. They are sent in 601 exactly the same way as they would be if the AUTH_NONE flavor were 602 used (following the verifier). Note, however, that since the RPC 603 header is integrity protected, the sender will still be authenticated 604 in this case. 606 5.3.2.2. RPC Request Data - With Data Integrity 608 When data integrity is used, the request data is represented as 609 follows: 611 struct rpc_gss_integ_data { 612 opaque databody_integ<>; 613 opaque checksum<>; 614 }; 616 The databody_integ field is created as follows. A structure 617 consisting of a sequence number followed by the procedure arguments 618 is constructed. This is shown below as the type rpc_gss_data_t: 620 struct rpc_gss_data_t { 621 unsigned int seq_num; 622 proc_req_arg_t arg; 623 }; 625 Here, seq_num must have the same value as in the credential. The 626 type proc_req_arg_t is the procedure specific XDR type describing the 627 procedure arguments (and so is not specified here). The octet stream 628 corresponding to the XDR encoded rpc_gss_data_t structure and its 629 length are placed in the databody_integ field. Note that because the 630 XDR type of databody_integ is opaque, the XDR encoding of 631 databody_integ will include an initial four octet length field, 632 followed by the XDR encoded octet stream of rpc_gss_data_t. 634 The checksum field represents the checksum of the XDR encoded octet 635 stream corresponding to the XDR encoded rpc_gss_data_t structure 636 (note, this is not the checksum of the databody_integ field). This 637 is obtained using the GSS_GetMIC() call, with the same QOP as was 638 used to compute the header checksum (in the verifier). The 639 GSS_GetMIC() call returns the checksum as an opaque octet stream and 640 its length. The checksum field of struct rpc_gss_integ_data has an 641 XDR type of opaque. Thus the checksum length from GSS_GetMIC() is 642 encoded as a four octet length field, followed by the checksum, 643 padded to a multiple of four octets. 645 5.3.2.3. RPC Request Data - With Data Privacy 647 When data privacy is used, the request data is represented as 648 follows: 650 struct rpc_gss_priv_data { 651 opaque databody_priv<> 652 }; 654 The databody_priv field is created as follows. The rpc_gss_data_t 655 structure described earlier is constructed again in the same way as 656 for the case of data integrity. Next, the GSS_Wrap() call is invoked 657 to encrypt the octet stream corresponding to the rpc_gss_data_t 658 structure, using the same value for QOP (argument qop_req to 659 GSS_Wrap()) as was used for the header checksum (in the verifier) and 660 conf_req_flag (an argument to GSS_Wrap()) of TRUE. The GSS_Wrap() 661 call returns an opaque octet stream (representing the encrypted 662 rpc_gss_data_t structure) and its length, and this is encoded as the 663 databody_priv field. Since databody_priv has an XDR type of opaque, 664 the length returned by GSS_Wrap() is encoded as the four octet 665 length, followed by the encrypted octet stream (padded to a multiple 666 of four octets). 668 5.3.3. Server Processing of RPC Data Requests 670 5.3.3.1. Context Management 672 When a request is received by the server, the following are verified 673 to be acceptable: 675 * the version number in the credential 677 * the service specified in the credential 679 * the context handle specified in the credential 681 * the header checksum in the verifier (via GSS_VerifyMIC()) 683 * the sequence number (seq_num) specified in the credential (more 684 on this follows) 686 The gss_proc field in the credential must be set to RPCSEC_GSS_DATA 687 for data requests (otherwise, the message will be interpreted as a 688 control message). 690 The server maintains a window of "seq_window" sequence numbers, 691 starting with the last sequence number seen and extending backwards. 