Internet Engineering Task Force T. Yu
Internet-Draft MIT Kerberos Consortium
Updates: 4120 (if approved) Feb 2013
Intended status: Standards Track

Kerberos Ticket flag indicating KDC support for resolving hostname aliases
draft-yu-kitten-kerberos-kdc-does-aliases-00

Abstract

This document specifies a Kerberos Ticket flag that indicates that the Key Distribution Center (KDC) can resolve hostname aliases in service principal names. This document updates RFC 4120.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction

This document specifies a new Kerberos Ticket flag that indicates that the Key Distribution Center (KDC) is capable of resolving hostname aliases. A Kerberos client can interpret the presence of this Ticket flag as a recommendation to avoid using potentially insecure DNS lookups to canonicalize hostnames when constructing Kerberos principal names.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Motivation

When attempting to authenticate to a Kerberos application service, existing Kerberos client implementations typically perform hostname canonicalization when constructing the Kerberos service principal. In practice, these clients canonicalize using insecure DNS, contrary to the recommendations in RFC 4120 [RFC4120]. Implementations are not consistent about whether they use forward resolution (looking up an address record for the user-provided hostname and returning the accompanying canonical hostname) or reverse resolution (taking the IP address from a forward resolution and returning the reverse pointer (PTR) record) to canonicalize hostname components of Kerberos service principal names.

4. KDC Behavior

If a KDC has knowledge of all hostname aliases for host-based service principal names in its realm, it SHOULD set the kdc-resolves-aliases (number TBD) flag in the Ticket and EncKDCRepPart for all tickets it issues.

5. Client Behavior

If a client receives an EncKDCRepPart that has the flag kdc-resolves-aliases set, it SHOULD NOT attempt to canonicalize hostnames in service principal names for the realm whose KDC set that flag. Instead, the client SHOULD use the unchanged user-provided hostname when constructing the service principal name. The following behaviors in RFC 4120 [RFC4120] are still permitted: clients MAY append a statically configured domain name to unqualified hostname, and clients SHOULD fold the hostname to lowercase.

6. Assigned numbers

TBD

7. IANA Considerations

TBD.

8. Security Considerations

The new ticket flag described in this document allows Kerberos realm administrators to communicate a recommendation to clients that they not attempt any hostname canonicalization when constructing service principal names. This avoids the use of insecure DNS to resolve hostnames, which can allow principal name substitution attacks in some environments.

9. Acknowledgements

Thanks to Sam Hartman, Love Hornquist Astrand, and many others who suggested this idea and contributed to its evolution.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4120] Neuman, C., Yu, T., Hartman, S. and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005.
[X.680] ISO, , "Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation -- ITU-T Recommendation X.680 (ISO/IEC International Standard 8824-1:2008) ", 2008.
[X.690] ISO, , "Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) -- ITU-T Recommendation X.690 (ISO/IEC International Standard 8825-1:2008) ", 1997.

10.2. Informative References

[RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.

Author's Address

Tom Yu MIT Kerberos Consortium 77 Massachusetts Ave Cambridge, Massachusetts USA EMail: tlyu@mit.edu