J.Breza Internet Draft T.Hain Document: draft-hain-rsvp-kerberos-msg-proc-00.txt Microsoft Category: Informational June 1999 Message processing for RSVP use of Kerberos Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document describes the sequence for processing RSVP messages which use Kerberos as the Identity authentication. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [2]. Definitions RSVP Resource ReSerVation Protocol [3] XMIT Transmitting system RECV Receiving System PDP Policy Decision Point PEP Policy Enforcement Point GSS-API Generic Security Service Application Program Interface [4] Path request processing Hain Informational - December 1999 1 draft-hain-rsvp-kerberos-msg-proc-00.txt June 1999 1) The XMIT system sends a PATH request to the PDP. The request includes a service ticket for the PDP service withou t Kerberos [5] authdata. Included in the PATH request is the DN of the user encrypted using the session key (from the service ticket - GSS_wrap(conf=TRUE)) [6]. 2) The PDP should extract the Kerberos service ticket, decrypt it, and use the session key to decrypt the user's DN (GSS_unwrap the DN). The DN should be used for an LDAP search of the directory to get the user's policy for RSVP. The PDP is running as its service principal identity when querying the DS. Impersonation should not beused for this. All PDP's in a "domain" share the same account. All password changes for the PDP account must be synchronized. The PDP "domain" is the set of PDP's that can access a directory for a given DN. 3) The PDP uses the returned policy to configure the path for the user. It issues the PATH request on the network 4) The PEP's will intercept the PATH request and process it appropriately. The PEP sends the identity from the PATH request to a PDP to retrieve the policy for the user. As each request is processed it is sent along to the next hop toward the RECV system. Each PEP's IP address is added to the PATH request before sending it along. The DN of the user is encrypted using a key for the next hop. If this next hop is within the same realm, it will use a Kerberos service ticket for this server. The DN will be encrypted using the session key in the service ticket for the next hop. If the next hop is not in the realm, it may use a pre-shared key (or other mechanism) to encrypt the (current) PDP's identity (DN). In this case the original users identity is lost. 5) Eventually the RECV system gets the PATH request, it processes it and replies with a RESV response to the last PEP to process the PATH request. 6) Eventually the last PEP will send the RESV response to the XMIT system completing the bandwidth reservation setup. Security Considerations This draft discusses the security processing for RSVP messages using Kerberos. Applications should be aware that the originating users identity will be lost if the RSVP request crosses a Kerberos trust boundary. References Hain Informational - December 1999 2 draft-hain-rsvp-kerberos-msg-proc-00.txt June 1999 1 RFC 2026, Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, October 1996. 2 RFC 2119, Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, March 1997 3 RFC 2205, Braden, et.al., "Resource ReSerVation Protocol", September 1997 4 RFC 1508, Linn, "Generic Security Service Application Program Interface", September 1993 5 RFC 1510, Kohl, Neuman, "The Kerberos Network Authentication Service (V5)", September 1993 6 RFC 1964, Linn, "The Kerberos Version 5 GSS-API Mechanism", June 1996 Acknowledgments Author's Addresses John Breza Tony Hain Microsoft Microsoft One Microsoft Way One Microsoft Way Redmond, Wa. 98052 Redmond, Wa. 98052 Email: jbrezak@microsoft.com Email: tonyhain@microsoft.com Full Copyright Statement "Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implmentation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into Hain Informational - December 1999 3