idnits 2.17.1
draft-ietf-uta-xmpp-06.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (April 14, 2015) is 3299 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
** Downref: Normative reference to an Informational RFC: RFC 4949
** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)
** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)
== Outdated reference: A later version (-14) exists of
draft-ietf-dane-srv-12
== Outdated reference: A later version (-11) exists of
draft-ietf-xmpp-dna-10
== Outdated reference: A later version (-06) exists of
draft-ietf-xmpp-posh-04
-- Obsolete informational reference (is this intentional?): RFC 3920
(Obsoleted by RFC 6120)
Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group P. Saint-Andre
3 Internet-Draft &yet
4 Updates: 6120 (if approved) T. Alkemade
5 Intended status: Standards Track
6 Expires: October 16, 2015 April 14, 2015
8 Use of Transport Layer Security (TLS) in the Extensible Messaging and
9 Presence Protocol (XMPP)
10 draft-ietf-uta-xmpp-06
12 Abstract
14 This document provides recommendations for the use of Transport Layer
15 Security (TLS) in the Extensible Messaging and Presence Protocol
16 (XMPP). This document updates RFC 6120.
18 Status of This Memo
20 This Internet-Draft is submitted in full conformance with the
21 provisions of BCP 78 and BCP 79.
23 Internet-Drafts are working documents of the Internet Engineering
24 Task Force (IETF). Note that other groups may also distribute
25 working documents as Internet-Drafts. The list of current Internet-
26 Drafts is at http://datatracker.ietf.org/drafts/current/.
28 Internet-Drafts are draft documents valid for a maximum of six months
29 and may be updated, replaced, or obsoleted by other documents at any
30 time. It is inappropriate to use Internet-Drafts as reference
31 material or to cite them other than as "work in progress."
33 This Internet-Draft will expire on October 16, 2015.
35 Copyright Notice
37 Copyright (c) 2015 IETF Trust and the persons identified as the
38 document authors. All rights reserved.
40 This document is subject to BCP 78 and the IETF Trust's Legal
41 Provisions Relating to IETF Documents
42 (http://trustee.ietf.org/license-info) in effect on the date of
43 publication of this document. Please review these documents
44 carefully, as they describe your rights and restrictions with respect
45 to this document. Code Components extracted from this document must
46 include Simplified BSD License text as described in Section 4.e of
47 the Trust Legal Provisions and are provided without warranty as
48 described in the Simplified BSD License.
50 Table of Contents
52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
53 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
54 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3
55 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3
56 3.2. Compression . . . . . . . . . . . . . . . . . . . . . . . 3
57 3.3. Session Resumption . . . . . . . . . . . . . . . . . . . 3
58 3.4. Authenticated Connections . . . . . . . . . . . . . . . . 3
59 3.5. Server Name Indication . . . . . . . . . . . . . . . . . 4
60 3.6. Human Factors . . . . . . . . . . . . . . . . . . . . . . 5
61 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
62 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
63 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
64 6.1. Normative References . . . . . . . . . . . . . . . . . . 6
65 6.2. Informative References . . . . . . . . . . . . . . . . . 6
66 Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 8
67 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 8
68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
70 1. Introduction
72 The Extensible Messaging and Presence Protocol (XMPP) [RFC6120]
73 (along with its precursor, the so-called "Jabber protocol") has used
74 Transport Layer Security (TLS) [RFC5246] (along with its precursor,
75 Secure Sockets Layer or SSL) since 1999. Both [RFC6120] and its
76 predecessor [RFC3920] provided recommendations regarding the use of
77 TLS in XMPP. In order to address the evolving threat model on the
78 Internet today, this document provides stronger recommendations.
80 In particular, this document updates [RFC6120] by specifying that
81 XMPP implementations and deployments MUST follow the best current
82 practices documented in the "Recommendations for Secure Use of TLS
83 and DTLS" [I-D.ietf-uta-tls-bcp]. This includes stronger
84 recommendations regarding SSL/TLS protocol versions, fallback to
85 lower versions, TLS-layer compression, TLS session resumption, cipher
86 suites, public key lengths, forward secrecy, and other aspects of
87 using TLS with XMPP.
