idnits 2.17.1
draft-ietf-uta-xmpp-07.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (April 23, 2015) is 3290 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
** Downref: Normative reference to an Informational RFC: RFC 4949
** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)
** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)
== Outdated reference: A later version (-14) exists of
draft-ietf-dane-srv-13
== Outdated reference: A later version (-11) exists of
draft-ietf-xmpp-dna-10
== Outdated reference: A later version (-06) exists of
draft-ietf-xmpp-posh-04
-- Obsolete informational reference (is this intentional?): RFC 3920
(Obsoleted by RFC 6120)
Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group P. Saint-Andre
3 Internet-Draft &yet
4 Updates: 6120 (if approved) T. Alkemade
5 Intended status: Standards Track
6 Expires: October 25, 2015 April 23, 2015
8 Use of Transport Layer Security (TLS) in the Extensible Messaging and
9 Presence Protocol (XMPP)
10 draft-ietf-uta-xmpp-07
12 Abstract
14 This document provides recommendations for the use of Transport Layer
15 Security (TLS) in the Extensible Messaging and Presence Protocol
16 (XMPP). This document updates RFC 6120.
18 Status of This Memo
20 This Internet-Draft is submitted in full conformance with the
21 provisions of BCP 78 and BCP 79.
23 Internet-Drafts are working documents of the Internet Engineering
24 Task Force (IETF). Note that other groups may also distribute
25 working documents as Internet-Drafts. The list of current Internet-
26 Drafts is at http://datatracker.ietf.org/drafts/current/.
28 Internet-Drafts are draft documents valid for a maximum of six months
29 and may be updated, replaced, or obsoleted by other documents at any
30 time. It is inappropriate to use Internet-Drafts as reference
31 material or to cite them other than as "work in progress."
33 This Internet-Draft will expire on October 25, 2015.
35 Copyright Notice
37 Copyright (c) 2015 IETF Trust and the persons identified as the
38 document authors. All rights reserved.
40 This document is subject to BCP 78 and the IETF Trust's Legal
41 Provisions Relating to IETF Documents
42 (http://trustee.ietf.org/license-info) in effect on the date of
43 publication of this document. Please review these documents
44 carefully, as they describe your rights and restrictions with respect
45 to this document. Code Components extracted from this document must
46 include Simplified BSD License text as described in Section 4.e of
47 the Trust Legal Provisions and are provided without warranty as
48 described in the Simplified BSD License.
50 Table of Contents
52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
53 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
54 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3
55 3.1. Support for TLS . . . . . . . . . . . . . . . . . . . . . 3
56 3.2. Compression . . . . . . . . . . . . . . . . . . . . . . . 3
57 3.3. Session Resumption . . . . . . . . . . . . . . . . . . . 3
58 3.4. Authenticated Connections . . . . . . . . . . . . . . . . 4
59 3.5. Server Name Indication . . . . . . . . . . . . . . . . . 5
60 3.6. Human Factors . . . . . . . . . . . . . . . . . . . . . . 5
61 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
62 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
63 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
64 6.1. Normative References . . . . . . . . . . . . . . . . . . 6
65 6.2. Informative References . . . . . . . . . . . . . . . . . 7
66 Appendix A. Implementation Notes . . . . . . . . . . . . . . . . 8
67 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 8
68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
70 1. Introduction
72 The Extensible Messaging and Presence Protocol (XMPP) [RFC6120]
73 (along with its precursor, the so-called "Jabber protocol") has used
74 Transport Layer Security (TLS) [RFC5246] (along with its precursor,
75 Secure Sockets Layer or SSL) since 1999. Both [RFC6120] and its
76 predecessor [RFC3920] provided recommendations regarding the use of
77 TLS in XMPP. In order to address the evolving threat model on the
78 Internet today, this document provides stronger recommendations.
80 In particular, this document updates [RFC6120] by specifying that
81 XMPP implementations and deployments MUST follow the best current
82 practices documented in the "Recommendations for Secure Use of TLS
83 and DTLS" [I-D.ietf-uta-tls-bcp]. This includes stronger
84 recommendations regarding SSL/TLS protocol versions, fallback to
85 lower versions, TLS-layer compression, TLS session resumption, cipher
86 suites, public key lengths, forward secrecy, and other aspects of
87 using TLS with XMPP.