692 If a sequence number higher than the last number seen is received 693 (AND if GSS_VerifyMIC() on the header checksum from the verifier 694 returns GSS_S_COMPLETE), the window is moved forward to the new 695 sequence number. If the last sequence number seen is N, the server 696 is prepared to receive requests with sequence numbers in the range N 697 through (N - seq_window + 1), both inclusive. If the sequence number 698 received falls below this range, it is silently discarded. If the 699 sequence number is within this range, and the server has not seen it, 700 the request is accepted, and the server turns on a bit to "remember" 701 that this sequence number has been seen. If the server determines 702 that it has already seen a sequence number within the window, the 703 request is silently discarded. The server should select a seq_window 704 value based on the number requests it expects to process 705 simultaneously. For example, in a threaded implementation seq_window 706 might be equal to the number of server threads. There are no known 707 security issues with selecting a large window. The primary issue is 708 how much space the server is willing to allocate to keep track of 709 requests received within the window. 711 The reason for discarding requests silently is that the server is 712 unable to determine if the duplicate or out of range request was due 713 to a sequencing problem in the client, network, or the operating 714 system, or due to some quirk in routing, or a replay attack by an 715 intruder. Discarding the request allows the client to recover after 716 timing out, if indeed the duplication was unintentional or well 717 intended. Note that a consequence of the silent discard is that 718 clients may increment the seq_num by more than one. The effect of 719 this is that the window will move forward more quickly. It is not 720 believed that there is any benefit to doing this. 722 Note that the sequence number algorithm requires that the client 723 increment the sequence number even if it is retrying a request with 724 the same RPC transaction identifier. It is not infrequent for 725 clients to get into a situation where they send two or more attempts 726 and a slow server sends the reply for the first attempt. With 727 RPCSEC_GSS, each request and reply will have a unique sequence 728 number. If the client wishes to improve turn around time on the RPC 729 call, it can cache the RPCSEC_GSS sequence number of each request it 730 sends. Then when it receives a response with a matching RPC 731 transaction identifier, it can compute the checksum of each sequence 732 number in the cache to try to match the checksum in the reply's 733 verifier. 735 The data is decoded according to the service specified in the 736 credential. In the case of integrity or privacy, the server ensures 737 that the QOP value is acceptable, and that it is the same as that 738 used for the header checksum in the verifier. Also, in the case of 739 integrity or privacy, the server will reject the message (with a 740 reply status of MSG_ACCEPTED, and an acceptance status of 741 GARBAGE_ARGS) if the sequence number embedded in the request body is 742 different from the sequence number in the credential. 744 5.3.3.2. Server Reply - Request Accepted 746 An MSG_ACCEPTED reply to a request in the data exchange phase will 747 have the verifier's (the verf element in the response) flavor field 748 set to RPCSEC_GSS, and the body field set to the checksum (the output 749 of GSS_GetMIC()) of the sequence number (in network order) of the 750 corresponding request. The QOP used is the same as the QOP used for 751 the corresponding request. 753 If the status of the reply is not SUCCESS, the rest of the message is 754 formatted as usual. 756 If the status of the message is SUCCESS, the format of the rest of 757 the message depends on the service specified in the corresponding 758 request message. Basically, what follows the verifier in this case 759 are the procedure results, formatted in different ways depending on 760 the requested service. 762 If no data integrity was requested, the procedure results are 763 formatted as for the AUTH_NONE security flavor. 765 If data integrity was requested, the results are encoded in exactly 766 the same way as the procedure arguments were in the corresponding 767 request. See the section 'RPC Request Data - With Data Integrity.' 768 The only difference is that the structure representing the 769 procedure's result - proc_res_arg_t - must be substituted in place of 770 the request argument structure proc_req_arg_t. The QOP used for the 771 checksum must be the same as that used for constructing the reply 772 verifier. 