Design Considerations for Protocol Extensions
draft-iab-extension-recs-17
The information below is for an old version of the document that is already published as an RFC.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 6709.
|
|
---|---|---|---|
Authors | Brian E. Carpenter , Dr. Bernard D. Aboba , Stuart Cheshire | ||
Last updated | 2013-02-12 (Latest revision 2012-06-27) | ||
RFC stream | Internet Architecture Board (IAB) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | IAB state | Published RFC | |
Consensus boilerplate | Unknown | ||
IAB shepherd | (None) |
draft-iab-extension-recs-17
Internet Engineering Task Force (IETF) M. Sahni, Ed. Request for Comments: 8954 Palo Alto Networks Updates: 6960 November 2020 Category: Standards Track ISSN: 2070-1721 Online Certificate Status Protocol (OCSP) Nonce Extension Abstract This document specifies the updated format of the Nonce extension in the Online Certificate Status Protocol (OCSP) request and response messages. OCSP is used to check the status of a certificate, and the Nonce extension is used to cryptographically bind an OCSP response message to a particular OCSP request message. This document updates RFC 6960. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8954. Copyright NoticeThis document shows some of the current implementations on the market have already outstripped the capabilities of the RADIUS protocol. A quite a few features have been developed completely outside the protocol. These features use the RADIUS protocol structure and format, but employ operations and semantics well beyond the RFC documents. The limited set of data types defined in [RFC2865] has lead to subsequent documents defining new data types. Since new data types are typically defined implicitly as part of defining a new attribute, and because RADIUS client and server implementations differ in their support of these additional specifications, there is no definitive registry of RADIUS data types and data type support has been inconsistent. To catalog commonly implemented data types as well as to provide guidance for implementers as well as attribute designers, "RADIUS Design Guidelines" [RFC6158] Section 2.1 includes advice on basic and complex data types. Unfortunately, these guidelines were published 14 years after the RADIUS protocol was first documented in [RFC2058]. Section 6.2 of the RADIUS specification [RFC2865] defines a mechanism for Vendor-Specific extensions (Attribute 26), and states that use of Vendor-Specific extensions: should be encouraged instead of allocation of global attribute types, for functions specific only to one vendor's implementation of RADIUS, where no interoperability is deemed useful. However, in practice usage of Vendor-Specific Attributes (VSAs) has been considerably broader than this. In particular, VSAs have been used by Standards Development Organizations (SDOs) to define their own extensions to the RADIUS protocol. This has caused a number of problems. One issue concerns the data model for VSAs. Since it was not envisaged that multi-vendor VSA implementations would need to interoperate, the RADIUS specification [RFC2865] does not define the data model for VSAs, and allows multiple sub-attributes to be included within a single Attribute of type 26. Since this enables VSAs to be defined which would not be supportable by current implementations if placed within the standard RADIUS attribute space, this has caused problems in standardizing widely deployed VSAs, as discussed in "RADIUS Design Guidelines" BCP 158 [RFC6158] Section 2.4: RADIUS attributes can often be developed within the vendor space without loss (and possibly even with gain) in functionality. As a result, translation of RADIUS attributes developed within the IAB Informational [Page 36] Internet-Draft Design Considerations for Extensions 26 June 2012 vendor space into the standard space may provide only modest benefits, while accelerating the exhaustion of the standard space. We do not expect that all RADIUS attribute specifications requiring interoperability will be developed within the IETF, and allocated from the standard space. A more scalable approach is to recognize the flexibility of the vendor space, while working toward improvements in the quality and availability of RADIUS attribute specifications, regardless of where they are developed. It is therefore NOT RECOMMENDED that specifications intended solely for use by a vendor or SDO be translated into the standard space. Another issue is how implementations should handle unknown VSAs. [RFC2865] Section 5.26 states: Servers not equipped to interpret the vendor-specific information sent by a client MUST ignore it (although it may be reported). Clients which do not receive desired vendor-specific information SHOULD make an attempt to operate without it, although they may do so (and report they are doing so) in a degraded mode. However, since VSAs do not contain a "mandatory" bit, RADIUS clients and servers may not know whether it is safe to ignore unknown VSAs. For example, in the case where VSAs pertain to security (e.g., Filters), it may not be safe to ignore them. As a result, "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes" [RFC5080] Section 2.5 includes the following caution: To avoid misinterpretation of service requests encoded within VSAs, RADIUS servers SHOULD NOT send VSAs containing service requests to RADIUS clients that are not known to understand them. For example, a RADIUS server should not send a VSA encoding a filter without knowledge that the RADIUS client supports the VSA. In addition to extending RADIUS by use of VSAs, SDOs have also defined new values of the Service-Type attribute in order to create new RADIUS commands. Since the RADIUS specification [RFC2865] defined Service-Type values as being allocated First Come, First Served (FCFS), this permitted new RADIUS commands to be allocated without IETF review. This oversight has since been fixed in "IANA Considerations for RADIUS" [RFC3575]. A.3. TLS Extensions The Secure Sockets Layer (SSL) v2 protocol was developed by Netscape to be used to secure online transactions on the Internet. It was IAB Informational [Page 37] Internet-Draft Design Considerations for Extensions 26 June 2012 later replaced by SSL v3, also developed by Netscape. SSL v3 was then further developed by the IETF as the Transport Layer Security (TLS) 1.0 [RFC2246]. The SSL v3 protocol was not explicitly specified to be extended. Even TLS 1.0 did not define an extension mechanism explicitly. However, extension "loopholes" were available. Extension mechanisms were finally defined in "Transport Layer Security (TLS) Extensions" [RFC4366]: o New versions o New cipher suites o Compression o Expanded handshake messages o New record types o New handshake messages The protocol also defines how implementations should handle unknown extensions. Of the above extension methods, new versions and expanded handshake messages have caused the most interoperability problems. Implementations are supposed to ignore unknown record types but to reject unknown handshake messages. The new version support in SSL/TLS includes a capability to define new versions of the protocol, while allowing newer implementations to communicate with older implementations. As part of this functionality, some Key Exchange methods include functionality to prevent version rollback attacks. The experience with this upgrade functionality in SSL and TLS is decidedly mixed: o SSL v2 and SSL v3/TLS are not compatible. It is possible to use SSL v2 protocol messages to initiate a SSL v3/TLS connection, but it is not possible to communicate with a SSL v2 implementation using SSL v3/TLS protocol messages. o There are implementations that refuse to accept handshakes using newer versions of the protocol than they support. o There are other implementations that accept newer versions, but have implemented the version rollback protection clumsily. The SSL v2 problem has forced SSL v3 and TLS clients to continue to use SSL v2 Client Hellos for their initial handshake with almost all servers until 2006, much longer than would have been desirable, in order to interoperate with old servers. IAB Informational [Page 38] Internet-Draft Design Considerations for Extensions 26 June 2012 The problem with incorrect handling of newer versions has also forced many clients to actually disable the newer protocol versions, either by default, or by automatically disabling the functionality, to be able to connect to such servers. Effectively, this means that the version rollback protection in SSL and TLS is non-existent if talking to a fatally compromised older version. SSL v3 and TLS also permitted expansion of the Client Hello and Server Hello handshake messages. This functionality was fully defined by the introduction of TLS Extensions, which makes it possible to add new functionality to the handshake, such as the name of the server the client is connecting to, request certificate status information, indicate Certificate Authority support, maximum record length, etc. Several of these extensions also introduce new handshake messages. It has turned out that many SSL v3 and TLS implementations that do not support TLS Extensions, did not, as required by the protocol specifications, ignore the unknown extensions, but instead failed to establish connections. Several of the implementations behaving in this manner are used by high profile Internet sites, such as online banking sites, and this has caused a significant delay in the deployment of clients supporting TLS Extensions, and several of the clients that have enabled support are using heuristics that allow them to disable the functionality when they detect a problem. Looking forward, the protocol version problem, in particular, can cause future security problems for the TLS protocol. The strength of the digest algorithms (MD5 and SHA-1) used by SSL and TLS is weakening. If MD5 and SHA-1 weaken to the point where it is feasible to mount successful attacks against older SSL and TLS versions, the current error recovery used by clients would become a security vulnerability (among many other serious problems for the Internet). To address this issue, TLS 1.2 [RFC5246] makes use of a newer cryptographic hash algorithm (SHA-256) during the TLS handshake by default. Legacy ciphersuites can still be used to protect application data, but new ciphersuites are specified for data protection as well as for authentication within the TLS handshake. The hashing method can also be negotiated via a Hello extension. Implementations are encouraged to implement new ciphersuites, and to enable the negotiation of the ciphersuite used during a TLS session to be governed by policy, thus enabling a more rapid transition away from weakened ciphersuites. The lesson to be drawn from this experience is that it isn't sufficient to design extensibility carefully; it must also be implemented carefully by every implementer, without exception. Test IAB Informational [Page 39] Internet-Draft Design Considerations for Extensions 26 June 2012 suites and certification programs can help provide incentives for implementers to pay attention to implementing extensibility mechanisms correctly. A.4. L2TP Extensions Layer Two Tunneling Protocol (L2TP) [RFC2661] carries Attribute-Value Pairs (AVPs), with most AVPs having no semantics to the L2TP protocol itself. However, it should be noted that L2TP message types are identified by a Message Type AVP (Attribute Type 0) with specific AVP values indicating the actual message type. Thus, extensions relating to Message Type AVPs would likely be considered major extensions. L2TP also provides for Vendor-Specific AVPs. Because everything in L2TP is encoded using AVPs, it would be easy to define vendor- specific AVPs that would be considered major extensions. L2TP also provides for a "mandatory" bit in AVPs. Recipients of L2TP messages containing AVPs they do not understand but that have the mandatory bit set, are expected to reject the message and terminate the tunnel or session the message refers to. This leads to interesting interoperability issues, because a sender can include a vendor-specific AVP with the M-bit set, which then causes the recipient to not interoperate with the sender. This sort of behavior is counter to the IETF ideals, as implementations of the IETF standard should interoperate successfully with other implementations and not require the implementation of non-IETF extensions in order to interoperate successfully. Section 4.2 of the L2TP specification [RFC2661] includes specific wording on this point, though there was significant debate at the time as to whether such language was by itself sufficient. Fortunately, it does not appear that the potential problems described above have yet become a problem in practice. At the time of this writing, the authors are not aware of the existence of any vendor- specific AVPs that also set the M-bit. Change log [RFC Editor: please remove this section] -17: 2012-6-27. Resolved issue 133. -16: 2012-6-26. Resolved issue 176. -15: 2012-6-25. Resolved issues 174 and 175. -14: 2012-6-09. Resolved issue 169. -13: 2012-6-03. Resolved issue 166. -12: 2012-5-27. Resolved issues 127, 128, 129 and 161. -11: 2012-2-22. Resolved issue 126. -10: 2012-2-12. Resolved issues 106 and 108. -09: 2011-10-30. Resolved additional issues. IAB Informational [Page 40] Internet-Draft Design Considerations for Extensions 26 June 2012 -08: 2011-10-22. Resolved additional issues. -07: 2011-7-24. Resolved issues raised in Call for Comment. -06: 2011-3-01. Incorporated corrections and organizational updates. -05: 2011-2-04. Added to the Security Considerations section. -04: 2011-2-01. Added material on cryptographic agility. -03: 2011-1-25. Updates and reorganization. -02: 2010-7-12. Updates by Bernard Aboba. -01: 2010-4-07. Updates by Stuart Cheshire. -00: 2009-4-24. Updated boilerplate, author list. -04: 2008-10-24. Updated author addresses, editorial fixes. -03: 2008-10-17. Updated references, added material on versioning. -02: 2007-06-15. Reorganized Sections 2 and 3. -01: 2007-03-04. Updated according to comments, especially the wording about TLS, added various specific examples. draft-carpenter-extension-recs-00: original version, 2006-10-12. Derived from draft-iesg-vendor-extensions-02.txt dated 2004-06-04 by focusing on architectural issues; the procedural issues were moved to RFC 4775. Authors' Addresses Brian Carpenter Department of Computer Science University of Auckland PB 92019 Auckland, 1142 New Zealand Email: brian.e.carpenter@gmail.com Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 EMail: bernard_aboba@hotmail.com Stuart Cheshire Apple Computer, Inc. 1 Infinite Loop Cupertino, CA 95014 EMail: cheshire@apple.com IAB Informational [Page 41]