idnits 2.17.1 draft-ietf-xmpp-dna-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 15, 2013) is 3991 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-dane-srv-02 ** Downref: Normative reference to an Informational RFC: RFC 4949 ** Obsolete normative reference: RFC 5785 (Obsoleted by RFC 8615) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) -- Possible downref: Non-RFC (?) normative reference: ref. 'XEP-0220' -- Obsolete informational reference (is this intentional?): RFC 3920 (Obsoleted by RFC 6120) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Saint-Andre 3 Internet-Draft M. Miller 4 Intended status: Standards Track Cisco Systems, Inc. 5 Expires: October 17, 2013 April 15, 2013 7 Domain Name Associations (DNA) in the Extensible Messaging and Presence 8 Protocol (XMPP) 9 draft-ietf-xmpp-dna-02 11 Abstract 13 This document improves the security of the Extensible Messaging and 14 Presence Protocol (XMPP) in two ways. First, it specifies how 15 "prooftypes" can establish a strong association between a domain name 16 and an XML stream. Second, it describes how to securely delegate a 17 source domain to a derived domain, which is especially important in 18 virtual hosting environments. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on October 17, 2013. 37 Copyright Notice 39 Copyright (c) 2013 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 3. Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 4. A Simple Scenario . . . . . . . . . . . . . . . . . . . . . . 5 58 5. One-Way Authentication . . . . . . . . . . . . . . . . . . . 6 59 6. Piggybacking . . . . . . . . . . . . . . . . . . . . . . . . 7 60 6.1. Assertion . . . . . . . . . . . . . . . . . . . . . . . . 7 61 6.2. Supposition . . . . . . . . . . . . . . . . . . . . . . . 9 62 7. Alternative Prooftypes . . . . . . . . . . . . . . . . . . . 10 63 7.1. DANE . . . . . . . . . . . . . . . . . . . . . . . . . . 10 64 7.2. POSH . . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 8. Secure Delegation and Multi-Tenancy . . . . . . . . . . . . . 11 66 9. Prooftype Model . . . . . . . . . . . . . . . . . . . . . . . 12 67 10. Security Considerations . . . . . . . . . . . . . . . . . . . 12 68 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 69 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 70 12.1. Normative References . . . . . . . . . . . . . . . . . . 12 71 12.2. Informative References . . . . . . . . . . . . . . . . . 13 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 74 1. Introduction 76 The need to establish a strong association between a domain name and 77 an XML stream arises in both client-to-server and server-to-server 78 communication using the Extensible Messaging and Presence Protocol 79 (XMPP), because XMPP servers are typically identified by DNS domain 80 names. However, a client or peer server needs to verify the identity 81 of a server to which it connects. To date, such verification has 82 been established based on information obtained from the Domain Name 83 System (DNS), the Public Key Infrastructure (PKI), or similar 84 sources. This document (1) generalizes the model currently in use so 85 that additional prooftypes can be defined, (2) provides a basis for 86 modernizing some prooftypes to reflect progress in underlying 87 technologies such as DNS Security [RFC4033], and (3) describes the 88 flow of operations for establishing a domain name association. 90 Furthermore, the process for resolving the domain name of an XMPP 91 service into the IP address at which an XML stream will be negotiated 92 (defined in [RFC6120]) can involve delegation of a source domain 93 (say, example.com) to a derived domain (say, hosting.example.net). 94 If such delegation is not done in a secure manner, then the domain 95 name association cannot be authenticated. Therefore, this document 96 provides guidelines for defining secure delegation methods. 98 2. Terminology 100 This document inherits XMPP terminology from [RFC6120] and 101 [XEP-0220], DNS terminology from [RFC1034], [RFC1035], [RFC2782] and 102 [RFC4033], and security terminology from [RFC4949] and [RFC5280]. 103 The terms "source domain", "derived domain", "reference identity", 104 and "presented identity" are used as defined in the "CertID" 105 specification [RFC6125]. The terms "permissive federation", 106 "verified federation", and "encrypted federation" are derived from 107 [XEP-0238], although we substitute the term "authenticated 108 federation" for the term "trusted federation" from that document. 