774 If data privacy was requested, the results are encoded in exactly the 775 same way as the procedure arguments were in the corresponding 776 request. See the section 'RPC Request Data - With Data Privacy.' 777 The QOP used for encryption must be the same as that used for 778 constructing the reply verifier. 780 5.3.3.3. Server Reply - Request Denied 782 An MSG_DENIED reply (to a data request) is formulated as usual. Two 783 new values (RPCSEC_GSS_CREDPROBLEM and RPCSEC_GSS_CTXPROBLEM) have 784 been defined for the auth_stat type. When the reason for denial of 785 the request is a reject_stat of AUTH_ERROR, one of the two new 786 auth_stat values could be returned in addition to the existing 787 values. These two new values have special significance from the 788 existing reasons for denial of a request. 790 The server maintains a list of contexts for the clients that are 791 currently in session with it. Normally, a context is destroyed when 792 the client ends the session corresponding to it. However, due to 793 resource constraints, the server may destroy a context prematurely 794 (on an LRU basis, or if the server machine is rebooted, for example). 795 In this case, when a client request comes in, there may not be a 796 context corresponding to its handle. The server rejects the request, 797 with the reason RPCSEC_GSS_CREDPROBLEM in this case. Upon receiving 798 this error, the client must refresh the context - that is, 799 reestablish it after destroying the old one - and try the request 800 again. This error is also returned if the context handle matches 801 that of a different context that was allocated after the client's 802 context was destroyed (this will be detected by a failure in 803 verifying the header checksum). 805 If the GSS_VerifyMIC() call in the verifier (the header checksum) 806 fails to return GSS_S_COMPLETE, the server rejects the requests and 807 returns an auth_stat of RPCSEC_GSS_CREDPROBLEM. 809 When the client's sequence number exceeds the maximum the server will 810 allow, the server will reject the request with the reason 811 RPCSEC_GSS_CTXPROBLEM. Also, if security credentials become stale 812 while in use (due to ticket expiry in the case of the Kerberos V5 813 mechanism, for example), the failures which result cause the 814 RPCSEC_GSS_CTXPROBLEM reason to be returned. In these cases also, 815 the client must refresh the context, and retry the request. 817 For other errors, retrying will not rectify the problem and the 818 client must not refresh the context until the problem causing the 819 client request to be denied is rectified. 821 If the version field in the credential does not match the version of 822 RPCSEC_GSS that was used when the context was created, the 823 AUTH_BADCRED value is returned. 825 If there is a problem with the credential, such a bad length, illegal 826 control procedure, or an illegal service, the appropriate auth_stat 827 status is AUTH_BADCRED. 829 Other errors can be returned as appropriate. 831 5.3.3.4. Mapping of GSS-API Errors to Server Responses 833 During the data exchange phase, the server may invoke GSS_GetMIC(), 834 GSS_VerifyMIC(), GSS_Unwrap(), and GSS_Wrap(). If any of these 835 routines fail to return GSS_S_COMPLETE, then various unsuccessful 836 responses can be returned. The are described as follows for each of 837 the aforementioned four interfaces. 839 5.3.3.4.1. GSS_GetMIC() Failure 841 When GSS_GetMIC() is called to generate the verifier in the response, 842 a failure results in an RPC response with a reply status of 843 MSG_DENIED, reject status of AUTH_ERROR and an auth status of 844 RPCSEC_GSS_CTXPROBLEM. 846 When GSS_GetMIC() is called to sign the call results (service is 847 rpc_gss_svc_integrity), a failure results in no RPC response being 848 sent. Since ONC RPC server applications will typically control when a 849 response is sent, the failure indication will be returned to the 850 server application and it can take appropriate action (such as 851 logging the error). 853 5.3.3.4.2. GSS_VerifyMIC() Failure 855 When GSS_VerifyMIC() is called to verify the verifier in request, a 856 failure results in an RPC response with a reply status of MSG_DENIED, 857 reject status of AUTH_ERROR and an auth status of 858 RPCSEC_GSS_CREDPROBLEM. 