89 2. Terminology
91 Various security-related terms are to be understood in the sense
92 defined in [RFC4949].
94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
96 "OPTIONAL" in this document are to be interpreted as described in
97 [RFC2119].
99 3. Recommendations
101 The best current practices documented in the "Recommendations for
102 Secure Use of TLS and DTLS" [I-D.ietf-uta-tls-bcp] are included here
103 by reference. Instead of repeating those recommendations here, this
104 document mostly provides supplementary information regarding secure
105 implementation and deployment of XMPP technologies.
107 3.1. Support for TLS
109 Support for TLS (specifically, the XMPP profile of STARTTLS) is
110 mandatory for XMPP implementations, as already specified in [RFC6120]
111 and its predecessor [RFC3920].
113 The server (i.e., the XMPP receiving entity) to which a client or
114 peer server (i.e., the XMPP initiating entity) connects might not
115 offer a stream feature of . Although in general this stream feature indicates that
117 the server supports XMPP 1.0 and therefore supports TLS, that this
118 stream feature might be stripped out by an attacker (see Section 2.1
119 of [RFC7457]). Similarly, the child element of the
120 stream feature is used to indicate that negotiation of
121 TLS is mandatory, but could also be stripped out by an attacker.
122 Therefore, the initiating entity MUST NOT be deterred from attempting
123 TLS negotiation even if the receiving entity does not advertise
124 support for TLS. Instead, the initiating entity SHOULD (based on
125 local policy) proceed with the stream negotiation and attempt to
126 negotiate TLS.
128 3.2. Compression
130 XMPP supports an application-layer compression technology [XEP-0138].
131 Although this XMPP extension might have slightly stronger security
132 properties than TLS-layer compression (since it is enabled after SASL
133 authentication, as described in [XEP-0170]), this document neither
134 encourages nor discourages use of XMPP-layer compression.
136 3.3. Session Resumption
138 In XMPP, TLS session resumption can be used in concert with the XMPP
139 Stream Management extension; see [XEP-0198] for further details.
141 3.4. Authenticated Connections
143 Both the core XMPP specification [RFC6120] and the "CertID"
144 specification [RFC6125] provide recommendations and requirements for
145 certificate validation in the context of authenticated connections.
146 This document does not supersede those specifications (e.g., it does
147 not modify the recommendations in [RFC6120] regarding the Subject
148 Alternative Names or other certificate details that need to be
149 supported for authentication of XMPP connections using PKIX
150 certificates).
152 Wherever possible, it is best to prefer authenticated connections
153 (along with SASL [RFC4422]), as already stated in the core XMPP
154 specification [RFC6120]. In particular, clients MUST authenticate
155 servers and servers MUST authenticate clients.
157 This document does not mandate that servers need to authenticate peer
158 servers, although such authentication is strongly preferred and
159 servers SHOULD authenticate each other. Unfortunately, in multi-
160 tenanted environments it can be extremely difficult to obtain and
161 deploy PKIX certificates with the proper Subject Alternative Names
162 (see [I-D.ietf-xmpp-dna] and [I-D.ietf-xmpp-posh] for details). To
163 overcome that difficulty, the Domain Name Associations (DNA)
164 specification [I-D.ietf-xmpp-dna] describes a framework for XMPP
165 server authentication methods, which include not only PKIX but also
166 DNS-Based Authentication of Named Entities (DANE) as defined in
167 [I-D.ietf-dane-srv] and PKIX over Secure HTTP (POSH) as defined in
168 [I-D.ietf-xmpp-posh]. These methods can provide a basis for server
169 identity verification when appropriate PKIX certificates cannot be
170 obtained and deployed.
