draft-ietf-nfsv4-ccm-01.txt   draft-ietf-nfsv4-ccm-02.txt 
Network Working Group M. Eisler Network Working Group M. Eisler
Internet-Draft Network Appliance, Inc. Internet-Draft Network Appliance, Inc.
N. Williams N. Williams
Sun Microsystems, Inc. Sun Microsystems, Inc.
May 2003 October 2003
The Channel Conjunction Mechanism (CCM) for GSS The Channel Conjunction Mechanism (CCM) for GSS
draft-ietf-nfsv4-ccm-01.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026. with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 2, line 7 skipping to change at page 2, line 7
independent upper layer protocols to leverage the data stream independent upper layer protocols to leverage the data stream
protections of lower layer protocols, without the inconvenience of protections of lower layer protocols, without the inconvenience of
modifying the upper layer protocol to do so. modifying the upper layer protocol to do so.
TABLE OF CONTENTS TABLE OF CONTENTS
1. Conventions Used in this Document . . . . . . . . . . . . . . . 3 1. Conventions Used in this Document . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Example Application of CCM . . . . . . . . . . . . . . . . . 4 3.1. Example Application of CCM . . . . . . . . . . . . . . . . . 4
3.2. A Suite of CCM Mechanisms . . . . . . . . . . . . . . . . . . 4 3.2. A Suite of CCM Mechanisms . . . . . . . . . . . . . . . . . . 5
3.3. QOPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. QOPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Token Formats . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Token Formats . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Mechanism Object Identifier . . . . . . . . . . . . . . . . . 6 4.1. Mechanism Object Identifier . . . . . . . . . . . . . . . . . 6
4.2. Tokens for the CCM-BIND mechanisms . . . . . . . . . . . . . 6 4.2. Tokens for the CCM-BIND mechanisms . . . . . . . . . . . . . 6
4.3. Context Establishment Tokens for CCM-BIND Mechanisms . . . . 6 4.3. Context Establishment Tokens for CCM-BIND Mechanisms . . . . 6
4.3.1. Initial Context Token for CCM-BIND . . . . . . . . . . . . 7 4.3.1. Initial Context Token for CCM-BIND . . . . . . . . . . . . 7
4.3.2. Subsequent Context Tokens for CCM-BIND . . . . . . . . . . 7 4.3.2. Subsequent Context Tokens for CCM-BIND . . . . . . . . . . 7
4.3.2.1. Subsequent Initiator Context Initialization Token for 4.3.2.1. Subsequent Initiator Context Initialization Token for
CCM-BIND . . . . . . . . . . . . . . . . . . . . . . . . 7 CCM-BIND . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3.2.2. Response Token for CCM-BIND . . . . . . . . . . . . . . . 7 4.3.2.2. Response Token for CCM-BIND . . . . . . . . . . . . . . . 7
skipping to change at page 2, line 38 skipping to change at page 2, line 38
4.9. MIC Token for CCM-MIC . . . . . . . . . . . . . . . . . . . 12 4.9. MIC Token for CCM-MIC . . . . . . . . . . . . . . . . . . . 12
4.10. Wrap Token for CCM-MIC . . . . . . . . . . . . . . . . . . 12 4.10. Wrap Token for CCM-MIC . . . . . . . . . . . . . . . . . . 12
4.11. Context Deletion Token . . . . . . . . . . . . . . . . . . 12 4.11. Context Deletion Token . . . . . . . . . . . . . . . . . . 12
4.12. Exported Context Token . . . . . . . . . . . . . . . . . . 12 4.12. Exported Context Token . . . . . . . . . . . . . . . . . . 12
4.13. Other Tokens for CCM-MIC . . . . . . . . . . . . . . . . . 12 4.13. Other Tokens for CCM-MIC . . . . . . . . . . . . . . . . . 12
5. GSS Channel Bindings for Common Secure Channel Protocols . . 12 5. GSS Channel Bindings for Common Secure Channel Protocols . . 12
5.1. GSS Channel Bindings for IKEv1 . . . . . . . . . . . . . . 13 5.1. GSS Channel Bindings for IKEv1 . . . . . . . . . . . . . . 13
