Network Working Group Bernard Aboba INTERNET-DRAFT Microsoft Category: Experimental 13 February 2001 EAP GSS Authentication Protocol 1. Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. 2. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. 3. Abstract The Extensible Authentication Protocol (EAP) provides a standard mechanism for support of additional authentication methods within layer 2 protocols, including PPP and IEEE 802.1X. Through the use of EAP, support for a number of authentication schemes may be added, including public key, smart cards, Kerberos, One Time Passwords, and others. It is desirable to support GSS-API authentication methods within EAP, since this permits developers creating GSS-API compliant authentication methods to leverage their development efforts. This document describes how EAP-GSS, which includes support for fragmentation and reassembly, supports the use of GSS-API mechanisms within EAP. GSS-API provides for the negotiation of authentication methods through use of the SPNEGO mechanism. As a result, any GSS-API mechanism supported by SPNEGO and Aboba Experimental [Page 1] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 providing initial authentication can be used with EAP-GSS, including IAKERB. 4. Introduction The Extensible Authentication Protocol (EAP) [5] provides a standard mechanism for support of additional authentication methods within layer 2 protocols, including PPP [1] and IEEE 802.1X [27]. Through the use of EAP, support for a number of authentication schemes may be added, including public key [12], smart cards, Kerberos, One Time Passwords, and others. It is desirable to support GSS-API authentication methods within EAP, since this permits developers creating GSS-API compliant authentication methods to leverage their development efforts. This document describes how EAP-GSS, which includes support for fragmentation and reassembly, supports the use of GSS-API mechanisms within EAP. GSS-API, described in [15], provides for the negotiation of authentication methods through use of the SPNEGO mechanism, described in [19]. As a result, any GSS-API mechanism supported by SPNEGO and providing initial authentication can be used with EAP-GSS, including IAKERB [18]. 4.1. Requirements language In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [11]. 5. Protocol overview As described in [5], the EAP-GSS conversation will typically begin with the authenticator and the peer negotiating EAP. The authenticator will then typically send an EAP-Request/Identity packet to the peer, and the peer will respond with an EAP-Response/Identity packet to the authenticator, containing the peer's user-Id. >From here on, the EAP-GSS conversation may proceed in one of two ways. In the first mode, the peer acts as the GSS-API initiator, and the EAP server acts as the GSS-API target. In the second mode, which shortens the conversation by one round-trip, the EAP server acts as the GSS-API initiator, and the peer acts as the GSS-API target. We discuss each mode in turn. 5.1. EAP server as GSS-API initiator Once having received the peer's Identity, the EAP server responds with an EAP-Request packet of EAP-Type=EAP-GSS. Aboba Experimental [Page 2] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 If the EAP server knows the GSS-API method to be used with the peer a- priori, and that GSS-API method can be initiated by the EAP Server, then the EAP server MAY act as a GSS-API initiator with the peer acting as a GSS-API target. Since the EAP server cannot know whether it can act as initiator if the GSS-API method is to be negotiated, in this case the method must be selected a-priori and SPNEGO MUST NOT be used. To initiate the conversation, the EAP-Server sends an EAP-Request packet with EAP-Type=EAP-GSS. The data field of the packet will encapsulate a GSS-API token, created as a result of a call to GSS_Init_sec_context (). In this case mutual authentication MUST be requested (otherwise the peer would not be authenticated to the authenticator!) so that the the mutual_req_flag is set and the call to GSS_Init_sec-context() returns GSS_S_CONTINUE_NEEDED status. When it receives the EAP-Request, the peer will de-capsulate the received GSS-API token within the EAP-GSS frame, and will pass it as the input_token parameter to GSS_Accept_sec_context(). If GSS_Accept_sec_context indicates GSS_S_COMPLETE status, then the authenticator has been authenticated by the peer, and the authenticator's indicated identity is provided in the src_name result, along with an output_token to be encapsulated within an EAP-Response packet with EAP-Type=EAP-GSS, and passed back to the EAP-Server. The EAP server will then de-capsulate the GSS-API token within the