RPCSEC_GSS Protocol Specification
RFC 2203
| Document | Type |
RFC - Proposed Standard
(September 1997; Errata)
Updated by RFC 5403
|
|
|---|---|---|---|
| Last updated | 2014-08-01 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2203 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group M. Eisler
Request for Comments: 2203 A. Chiu
Category: Standards Track L. Ling
September 1997
RPCSEC_GSS Protocol Specification
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This memo describes an ONC/RPC security flavor that allows RPC
protocols to access the Generic Security Services Application
Programming Interface (referred to henceforth as GSS-API).
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2
3. Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3
4. New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3
5. Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3
5.1. Version Selection . . . . . . . . . . . . . . . . . . . . . 5
5.2. Context Creation . . . . . . . . . . . . . . . . . . . . . . 5
5.2.1. Mechanism and QOP Selection . . . . . . . . . . . . . . . 5
5.2.2. Context Creation Requests . . . . . . . . . . . . . . . . 6
5.2.3. Context Creation Responses . . . . . . . . . . . . . . . . 8
5.2.3.1. Context Creation Response - Successful Acceptance . . . 8
5.2.3.1.1. Client Processing of Successful Context Creation
Responses . . . . . . . . . . . . . . . . . . . . . . 9
5.2.3.2. Context Creation Response - Unsuccessful Cases . . . . . 9
5.3. RPC Data Exchange . . . . . . . . . . . . . . . . . . . . 10
5.3.1. RPC Request Header . . . . . . . . . . . . . . . . . . . 10
5.3.2. RPC Request Data . . . . . . . . . . . . . . . . . . . . 11
5.3.2.1. RPC Request Data - No Data Integrity . . . . . . . . . 11
5.3.2.2. RPC Request Data - With Data Integrity . . . . . . . . 11
5.3.2.3. RPC Request Data - With Data Privacy . . . . . . . . . 12
5.3.3. Server Processing of RPC Data Requests . . . . . . . . . 12
5.3.3.1. Context Management . . . . . . . . . . . . . . . . . . 12
5.3.3.2. Server Reply - Request Accepted . . . . . . . . . . . 14
5.3.3.3. Server Reply - Request Denied . . . . . . . . . . . . 15
Eisler, et. al. Standards Track [Page 1]
RFC 2203 RPCSEC_GSS Protocol Specification September 1997
5.3.3.4. Mapping of GSS-API Errors to Server Responses . . . . 16
5.3.3.4.1. GSS_GetMIC() Failure . . . . . . . . . . . . . . . . 16
5.3.3.4.2. GSS_VerifyMIC() Failure . . . . . . . . . . . . . . 16
5.3.3.4.3. GSS_Unwrap() Failure . . . . . . . . . . . . . . . . 16
5.3.3.4.4. GSS_Wrap() Failure . . . . . . . . . . . . . . . . . 16
5.4. Context Destruction . . . . . . . . . . . . . . . . . . . 17
6. Set of GSS-API Mechanisms . . . . . . . . . . . . . . . . . 17
7. Security Considerations . . . . . . . . . . . . . . . . . . 18
7.1. Privacy of Call Header . . . . . . . . . . . . . . . . . . 18
7.2. Sequence Number Attacks . . . . . . . . . . . . . . . . . 18
7.2.1. Sequence Numbers Above the Window . . . . . . . . . . . 18
7.2.2. Sequence Numbers Within or Below the Window . . . . . . 18
7.3. Message Stealing Attacks . . . . . . . . . . . . . . . . . 19
Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . . 20
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
This document describes the protocol used by the RPCSEC_GSS security
flavor. Security flavors have been called authentication flavors for
historical reasons. This memo recognizes that there are two other
security services besides authentication, integrity, and privacy, and
so defines a new RPCSEC_GSS security flavor.
The protocol is described using the XDR language [Srinivasan-xdr].
The reader is assumed to be familiar with ONC RPC and the security
flavor mechanism [Srinivasan-rpc]. The reader is also assumed to be
familiar with the GSS-API framework [Linn]. The RPCSEC_GSS security
flavor uses GSS-API interfaces to provide security services that are
independent of the underlying security mechanism.
2. The ONC RPC Message Protocol
This memo refers to the following XDR types of the ONC RPC protocol,
which are described in the document entitled Remote Procedure Call
Protocol Specification Version 2 [Srinivasan-rpc]:
msg_type
reply_stat
Show full document text