110 3. Flow Chart 112 The following flow chart illustrates the protocol flow for 113 establishing domain name associations between Server A and Server B, 114 as described in the remaining sections of this document. 116 | 117 | 118 (Section 4: A Simple Scenario) 119 | 120 | 121 DNS RESOLUTION ETC. 122 | 123 +-------------STREAM HEADERS--------------------+ 124 | | 125 | A: | 126 | | 127 | B: | 128 | | 129 +-----------------------------------------------+ 130 | 131 +-------------TLS NEGOTIATION-------------------+ 132 | | 133 | B: Server Certificate | 134 | [B: Certificate Request] | 135 | [A: Client Certificate] | 136 | | 137 +-----------------------------------------------+ 138 | 139 (A establishes DNA for b.example!) 140 | 141 +-------------AUTHENTICATION--------------------+ 142 | | | 143 | {client certificate?} ----+ | 144 | | | | 145 | | yes no | | 146 | v | | 147 | SASL EXTERNAL | | 148 | (mutual auth!) | | 149 +------------------------------------|----------+ 150 | 151 +----------------+ 152 | B needs to auth A 153 | 154 (Section 5: One-Way Authentication) 155 | 156 | 157 DNS RESOLUTION ETC. 158 | 159 +-------------STREAM HEADERS--------------------+ 160 | | 161 | B: | 162 | | 163 | A: | 164 | | 165 +-----------------------------------------------+ 166 | 167 +-------------TLS NEGOTIATION-------------------+ 168 | | 169 | A: Server Certificate | 170 | | 171 +-----------------------------------------------+ 172 | 173 (B establishes DNA for a.example!) 174 | 175 | 176 (Section 6.1: Piggybacking Assertion) 177 | 178 | 179 +----------DIALBACK IDENTITY ASSERTION----------+ 180 | | 181 | B: | 183 | | 184 +-----------------------------------------------+ 185 | 186 +-----------DNA DANCE AS ABOVE------------------+ 187 | | 188 | DNS RESOLUTION, STREAM HEADERS, | 189 | TLS NEGOTIATION, AUTHENTICATION | 190 | | 191 +-----------------------------------------------+ 192 | 193 +----------DIALBACK IDENTITY VERIFICATION-------+ 194 | | 195 | A: | 198 | | 199 +-----------------------------------------------+ 200 | 201 | 202 (Section 6.2: Piggybacking Supposition) 203 | 204 | 205 +-----------SUBSEQUENT CONNECTION---------------+ 206 | | 207 | B: | 209 | | 210 | A: | 212 | | 213 +-----------------------------------------------+ 214 | 215 +-----------DNA DANCE AS ABOVE------------------+ 216 | | 217 | DNS RESOLUTION, STREAM HEADERS, | 218 | TLS NEGOTIATION, AUTHENTICATION | 219 | | 220 +-----------------------------------------------+ 221 | 222 +-----------DIALBACK OPTIMIZATION---------------+ 223 | | 224 | B: | 226 | | 227 | B: | 230 | | 231 +-----------------------------------------------+ 233 4. A Simple Scenario 235 To illustrate the problem, consider the simplified order of events 236 (see [RFC6120] for details) in establishing an XML stream between 237 Server A (a.example) and Server B (b.example): 239 1. Server A resolves the DNS domain name b.example. 241 2. Server A opens a TCP connection to the resolved IP address. 243 3. Server A sends an initial stream header to Server B, asserting 244 that it is a.example: 246 248 4. Server B sends a response stream header to Server A, asserting 249 that it is b.example: 251 253 5. The servers attempt TLS negotiation, during which Server B 254 (acting as a TLS server) presents a PKIX certificate proving that 255 it is b.example and Server A (acting as a TLS client) presents a 256 PKIX certificate proving that it is a.example. 258 6. Server A checks the PKIX certificate that Server B provided and 259 Server B checks the PKIX certificate that Server A provided; if 260 these proofs are consistent with the XMPP profile of the matching 261 rules from [RFC6125], each server accepts that there is a strong 262 domain name association between its stream to the other party and 263 the DNS domain name of the other party. 265 Several simplifying assumptions underlie the happy scenario just 266 outlined: 268 o Server A presents a PKIX certificate during TLS negotiation, which 269 enables the parties to complete mutual authentication. 271 o There are no additional domains associated with Server A and 272 Server B (say, a subdomain chatrooms.a.example on Server A or a 273 second domain c.example on Server B). 275 o The server administrators are able to obtain PKIX certificates in 276 the first place. 278 o The server administrators are running their own XMPP servers, 279 rather than using hosting services. 281 Let's consider each of these "wrinkles" in turn. 283 5. One-Way Authentication 285 If Server A does not present its PKIX certificate during TLS 286 negotiation (perhaps because it wishes to verify the identity of 287 Server B before presenting its own credentials), Server B is unable 288 to mutually authenticate Server A. Therefore, Server B needs to 289 negotiate and authenticate a stream to Server A, just as Server A has 290 done: 292 1. Server B resolves the DNS domain name a.example. 