EAP- Response message and pass it as the input_token parameter to GSS_Init_sec_context(). If the call returns GSS_S_COMPLETE status, then the peer has been authenticated to the EAP-Server, then the EAP-Server responds with an EAP-Success message. If GSS_S_CONTINUE_NEEDED status is returned, then the EAP Server encapsulates the returned output_token with an EAP-Request packet of EAP-Type=EAP-GSS, and pass this back to the peer. Aboba Experimental [Page 3] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 The conversation (which can require as few as 2.5 round trips) appears as follows: Peer Authenticator ------ ------------- EAP/Identity <-------Request EAP/Identity Response --------> GSS_Init_sec_context(mutual_req_flag) returns GSS_S_CONTINUE_NEEDED, output_token <--------EAP Request EAP-GSS output_token GSS_Accept_sec_context(input_token) returns GSS_S_COMPLETE, output_token EAP Response --------> EAP-GSS output_token GSS_Init_sec_context(input_token) returns GSS_S_COMPLETE <--------EAP Success 5.2. Peer as GSS-API initiator If the EAP server is prepared to allow negotiation of the GSS-API method via SPNEGO [19], or if the EAP server knows the GSS-API method to be used, but cannot initiate it (e.g. IAKERB, Kerberos V), then the peer MUST act as a GSS-API initiator, with the EAP server acting as the GSS- API target. In this case, the EAP server MUST respond with an EAP-GSS/Start packet, which is an EAP-Request packet with EAP-Type=EAP-GSS, the Start (S) bit set, and no data. The per then calls GSS_Init_sec_context(), typically with mutual authentication requested so that the mutual_req_flag is set and the call returns GSS_S_CONTINUE_NEEDED status. The output_token is then encapsulated within an EAP-Response packet with EAP-Type=EAP-GSS and sent to the authenticator. If method negotiation is to be used, then an initial negotiation toekn for the Simple and Protected GSS-API Aboba Experimental [Page 4] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 Negotiation Mechanism (SPNEGO) [19] is transferred. This contains an ordered list of mechanisms, a set of options that should be supported by the selected mechanism and the initial security token for the mechanism preferred by the peer. The inclusion of the initial security token for the preferred method saves a round-trip, assuming that the authenticator agrees to the preferred mechanism. The EAP server then de-capsulates the GSS-API token contained within the EAP-Response of EAP-Type=EAP-GSS and uses this as the input_token parameter to a call to GSS_Accept_sec_context(). The output_token parameter will then contain a token, containing the result of the negotiation and in the case of accept, the agreed security mechanism and the response to the initial security token as described in [19]. This token is then encapsulated within an EAP-Request packet of EAP-Type=GSS- API, which is sent to the peer. This occurs whether the call completed with GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status. The peer then de-capsulates the GSS-API token contained within the EAP- Request packet with EAP-Type=EAP-GSS, and passes the input_token parameter to GSS_Init_sec_context(). The output_token is encapsulated within an EAP-Response packet with EAP-Type=EAP-GSS and sent to the EAP server. This occurs whether the call completed with GSS_S_CONTINUE_NEEDED status or GSS_S_COMPLETE status. If the previous call to GSS_Accept_sec_context() returned GSS_S_COMPLETE status, then the EAP-Server returns an EAP-Success message to the client. Otherwise, it de-capsulates the GSS-API token contained within the EAP-Request packet, and the conversation continues. Aboba Experimental [Page 5] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 The conversation (which can require as few as 3.5 round trips) appears as follows: Authenticating Peer Authenticator ------------------- ------------- EAP-Request/ <- Identity EAP-Response/ Identity (MyID) -> EAP-Request/ EAP-Type=EAP-GSS <- (GSS Start, S bit set) GSS_Init_sec_context(mutual_req_flag) returns GSS_S_CONTINUE_NEEDED, output_token (SPNEGO) EAP-Response/ EAP-Type=EAP-GSS output_token -> GSS_Accept_sec_context(input_token) returns GSS_S_COMPLETE, output_token (SPNEGO) EAP-Request/ EAP-Type=EAP-GSS <- output_token GSS_Init_sec_context(input_token) returns GSS_S_COMPLETE, output_token EAP-Response/ EAP-Type=EAP-GSS output_token -> <- EAP-Success 5.3. Topology While nominally the EAP conversation occurs between the authenticator and the peer, the authenticator MAY act as a pass-through device, with the EAP packets received from the peer being encapsulated for transmission to a RADIUS server or backend security server, such as a Kerberos KDC. In the discussion that