Network Working Group                                          K. Luehrs
Request for Comments: 3634                                     CableLabs
Category: Standards Track                                      R. Woundy
                                                           Comcast Cable
                                                           J. Bevilacqua
                                                              N. Davoust
                                                         YAS Corporation
                                                           December 2003
        
Network Working Group                                          K. Luehrs
Request for Comments: 3634                                     CableLabs
Category: Standards Track                                      R. Woundy
                                                           Comcast Cable
                                                           J. Bevilacqua
                                                              N. Davoust
                                                         YAS Corporation
                                                           December 2003
        

Key Distribution Center (KDC) Server Address Sub-option for the Dynamic Host Configuration Protocol (DHCP) CableLabs Client Configuration (CCC) Option

动态主机配置协议(DHCP)CableLabs客户端配置(CCC)选项的密钥分发中心(KDC)服务器地址子选项

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

Abstract

摘要

This document defines a new sub-option for the CableLabs Client Configuration (CCC) Dynamic Host Configuration Protocol (DHCP) option code for conveying the network addresses of Key Distribution Center (KDC) servers.

本文档为CableLabs客户端配置(CCC)动态主机配置协议(DHCP)选项代码定义了一个新的子选项,用于传输密钥分发中心(KDC)服务器的网络地址。

1. Introduction
1. 介绍

A CableLabs Client Configuration (CCC) Dynamic Host Configuration Protocol (DHCP) Option code providing the Key Distribution Center (KDC) server address will be needed for CableHome-compliant residential gateways configured to use Kerberos for authentication as the first step in establishing a secure SNMPv3 link between the Portal Service (PS) logical element [2,3] in residential gateways, and the SNMP entity in the cable operator's data network.

CableHome兼容的住宅网关需要CableLabs客户端配置(CCC)动态主机配置协议(DHCP)选项代码提供密钥分发中心(KDC)服务器地址,配置为使用Kerberos进行身份验证,这是在门户服务(PS)之间建立安全SNMPv3链路的第一步住宅网关中的逻辑元素[2,3],以及电缆运营商数据网络中的SNMP实体。

The CCC DHCP option code will be used to address specific needs of CableLabs client devices during their configuration processes. This document proposes a sub-option for the CCC DHCP option.

CCC DHCP选项代码将用于在配置过程中满足CableLabs客户端设备的特定需求。本文件提出了CCC DHCP选项的子选项。

Configuration of a class of CableLabs client devices described in [2] and [3] will require a DHCP sub-option to provide the client with the network address of a KDC server in the cable operator's data network.

[2]和[3]中描述的CableLabs客户端设备类别的配置将需要DHCP子选项,以向客户端提供有线电视运营商数据网络中KDC服务器的网络地址。

The class of devices assumed in [2] and [3] is unlike the class of devices considered in [1], which perform a DNS lookup of the Kerberos Realm name to find the KDC server network address.

[2]和[3]中假定的设备类别与[1]中考虑的设备类别不同,后者执行Kerberos领域名称的DNS查找以查找KDC服务器网络地址。

This document proposes a sub-option of the CCC DHCP option code for use with CableLabs client devices. The proposed sub-option encodes an identifier for the network address of each of one or more Key Distribution Center servers with which the CableLabs client device exchanges security information.

本文档提出了CCC DHCP选项代码的子选项,用于CableLabs客户端设备。建议的子选项对CableLabs客户端设备与之交换安全信息的一个或多个关键配送中心服务器的网络地址的标识符进行编码。

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY" in this document are to be interpreted as described in BCP 14, RFC 2119 [4].

本文件中的关键词“必须”、“不得”、“应该”、“不应该”和“可能”应按照BCP 14、RFC 2119[4]中的描述进行解释。

2. Key Distribution Center IP Address Sub-option
2. 密钥分发中心IP地址子选项

CableHome specifications will specify the Key Distribution Center network address encoding as a sub-option of the CCC DHCP Option code. This field will be used to inform the client device of the network address of one or more Key Distribution Center servers.