294 2. Server B opens a TCP connection to the resolved IP address. 296 3. Server B sends an initial stream header to Server A, asserting 297 that it is b.example: 299 301 4. Server A sends a response stream header to Server B, asserting 302 that it is a.example: 304 306 5. The servers attempt TLS negotiation, during which Server A 307 (acting as a TLS server) presents a PKIX certificate proving that 308 it is a.example. 310 6. Server B checks the PKIX certificate that Server A provided; if 311 it is consistent with the XMPP profile of the matching rules from 312 [RFC6125], Server B accepts that there is a strong domain name 313 association between its stream to Server A and the DNS domain 314 name a.example. 316 Unfortunately, now the servers are using two TCP connections instead 317 of one, which is somewhat wasteful. However, there are ways to tie 318 the authentication achieved on the second TCP connection to the first 319 TCP connection; see [XEP-0288] for further discussion. 321 6. Piggybacking 323 6.1. Assertion 325 Consider the common scenario in which Server B hosts not only 326 b.example but also a second domain c.example. If a user of Server B 327 associated with c.example wishes to communicate with a friend at 328 a.example, Server B needs to send XMPP stanzas from the domain 329 c.example rather than b.example. Although Server B could open an new 330 TCP connection and negotiate new XML streams for the domain pair of 331 c.example and a.example, that too is wasteful. Server B already has 332 a connection to a.example, so how can it assert that it would like to 333 add a new domain pair to the existing connection? 335 The traditional method for doing so is the Server Dialback protocol, 336 first specified in [RFC3920] and since moved to [XEP-0220]. Here, 337 Server B can send a element for the new domain pair over 338 the existing stream. 340 341 some-dialback-key 342 344 This element functions as Server B's assertion that it is (also) 345 c.example, and thus is functionally equivalent to the 'from' address 346 of an initial stream header as previously described. 348 In response to this assertion, Server A needs to obtain some kind of 349 proof that Server B really is also c.example. It can do the same 350 thing that it did before: 352 1. Server A resolves the DNS domain name c.example. 354 2. Server A opens a TCP connection to the resolved IP address (which 355 might be the same IP address as for b.example). 357 3. Server A sends an initial stream header to Server B, asserting 358 that it is a.example: 360 362 4. Server B sends a response stream header to Server A, asserting 363 that it is c.example: 365 367 5. The servers attempt TLS negotiation, during which Server B 368 (acting as a TLS server) presents a PKIX certificate proving that 369 it is c.example. 371 6. Server A checks the PKIX certificate that Server B provided; if 372 it is consistent with the XMPP profile of the matching rules from 373 [RFC6125], Server A accepts that there is a strong domain name 374 association between its stream to Server B and the DNS domain 375 name c.example. 377 Now that Server A accepts the domain name association, it informs 378 Server B of that fact: 380 382 The parties can then terminate the second connection, since it was 383 used only for Server A to associate a stream over the same IP:port 384 combination with the domain name c.example (dialback key links the 385 original stream to the new association). 387 6.2. Supposition 389 Piggybacking can also occur in the other direction. Consider the 390 common scenario in which Server A provides XMPP services not only for 391 a.example but also for a subdomain such as a groupchat service at 392 chatrooms.a.example (see [XEP-0045]). If a user from c.example at 393 Server B wishes to join a room on the groupchat sevice, Server B 394 needs to send XMPP stanzas from the domain c.example to the domain 395 chatrooms.a.example rather than a.example. Therefore, Server B needs 396 to negotiate and authenticate a stream to chatrooms.a.example: 398 1. Server B resolves the DNS domain name chatrooms.a.example. 400 2. Server B opens a TCP connection to the resolved IP address. 