860 When GSS_VerifyMIC() is called to verify the call arguments (service 861 is rpc_gss_svc_integrity), a failure results in an RPC response with 862 a reply status of MSG_ACCEPTED, and an acceptance status of 863 GARBAGE_ARGS. 865 5.3.3.4.3. GSS_Unwrap() Failure 867 When GSS_Unwrap() is called to decrypt the call arguments (service is 868 rpc_gss_svc_privacy), a failure results in an RPC response with a 869 reply status of MSG_ACCEPTED, and an acceptance status of 870 GARBAGE_ARGS. 872 5.3.3.4.4. GSS_Wrap() Failure 874 When GSS_Wrap() is called to encrypt the call results (service is 875 rpc_gss_svc_privacy), a failure results in no RPC response being 876 sent. Since ONC RPC server applications will typically control when a 877 response is sent, the failure indication will be returned to the 878 application and it can take appropriate action (such as logging the 879 error). 881 5.4. Context Destruction 883 When the client is done using the session, it must send a control 884 message informing the server that it no longer requires the context. 885 This message is formulated just like a data request packet, with the 886 following differences: the credential has gss_proc set to 887 RPCSEC_GSS_DESTROY, the procedure specified in the header is 888 NULLPROC, and there are no procedure arguments. The sequence number 889 in the request must be valid, and the header checksum in the verifier 890 must be valid, for the server to accept the message. 892 The server sends a response as it would to a data request. The 893 client and server must then destroy the context for the session. 895 If the request to destroy the context fails for some reason, the 896 client need not take any special action. The server must be prepared 897 to deal with situations where clients never inform the server that 898 they no longer are in session and so don't need the server to 899 maintain a context. An LRU mechanism or an aging mechanism should be 900 employed by the server to clean up in such cases. 902 6. Set of GSS-API Mechanisms 904 RPCSEC_GSS is effectively a "pass-through" to the GSS-API layer, and 905 as such it is inappropriate for the RPCSEC_GSS specification to 906 enumerate a minimum set of required security mechanisms and/or 907 quality of protections. 909 If an application protocol specification references RPCSEC_GSS, the 910 protocol specification must list a mandatory set of GSS-API 911 mechanisms and QOPs, such that an implementation cannot claim 912 conformance to the protocol specification unless it implements the 913 mandatory set of mechanisms and QOPs. Furthermore, the application 914 protocol specification must define rpc_gss_svc_integrity as one of 915 the required security services for each { mechanism, QOP } pair in 916 the mandatory set. 918 For example, a network filing protocol built on RPC that depends on 919 RPCSEC_GSS for security, might require that Kerberos V5 with the 920 default QOP using the rpc_gss_svc_integrity service be supported by 921 implementations conforming to the network filing protocol 922 specification. 924 7. Security Considerations 926 7.1. Privacy of Call Header 928 The reader will note that for the privacy option, only the call 929 arguments and results are encrypted. Information about the 930 application in the form of RPC program number, program version 931 number, and program procedure number is transmitted in the clear. 932 Encrypting these fields in the RPC call header would have changed the 933 size and format of the call header. This would have required revising 934 the RPC protocol which was beyond the scope of this proposal. Storing 935 the encrypted numbers in the credential would have obviated a 936 protocol change, but would have introduced more overloading of fields 937 and would have made implementations of RPC more complex. Even if the 938 fields were encrypted somehow, in most cases an attacker can 939 determine the program number and version number by examining the 940 destination address of the request and querying the rpcbind service 941 on the destination host [Srinivasan-bind]. In any case, even by not 942 encrypting the three numbers, RPCSEC_GSS still improves the state of 943 security over what existing RPC services have had available 944 previously. Implementors of new RPC services that are concerned about 945 this risk may opt to design in a "sub-procedure" field that is 946 included in the service specific call arguments. 