Network Working Group                                           S. Drach
Request for Comments: 2485                              Sun Microsystems
Category: Standards Track                                   January 1999


       DHCP Option for The Open Group's User Authentication Protocol

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   This document defines a DHCP [1] option that contains a list of
   pointers to User Authentication Protocol servers that provide user
   authentication services for clients that conform to The Open Group
   Network Computing Client Technical Standard [2].

Introduction

   The Open Group Network Computing Client Technical Standard, a product
   of The Open Group's Network Computing Working Group (NCWG), defines a
   network computing client user authentication facility named the User
   Authentication Protocol (UAP).

   UAP provides two levels of authentication, basic and secure. Basic
   authentication uses the Basic Authentication mechanism defined in the
   HTTP 1.1 [3] specification. Secure authentication is simply basic
   authentication encapsulated in an SSLv3 [4] session.

   In both cases, a UAP client needs to obtain the IP address and port
   of the UAP service. Additional path information may be required,
   depending on the implementation of the service. A URL [5] is an
   excellent mechanism for encapsulation of this information since many
   UAP servers will be implemented as components within legacy HTTP/SSL
   servers.

Drach                       Standards Track                     [Page 1]

RFC 2485         DHCP Option for the Open Group's UAP       January 1999

   Most UAP clients have no local state and are configured when booted
   through DHCP. No existing DHCP option [6] has a data field that
   contains a URL. Option 72 contains a list of IP addresses for WWW
   servers, but it is not adequate since a port and/or path can not be
   specified. Hence there is a need for an option that contains a list
   of URLs.

User Authentication Protocol Option

   This option specifies a list of URLs, each pointing to a user
   authentication service that is capable of processing authentication
   requests encapsulated in the User Authentication Protocol (UAP). UAP
   servers can accept either HTTP 1.1 or SSLv3 connections. If the list
   includes a URL that does not contain a port component, the normal
   default port is assumed (i.e., port 80 for http and port 443 for
   https). If the list includes a URL that does not contain a path
   component, the path /uap is assumed.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Code      |    Length     |           URL list            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code        98

   Length      The length of the data field (i.e., URL list) in
               bytes.

   URL list    A list of one or more URLs separated by the ASCII
               space character (0x20).

References

   [1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
       March 1997.

   [2] Technical Standard: Network Computing Client, The Open Group,
       Document Number C801, October 1998.

   [3] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T.
       Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC
       2068, January 1997.

   [4] Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol,
       Version 3.0", Netscape Communications Corp., November 1996.
       Standards Information Base, The Open Group,
       http://www.db.opengroup.org/sib.htm#SSL_3.

   [5] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
       Resource Locators (URL)", RFC 1738, December 1994.

   [6] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
       Extensions", RFC 2132, March 1997.

Security Considerations

   DHCP currently provides no authentication or security mechanisms.
   Potential exposures to attack are discussed in section 7 of the DHCP
   protocol specification.

   The User Authentication Protocol does not have a means to detect
   whether or not the client is communicating with a rogue
   authentication service that the client contacted because it received
   a forged or otherwise compromised UAP option from a DHCP service
   whose security was compromised. Even secure authentication does not
   provide relief from this type of attack. This security exposure is
   mitigated by the environmental assumptions documented in the Network
   Computing Client Technical Standard.
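
   The option layout defined above and the rogue-server exposure
   described in this section, as an added worked example that is not
   part of RFC 2485 or of any UAP implementation: a Python parser for an
   option 98 TLV that applies the RFC's defaults (port 80 for http, 443
   for https, path /uap), a builder that enforces the one-octet Length
   limit of a DHCP option, and a client-side policy check that refuses
   any URL whose host is not in a locally provisioned allowlist of UAP
   hosts or that does not use https. The allowlist, the policy function
   and the sample hosts (auth.example.com, evil.example.net) are
   constructed for this example; the RFC itself relies on environmental
   assumptions rather than on any such check.

```python
"""DHCP option 98 (UAP server URL list): parser, builder and policy check.

Added example, not code from RFC 2485 or from a UAP implementation.  Code 98,
the 0x20 separator and the defaults (port 80/443, path /uap) follow the RFC;
the allowlist policy and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

UAP_OPTION_CODE = 98
DEFAULT_PORTS = {"http": 80, "https": 443}
DEFAULT_PATH = "/uap"


def build_uap_option(urls):
    """Encode a list of URLs as one option 98 TLV (code, length, data).

    The DHCP option Length field is a single octet, so a URL list longer
    than 255 bytes cannot be carried in one option instance.
    """
    data = " ".join(urls).encode("ascii")
    if len(data) > 255:
        raise ValueError("URL list longer than 255 bytes does not fit one option")
    return bytes([UAP_OPTION_CODE, len(data)]) + data


def parse_uap_option(option: bytes):
    """Parse an option 98 TLV into (scheme, host, port, path) tuples.

    Applies the RFC defaults for a missing port or path and raises
    ValueError on a truncated option or an unusable URL.
    """
    if len(option) < 2:
        raise ValueError("option too short for code and length")
    code, length = option[0], option[1]
    if code != UAP_OPTION_CODE:
        raise ValueError(f"not option {UAP_OPTION_CODE}: code {code}")
    data = option[2:2 + length]
    if len(data) != length:
        raise ValueError("length field exceeds available data")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("URL list is not ASCII") from exc

    servers = []
    # "One or more URLs separated by the ASCII space character"; skipping
    # empty fields tolerates a doubled separator instead of yielding a bogus URL.
    for url in text.split(" "):
        if not url:
            continue
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in {url!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {url!r}")
        # parts.port is None when the URL has no port; it raises ValueError
        # on a non-numeric or out-of-range port, which we let propagate.
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        path = parts.path if parts.path else DEFAULT_PATH
        servers.append((scheme, parts.hostname, port, path))
    if not servers:
        raise ValueError("URL list is empty")
    return servers


def select_uap_server(servers, allowed_hosts, require_tls=True):
    """Return the first parsed server that satisfies local policy, else None.

    DHCP is unauthenticated, so a forged option 98 can steer the client to a
    rogue service.  SSL alone does not help: the certificate is checked against
    a hostname the attacker chose.  The allowlist stands in for knowledge the
    client must already hold before trusting DHCP (an assumption of this
    example, not a mechanism the RFC defines).
    """
    allowed = {h.lower() for h in allowed_hosts}
    for scheme, host, port, path in servers:
        if require_tls and scheme != "https":
            continue
        if host.lower() not in allowed:
            continue
        return (scheme, host, port, path)
    return None


# Constructed sample option: one URL with explicit port and path, one bare URL.
SAMPLE_URLS = ["http://auth.example.com:8080/login/uap", "https://auth.example.com"]
SAMPLE_OPTION = build_uap_option(SAMPLE_URLS)
ALLOWED_UAP_HOSTS = ["auth.example.com"]  # constructed local policy

if __name__ == "__main__":
    parsed = parse_uap_option(SAMPLE_OPTION)
    print("parsed:", parsed)
    print("chosen:", select_uap_server(parsed, ALLOWED_UAP_HOSTS))
    rogue = parse_uap_option(build_uap_option(["https://evil.example.net/uap"]))
    print("rogue host rejected:", select_uap_server(rogue, ALLOWED_UAP_HOSTS) is None)
```

   With require_tls set, the sample option yields the https URL with
   port 443 and path /uap filled in, while a forged option naming an
   unlisted host is rejected even though it uses https.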

Author's Address

   Steve Drach
   Sun Microsystems, Inc.
   901 San Antonio Road
   Palo Alto, CA 94303

   Phone: (650) 960-1300
   EMail: drach@sun.com

Full Copyright Statement

   Copyright (C) The Internet Society (1999). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.