89 2. Terminology
91 Various security-related terms are to be understood in the sense
92 defined in [RFC4949].
94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
96 "OPTIONAL" in this document are to be interpreted as described in
97 [RFC2119].
99 3. Recommendations
101 The best current practices documented in the "Recommendations for
102 Secure Use of TLS and DTLS" [I-D.ietf-uta-tls-bcp] are included here
103 by reference. Instead of repeating those recommendations here, this
104 document mostly provides supplementary information regarding secure
105 implementation and deployment of XMPP technologies.
107 3.1. Support for TLS
109 Support for TLS (specifically, the XMPP profile of STARTTLS) is
110 mandatory for XMPP implementations, as already specified in [RFC6120]
111 and its predecessor [RFC3920].
113 The server (i.e., the XMPP receiving entity) to which a client or
114 peer server (i.e., the XMPP initiating entity) connects might not
115 offer a stream feature of . Although in general this stream feature indicates that
117 the server supports XMPP 1.0 and therefore supports TLS, that this
118 stream feature might be stripped out by an attacker (see Section 2.1
119 of [RFC7457]). Similarly, the child element of the
120 stream feature is used to indicate that negotiation of
121 TLS is mandatory, but could also be stripped out by an attacker.
122 Therefore, the initiating entity MUST NOT be deterred from attempting
123 TLS negotiation even if the receiving entity does not advertise
124 support for TLS. Instead, the initiating entity SHOULD (based on
125 local policy) proceed with the stream negotiation and attempt to
126 negotiate TLS.
128 3.2. Compression
130 XMPP supports an application-layer compression technology [XEP-0138].
131 Although this XMPP extension might have slightly stronger security
132 properties than TLS-layer compression (since it is enabled after SASL
133 authentication, as described in [XEP-0170]), this document neither
134 encourages nor discourages use of XMPP-layer compression.
136 3.3. Session Resumption
138 To improve the reliability of communications over XMPP, it is common
139 practice for clients and servers to implement the stream management
140 extension [XEP-0198]. Although that specification includes a method
141 for resumption of XMPP streams at the application layer, also using
142 session resumption at the TLS layer further optimizes the overall
143 process of resuming an XMPP session (see [XEP-0198] for detailed
144 information). Whether or not XEP-0198 is used for application-layer
145 session resumption, implementations MUST follow the recommendations
146 provided in [I-D.ietf-uta-tls-bcp] regarding TLS-layer session
147 resumption.
149 3.4. Authenticated Connections
151 Both the core XMPP specification [RFC6120] and the "CertID"
152 specification [RFC6125] provide recommendations and requirements for
153 certificate validation in the context of authenticated connections.
154 This document does not supersede those specifications (e.g., it does
155 not modify the recommendations in [RFC6120] regarding the Subject
156 Alternative Names or other certificate details that need to be
157 supported for authentication of XMPP connections using PKIX
158 certificates).
160 Wherever possible, it is best to prefer authenticated connections
161 (along with SASL [RFC4422]), as already stated in the core XMPP
162 specification [RFC6120]. In particular:
164 o Clients MUST authenticate servers.
166 o Servers MUST authenticate clients.
168 o Servers SHOULD authenticate other servers.
170 This document does not mandate that servers need to authenticate peer
171 servers, although such authentication is strongly preferred.