follows, we will use the term "EAP server" to denote the ultimate endpoint conversing with the peer. For use with EAP-GSS, two topologies are likely, one with a RADIUS backend as well as a Kerberos KDC backend, and other using solely a Aboba Experimental [Page 6] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 Kerberos KDC backend. We discuss each of these topologies in turn. In the other topology, EAP-GSS is used along with the GSS-API IAKERB [18] or Kerberos V [20] mechanisms. Where IAKERB is used, the authenticator functions as an IAKERB proxy, de-capsulating EAP- GSS/IAKERB messages and passing them on to the KDC. In addition, where the peer already has a valid TGT and ticket to the NAS, it may choose to use the Kerberos V mechanism within EAP. Note that in the case of 802.11, the Kerberos AP_REQ/AP_REP messages are carried in messages outside the conventional EAP exchange [34] so that use of the Kerberos V mechanism within EAP is not necessary. In the alternate topology, messages from the KDC are encapsulated within EAP-GSS/IAKERB and sent to the peer. In this case, the authenticator needs to understand the EAP-GSS, GSS-API IAKERB, as well as GSS-API Kerberos V mechanisms. In the examples below, conversations are provided for each topology. Aboba Experimental [Page 7] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 5.3.1. RADIUS backend In the RADIUS backend topology, the authenticator functions as an EAP- passthrough device, encapsulating EAP messages received from the peer within RADIUS as described in [33], and passing them on to the RADIUS server. In turn, EAP-Message attributes received from the RADIUS server are de-capsulated by the authenticator and sent to the peer. In this topology, the authenticator need not have knowledge of specific EAP or GSS-API methods. A successful EAP-GSS/IAKERB authentication occuring in a topology with an authenticator acting as an IAKERB proxy to a Kerberos KDC will appear as below. Peer Authenticator RADIUS KDC ------ ------------- --------- ------ EAP/Identity <-Request EAP/Identity Response -> EAP/Identity Response -> Access-Challenge EAP-GSS Request <- (Start) <-EAP-GSS Request(Empty) EAP-GSS Response [1] (SPNEGO) -> EAP-GSS Response (SPNEGO) -> Access-Challenge EAP-GSS Request <-(SPNEGO) EAP-GSS Request <-(SPNEGO) EAP-GSS IAKERB Response [2] (AS_REQ) -> EAP-GSS IAKERB Aboba Experimental [Page 8] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 Response (AS_REQ) -> AS_REQ -> <- AS_REP Access-Challenge EAP-GSS IAKERB Request <-(AS_REP) EAP-GSS IAKERB Request <-(AS_REP) EAP-GSS IAKERB Response [3] (TGS_REQ) -> EAP-GSS IAKERB Response (TGS_REQ) -> TGS_REQ -> <- TGS_REP Access-Challenge EAP-GSS IAKERB Request <-(TGS_REP) EAP-GSS IAKERB Request <-(TGS_REP) EAP-GSS IAKERB Response (Empty) -> EAP-GSS IAKERB Response (Empty) -> Access-Accept [4] <- EAP-Success <- EAP-Success AP_REQ -> <- AP_REP [5] Notes: Aboba Experimental [Page 9] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 1. IAKERB may be requested by the EAP-GSS client without the need for negotiation, or SPNEGO may be used. 2. The AS_REQ requests a TGT from the KDC. It may or may not include PADATA. As a result, the AS_REQ may not authenticate the peer to the KDC, but the AS_REP authenticates the KDC to the peer. 3. The TGS_REQ requests a ticket to the authenticator service. The ticket is encrypted with the authenticator's key so that it can only be validated by the authenticator. 4. On receiving a TGS_REP from the KDC rather than a KRB_ERROR, the RADIUS server can conclude that the peer has succesfully authenticated, and thus that it is appropriate to reply to the authenticator with an Access-Accept encapsulating an EAP-Success. 5. The IAKERB exchange ends before the AP_REQ/AP_REP exchange occurs. As a result, the AP_REQ/AP_REP exchange either will not occur (preventing mutual authentication between peer and authenticator or transport of the session key from peer to authenticator), will occur out-of-band (e.g. after access is granted), or will occur in a subsequent EAP-GSS conversation (e.g. using the GSS-API Kerberos V method). Aboba Experimental [Page 10] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 5.3.2. Kerberos backend In the solely Kerberos-based topology, EAP-GSS is used along with the GSS-API IAKERB [18] or Kerberos V [20] mechanisms. Where IAKERB is used, the authenticator functions as an IAKERB proxy, de-capsulating EAP-GSS/IAKERB messages and passing them on to the KDC. In addition, where the peer already has a valid TGT and ticket to the NAS, it may choose to use the Kerberos V mechanism within EAP. Note that in the case of 802.11, the Kerberos AP_REQ/AP_REP messages are carried in messages outside the conventional