CableHome规范将密钥分发中心网络地址编码指定为CCC DHCP选项代码的子选项。此字段将用于通知客户端设备一个或多个关键配送中心服务器的网络地址。

The encoding of the KDC Server Address sub-option will adhere to the format of an IPv4 address. The minimum length for this option is 4 octets, and the length MUST always be a multiple of 4. If multiple KDC Servers are listed, they MUST be listed in decreasing order of priority. The format of the KDC Server Address sub-option of the CCC option code is as shown below:

KDC服务器地址子选项的编码将遵循IPv4地址的格式。此选项的最小长度为4个八位字节,长度必须始终为4的倍数。如果列出了多个KDC服务器,则必须按优先级降序列出它们。CCC选项代码的KDC服务器地址子选项的格式如下所示:

    SubOpt  Len      Address 1               Address 2
   +------+-----+-----+-----+-----+-----+-----+-----+--
   |  10  |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
   +------+-----+-----+-----+-----+-----+-----+-----+--
        
    SubOpt  Len      Address 1               Address 2
   +------+-----+-----+-----+-----+-----+-----+-----+--
   |  10  |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
   +------+-----+-----+-----+-----+-----+-----+-----+--
        
3. Security Considerations
3. 安全考虑

This document relies upon the DHCP protocol [5] for authentication and security, i.e., it does not provide security in excess of what DHCP is (or will be) providing. Potential exposures to attack in the DHCP protocol are discussed in section 7 of the DHCP protocol specification [5] and in Authentication for DHCP Messages [6].

本文档依赖DHCP协议[5]进行身份验证和安全性,即,它提供的安全性不超过DHCP正在(或将要)提供的安全性。DHCP协议规范[5]第7节和DHCP消息的身份验证[6]中讨论了DHCP协议中可能存在的攻击风险。

The CCC option can be used to misdirect network traffic by providing incorrect DHCP server addresses, incorrect provisioning server addresses, and incorrect Kerberos realm names to a CableLabs client

通过向CableLabs客户端提供不正确的DHCP服务器地址、不正确的配置服务器地址和不正确的Kerberos领域名称,CCC选项可用于误导网络流量

device. This misdirection can lead to several threat scenarios. A Denial of Service (DoS) attack can result from address information being simply invalid. A man-in-the-middle attack can be mounted by providing addresses to a potential snooper. A malicious service provider can steal customers from the customer selected service provider, by altering the Kerberos realm designation.

装置这种误导可能导致多种威胁情景。地址信息完全无效可能导致拒绝服务(DoS)攻击。中间人攻击可以通过向潜在的窥探者提供地址来发动。恶意服务提供商可以通过更改Kerberos领域名称从客户选择的服务提供商处窃取客户。

These threats are mitigated by several factors.

这些威胁通过几个因素得以缓解。

Within the cable delivery architecture required by CableLabs' PacketCable, DOCSIS, and CableHome specifications, the DHCP client is connected to a network through a cable modem and the Cable Modem Termination System (CMTS). The CMTS is explicitly configured with a set of DHCP servers to which DHCP requests are forwarded. Further, a correctly configured CMTS will only allow downstream traffic from specific IP addresses/ ranges.

在CableLabs的PacketCable、DOCSIS和CableHome规范要求的电缆交付体系结构中,DHCP客户端通过电缆调制解调器和电缆调制解调器终端系统(CMTS)连接到网络。CMTS被显式配置为一组DHCP服务器,DHCP请求被转发到这些服务器。此外,正确配置的CMT将只允许来自特定IP地址/范围的下游流量。

Assuming that server addresses were successfully spoofed to the point that a malicious client device was able to contact a KDC, the client device must still present valid certificates to the KDC before being service enabled. Given the computational overhead of the certificate validation process, this situation could present a DoS opportunity.

假设服务器地址被成功欺骗到恶意客户端设备能够联系KDC的程度,则在启用服务之前,客户端设备必须仍然向KDC提供有效证书。考虑到证书验证过程的计算开销,这种情况可能会带来拒绝服务的机会。

It is possible for a malicious (although certificate enabled) service provider to redirect a customer from the customer's selected service provider. It is assumed that all service providers permitted onto an access providers network are trusted entities that will cooperate to ensure peaceful coexistence. If a service provider is found to be redirecting customers, this should be handled as an administrative matter between the access provider and the service provider.

恶意(尽管已启用证书)服务提供商可能会从客户选择的服务提供商重定向客户。假定允许进入接入提供商网络的所有服务提供商都是可信的实体,将进行合作以确保和平共处。如果发现服务提供商正在重定向客户,则应将其作为访问提供商和服务提供商之间的管理事项处理。

Another safeguard that can be taken by service providers to limit their exposure to their KDC server(s) is to configure their network so that the KDC(s) reside on a separate subnetwork.

服务提供商可以采取的另一种保护措施是,对其网络进行配置,以使KDC驻留在单独的子网络上,从而限制其对KDC服务器的暴露。

Service providers can further protect their KDC server(s) by placing a firewall in front of the KDC(s) only allowing connections needed for its current provisioning processes. The IP temporary addresses given the client devices from the DHCP server could be sent directly to the firewall from the DHCP server to open a hole for Kerberos messages only for those particular IP addresses for a short period of time. If this was used it would be recommended that service providers authenticate their DHCP server to the KDC as well. This could be done via password authentication rather than digital certificate due to the co-location of the DHCP server to the KDC.