172 Unfortunately, in multi-tenanted environments it can be extremely
173 difficult to obtain and deploy PKIX certificates with the proper
174 Subject Alternative Names (see [I-D.ietf-xmpp-dna] and
175 [I-D.ietf-xmpp-posh] for details). To overcome that difficulty, the
176 Domain Name Associations (DNA) specification [I-D.ietf-xmpp-dna]
177 describes a framework for XMPP server authentication methods, which
178 include not only PKIX but also DNS-Based Authentication of Named
179 Entities (DANE) as defined in [I-D.ietf-dane-srv] and PKIX over
180 Secure HTTP (POSH) as defined in [I-D.ietf-xmpp-posh]. These methods
181 can provide a basis for server identity verification when appropriate
182 PKIX certificates cannot be obtained and deployed.
184 Given the pervasiveness of eavesdropping [RFC7258], even an encrypted
185 but unauthenticated connection might be better than an unencrypted
186 connection in these scenarios (this is similar to the "better than
187 nothing security" approach for IPsec [RFC5386]). Encrypted but
188 unauthenticated connections include connections negotiated using
189 anonymous Diffie-Hellman mechanisms or using self-signed
190 certificates, among others. In particular for XMPP server-to-server
191 interactions, it can be reasonable for XMPP server implementations to
192 accept encrypted but unauthenticated connections when Server Dialback
193 keys [XEP-0220] are used; such keys on their own provide only weak
194 identity verification (made stronger through the use of DNSSEC
195 [RFC4033]), but this at least enables encryption of server-to-server
196 connections. The DNA prooftypes described above are intended to
197 mitigate the residual need for encrypted but unauthenticated
198 connections in these scenarios.
200 3.5. Server Name Indication
202 Although there is no harm in supporting the TLS Server Name
203 Indication (SNI) extension [RFC6066], this is not necessary since the
204 same function is served in XMPP by the 'to' address of the initial
205 stream header as explained in Section 4.7.2 of [RFC6120].
207 3.6. Human Factors
209 It is strongly encouraged that XMPP clients provide ways for end
210 users (and that XMPP servers provide ways for administrators) to
211 complete the following tasks:
213 o Determine if a given incoming or outgoing XML stream is encrypted
214 using TLS.
216 o Determine the version of TLS used for encryption of a given
217 stream.
219 o If authenticated encryption is used, determine how the connection
220 was authenticated or verified (e.g., via PKI, DANE, POSH, or
221 Server Dialback).
223 o Inspect the certificate offered by an XMPP server.
225 o Determine the cipher suite used to encrypt a connection.
227 o Be warned if the certificate changes for a given server.
229 4. IANA Considerations
231 This document requests no actions of the IANA.
233 5. Security Considerations
235 The use of TLS can help limit the information available for
236 correlation between the XMPP application layer and the underlying
237 network and transport layers. As typically deployed, XMPP
238 technologies do not leave application-layer routing data (such as
239 XMPP 'to' and 'from' addresses) at rest on intermediate systems,
240 since there is only one hop between any two given XMPP servers. As a
241 result, encrypting all hops (sender's client to sender's server,
242 sender's server to recipient's server, recipient's server to
243 recipient's client) can help to limit the amount of "metadata" that
244 might leak.
246 It is possible that XMPP servers themselves might be compromised. In
247 that case, per-hop encryption would not protect XMPP communications,
248 and even end-to-end encryption of (parts of) XMPP stanza payloads
249 would leave addressing information and XMPP roster data in the clear.
250 By the same token, it is possible that XMPP clients (or the end-user
251 devices on which such clients are installed) could also be
252 compromised, leaving users utterly at the mercy of an adversary.
254 This document and related actions to strengthen the security of the
255 XMPP network are based on the assumption that XMPP servers and
256 clients have not been subject to widespread compromise. If this
257 assumption is valid, then ubiquitous use of per-hop TLS channel
258 encryption and more significant deployment of end-to-end object
259 encryption technologies will serve to protect XMPP communications to
260 a measurable degree, compared to the alternatives.
262 This document covers only communication over the XMPP network and
263 does not take into account gateways to non-XMPP networks. As an
264 example, for security considerations related to gateways between XMPP
265 and the Session Initiation Protocol (SIP) see [RFC7247] and
266 [I-D.ietf-stox-im].
268 6. References
270 6.1. Normative References
272 [I-D.ietf-uta-tls-bcp]
273 Sheffer, Y., Holz, R., and P. Saint-Andre,
274 "Recommendations for Secure Use of TLS and DTLS", draft-
275 ietf-uta-tls-bcp-11 (work in progress), February 2015.
277 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
278 Requirement Levels", BCP 14, RFC 2119, March 1997.
280 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
281 4949, August 2007.