EAP exchange [34] so that use of the Kerberos V mechanism within EAP is not necessary. In the Kerberos-only topology, messages from the KDC are encapsulated within EAP-GSS/IAKERB and sent to the peer. In this case, the authenticator needs to understand the EAP-GSS, GSS-API IAKERB, as well as GSS-API Kerberos V mechanisms. A successful EAP-GSS/IAKERB authentication occuring in a topology with an authenticator acting as an IAKERB proxy to a Kerberos KDC will appear as follows: Peer Authenticator KDC ------ ------------- --------- EAP/Identity <-Request EAP/Identity Response -> <-EAP-GSS Start EAP-GSS IAKERB Response [1] (AS_REQ) -> AS_REQ -> <- AS_REP [2] EAP-GSS IAKERB Request <-AS_REP) EAP-GSS IAKERB Response [3] (TGS_REQ) -> TGS_REQ -> <- TGS_REP [4] Aboba Experimental [Page 11] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 EAP-GSS IAKERB Request <-(TGS_REP) EAP-GSS IAKERB Response (Empty) -> <- EAP-Success AP_REQ [5]-> <- AP_REP [6] Notes: 1. If PADATA is not used in the AS_REQ, then the peer does not authenticate to the KDC. 2. The KDC authenticates to the peer in the AS_REP. 3. The peer authenticates to the KDC via the TGS_REQ. 4. The KDC authenticates to the peer via the TGS_REP. The TGS_REP also provides the peer with a ticket and session-key for use with the authenticator. 5. Up until this point, the peer has not mutually authenticated with the authenticator, or exchanged a key with it. As a result, the peer and authenticator need to conclude an AP_REQ/AP_REP exchange. This can occur in-band or out-of-band. In the AP-REQ, the peer authenticates to the authenticator and provides it with a session key. 6. The authenticator authenticates to the peer using the AP_REP. 6. Detailed description of the EAP-GSS protocol 6.1. EAP GSS Packet Format A summary of the EAP GSS Request/Response packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Data... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code Aboba Experimental [Page 12] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 1 - Request 2 - Response Identifier The identifier field is one octet and aids in matching responses with requests. Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. Type 14 - EAP GSS Data The format of the Data field is determined by the Code field. 6.2. EAP GSS Request Packet A summary of the EAP GSS Request packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Flags | GSS Message Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | GSS Message Length | GSS Data... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 1 Identifier The Identifier field is one octet and aids in matching responses with requests. The Identifier field MUST be changed on each Request packet. Aboba Experimental [Page 13] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, and GSS Response fields. Type ? - EAP GSS Flags 0 1 2 3 4 5 6 7 8 +-+-+-+-+-+-+-+-+ |L M S R R R R R| +-+-+-+-+-+-+-+-+ L = Length included M = More fragments S = EAP-GSS start R = Reserved The L bit (length included) is set to indicate the presence of the four octet GSS Message Length field, and MUST be set for the first fragment of a fragmented GSS message or set of messages. The M bit (more fragments) is set on all but the last fragment. The S bit (EAP- GSS start) is set in an EAP-GSS Start message. This differentiates the EAP-GSS Start message from a fragment acknowledgment. GSS Message Length The GSS Message Length field is four octets, and is present only if the L bit is set. This field provides the total length of the GSS message or set of messages that is being fragmented. GSS data The GSS data consists of the encapsulated GSS packet. 6.3. EAP GSS Response Packet A summary of the EAP GSS Response packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | Aboba Experimental [Page 14] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Flags | GSS Message Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | GSS Message Length | GSS Data... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 2 Identifier The Identifier field is one octet and MUST match the Identifier field from the corresponding request. Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, and GSS data fields. Type ? - EAP GSS Flags 0 1 2 3 4 5 6 7 8 +-+-+-+-+-+-+-+-+ |L M S R R R R R| +-+-+-+-+-+-+-+-+ L = Length included M = More fragments S = EAP-GSS start R = Reserved The L bit (length included) is set to indicate the presence of the four octet GSS Message Length field, and MUST be set for the first fragment of a fragmented GSS message or set of messages. The M bit (more fragments) is set on all but the last fragment. The S bit (EAP- GSS start) is set in an EAP-GSS Start message. This differentiates the EAP-GSS Start message from a fragment acknowledgment. GSS Message Length The GSS Message Length field is four octets, and is present only if the L bit is set. This field provides the total length of the GSS Aboba Experimental [Page 15] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 message or set of messages that is being fragmented. GSS data The GSS data consists of the encapsulated GSS packet. 