| Network Working Group | V. Dukhovni |
| Internet-Draft | N. Williams, Ed. |
| Intended status: Best Current Practice | Cryptonector |
| Expires: September 05, 2014 | March 04, 2014 |
Using Wildcard A and AAAA Resource Records in the DNS for Per-User Host-Based Services
draft-dukhovni-using-wildcard-a-rrsets-00
This document describes how the use of wildcard A and AAAA resource records (RRs) in the Domain Name System (DNS), optionally coupled with self-service key management for host names that match the wildcards, to create per-user services. This memo describes what should be a best current practice.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 05, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Often users need to run services (often on multi-user systems) that need host-based service principal names. We describe a method for arranging this without having to share sensitive cryptographic host credentials with users:
This allows users to publish “<username>.<hostname-FQDN>” as their services' hostname.
For the rest of this document we shorten “per-user host-based service principal” to “PUHBSP”.
And that's it. The difficult part, of course, is (2), but it is possible to adjust existing provisioning systems and/or build new ones to address this. See Section 3
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Existing standard and non-standard Kerberos [RFC4120] administration and PKIX [RFC5280] online certification authority (CA) protocols may be used for self-service key management of PUHBSP credentials with minimal changes. The main change that is needed is an authorization change on the server-side.
Example protocols whose services may be modified to suit this purpose:
The principle is general, applying to any authentication mechanism that can authenticate host-based services, not just Kerberos or PKIX.
Three different sorts of authorization decisions are involved:
For example, a host might authenticate local users using traditional operating system facilities (e.g., processes' credentials), then decide whether the local user gets to have a requested sub-domain of the host's hostname.
In our deployment it is trivial for users to run their own web services:
In this use case no credential acquisition protocols were modified. Instead their services were modified to permit clients with host-based service credentials to acquire credentials for PUHBSPs whose hostname component is a sub-domain of the actual host's.
Some hostnames may be meaningful (e.g., “irc.foo.bar.example” might be taken to mean that an IRC [RFC2812] server is located at that hostname). Users may need to be educated as to how to determine that a fully-qualified hostname is a per-user one.
Credential issuers SHOULD keep white-lists of users and hostnames that are permitted to have PUHBSPs, though not necessarily white-lists of {username, hostname} that are permitted to have PUHBSPs.
Self-service key management services for PKIX [RFC5280] SHOULD use an intermediate, online certification authority (CA), rather than a top-level CA, so as to make it possible to revoke the online CA's certificate. (This is good advice for any CA anyways.)
Note that this scheme does not support users from more than one realm having PUHBSPs on the same host.
Note that a large number of port numbers for running services are available to all users on most operating systems. This means that a local user could start a proxy on one port and forward to another port on the same host, where the second port is a service run by a different user. Mutual authentication generally protects against this attack.
Hypertext Transfer Protocol (HTTP) [RFC2616] used with the SPNEGO-based [RFC4178] HTTP authentication method [RFC4559] is quite common in some environments. Negotiate does not make use of session keys to protect HTTP data and metadata. To safeguard against this, per-user HTTP services MUST use Transport Layer Security (TLS) [RFC5246], not just SPNEGO.
There are no IANA considerations in this document.
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |