Internet Engineering Task Force                                    T. Yu
Internet-Draft                                   MIT Kerberos Consortium
Updates: 4120 (if approved)                                     Feb 2013
Intended status: Standards Track
Expires: August 5, 2013


   Kerberos Ticket flag indicating KDC support for resolving hostname
                                aliases
              draft-yu-kitten-kerberos-kdc-does-aliases-00

Abstract

   This document specifies a Kerberos Ticket flag that indicates that
   the Key Distribution Center (KDC) can resolve hostname aliases in
   service principal names.  This document updates RFC 4120.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 5, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Yu                       Expires August 5, 2013                 [Page 1]

Internet-Draft          KDC-resolves-aliases flag               Feb 2013


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . . . 3
   3.  Motivation  . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  KDC Behavior  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   5.  Client Behavior . . . . . . . . . . . . . . . . . . . . . . . . 3
   6.  Assigned numbers  . . . . . . . . . . . . . . . . . . . . . . . 4
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 4
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     10.1.  Normative References . . . . . . . . . . . . . . . . . . . 4
     10.2.  Informative References . . . . . . . . . . . . . . . . . . 5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 5




































Yu                       Expires August 5, 2013                 [Page 2]

Internet-Draft          KDC-resolves-aliases flag               Feb 2013


1.  Introduction

   This document specifies a new Kerberos Ticket flag that indicates
   that the Key Distribution Center (KDC) is capable of resolving
   hostname aliases.  A Kerberos client can interpret the presence of
   this Ticket flag as a recommendation to avoid using potentially
   insecure DNS lookups to canonicalize hostnames when constructing
   Kerberos principal names.


2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


3.  Motivation

   When attempting to authenticate to a Kerberos application service,
   existing Kerberos client implementations typically perform hostname
   canonicalization when constructing the Kerberos service principal.
   In practice, these clients canonicalize using insecure DNS, contrary
   to the recommendations in RFC 4120 [RFC4120].  Implementations are
   not consistent about whether they use forward resolution (looking up
   an address record for the user-provided hostname and returning the
   accompanying canonical hostname) or reverse resolution (taking the IP
   address from a forward resolution and returning the reverse pointer
   (PTR) record) to canonicalize hostname components of Kerberos service
   principal names.


4.  KDC Behavior

   If a KDC has knowledge of all hostname aliases for host-based service
   principal names in its realm, it SHOULD set the kdc-resolves-aliases
   (number TBD) flag in the Ticket and EncKDCRepPart for all tickets it
   issues.


5.  Client Behavior

   If a client receives an EncKDCRepPart that has the flag kdc-resolves-
   aliases set, it SHOULD NOT attempt to canonicalize hostnames in
   service principal names for the realm whose KDC set that flag.
   Instead, the client SHOULD use the unchanged user-provided hostname
   when constructing the service principal name.  The following
   behaviors in RFC 4120 [RFC4120] are still permitted: clients MAY



Yu                       Expires August 5, 2013                 [Page 3]

Internet-Draft          KDC-resolves-aliases flag               Feb 2013


   append a statically configured domain name to unqualified hostname,
   and clients SHOULD fold the hostname to lowercase.


6.  Assigned numbers

   TBD


7.  IANA Considerations

   TBD.


8.  Security Considerations

   The new ticket flag described in this document allows Kerberos realm
   administrators to communicate a recommendation to clients that they
   not attempt any hostname canonicalization when constructing service
   principal names.  This avoids the use of insecure DNS to resolve
   hostnames, which can allow principal name substitution attacks in
   some environments.


9.  Acknowledgements

   Thanks to Sam Hartman, Love Hornquist Astrand, and many others who
   suggested this idea and contributed to its evolution.


10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.

   [X.680]    ISO, "Information technology -- Abstract Syntax Notation
              One (ASN.1): Specification of basic notation -- ITU-T
              Recommendation X.680 (ISO/IEC International Standard 8824-
              1:2008)", 2008.

   [X.690]    ISO, "Information technology -- ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical



Yu                       Expires August 5, 2013                 [Page 4]

Internet-Draft          KDC-resolves-aliases flag               Feb 2013


              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER) -- ITU-T Recommendation X.690 (ISO/IEC International
              Standard 8825-1:2008)", 1997.

10.2.  Informative References

   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.


Author's Address

   Tom Yu
   MIT Kerberos Consortium
   77 Massachusetts Ave
   Cambridge, Massachusetts
   USA

   Email: tlyu@mit.edu
































Yu                       Expires August 5, 2013                 [Page 5]