402 3. Server B sends an initial stream header to Server A acting as 403 chatrooms.a.example, asserting that it is b.example: 405 407 4. Server A sends a response stream header to Server B, asserting 408 that it is chatrooms.a.example: 410 412 5. The servers attempt TLS negotiation, during which Server A 413 (acting as a TLS server) presents a PKIX certificate proving that 414 it is chatrooms.a.example. 416 6. Server B checks the PKIX certificate that Server A provided; if 417 it is consistent with the XMPP profile of the matching rules from 418 [RFC6125], Server B accepts that there is a strong domain name 419 association between its stream to Server A and the DNS domain 420 name chatrooms.a.example. 422 As before, the parties now have two TCP connections open. So that 423 they can close the now-redundant connection, Server B sends a 424 dialback key to Server A over the new connection. 426 427 some-dialback-key 428 430 Server A then informs Server B that it accepts the domain name 431 association: 433 435 Server B can now close the connection over which it tested the domain 436 name association for chatrooms.a.example. 438 7. Alternative Prooftypes 440 The foregoing protocol flows assumed that domain name associations 441 were proved using the standard PKI prooftype specified in [RFC6120]: 442 that is, the server's proof consists of a PKIX certificate that is 443 checked according to a profile of the matching rules from [RFC6125], 444 the client's verification material is obtained out of band in the 445 form of a trusted root, and secure DNS is not necessary. 447 However, sometimes XMPP server administrators are unable or unwilling 448 to obtain valid PKIX certificates for their servers (e.g., the 449 administrator of im.cs.podunk.example can't receive certification 450 authority verification messages sent to 451 mailto:hostmaster@podunk.example, or hosting.example.net does not 452 want to take on the liability of holding the certificate and private 453 key for example.com). In these circumstances, prooftypes other than 454 PKIX are desirable. Two alternatives have been defined so far: DANE 455 and POSH. 457 7.1. DANE 459 In the DANE prooftype, the server's proof consists of a PKIX 460 certificate that is compared as an exact match or a hash of either 461 the SubjectPublicKeyInfo or the full certificate, and the client's 462 verification material is obtained via secure DNS. 464 The DANE prooftype is based on [I-D.ietf-dane-srv]. For XMPP 465 purposes, the following rules apply: 467 o If there is no SRV resource record, pursue the fallback methods 468 described in [RFC6120]. 470 o Use the 'to' address of the initial stream header to determine the 471 domain name of the TLS client's reference identifier (since use of 472 the TLS Server Name Indication is purely discretionary in XMPP, as 473 mentioned in [RFC6120]). 475 7.2. POSH 476 In the POSH (PKIX Over Secure HTTP) prooftype, the server's proof 477 consists of a PKIX certificate that is checked according to the rules 478 from [RFC6120] and [RFC6125], the client's verification material is 479 obtained by retrieving the PKIK certificate over HTTPS at a well- 480 known URI [RFC5785], and secure DNS is not necessary since the HTTPS 481 retrieval mechanism relies on the chain of trust from the public key 482 infrastructure. 484 POSH is fully defined in [I-D.miller-xmpp-posh-prooftype]. 486 8. Secure Delegation and Multi-Tenancy 488 One common method for deploying XMPP services is multi-tenancy or 489 virtual hosting: e.g., the XMPP service for example.com is actually 490 hosted at hosting.example.net. Such an arrangement is relatively 491 convenient in XMPP given the use of DNS SRV records [RFC2782], such 492 as the following pointer from example.com to hosting.example.net: 494 _xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net 496 Secure connections with multi-tenancy can work using the PKIX 497 prooftype on a small scale if the provider itself wishes to host 498 several domains (e.g., several related domains such as jabber- 499 de.example and jabber-ch.example). However, in practice the security 500 of multi-tenancy has been found to be unwieldy when the provider 501 hosts large numbers of XMPP services on behalf of multiple customers. 502 Typically there are two main reasons for this state of affairs: the 503 service provider (say, hosting.example.net) wishes to limit its 504 liability and therefore does not wish to hold the certificate and 505 private key for the customer (say, example.com) and the customer 506 wishes to improve the security of the service and therefore does not 507 wish to share its certificate and private key with service provider. 