| Network Working Group | J. Silvera |
| Internet-Draft | M. Cox |
| Expires: December 31, 2012 | I. Pashov |
| O. Mazahir | |
| G. Montenegro | |
| Microsoft | |
| July 2012 |
Multilegged Authentication for HTTP Multiplexing
draft-montenegro-httpbis-multilegged-auth-01
In line with the HTTP compatibility goal for HTTP 2.0, HTTP 2.0 must also be compatible with currently deployed authentication schemes. This draft addresses this goal in the presence of multiplexing (expected to be part of HTTP 2.0), while addressing some of the issues currently encountered when performing multilegged authentication.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines multilegged authentication for HTTP multiplexing.
Without reliable support for Kerberos and other multilegged auth schemes, the reach of HTTP2.0 will be greatly diminished in corporations that rely on these authentication schemes to protect their intranet resources.
HTTP's architecture requires that messages be stateless; that is, that they are able to be interpreted in isolation, without relying upon state from "lower" layers, such as association between requests using the same TCP connection. To enable better support of multilegged authentication, we propose that the shared state for which some authentication schemes rely upon the TCP connection (thereby making messages stateful) be moved into the HTTP/2.0 session layer.
The following table summarizes widely deployed authentication schemes, their authentication types and the authentication level they provide:
Table 1:
+-----------+------------------------+----------------------+
| Scheme | Type of Authentication | Authentication Level |
+-----------+------------------------+----------------------+
| Basic | Per Request | Request |
| Digest | Per Request | Request |
| NTLM | Multilegged | Connection |
| Kerberos | Multilegged |Connection or Request |
| Negotiate | Multilegged |Connection or Request |
+-----------+------------------------+----------------------+
RFC 2616 defines HTTP as a stateless protocol and dictates that authentication schemes MUST be stateless. However, multilegged authentication support for multiplexing requires state to associate separate request/response pairs that are part of the same multilegged authentication process.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
As implied by its name, multilegged authentication requires multiple roundtrips to establish an authenticated communication channel between client and server. If the resource requested by a client requires authentication, the server initiates the authentication process as follows:
Figure 1: Multilegged authentication example:
Client Server
| |
| -------- (0) HTTP GET Request ----> |
| |
| <------- (1) HTTP 401 ------------- |
| |
| -------- (2) HTTP Get Request ----> |
| w Auth header |
| |
| <------- (3) HTTP 401 ------------- |
| |
| -------- (4) HTTP Get Request ----> |
| w Auth header |
| |
| <------- (5) HTTP 200 OK----------- |
| |
| |
v v
Multilegged authentication requires state to be communicated between multiple streams. Network flows 3 and 4 in Figure 1 need to share state in order for authentication to succeed. Some multilegged authentication schemes (i.e. Kerberos and Negotiate) can authenticate either a connection or individual requests, which has historically caused a lot if issues with multilegged authentication in HTTP 1.1.
Figure 2 below provides a detailed breakdown of proposed network flows to implement multilegged authentication for HTTP 2.0 multiplexing:
Figure 2 - Proposed multilegged authentication:
Multiplexing
Client HTTP Server
| |
| -------- HTTP GET Request ------> |
| |
| <------- (0) HTTP 401 ------------- |
| |
| -------- (1) HTTP Get Request ----> |
| w Auth header |[Auth-ID header
| | generated (1.5)]
| <------- (2) HTTP 401 ------------- |
| w Auth-ID header |
| |
| -------- (3) HTTP Get Request ----> |[Persisted-auth header
| w Auth header and | generated (3.5)]
| Auth-ID header |
| |
| <------- (4) HTTP 200 OK----------- |
| w optional |
| PersistedAuth header |
| |
| |
v v
Servers create and store security context information when they create the Auth-ID header. An Auth-ID header CANNOT be reused across sessions.
The Auth-ID mapping is destroyed when the authentication process completes. Completion of the authentication process can be a successful authentication or failure to authenticate. TBD: Should Auth-IDs be random numbers? The security vs look-up perf implications should be weighed.
Servers SHOULD limit the number of incomplete security contexts per session, to protect against misbehaving clients that cause the server to create multiple authentication contexts but never complete the authentication process. Servers SHOULD define a maximum number of incomplete security contexts and ignore SYN streams from misbehaving clients.
Per-session security contexts are transient and servers SHOULD discard them when request processing completes. There SHOULD only be one complete security context open per session.
HTTP proxies MUST add a new Remote-http-version header to inform the client of the HTTP version of the remote host. HTTP 2.0 clients can make authentication decisions based on the HTTP version of the target server. Proxy and gateway applications should take the consideration outlined by RFC 2616 when forwarding messages between client and servers with different protocol version capabilities.
Authentication from an HTTP 2.0 (or greater) client to an HTTP 2.0 (or greater) server will work without additional changes, other than those described in the Multilegged Authentication for HTTP multiplexing proposal section of this document. Proxies MUST bind the client-to-proxy and proxy-to-server connections.
HTTP 2.0 (or greater) clients that establish an authenticated connection to an HTTP 1.1 server (via a proxy) SHOULD downgrade HTTP version to HTTP 1.1, to avoid serialization.
HTTP 2.0 clients can multiplex streams within the authenticated HTTP 2.0 client-proxy session, but the proxy MUST serialize requests through the authenticated HTTP 1.1 proxy-server connection.
HTTP 2.0 clients could decide to downgrade all requests requiring authentication (via a proxy) to HTTP 1.1 servers or only downgrade authenticated sessions, as indicated by the presence of the Persisted-auth header.
No changes required to support this scenario as HTTP 1.1 clients ignore HTTP 2.0 headers.
The proposed authentication mechanism works only if there is a limit of one unique host per HTTP 2.0 session.
Implementers should be aware of the security considerations defined by the individual authentication schemes supported. The following are some general security considerations that are independent of the proposed authentication mechanism.
The proposed authentication mechanism is only used to provide authentication of a user to a server. It provides no facilities for protecting the HTTP headers or data including the Authorization and WWW-Authenticate headers that are used to implement this mechanism.
Alternate mechanisms such as TLS can be used to provide confidentiality. Hashes of the TLS certificates can be used as channel bindings to secure the channel. In this case clients would need to enforce that the channel binding information is valid.
If an HTTP proxy is used between the client and server, it MUST take care to not share authenticated connections between different authenticated clients to the same server. If this is not honored, then the server can easily lose track of security context associations.
A proxy that correctly honors client to server authentication integrity will supply the "Proxy-support: Session-Based-Authentication" HTTP header to the client in HTTP responses from the proxy.
Thanks to the following individuals who provided helpful feedback and contributed to discussions on this document: Paul Leach, Nathan Ide and Rob Trace.