5.2. GSS Channel Bindings for IKEv2 . . . . . . . . . . . . . . 13 5.2. GSS Channel Bindings for IKEv2 . . . . . . . . . . . . . . 13
5.3. GSS Channel Bindings for SSHv2 . . . . . . . . . . . . . . 13 5.3. GSS Channel Bindings for SSHv2 . . . . . . . . . . . . . . 13
5.4. GSS Channel Bindings for TLS . . . . . . . . . . . . . . . 13 5.4. GSS Channel Bindings for TLS . . . . . . . . . . . . . . . 13
6. Use of Channel Bindings with CCM-BIND and SPKM . . . . . . . 13 6. Use of Channel Bindings with CCM-BIND and SPKM . . . . . . . 14
7. CCM-KEY and Anonymous IPsec . . . . . . . . . . . . . . . . . 14 7. CCM-KEY and Anonymous IPsec . . . . . . . . . . . . . . . . . 14
8. Other Protocol Issues for CCM . . . . . . . . . . . . . . . . 14 8. Other Protocol Issues for CCM . . . . . . . . . . . . . . . . 14
9. Implementation Issues . . . . . . . . . . . . . . . . . . . . 15 9. Implementation Issues . . . . . . . . . . . . . . . . . . . . 15
9.1. Management of gss_targ_ctx . . . . . . . . . . . . . . . . 15 9.1. Management of gss_targ_ctx . . . . . . . . . . . . . . . . 15
9.2. CCM-BIND Versus CCM-MIC . . . . . . . . . . . . . . . . . . 15 9.2. CCM-BIND Versus CCM-MIC . . . . . . . . . . . . . . . . . . 15
9.3. Initiating CCM-MIC Contexts . . . . . . . . . . . . . . . . 16 9.3. Initiating CCM-MIC Contexts . . . . . . . . . . . . . . . . 16
9.4. Accepting CCM-MIC Contexts . . . . . . . . . . . . . . . . 17 9.4. Accepting CCM-MIC Contexts . . . . . . . . . . . . . . . . 17
9.5. Non-Token Generating GSS-API Routines . . . . . . . . . . . 17 9.5. Non-Token Generating GSS-API Routines . . . . . . . . . . . 17
9.6. CCM-MIC and GSS_Delete_sec_context() . . . . . . . . . . . 17 9.6. CCM-MIC and GSS_Delete_sec_context() . . . . . . . . . . . 17
9.7. GSS Status Codes . . . . . . . . . . . . . . . . . . . . . 18 9.7. GSS Status Codes . . . . . . . . . . . . . . . . . . . . . 18
skipping to change at page 3, line 12 skipping to change at page 3, line 12
9.7.2.1. CCM-MIC: GSS_Accept_sec_context() status codes . . . . 18 9.7.2.1. CCM-MIC: GSS_Accept_sec_context() status codes . . . . 18
9.7.2.2. CCM-MIC: GSS_Init_sec_context() status codes . . . . . 19 9.7.2.2. CCM-MIC: GSS_Init_sec_context() status codes . . . . . 19
9.8. Channel Bindings on the Target . . . . . . . . . . . . . . 20 9.8. Channel Bindings on the Target . . . . . . . . . . . . . . 20
10. Advice for NFSv4 Implementors . . . . . . . . . . . . . . . 21 10. Advice for NFSv4 Implementors . . . . . . . . . . . . . . . 21
11. Man in the Middle Attacks without CCM-KEY . . . . . . . . . 21 11. Man in the Middle Attacks without CCM-KEY . . . . . . . . . 21
12. Security Considerations . . . . . . . . . . . . . . . . . . 22 12. Security Considerations . . . . . . . . . . . . . . . . . . 22
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 25 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 25
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
15. Normative References . . . . . . . . . . . . . . . . . . . . 27 15. Normative References . . . . . . . . . . . . . . . . . . . . 27
16. Informative References . . . . . . . . . . . . . . . . . . . 28 16. Informative References . . . . . . . . . . . . . . . . . . . 28
17. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 28 17. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 29
18. IPR Notices . . . . . . . . . . . . . . . . . . . . . . . . 29 18. IPR Notices . . . . . . . . . . . . . . . . . . . . . . . . 29
19. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . 29 19. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . 29
1. Conventions Used in this Document 1. Conventions Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Introduction 2. Introduction
skipping to change at page 4, line 18 skipping to change at page 4, line 18
CCM is a "wrapper" mechanism over the set of all other GSS CCM is a "wrapper" mechanism over the set of all other GSS
