RPCSEC_GSS Protocol Specification
RFC 2203
Document | Type |
RFC - Proposed Standard
(September 1997; Errata)
Updated by RFC 5403
|
|
---|---|---|---|
Authors | Mike Eisler , Lin Ling , Alex Chiu | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2203 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group M. Eisler Request for Comments: 2203 A. Chiu Category: Standards Track L. Ling September 1997 RPCSEC_GSS Protocol Specification Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Abstract This memo describes an ONC/RPC security flavor that allows RPC protocols to access the Generic Security Services Application Programming Interface (referred to henceforth as GSS-API). Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2 3. Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3 4. New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3 5. Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3 5.1. Version Selection . . . . . . . . . . . . . . . . . . . . . 5 5.2. Context Creation . . . . . . . . . . . . . . . . . . . . . . 5 5.2.1. Mechanism and QOP Selection . . . . . . . . . . . . . . . 5 5.2.2. Context Creation Requests . . . . . . . . . . . . . . . . 6 5.2.3. Context Creation Responses . . . . . . . . . . . . . . . . 8 5.2.3.1. Context Creation Response - Successful Acceptance . . . 8 5.2.3.1.1. Client Processing of Successful Context Creation Responses . . . . . . . . . . . . . . . . . . . . . . 9 5.2.3.2. Context Creation Response - Unsuccessful Cases . . . . . 9 5.3. RPC Data Exchange . . . . . . . . . . . . . . . . . . . . 10 5.3.1. RPC Request Header . . . . . . . . . . . . . . . . . . . 10 5.3.2. RPC Request Data . . . . . . . . . . . . . . . . . . . . 11 5.3.2.1. RPC Request Data - No Data Integrity . . . . . . . . . 11 5.3.2.2. RPC Request Data - With Data Integrity . . . . . . . . 11 5.3.2.3. RPC Request Data - With Data Privacy . . . . . . . . . 12 5.3.3. Server Processing of RPC Data Requests . . . . . . . . . 12 5.3.3.1. Context Management . . . . . . . . . . . . . . . . . . 12 5.3.3.2. Server Reply - Request Accepted . . . . . . . . . . . 14 5.3.3.3. Server Reply - Request Denied . . . . . . . . . . . . 15 Eisler, et. al. Standards Track [Page 1] RFC 2203 RPCSEC_GSS Protocol Specification September 1997 5.3.3.4. Mapping of GSS-API Errors to Server Responses . . . . 16 5.3.3.4.1. GSS_GetMIC() Failure . . . . . . . . . . . . . . . . 16 5.3.3.4.2. GSS_VerifyMIC() Failure . . . . . . . . . . . . . . 16 5.3.3.4.3. GSS_Unwrap() Failure . . . . . . . . . . . . . . . . 16 5.3.3.4.4. GSS_Wrap() Failure . . . . . . . . . . . . . . . . . 16 5.4. Context Destruction . . . . . . . . . . . . . . . . . . . 17 6. Set of GSS-API Mechanisms . . . . . . . . . . . . . . . . . 17 7. Security Considerations . . . . . . . . . . . . . . . . . . 18 7.1. Privacy of Call Header . . . . . . . . . . . . . . . . . . 18 7.2. Sequence Number Attacks . . . . . . . . . . . . . . . . . 18 7.2.1. Sequence Numbers Above the Window . . . . . . . . . . . 18 7.2.2. Sequence Numbers Within or Below the Window . . . . . . 18 7.3. Message Stealing Attacks . . . . . . . . . . . . . . . . . 19 Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . . 20 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction This document describes the protocol used by the RPCSEC_GSS security flavor. Security flavors have been called authentication flavors for historical reasons. This memo recognizes that there are two other security services besides authentication, integrity, and privacy, and so defines a new RPCSEC_GSS security flavor. The protocol is described using the XDR language [Srinivasan-xdr]. The reader is assumed to be familiar with ONC RPC and the security flavor mechanism [Srinivasan-rpc]. The reader is also assumed to be familiar with the GSS-API framework [Linn]. The RPCSEC_GSS security flavor uses GSS-API interfaces to provide security services that are independent of the underlying security mechanism. 2. The ONC RPC Message Protocol This memo refers to the following XDR types of the ONC RPC protocol, which are described in the document entitled Remote Procedure Call Protocol Specification Version 2 [Srinivasan-rpc]: msg_type reply_statShow full document text