服务提供商可以通过在KDC前面放置防火墙进一步保护其KDC服务器,仅允许其当前配置过程所需的连接。DHCP服务器提供给客户机设备的IP临时地址可以从DHCP服务器直接发送到防火墙,以便在短时间内仅为这些特定IP地址打开Kerberos消息的漏洞。如果使用这种方法,建议服务提供商也向KDC验证其DHCP服务器。这可以通过密码身份验证而不是数字证书来完成,因为DHCP服务器与KDC位于同一位置。

Finally, Kerberos requires mutual client-server authentication. Therefore, the client device must authenticate itself with its digital certificate and the KDC is required to authenticate it to the client device. If a hacker tries to redirect the client device by replacing the service provider-configured KDC Server Address sub-option with another IP address, it is not likely to be a valid service provider's KDC server and authentication will fail.

最后,Kerberos需要相互的客户机-服务器身份验证。因此,客户端设备必须使用其数字证书对自身进行身份验证,并且需要KDC向客户端设备进行身份验证。如果黑客试图通过将服务提供商配置的KDC服务器地址子选项替换为另一个IP地址来重定向客户端设备,则该设备不太可能是有效的服务提供商的KDC服务器,身份验证将失败。

4. IANA Considerations
4. IANA考虑

The KDC Server Address sub-option described in this document is intended to be a sub-option of the CableLabs Client Configuration (CCC) option described in [1]. IANA has assigned and registered sub-option code 10 of the CCC option to the KDC Server Address sub-option.

本文档中描述的KDC服务器地址子选项是[1]中描述的CableLabs客户端配置(CCC)选项的子选项。IANA已将CCC选项的子选项代码10分配并注册到KDC服务器地址子选项。

5. Intellectual Property Statement
5. 知识产权声明

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。

6. Normative References
6. 规范性引用文件

[1] Beser, B. and P. Duffy, "DHCP Option for CableLabs Client Configuration", RFC 3495, March 2003.

[1] Beser,B.和P.Duffy,“CableLabs客户端配置的DHCP选项”,RFC 3495,2003年3月。

[2] "CableHome 1.1 Specification", CableLabs, http://www.cablelabs.com/projects/cablehome/specifications/.

[2] “CableHome 1.1规范”,CableLabs,http://www.cablelabs.com/projects/cablehome/specifications/.

[3] "CableHome 1.0 Specification", CableLabs, http://www.cablelabs.com/projects/cablehome/specifications/.

[3] “CableHome 1.0规范”,CableLabs,http://www.cablelabs.com/projects/cablehome/specifications/.

[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[4] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[5] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.

[5] Droms,R.,“动态主机配置协议”,RFC 2131,1997年3月。

[6] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001

[6] Droms,R.和W.Arbaugh,“DHCP消息的身份验证”,RFC31182001年6月

7. Authors' Addresses
7. 作者地址

Kevin Luehrs CableLabs 858 Coal Creek Circle Louisville, CO 80027

Kevin Luehrs CableLabs 858煤炭溪环路易斯维尔,科罗拉多州,80027

Phone: (303) 661-9100 EMail: k.luehrs@cablelabs.com

电话:(303)661-9100电子邮件:k。luehrs@cablelabs.com

Richard Woundy Comcast Cable 27 Industrial Drive Chelmsford, MA 01824

马萨诸塞州切姆斯福德工业大道27号Richard Woundy Comcast电缆,邮编01824

Phone: (978) 244-4010 EMail: richard_woundy@cable.comcast.com

电话:(978)244-4010电子邮件:richard_woundy@cable.comcast.com

John Bevilacqua YAS Corporation 300 Brickstone Square Andover, MA 01810

约翰·贝维拉卡·亚斯公司,马萨诸塞州安多弗布里克斯通广场300号,邮编01810

Phone: (978) 749-9999 EMail: john@yas.com

电话:(978)749-9999电子邮件:john@yas.com

Nancy Davoust YAS Corporation 300 Brickstone Square Andover, MA 01810

南希·达沃斯·亚斯公司,马萨诸塞州安多弗布里克斯通广场300号,邮编01810

Phone: (978) 749-9999 EMail: nancy@yas.com

电话:(978)749-9999电子邮件:nancy@yas.com

8. Full Copyright Statement
8. 完整版权声明

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。