172 Given the pervasiveness of eavesdropping [RFC7258], even an
173 unauthenticated connection might be better than an unencrypted
174 connection in these scenarios (this is similar to the "better than
175 nothing security" approach for IPsec [RFC5386]). Unauthenticated
176 connections include connections negotiated using anonymous Diffie-
177 Hellman mechanisms or using self-signed certificates, among others.
178 In particular for XMPP server-to-server interactions, it can be
179 reasonable for XMPP server implementations to accept unauthenticated
180 but encrypted connections when Server Dialback keys [XEP-0220] are
181 used; such keys on their own provide only weak identity verification
182 (made stronger through the use of DNSSEC [RFC4033]), but this at
183 least enables encryption of server-to-server connections. The DNA
184 prooftypes described above are intended to mitigate the residual need
185 for unauthenticated connections in these scenarios.
187 3.5. Server Name Indication
189 Although there is no harm in supporting the TLS Server Name
190 Indication (SNI) extension [RFC6066], this is not necessary since the
191 same function is served in XMPP by the 'to' address of the initial
192 stream header as explained in Section 4.7.2 of [RFC6120].
194 3.6. Human Factors
196 It is strongly encouraged that XMPP clients provide ways for end
197 users (and that XMPP servers provide ways for administrators) to
198 complete the following tasks:
200 o Determine if a given incoming or outgoing XML stream is encrypted
201 using TLS.
203 o Determine the version of TLS used for encryption of a given
204 stream.
206 o If authenticated encryption is used, determine how the connection
207 was authenticated or verified (e.g., via PKI, DANE, POSH, or
208 Server Dialback).
210 o Inspect the certificate offered by an XMPP server.
212 o Determine the cipher suite used to encrypt a connection.
214 o Be warned if the certificate changes for a given server.
216 4. IANA Considerations
218 This document requests no actions of the IANA.
220 5. Security Considerations
222 The use of TLS can help limit the information available for
223 correlation to the network and transport layer headers as opposed to
224 the application layer. As typically deployed, XMPP technologies do
225 not leave application-layer routing data (such as XMPP 'to' and
226 'from' addresses) at rest on intermediate systems, since there is
227 only one hop between any two given XMPP servers. As a result,
228 encrypting all hops (sender's client to sender's server, sender's
229 server to recipient's server, recipient's server to recipient's
230 client) can help to limit the amount of "metadata" that might leak.
232 It is possible that XMPP servers themselves might be compromised. In
233 that case, per-hop encryption would not protect XMPP communications,
234 and even end-to-end encryption of (parts of) XMPP stanza payloads
235 would leave addressing information and XMPP roster data in the clear.
236 By the same token, it is possible that XMPP clients (or the end-user
237 devices on which such clients are installed) could also be
238 compromised, leaving users utterly at the mercy of an adversary.
240 This document and related actions to strengthen the security of the
241 XMPP network are based on the assumption that XMPP servers and
242 clients have not been subject to widespread compromise. If this
243 assumption is valid, then ubiquitous use of per-hop TLS channel
244 encryption and more significant deployment of end-to-end object
245 encryption technologies will serve to protect XMPP communications to
246 a measurable degree, compared to the alternatives.
248 This document covers only communication over the XMPP network and
249 does not take into account gateways to non-XMPP networks. As an
250 example, for security considerations related to gateways between XMPP
251 and the Session Initiation Protocol (SIP) see [RFC7247] and
252 [I-D.ietf-stox-im].
254 6. References
256 6.1. Normative References
258 [I-D.ietf-uta-tls-bcp]
259 Sheffer, Y., Holz, R., and P. Saint-Andre,
260 "Recommendations for Secure Use of TLS and DTLS", draft-
261 ietf-uta-tls-bcp-11 (work in progress), February 2015.
263 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
264 Requirement Levels", BCP 14, RFC 2119, March 1997.
266 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
267 4949, August 2007.
