One document matched: draft-hain-rsvp-kerberos-msg-proc-00.txt
Message processing for RSVP use of Kerberos
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet- Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document describes the sequence for processing RSVP messages
which use Kerberos as the Identity authentication.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119 [2].
Definitions
RSVP Resource ReSerVation Protocol [3]
XMIT Transmitting system
RECV Receiving System
PDP Policy Decision Point
PEP Policy Enforcement Point
GSS-API Generic Security Service Application Program Interface [4]
Path request processing
Hain Informational - December 1999 1
draft-hain-rsvp-kerberos-msg-proc-00.txt June 1999
1) The XMIT system sends a PATH request to the PDP. The request
includes a service ticket for the PDP service
withou
t Kerberos [5]
authdata. Included in the PATH request is the DN of the user
encrypted using the session key (from the service ticket -
GSS_wrap(conf=TRUE)) [6].
2) The PDP should extract the Kerberos service ticket, decrypt it,
and use the session key to decrypt the user's DN (GSS_unwrap the
DN). The DN should be used for an LDAP search of the directory to
get the user's policy for RSVP. The PDP is running as its service
principal identity when querying the DS. Impersonation should not
beused for this. All PDP's in a "domain" share the same account. All
password changes for the PDP account must be synchronized. The PDP
"domain" is the set of PDP's that can access a directory for a given
DN.
3) The PDP uses the returned policy to configure the path for the
user. It issues the PATH request on the network
4) The PEP's will intercept the PATH request and process it
appropriately. The PEP sends the identity from the PATH request to a
PDP to retrieve the policy for the user. As each request is
processed it is sent along to the next hop toward the RECV system.
Each PEP's IP address is added to the PATH request before sending it
along.
The DN of the user is encrypted using a key for the next hop. If
this next hop is within the same realm, it will use a Kerberos
service ticket for this server. The DN will be encrypted using the
session key in the service ticket for the next hop. If the next hop
is not in the realm, it may use a pre-shared key (or other
mechanism) to encrypt the (current) PDP's identity (DN). In this
case the original users identity is lost.
5) Eventually the RECV system gets the PATH request, it processes it
and replies with a RESV response to the last PEP to process the PATH
request.
6) Eventually the last PEP will send the RESV response to the XMIT
system completing the bandwidth reservation setup.
Security Considerations
This draft discusses the security processing for RSVP messages using
Kerberos. Applications should be aware that the originating users
identity will be lost if the RSVP request crosses a Kerberos trust
boundary.
References
Hain Informational - December 1999 2
draft-hain-rsvp-kerberos-msg-proc-00.txt June 1999
1 RFC 2026, Bradner, S., "The Internet Standards Process --
Revision 3", BCP 9, October 1996.
2 RFC 2119, Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, March 1997
3 RFC 2205, Braden, et.al., "Resource ReSerVation Protocol",
September 1997
4 RFC 1508, Linn, "Generic Security Service Application Program
Interface", September 1993
5 RFC 1510, Kohl, Neuman, "The Kerberos Network Authentication
Service (V5)", September 1993
6 RFC 1964, Linn, "The Kerberos Version 5 GSS-API Mechanism", June
1996
Acknowledgments
Author's Addresses
John Breza Tony Hain
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, Wa. 98052 Redmond, Wa. 98052
Email: jbrezak@microsoft.com Email: tonyhain@microsoft.com
Full Copyright Statement
"Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into
Hain Informational - December 1999 3
| PAFTECH AB 2003-2026 | 2026-04-23 04:18:35 |