6.4. Fragmentation It is possible that EAP-GSS messages may exceed the link MTU size, the maximum RADIUS packet size of 4096 octets, or even the Multilink Maximum Received Reconstructed Unit (MRRU). As described in [2], within PPP the multi-link MRRU is negotiated via the Multilink MRRU LCP option, which includes an MRRU length field of two octets, and thus can support MRRUs as large as 64 KB. In order to protect against reassembly lockup and denial of service attacks, it may be desirable for an implementation to set a maximum size for a GSS-API token. Since a typical certificate chain is rarely longer than a few thousand octets, and no other field is likely to be anywhere near as long, a reasonable choice of maximum acceptable message length might be 64 KB. If this value is chosen, then for PPP links, fragmentation can be handled via the multi-link PPP fragmentation mechanisms described in [2]. While this is desirable, there may be cases in which multi-link or the MRRU LCP option cannot be negotiated. Also, since EAP methods must also be usable within IEEE 802.1X [27], an EAP-GSS implementation MUST provide its own support for fragmentation and reassembly. Since EAP is a simple ACK-NAK protocol, fragmentation support can be added in a simple manner. In EAP, fragments that are lost or damaged in transit will be retransmitted, and since sequencing information is provided by the Identifier field in EAP, there is no need for a fragment offset field as is provided in IP. EAP-GSS fragmentation support is provided through addition of a flags octet within the EAP-Response and EAP-Request packets, as well as a GSS Message Length field of four octets. Flags include the Length included (L), More fragments (M), and EAP-GSS Start (S) bits. The L flag is set to indicate the presence of the four octet GSS Message Length field, and MUST be set for the first fragment of a fragmented GSS message or set of messages. The M flag is set on all but the last fragment. The S flag is set only within the EAP-GSS start message sent from the EAP server to the peer. The GSS Message Length field is four octets, and provides the total length of the GSS-API token or set of messages that is being fragmented; this simplifies buffer allocation. Aboba Experimental [Page 16] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 When an EAP-GSS peer receives an EAP-Request packet with the M bit set, it MUST respond with an EAP-Response with EAP-Type=EAP-GSS and no data. This serves as a fragment ACK. The EAP server MUST wait until it receives the EAP-Response before sending another fragment. In order to prevent errors in processing of fragments, the EAP server MUST increment the Identifier field for each fragment contained within an EAP-Request, and the peer MUST include this Identifier value in the fragment ACK contained within the EAP-Response. Retransmitted fragments will contain the same Identifier value. Similarly, when the EAP server receives an EAP-Response with the M bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-GSS and no data. This serves as a fragment ACK. The EAP peer MUST wait until it receives the EAP-Request before sending another fragment. In order to prevent errors in the processing of fragments, the EAP server MUST use increment the Identifier value for each fragment ACK contained within an EAP-Request, and the peer MUST include this Identifier value in the subsequent fragment contained within an EAP-Response. Aboba Experimental [Page 17] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 In the case where the EAP-GSS authentication is successful, and fragmentation is required, the conversation will appear as follows: Authenticating Peer Authenticator ------------------- ------------- EAP-Request/ <- Identity EAP-Response/ Identity (MyID) -> EAP-Request/ EAP-Type=EAP-GSS <-(GSS Start, S bit set) GSS_Init_sec_context(mutual_req_flag) returns GSS_S_CONTINUE_NEEDED, output_token (SPNEGO) EAP-Response/ EAP-Type=EAP-GSS output_token -> GSS_Accept_sec_context(input_token) returns GSS_S_COMPLETE, output_token (SPNEGO) EAP-Request/ EAP-Type=EAP-GSS output_token <- (Fragment 1: L, M bits set) EAP-Response/ EAP-Type=EAP-GSS -> EAP-Request/ EAP-Type=EAP-GSS <- (Fragment 2: M bit set) EAP-Response/ EAP-Type=EAP-GSS -> EAP-Request/ EAP-Type=EAP-GSS <- (Fragment 3) GSS_Init_sec_context(input_token) returns