508 As a result, server-to-server communications to example.com go 509 unencrypted or the communications are TLS-encrypted but the 510 certificates are not checked (which is functionally equivalent to a 511 connection using an anonymous key exchange). This is also true of 512 client-to-server communications, forcing end users to override 513 certificate warnings or configure their clients to accept 514 certificates for hosting.example.net instead of example.com. The 515 fundamental problem here is that if DNSSEC is not used then the act 516 of delegation via DNS SRV records is inherently insecure. 518 [I-D.ietf-dane-srv] explains how to use DNSSEC for secure delegation 519 with the DANE prooftype and [I-D.miller-xmpp-posh-prooftype] explains 520 how to use HTTPS redirects for secure delegation with the POSH 521 prooftype. 523 9. Prooftype Model 525 In general, a DNA prooftype conforms to the following definition: 527 prooftype: A mechanism for proving an association between a domain 528 name and an XML stream, where the mechanism defines (1) the nature 529 of the server's proof, (2) the matching rules for comparing the 530 client's verification material against the server's proof, (3) how 531 the client obtains its verification material, and (4) whether the 532 mechanism depends on secure DNS. 534 The PKI, DANE, and POSH prooftypes adhere to this model. In 535 addition, other prooftypes are possible (examples might include PGP 536 keys rather than PKIX certificates, or a token mechanism such as 537 Kerberos or OAuth). 539 Some prooftypes depend on (or are enhanced by) secure DNS and 540 therefore also need to describe how secure delegation occurs for that 541 prooftype. 543 10. Security Considerations 545 This document supplements but does not supersede the security 546 considerations of [RFC6120] and [RFC6125]. Relevant security 547 considerations can also be found in [I-D.ietf-dane-srv] and 548 [I-D.miller-xmpp-posh-prooftype]. 550 11. IANA Considerations 552 This document has no actions for the IANA. 554 12. References 556 12.1. Normative References 558 [I-D.ietf-dane-srv] 559 Finch, T., "Using DNS-Based Authentication of Named 560 Entities (DANE) TLSA records with SRV and MX records.", 561 draft-ietf-dane-srv-02 (work in progress), February 2013. 563 [I-D.miller-xmpp-posh-prooftype] 564 Saint-Andre, P., "Using PKIX over Secure HTTP (POSH) as a 565 Prooftype for XMPP Domain Name Associations", draft- 566 miller-xmpp-posh-prooftype-03 (work in progress), February 567 2013. 569 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 570 STD 13, RFC 1034, November 1987. 572 [RFC1035] Mockapetris, P., "Domain names - implementation and 573 specification", STD 13, RFC 1035, November 1987. 575 [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 576 specifying the location of services (DNS SRV)", RFC 2782, 577 February 2000. 579 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 580 Rose, "DNS Security Introduction and Requirements", RFC 581 4033, May 2005. 583 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 584 4949, August 2007. 586 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 587 Housley, R., and W. Polk, "Internet X.509 Public Key 588 Infrastructure Certificate and Certificate Revocation List 589 (CRL) Profile", RFC 5280, May 2008. 591 [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known 592 Uniform Resource Identifiers (URIs)", RFC 5785, April 593 2010. 595 [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence 596 Protocol (XMPP): Core", RFC 6120, March 2011. 598 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 599 Verification of Domain-Based Application Service Identity 600 within Internet Public Key Infrastructure Using X.509 601 (PKIX) Certificates in the Context of Transport Layer 602 Security (TLS)", RFC 6125, March 2011. 604 [XEP-0220] 605 Miller, J., Saint-Andre, P., and P. Hancke, "Server 606 Dialback", XSF XEP 0220, August 2012. 608 12.2. Informative References 610 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence 611 Protocol (XMPP): Core", RFC 3920, October 2004. 613 [XEP-0045] 614 Saint-Andre, P., "Multi-User Chat", XSF XEP 0045, February 615 2012. 617 [XEP-0238] 618 Saint-Andre, P., "XMPP Protocol Flows for Inter-Domain 619 Federation", XSF XEP 0238, March 2008. 621 [XEP-0288] 622 Hancke, P. and D. Cridland, "Bidirectional Server-to- 623 Server Connections", XSF XEP 0288, August 2012. 625 Authors' Addresses 627 Peter Saint-Andre 628 Cisco Systems, Inc. 629 1899 Wynkoop Street, Suite 600 630 Denver, CO 80202 631 USA 633 Email: psaintan@cisco.com 635 Matthew Miller 636 Cisco Systems, Inc. 637 1899 Wynkoop Street, Suite 600 638 Denver, CO 80202 639 USA 641 Email: mamille2@cisco.com