mechanisms. When CCM creates a context, it invokes an underlying mechanisms. When CCM creates a context, it invokes an underlying
mechanism to create a child context. CCM determines the underlying mechanism to create a child context. CCM determines the underlying
mechanism by examining the mechanism object identifier (OID) that it mechanism by examining the mechanism object identifier (OID) that it
is called with. The prefix will always be the OID of CCM, and the is called with. The prefix will always be the OID of CCM, and the
suffix will be the OID of the underlying mechanism. The context suffix will be the OID of the underlying mechanism. The context
initiation and acceptance entry points of CCM wrap the resulting the initiation and acceptance entry points of CCM wrap the resulting the
context tokens with a CCM header. context tokens with a CCM header.
XXX - Note, as currently defined CCM-BIND has a problem with replay
attacks. Let's suppose the target does not implement a cache of
previously accepted context tokens. An attacker can replay the CCM-
BIND initial context token, and the target will accept it. What is
needed is proof that the initiator actually knows the context session
key. A future version of this i-d will specify a round trip for CCM-
BIND (and CCM-MIC) that will force the initiator to sign a nonce from
the target. See [Kasslin] for more information on the attack.
3.1. Example Application of CCM 3.1. Example Application of CCM
Let us use RPCSEC_GSS and NFSv4 [RFC3530] as our example. Basic Let us use RPCSEC_GSS and NFSv4 [RFC3530] as our example. Basic
understanding of the RPCSEC_GSS protocol is assumed. If an NFSv4 understanding of the RPCSEC_GSS protocol is assumed. If an NFSv4
client uses the wrong security mechanism, the server returns the client uses the wrong security mechanism, the server returns the
NFS4ERR_WRONGSEC error. The client can then use NFSv4's SECINFO NFS4ERR_WRONGSEC error. The client can then use NFSv4's SECINFO
operation to ask the server which GSS mechanism to use. operation to ask the server which GSS mechanism to use.
Let us say the client and server are using Kerberos V5 [RFC1964] to Let us say the client and server are using Kerberos V5 [RFC1964] to
secure the traffic. Suppose the TCP connection NFSv4 uses is secured secure the traffic. Suppose the TCP connection NFSv4 uses is secured
skipping to change at page 5, line 46 skipping to change at page 6, line 6
utilize the CCM_REAL_QOP (discussed later Overview section) in the utilize the CCM_REAL_QOP (discussed later Overview section) in the
value to generate and verify the MICs. The type of channel bindings value to generate and verify the MICs. The type of channel bindings
used when initiating CCM-MIC contexts MUST match that used when used when initiating CCM-MIC contexts MUST match that used when
creating the previously established context. creating the previously established context.
3.3. QOPs 3.3. QOPs
The CCM mechanisms provide two QOPs: the default QOP (0) that amounts The CCM mechanisms provide two QOPs: the default QOP (0) that amounts
to no protection, and a QOP (CCM_REAL_QOP, defined as value 1) that to no protection, and a QOP (CCM_REAL_QOP, defined as value 1) that
maps to the default QOP of the underlying GSS mechanism. The MIC maps to the default QOP of the underlying GSS mechanism. The MIC
tokens for CCM are zero length values. When qop_req is 0, the wrap tokens for CCM are a string of 4 octets, each zero filled. When
output tokens for CCM are equal to the input tokens. qop_req is 0, the wrap output token for CCM is equal to the
concatenation of the input token and a single octet (which is equal
[ XXX - We assume that applications can cope with zero length to zero).