283 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
284 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
286 [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
287 Protocol (XMPP): Core", RFC 6120, March 2011.
289 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
290 Verification of Domain-Based Application Service Identity
291 within Internet Public Key Infrastructure Using X.509
292 (PKIX) Certificates in the Context of Transport Layer
293 Security (TLS)", RFC 6125, March 2011.
295 6.2. Informative References
297 [I-D.ietf-dane-srv]
298 Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
299 Based Authentication of Named Entities (DANE) TLSA records
300 with SRV and MX records.", draft-ietf-dane-srv-13 (work in
301 progress), April 2015.
303 [I-D.ietf-stox-im]
304 Saint-Andre, P., Houri, A., and J. Hildebrand,
305 "Interworking between the Session Initiation Protocol
306 (SIP) and the Extensible Messaging and Presence Protocol
307 (XMPP): Instant Messaging", draft-ietf-stox-im-13 (work in
308 progress), March 2015.
310 [I-D.ietf-xmpp-dna]
311 Saint-Andre, P. and M. Miller, "Domain Name Associations
312 (DNA) in the Extensible Messaging and Presence Protocol
313 (XMPP)", draft-ietf-xmpp-dna-10 (work in progress), March
314 2015.
316 [I-D.ietf-xmpp-posh]
317 Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP
318 (POSH)", draft-ietf-xmpp-posh-04 (work in progress),
319 February 2015.
321 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
322 Protocol (XMPP): Core", RFC 3920, October 2004.
324 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
325 Rose, "DNS Security Introduction and Requirements", RFC
326 4033, March 2005.
328 [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
329 Security Layer (SASL)", RFC 4422, June 2006.
331 [RFC5386] Williams, N. and M. Richardson, "Better-Than-Nothing
332 Security: An Unauthenticated Mode of IPsec", RFC 5386,
333 November 2008.
335 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions:
336 Extension Definitions", RFC 6066, January 2011.
338 [RFC7247] Saint-Andre, P., Houri, A., and J. Hildebrand,
339 "Interworking between the Session Initiation Protocol
340 (SIP) and the Extensible Messaging and Presence Protocol
341 (XMPP): Architecture, Addresses, and Error Handling", RFC
342 7247, May 2014.
344 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
345 Attack", BCP 188, RFC 7258, May 2014.
347 [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
348 Known Attacks on Transport Layer Security (TLS) and
349 Datagram TLS (DTLS)", RFC 7457, February 2015.
351 [XEP-0138]
352 Hildebrand, J. and P. Saint-Andre, "Stream Compression",
353 XSF XEP 0138, May 2009.
355 [XEP-0170]
356 Saint-Andre, P., "Recommended Order of Stream Feature
357 Negotiation", XSF XEP 0170, January 2007.
359 [XEP-0198]
360 Karneges, J., Saint-Andre, P., Hildebrand, J., Forno, F.,
361 Cridland, D., and M. Wild, "Stream Management", XSF XEP
362 0198, June 2011.
364 [XEP-0220]
365 Miller, J., Saint-Andre, P., and P. Hancke, "Server
366 Dialback", XSF XEP 0220, September 2013.
368 Appendix A. Implementation Notes
370 Some governments enforce legislation prohibiting the export of strong
371 cryptographic technologies. Nothing in this document ought to be
372 taken as advice to violate such prohibitions.
374 Appendix B. Acknowledgements
376 The authors would like to thank the following individuals for their
377 input: Dave Cridland, Philipp Hancke, Olle Johansson, Steve Kille,
378 Tobias Markmann, Matt Miller, and Rene Treffer.
380 Roni Even caught several important issues in his review on behalf of
381 the General Area Review Team.
383 Ben Campbell, Spencer Dawkins, and Barry Leiba provided helpful input
384 during IESG review.
386 Thanks to Leif Johansson and Orit Levin as chairs of the UTA WG, Ben
387 Campbell and Joe Hildebrand as chairs of the XMPP WG, and Stephen
388 Farrell as the sponsoring Area Director.
390 Authors' Addresses
392 Peter Saint-Andre
393 &yet
395 Email: peter@andyet.com
396 URI: https://andyet.com/
398 Thijs Alkemade
400 Email: me@thijsalkema.de