RADIUS Dynamic Authorization Client MIB
RFC 4672
| Document | Type | RFC - Informational (September 2006) Errata | |
|---|---|---|---|
| Authors | Murtaza Chiba , Stefaan De Cnodder , Nagi Reddy Jonnala | ||
| Last updated | 2022-12-08 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | Dan Romascanu | |
| Send notices to | (None) |
RFC 4672
CoRE Working Group M. Tiloca
Internet-Draft RISE AB
Intended status: Standards Track C. Amsuess
Expires: 11 March 2024
P. van der Stok
Consultant
8 September 2023
Discovery of OSCORE Groups with the CoRE Resource Directory
draft-tiloca-core-oscore-discovery-14
Abstract
Group communication over the Constrained Application Protocol (CoAP)
can be secured by means of Group Object Security for Constrained
RESTful Environments (Group OSCORE). At deployment time, devices may
not know the exact security groups to join, the respective Group
Manager, or other information required to perform the joining
process. This document describes how a CoAP endpoint can use
descriptions and links of resources registered at the CoRE Resource
Directory to discover security groups and to acquire information for
joining them through the respective Group Manager. A given security
group may protect multiple application groups, which are separately
announced in the Resource Directory as sets of endpoints sharing a
pool of resources. This approach is consistent with, but not limited
to, the joining of security groups based on the ACE framework for
Authentication and Authorization in constrained environments.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Constrained RESTful
Environments Working Group mailing list (core@ietf.org), which is
archived at https://mailarchive.ietf.org/arch/browse/core/.
Source for this draft and an issue tracker can be found at
https://gitlab.com/crimson84/draft-tiloca-core-oscore-discovery.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Tiloca, et al. Expires 11 March 2024 [Page 1]
Internet-Draft OSCORE group discovery with the CoRE RD September 2023
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 11 March 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Registration of Group Manager Endpoints . . . . . . . . . . . 6
2.1. Parameters . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Relation Link to Authorization Server . . . . . . . . . . 12
2.3. Registration Example . . . . . . . . . . . . . . . . . . 12
2.3.1. Example in Link Format . . . . . . . . . . . . . . . 13
2.3.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 13
3. Addition and Update of Security Groups . . . . . . . . . . . 14
3.1. Addition Example . . . . . . . . . . . . . . . . . . . . 14
3.1.1. Example in Link Format . . . . . . . . . . . . . . . 15
3.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 15
4. Discovery of Security Groups . . . . . . . . . . . . . . . . 17
4.1. Discovery Example #1 . . . . . . . . . . . . . . . . . . 18
4.1.1. Example in Link Format . . . . . . . . . . . . . . . 19
4.1.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 20
4.2. Discovery Example #2 . . . . . . . . . . . . . . . . . . 21
4.2.1. Example in Link Format . . . . . . . . . . . . . . . 21
4.2.2. Example in CoRAL . . . . . . . . . . . . . . . . . . 22
5. Use Case Example With Full Discovery . . . . . . . . . . . . 23
Tiloca, et al. Expires 11 March 2024 [Page 2]
Internet-Draft OSCORE group discovery with the CoRE RD September 2023
6. Security Considerations . . . . . . . . . . . . . . . . . . . 28
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
7.1. Link Relation Type Registry . . . . . . . . . . . . . . . 28
7.2. Target Attributes Registry . . . . . . . . . . . . . . . 28
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
8.1. Normative References . . . . . . . . . . . . . . . . . . 30
8.2. Informative References . . . . . . . . . . . . . . . . . 32
Appendix A. Use Case Example With Full Discovery (CoRAL) . . . . 34
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction
The Constrained Application Protocol (CoAP) [RFC7252] supports group
communication over IP multicast [I-D.ietf-core-groupcomm-bis] to
improve efficiency and latency of communication and reduce bandwidth
requirements. A set of CoAP endpoints constitutes an application
group by sharing a common pool of resources, that can be efficiently
accessed through group communication. The members of an application
group may be members of a security group, thus sharing a common set
of keying material to secure group communication.
The security protocol Group Object Security for Constrained RESTful
Environments (Group OSCORE) [I-D.ietf-core-oscore-groupcomm] builds
on OSCORE [RFC8613] and protects CoAP messages end-to-end in group
communication contexts through CBOR Object Signing and Encryption
(COSE) [RFC9052][RFC9053]. An application group may rely on one or
more security groups, and a same security group may be used by
multiple application groups at the same time.
A CoAP endpoint relies on a Group Manager (GM) to join a security
group and get the group keying material. The joining process in
[I-D.ietf-ace-key-groupcomm-oscore] is based on the ACE framework for
Authentication and Authorization in constrained environments
[RFC9200], with the joining endpoint and the GM acting as ACE Client
and Resource Server, respectively. That is, the joining endpoint
accesses the group-membership resource exported by the GM and
associated with the security group to join.
Typically, devices store a static X509 IDevID certificate installed
at manufacturing time [RFC8995]. This is used at deployment time
during an enrollment process that provides the devices with an
Operational Certificate, possibly updated during the device lifetime.
Operational Certificates may specify information to join security
groups, especially a reference to the group-membership resources to
access at the respective GMs.
Tiloca, et al. Expires 11 March 2024 [Page 3]
RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
radiusDynAuthServerAddress and radiusDynAuthServerAddressType
These can be used to determine the address of the DAS with which
the DAC is communicating. This information could be useful in
mounting an attack on the DAS.
radiusDynAuthServerID
This can be used to determine the Identifier of the DAS. This
information could be useful in impersonating the DAS.
radiusDynAuthServerClientPortNumber
This can be used to determine the destination port number to which
the DAC is sending. This information could be useful in mounting
an attack on the DAS.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
6. IANA Considerations
The IANA has assigned OID number 145 under mib-2.
7. Acknowledgements
The authors would also like to acknowledge the following people for
their comments on this document: Bernard Aboba, Alan DeKok, David
Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
Weber, Bert Wijnen, and Glen Zorn.
De Cnodder, et al. Informational [Page 20]
RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)",
STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Textual Conventions for SMIv2", STD 58, RFC 2579, April
1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 3576,
July 2003.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
Schoenwaelder, "Textual Conventions for Internet Network
Addresses", RFC 4001, February 2005.
8.2. Informative References
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC
2865, June 2000.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
[RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
RFC 4669, August 2006.
[RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
4671, August 2006.
De Cnodder, et al. Informational [Page 21]
RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
[RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
Authorization Server MIB", RFC 4673, September 2006.
Authors' Addresses
Stefaan De Cnodder
Alcatel
Francis Wellesplein 1
B-2018 Antwerp
Belgium
Phone: +32 3 240 85 15
EMail: stefaan.de_cnodder@alcatel.be
Nagi Reddy Jonnala
Cisco Systems, Inc.
Divyasree Chambers, B Wing, O'Shaugnessy Road
Bangalore-560027, India
Phone: +91 94487 60828
EMail: njonnala@cisco.com
Murtaza Chiba
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose CA, 95134
Phone: +1 408 525 7198
EMail: mchiba@cisco.com
De Cnodder, et al. Informational [Page 22]
RFC 4672 RADIUS Dynamic Authorization Client MIB September 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
De Cnodder, et al. Informational [Page 23]