948 7.2. Sequence Number Attacks 950 7.2.1. Sequence Numbers Above the Window 952 An attacker cannot coax the server into raising the sequence number 953 beyond the range the legitimate client is aware of (and thus engineer 954 a denial of server attack) without constructing an RPC request that 955 will pass the header checksum. If the cost of verifying the header 956 checksum is sufficiently large (depending on the speed of the 957 processor doing the checksum and the cost of checksum algorithm), it 958 is possible to envision a denial of service attack (vandalism, in the 959 form of wasting processing resources) whereby the attacker sends 960 requests that are above the window. The simplest method might be for 961 the attacker to monitor the network traffic and then choose a 962 sequence number that is far above the current sequence number. Then 963 the attacker can send bogus requests using the above window sequence 964 number. 966 7.2.2. Sequence Numbers Within or Below the Window 968 If the attacker sends requests that within or below the window, then 969 even if the header checksum is successfully verified, the server will 970 silently discard the requests because the server assumes it has 971 already processed the request. In this case, a server can optimize by 972 skipping the header checksum verification if the sequence number is 973 below the window, or if it is within the window, do not attempt the 974 checksum verification if the sequence number has already been seen. 976 7.3. Message Stealing Attacks 978 This proposal does not address attacks where an attacker can block or 979 steal messages without being detected by the server. To implement 980 such protection would be tantamount to assuming a state in the RPC 981 service. RPCSEC_GSS does not worsen this situation. 983 8. Acknowledgements 985 Much of protocol was based on the AUTH_GSSAPI security flavor 986 developed by Open Vision Technologies [Jaspan]. In particular, we 987 acknowledge Barry Jaspan, Marc Horowitz, John Linn, and Ellen 988 McDermott. 990 Raj Srinivasan designed RPCSEC_GSS [Eisler] with input from Mike 991 Eisler. Raj, Roland Schemers, Lin Ling, and Alex Chiu contributed to 992 SunSoft's implementation of RPCSEC_GSS. 994 Brent Callaghan, Marc Horowitz, Barry Jaspan, John Linn, Hilarie 995 Orman, Martin Rex, Ted Ts'o, and John Wroclawski analyzed the 996 specification and gave valuable feedback. 998 Steve Nahm and Kathy Slattery reviewed various drafts of this 999 specification. 1001 9. References 1003 [Baize] Baize, E., and Pinkas, D. (1996). 1004 draft-ietf-cat-snego-02.txt "Simple GSS-API 1005 Negotiation Mechanism," This is a work in progress 1006 which may be updated, replaced, or obsoleted at any 1007 time. 1009 [Eisler] Eisler, M., Schemers, R., and Srinivasan, R. (1996). 1010 "Security Mechanism Independence in ONC RPC," To be 1011 published in the Proceedings of 1996 Usenix Security 1012 Symposium. 1014 [Jaspan] Jaspan, B. (1995). "GSS-API Security for ONC RPC," 1015 `95 Proceedings of The Internet Society Symposium on 1016 Network and Distributed System Security, pp. 144- 1017 151. 1019 [Linn] Linn, J. (1997). RFC 2078, "Generic Security Service 1020 Application Program Interface, Version 2." 1022 [Srinivasan-bind] Srinivasan, R. (1995). RFC 1833, "Binding Protocols 1023 for ONC RPC Version 2." 1025 [Srinivasan-rpc] Srinivasan, R. (1995). RFC 1831, "RPC: Remote 1026 Procedure Call Protocol Specification Version 2." 1028 [Srinivasan-xdr] Srinivasan, R. (1995). RFC 1832, "XDR: External Data 1029 Representation Standard." 1031 10. Authors' Addresses 1033 Michael Eisler 1034 Sun Microsystems, Inc. 1035 M/S UCOS03 1036 2550 Garcia Avenue 1037 Mountain View, CA 94043 1039 Phone: +1 (719) 599-9026 1041 E-mail: mre@eng.sun.com 1043 Alex Chiu 1044 Sun Microsystems, Inc. 1045 M/S UMPK17-203 1046 2550 Garcia Avenue 1047 Mountain View, CA 94043 1049 Phone: +1 (415) 786-6465 1051 E-mail: hacker@eng.sun.com 1053 Lin Ling 1054 Sun Microsystems, Inc. 1055 M/S UMPK17-201 1056 2550 Garcia Avenue 1057 Mountain View, CA 94043 1059 Phone: +1 (415) 786-5084 1061 E-mail: lling@eng.sun.com