269 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
270 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
272 [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
273 Protocol (XMPP): Core", RFC 6120, March 2011.
275 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
276 Verification of Domain-Based Application Service Identity
277 within Internet Public Key Infrastructure Using X.509
278 (PKIX) Certificates in the Context of Transport Layer
279 Security (TLS)", RFC 6125, March 2011.
281 6.2. Informative References
283 [I-D.ietf-dane-srv]
284 Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
285 Based Authentication of Named Entities (DANE) TLSA records
286 with SRV and MX records.", draft-ietf-dane-srv-12 (work in
287 progress), March 2015.
289 [I-D.ietf-stox-im]
290 Saint-Andre, P., Houri, A., and J. Hildebrand,
291 "Interworking between the Session Initiation Protocol
292 (SIP) and the Extensible Messaging and Presence Protocol
293 (XMPP): Instant Messaging", draft-ietf-stox-im-13 (work in
294 progress), March 2015.
296 [I-D.ietf-xmpp-dna]
297 Saint-Andre, P. and M. Miller, "Domain Name Associations
298 (DNA) in the Extensible Messaging and Presence Protocol
299 (XMPP)", draft-ietf-xmpp-dna-10 (work in progress), March
300 2015.
302 [I-D.ietf-xmpp-posh]
303 Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP
304 (POSH)", draft-ietf-xmpp-posh-04 (work in progress),
305 February 2015.
307 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
308 Protocol (XMPP): Core", RFC 3920, October 2004.
310 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
311 Rose, "DNS Security Introduction and Requirements", RFC
312 4033, March 2005.
314 [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
315 Security Layer (SASL)", RFC 4422, June 2006.
317 [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing
318 Security: An Unauthenticated Mode of IPsec", RFC 5386,
319 November 2008.
321 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
322 Extension Definitions", RFC 6066, January 2011.
324 [RFC7247] Saint-Andre, P., Houri, A., and J. Hildebrand,
325 "Interworking between the Session Initiation Protocol
326 (SIP) and the Extensible Messaging and Presence Protocol
327 (XMPP): Architecture, Addresses, and Error Handling", RFC
328 7247, May 2014.
330 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
331 Attack", BCP 188, RFC 7258, May 2014.
333 [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
334 Known Attacks on Transport Layer Security (TLS) and
335 Datagram TLS (DTLS)", RFC 7457, February 2015.
337 [XEP-0138]
338 Hildebrand, J. and P. Saint-Andre, "Stream Compression",
339 XSF XEP 0138, May 2009.
341 [XEP-0170]
342 Saint-Andre, P., "Recommended Order of Stream Feature
343 Negotiation", XSF XEP 0170, January 2007.
345 [XEP-0198]
346 Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F.,
347 Cridland, D., and M. Wild, "Stream Management", XSF XEP
348 0198, June 2011.
350 [XEP-0220]
351 Miller, J., Saint-Andre, P., and P. Hancke, "Server
352 Dialback", XSF XEP 0220, September 2013.
354 Appendix A. Implementation Notes
356 Some governments enforce legislation prohibiting the export of strong
357 cryptographic technologies. Nothing in this document ought to be
358 taken as advice to violate such prohibitions.
360 Appendix B. Acknowledgements
362 The authors would like to thank the following individuals for their
363 input: Dave Cridland, Philipp Hancke, Olle Johansson, Steve Kille,
364 Tobias Markmann, Matt Miller, and Rene Treffer.
366 Roni Even caught several important issues in his review on behalf of
367 the General Area Review Team.
369 Thanks to Leif Johansson and Orit Levin as chairs of the UTA WG, Ben
370 Campbell and Joe Hildebrand as chairs of the XMPP WG, and Stephen
371 Farrell as the sponsoring Area Director.
373 Authors' Addresses
375 Peter Saint-Andre
376 &yet
378 Email: peter@andyet.com
379 URI: https://andyet.com/
381 Thijs Alkemade
383 Email: me@thijsalkema.de