GSS_S_COMPLETE, output_token EAP-Response/ EAP-Type=EAP-GSS output_token Aboba Experimental [Page 18] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 (Fragment 1: L, M bits set)-> EAP-Request/ <- EAP-Type=EAP-GSS EAP-Response/ EAP-Type=EAP-GSS (Fragment 2)-> <- EAP-Success 6.5. Retry behavior As with other EAP protocols, the EAP server is responsible for retry behavior. This means that if the EAP server does not receive a reply from the peer, it MUST resend the EAP-Request for which it has not yet received an EAP-Response. However, the peer MUST NOT resend EAP-Response packets without first being prompted by the EAP server. For example, if the initial EAP-GSS start packet sent by the EAP server were to be lost, then the peer would not receive this packet, and would not respond to it. As a result, the EAP-GSS start packet would be resent by the EAP server. Once the peer received the EAP-GSS start packet, it would send an EAP-Response encapsulating the client_hello message. If the EAP-Response were to be lost, then the EAP server would resend the initial EAP-GSS start, and the peer would resend the EAP-Response. As a result, it is possible that a peer will receive duplicate EAP- Request messages, and may send duplicate EAP-Responses. Both the peer and the EAP-Server should be engineered to handle this possibility. 6.6. Identity verification As part of the GSS-API conversation, it is possible that the server may present a certificate to the peer, or that the peer may present a certificate to the EAP server. If the peer has made a claim of identity in the EAP-Response/Identity (MyID) packet, the EAP server SHOULD verify that the claimed identity corresponds to the certificate presented by the peer. Typically this will be accomplished either by placing the userId within the peer certificate, or by providing a mapping between the peer certificate and the userId using a directory service. Similarly, the peer MUST verify the validity of the EAP server certificate, and SHOULD also examine the EAP server name presented in the certificate, in order to determine whether the EAP server can be trusted. Please note that in the case where the EAP authentication is remoted that the EAP server will not reside on the same machine as the authenticator, and therefore the name in the EAP server's certificate cannot be expected to match that of the intended destination. In this Aboba Experimental [Page 19] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 case, a more appropriate test might be whether the EAP server's certificate is signed by a CA controlling the intended destination and whether the EAP server exists within a target sub-domain. 6.7. Use of addresses When using EAP-GSS, the EAP client may not be able to include an address in an EAP-Response message, since prior to obtaining access the EAP client may not have an IP address. The IAKERB GSS-API method can explicitly handle this, as described in [18]. However, Where Kerberos V is negotiated [16], [20] the addresses field of the AS_REQ and TGS_REQ SHOULD be blank and the caddr field of the ticket SHOULD also be left blank. 6.8. Credential reuse Note that a peer with valid credentials may reuse those credentials in a subsequent authentication. For example, a peer initially using the IAKERB GSS-API method to obtain a TGT and a ticket to the authenticator may subsequently reuse that ticket in an AP_REQ/AP_REP exchange that may occur either in-band (e.g. via use of the Kerberos V GSS-API method) or out-of-band (e.g. via an 802.1X EAPOL-Key message). Typically in-band efficiency savings are modest (one round-trip saved using the Kerberos V GSS-API method versus IAKERB), while savings from out-of-band credential reuse can be more substantial. Credential reuse improves efficiency in a number of scenarios. Where the peer attempts to re-authenticate to an EAP server within a short period of time, the re-authentication time may be shortened. Also, where the peer roams to another authenticator willing to accept credentials from a previous authenticator, fast-handoff may be achieved. Credential reuse may also prove useful during multi-link authentication. The decision of whether to attempt to reuse credentials is left up to the peer, which needs to determine whether credential use is likely to succeed. The decision may be based on out-of-band information (such as probe/response messages exchanged via 802.11 [28], or the time elapsed since the previous authentication attempt. If the peer attempts to reuse credentials that are not valid for the authenticator, then no harm is done. The authenticator will respond with an error and the peer can then re-authenticate using the more complete sequence. For