MICs. We propose that implementations try and find out. We may
revisit this by requiring a small (8-32 bits) MIC token.
However, given that the C bindings of GSS allocates the MIC on
the heap, this could introduce an unnecessary and expensive
allocation, we suggest applications be fixed to deal with zero
length tokens. ]
4. Token Formats 4. Token Formats
This section discusses the protocol visible tokens that GSS consumers This section discusses the protocol visible tokens that GSS consumers
exchange when using CCM. exchange when using CCM.
4.1. Mechanism Object Identifier 4.1. Mechanism Object Identifier
There are two classes of Mechanism object identifiers (OIDs) for CCM. There are two classes of Mechanism object identifiers (OIDs) for CCM.
The first class consists of the channel binding specific OIDs, and The first class consists of the channel binding specific OIDs, and
skipping to change at page 26, line 52 skipping to change at page 26, line 52
TBD9 ccm-addr-lipkey 1.3.6.1.5.5.TBD1.1.2. 0 rpc_gss_svc_none TBD9 ccm-addr-lipkey 1.3.6.1.5.5.TBD1.1.2. 0 rpc_gss_svc_none
1.3.6.1.5.5.1.3 1.3.6.1.5.5.1.3
TBD10 ccm-addr-lipkey 1.3.6.1.5.5.TBD1.1.3. 0 rpc_gss_svc_none TBD10 ccm-addr-lipkey 1.3.6.1.5.5.TBD1.1.3. 0 rpc_gss_svc_none
1.3.6.1.5.5.1.3 1.3.6.1.5.5.1.3
14. Acknowledgements 14. Acknowledgements
Dave Noveck, for the observation that NFS version 4 servers could Dave Noveck, for the observation that NFS version 4 servers could
downgrade from integrity service to plain authentication service if downgrade from integrity service to plain authentication service if
IPsec was enabled. David Black, Peng Dai, Sam Hartman, and Julian IPsec was enabled. David Black, Peng Dai, Sam Hartman, Martin Rex,
Satran, for their critical comments. Much of the text for the and Julian Satran, for their critical comments. Much of the text for
"Security Considerations" section comes directly from David and Peng. the "Security Considerations" section comes directly from David and
Peng.
15. Normative References 15. Normative References
[RFC1832] [RFC1832]
R. Srinivasan, RFC1832, "XDR: External Data Representation R. Srinivasan, RFC1832, "XDR: External Data Representation
Standard", August, 1995. Standard", August, 1995.
[RFC2025] [RFC2025]
C. Adams, RFC2025: "The Simple Public-Key GSS-API Mechanism C. Adams, RFC2025: "The Simple Public-Key GSS-API Mechanism
(SPKM)," October 1996, Status: Standards Track. (SPKM)," October 1996, Status: Standards Track.
skipping to change at page 28, line 48 skipping to change at page 28, line 49
Eisler, D. Noveck, RFC3530, "Network File System (NFS) version 4 Eisler, D. Noveck, RFC3530, "Network File System (NFS) version 4
Protocol", April 2003. Protocol", April 2003.
[Black] [Black]
D. Black, EMail message on the NFSv4 working group alias, D. Black, EMail message on the NFSv4 working group alias,
February 28, 2003. February 28, 2003.
[DAFS] [DAFS]
Mark Wittle (Editor), "DAFS Direct Access File System Protocol, Mark Wittle (Editor), "DAFS Direct Access File System Protocol,
Version: 1.00", September 1, 2001. Version: 1.00", September 1, 2001.
[Kasslin]
Kasslin, K. "Attacks on Kerberos V in a Windows 2000
Environment", 2003.
http://www.hut.fi/~autikkan/hakkeri/docs/phase1/pdf/
LATEST_final_report.pdf
17. Authors' Addresses 17. Authors' Addresses
Mike Eisler Mike Eisler
5765 Chase Point Circle 5765 Chase Point Circle
Colorado Springs, CO 80919 Colorado Springs, CO 80919
USA USA
Phone: 719-599-9026 Phone: 719-599-9026
EMail: mike@eisler.com EMail: mike@eisler.com
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/