RADIUS Dynamic Authorization Client MIB
RFC 4672
Document | Type | RFC - Informational (September 2006) Errata | |
---|---|---|---|
Authors | Murtaza Chiba , Stefaan De Cnodder , Nagi Reddy Jonnala | ||
Last updated | 2022-12-08 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
IESG | Responsible AD | Dan Romascanu | |
Send notices to | (None) |
RFC 4672
CoRE Working Group M. Tiloca Internet-Draft RISE AB Intended status: Standards Track C. Amsuess Expires: 11 March 2024 P. van der Stok Consultant 8 September 2023 Discovery of OSCORE Groups with the CoRE Resource Directory draft-tiloca-core-oscore-discovery-14 Abstract Group communication over the Constrained Application Protocol (CoAP) can be secured by means of Group Object Security for Constrained RESTful Environments (Group OSCORE). At deployment time, devices may not know the exact security groups to join, the respective Group Manager, or other information required to perform the joining process. This document describes how a CoAP endpoint can use descriptions and links of resources registered at the CoRE Resource Directory to discover security groups and to acquire information for joining them through the respective Group Manager. A given security group may protect multiple application groups, which are separately announced in the Resource Directory as sets of endpoints sharing a pool of resources. This approach is consistent with, but not limited to, the joining of security groups based on the ACE framework for Authentication and Authorization in constrained environments. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Constrained RESTful Environments Working Group mailing list (core@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/core/. Source for this draft and an issue tracker can be found at https://gitlab.com/crimson84/draft-tiloca-core-oscore-discovery. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Tiloca, et al. Expires 11 March 2024 [Page 1] Internet-Draft OSCORE group discovery with the CoRE RD September 2023 Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 11 March 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. Registration of Group Manager Endpoints . . . . . . . . . . . 6 2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 7 2.2. Relation Link to Authorization Server . . . . . . . . . . 12 2.3. Registration Example . . . . . . . . . . . . . . . . . . 12 2.3.1. Example in Link Format . . . . . . . . . . . . . . . 13 2.3.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 13 3. Addition and Update of Security Groups . . . . . . . . . . . 14 3.1. Addition Example . . . . . . . . . . . . . . . . . . . . 14 3.1.1. Example in Link Format . . . . . . . . . . . . . . . 15 3.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 15 4. Discovery of Security Groups . . . . . . . . . . . . . . . . 17 4.1. Discovery Example #1 . . . . . . . . . . . . . . . . . . 18 4.1.1. Example in Link Format . . . . . . . . . . . . . . . 19 4.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 20 4.2. Discovery Example #2 . . . . . . . . . . . . . . . . . . 21 4.2.1. Example in Link Format . . . . . . . . . . . . . . . 21 4.2.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 22 5. Use Case Example With Full Discovery . . . . . . . . . . . . 23 Tiloca, et al. Expires 11 March 2024 [Page 2] Internet-Draft OSCORE group discovery with the CoRE RD September 2023 6. Security Considerations . . . . . . . . . . . . . . . . . . . 28 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 7.1. Link Relation Type Registry . . . . . . . . . . . . . . . 28 7.2. Target Attributes Registry . . . . . . . . . . . . . . . 28 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 8.1. Normative References . . . . . . . . . . . . . . . . . . 30 8.2. Informative References . . . . . . . . . . . . . . . . . 32 Appendix A. Use Case Example With Full Discovery (CoRAL) . . . . 34 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 1. Introduction The Constrained Application Protocol (CoAP) [RFC7252] supports group communication over IP multicast [I-D.ietf-core-groupcomm-bis] to improve efficiency and latency of communication and reduce bandwidth requirements. A set of CoAP endpoints constitutes an application group by sharing a common pool of resources, that can be efficiently accessed through group communication. The members of an application group may be members of a security group, thus sharing a common set of keying material to secure group communication. The security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) [I-D.ietf-core-oscore-groupcomm] builds on OSCORE [RFC8613] and protects CoAP messages end-to-end in group communication contexts through CBOR Object Signing and Encryption (COSE) [RFC9052][RFC9053]. An application group may rely on one or more security groups, and a same security group may be used by multiple application groups at the same time. A CoAP endpoint relies on a Group Manager (GM) to join a security group and get the group keying material. The joining process in [I-D.ietf-ace-key-groupcomm-oscore] is based on the ACE framework for Authentication and Authorization in constrained environments [RFC9200], with the joining endpoint and the GM acting as ACE Client and Resource Server, respectively. That is, the joining endpoint accesses the group-membership resource exported by the GM and associated with the security group to join. Typically, devices store a static X509 IDevID certificate installed at manufacturing time [RFC8995]. This is used at deployment time during an enrollment process that provides the devices with an Operational Certificate, possibly updated during the device lifetime. Operational Certificates may specify information to join security groups, especially a reference to the group-membership resources to access at the respective GMs. Tiloca, et al. Expires 11 March 2024 [Page 3] RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006 radiusDynAuthServerAddress and radiusDynAuthServerAddressType These can be used to determine the address of the DAS with which the DAC is communicating. This information could be useful in mounting an attack on the DAS. radiusDynAuthServerID This can be used to determine the Identifier of the DAS. This information could be useful in impersonating the DAS. radiusDynAuthServerClientPortNumber This can be used to determine the destination port number to which the DAC is sending. This information could be useful in mounting an attack on the DAS. SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module. It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy). Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them. 6. IANA Considerations The IANA has assigned OID number 145 under mib-2. 7. Acknowledgements The authors would also like to acknowledge the following people for their comments on this document: Bernard Aboba, Alan DeKok, David Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg Weber, Bert Wijnen, and Glen Zorn. De Cnodder, et al. Informational [Page 20] RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999. [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999. [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002. [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003. [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 4001, February 2005. 8.2. Informative References [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet- Standard Management Framework", RFC 3410, December 2002. [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6", RFC 4669, August 2006. [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC 4671, August 2006. De Cnodder, et al. Informational [Page 21] RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006 [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic Authorization Server MIB", RFC 4673, September 2006. Authors' Addresses Stefaan De Cnodder Alcatel Francis Wellesplein 1 B-2018 Antwerp Belgium Phone: +32 3 240 85 15 EMail: stefaan.de_cnodder@alcatel.be Nagi Reddy Jonnala Cisco Systems, Inc. Divyasree Chambers, B Wing, O'Shaugnessy Road Bangalore-560027, India Phone: +91 94487 60828 EMail: njonnala@cisco.com Murtaza Chiba Cisco Systems, Inc. 170 West Tasman Dr. San Jose CA, 95134 Phone: +1 408 525 7198 EMail: mchiba@cisco.com De Cnodder, et al. Informational [Page 22] RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). De Cnodder, et al. Informational [Page 23]