example, after an initial IAKERB authentication, the peer will have obtained a TGT from the KDC via the AS_REP, and a ticket to the authenticator within the TGS_REP. The peer may subsequently attempt to negotiate the Kerberos V GSS-API method, so as to reuse the previously obtained credentials. Should a KRB_ERROR be returned by the authenticator, then the peer can negotiate IAKERB on its next attempt Aboba Experimental [Page 20] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 instead. Note that for credential reuse to be possible while roaming, it is necessary for authenticators to share the same key with the KDC. If this is not the case, then peers moving from one authenticator to another will not be able to reuse authenticator tickets. Similarly, if the EAP servers are set up in a rotary or made available via a round- robin technique, then the credentials also may not be reusable, unless the EAP authentication is remoted to a central authentication server. 6.9. ECP negotiation ECP, described in [6], supports unprotected cipher-suite negotiations within PPP and is thus vulnerable to attack. Since SPNEGO [19] supports protected cipher-suite negotiation in the case where the negotiated method provides authentication and integrity protection, use of SPNEGO is preferable to ECP. Peers completing the GSS-API SPNEGO negotiation will typically implicitly select a cipher-suite, which includes key strength, encryption and hashing methods. As a result, a subsequent Encryption Control Protocol (ECP) conversation [6], if it occurs, has a predetermined result. However, since the ECP-supported ciphersuites may not correspond to the ciphersuites implicitly negotiated as part of SPNEGO, it may not be possible for the ECP conversation to verify the ciphersuites implicitly selected via SPNEGO. For example, the ECP methods defined in [9]-[10] only support DES and 3DES transforms for confidentiality, and do not support authentication or integrity protection. Thus, there is no correspondence between existing ECP methods and the ciphersuites available within GSS-API methods such as Kerberos [16]-[17]. 7. References [1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)." STD 51, RFC 1661, July 1994. [2] Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T. Coradetti, "The PPP Multilink Protocol (MP)." RFC 1990, August 1996. [3] Simpson, W., Editor, "PPP LCP Extensions." RFC 1570, January 1994. [4] Rivest, R., Dusse, S., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. [5] Blunk, L., Vollbrecht, J., "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998. Aboba Experimental [Page 21] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 [6] Meyer, G., "The PPP Encryption Protocol (ECP)." RFC 1968, June 1996 [7] National Bureau of Standards, "Data Encryption Standard", FIPS PUB 46 (January 1977). [8] National Bureau of Standards, "DES Modes of Operation", FIPS PUB 81 (December 1980). [9] Sklower, K., Meyer, G., "The PPP DES Encryption Protocol, Version 2 (DESE-bis)", RFC 2419, September 1998. [10] Hummert, K., "The PPP Triple-DES Encryption Protocol (3DESE)", RFC 2420, September 1998. [11] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [12] Aboba, B., Simon, S.,"PPP EAP TLS Authentication Protocol", RFC 2716, October 1999. [13] D. Rand. "The PPP Compression Control Protocol." RFC 1962, Novell, June 1996. [14] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. [15] Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2743, January 2000. [16] Kohl, J., Neuman, C., "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993. [17] Neuman, B. C., Ts'o, T., "Kerberos: An Authentication Service for Computer Networks", IEEE Communications, 32(9):33-38, September 1994. [18] Swift, M., Trostle, J., "Initial Authentication and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)", Internet draft (work in progress), draft-ietf-cat-iakerb-05.txt, November 2000. [19] Baize, E., Pinkas., D., "The Simple and Protected GSS-API Negotiation Mechanism", RFC 2478, December 1998. [20] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June 1996. Aboba Experimental [Page 22] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 [21] IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture, ANSI/IEEE Std 802, 1990. [22] ISO/IEC 10038 Information technology - Telecommunications and information exchange between systems - Local area networks - Media Access Control (MAC) Bridges, (also ANSI/IEEE Std 802.1D- 1993), 1993. [23] ISO/IEC Final CD 15802-3 Information technology - Tele- communications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 3:Media Access Control (MAC) bridges, (current draft available as IEEE P802.1D/D15). [24] IEEE Standards for Local and Metropolitan Area Networks: Draft Standard for Virtual Bridged Local Area Networks, P802.1Q/D8, January 1998. [25] ISO/IEC 8802-3 Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications, (also ANSI/IEEE Std 802.3- 1996), 1996. [26] IEEE Standards for Local and Metropolitan Area Networks: Demand Priority Access Method, Physical Layer and Repeater Specification For 100 Mb/s Operation, IEEE Std 802.12-1995. [27] IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Draft 802.1X/D8, November 2000. [28] Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std. 802.11-1997, 1997. [29] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [30] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [31] Zorn, G., Mitton, D., Aboba, B., "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000. [32] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., Goyret, I., "RADIUS Attributes for Tunnel Protocol Support", RFC Aboba Experimental [Page 23] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 2868, June 2000. [33] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC 2869, June 2000. [34] Walker, J., "802.11 TGe Baseline Draft", work in progress, http://www.drizzle.com/~aboba/IEEE/1-18.zip 8. Security Considerations 8.1. Certificate revocation Since the EAP server is on the Internet during the EAP conversation, the server is capable of following a certificate chain or verifying whether the peer's certificate has been revoked. In contrast, the peer may or may not have Internet connectivity, and thus while it can validate the EAP server's certificate based on a pre-configured set of CAs, it may not be able to follow a certificate chain or verify whether the EAP server's certificate has been revoked. In the case where the peer is initiating a voluntary Layer 2 tunnel using PPTP or L2TP, the peer will typically already have a PPP interface and Internet connectivity established at the time of tunnel initiation. As a result, during the EAP conversation it is capable of checking for certificate revocation. However, in the case where the peer is initiating a connection, it will not have Internet connectivity and is therefore not capable of checking for certificate revocation until after the peer has access to the Internet. In this case, the peer SHOULD check for certificate revocation after connecting to the Internet. 8.2. Mutual authentication It is highly recommended that a GSS-API method supporting mutual authentication be selected during the SPNEGO negotiation. This addresses vulnerabilities associated with rogue EAP servers, as well as avoiding vulnerabilities associated with parallel one-way authentications. 8.3. Key management As a result of the EAP-GSS conversation, the EAP endpoints will mutually authenticate and derive a session key for subsequent use in PPP or 802.11 WEP [28] encryption. Since the peer and EAP client reside on the same machine, it is necessary for the EAP client module to pass the session key to the layer 2 encryption module. Aboba Experimental [Page 24] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 The situation may be more complex on the authenticator, which may or may not reside on the same machine as the EAP server. In the case where the EAP server and authenticator reside on different machines, there are several implications for security. Firstly, the mutual authentication defined in EAP-GSS will occur between the peer and the EAP server, not between the peer and the authenticator. This means that as a result of the EAP-GSS conversation, it is not possible for the peer to validate the identity of the device that it is speaking to. The second issue is that the session key negotiated between the peer and EAP server will need to be transmitted to the authenticator. Both issues can be addressed via addition of a followon exchange. For example, where the IAKERB GSS-API method is used for initial authentication, the Kerberos V GSS-API method can be used to mutually authenticate the peer and authenticator and transfer the session key from the peer to the authenticator. 9. Acknowledgments Thanks to Terence Spies, Paul Leach, and Mike Swift of Microsoft for useful discussions of this problem space. 10. Authors' Addresses Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: +1 (425) 936-6605 EMail: bernarda@microsoft.com 11. Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards- related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. Aboba Experimental [Page 25] INTERNET-DRAFT EAP GSS Authentication Protocol 13 February 2001 The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 12. Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 13. Expiration Date This memo is filed as , and expires October 1, 2001. Aboba Experimental [Page 26]