Network Working Group L J Blunk J R Vollbrecht Internet Draft Merit expires in six months July 1994 PPP Kerberos version 4 Authentication Protocol (KAPv4) Status of this Memo This document is the product of the Point-to-Point Protocol Extensions Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the ietf-ppp@merit.edu mailing list. Distribution of this memo is unlimited. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). Abstract The Point-to-Point Protocol (PPP) [1] provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP also defines an extensible Link Control Protocol, which allows negotiation of an Authentication Protocol for authenticating its peer before allowing Network Layer protocols to transmit over the link. This document defines the PPP Kerberos version 4 Authentication Protocol. Blunk & Vollbrecht expires in six months [Page i] DRAFT PPP KAPv4 July 1994 1. Introduction In order to establish communications over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during Link Establishment phase. After the link has been established, PPP provides for an optional Authentication phase before proceeding to the Network-Layer Protocol phase. By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase. These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations. This document defines the PPP KAPv4 authentication protocol. The Link Establishment and Authentication phases, and the Authentication-Protocol Configuration Option, are defined in The Point-to-Point Protocol (PPP) [1]. 1.1. Specification of Requirements In this document, several words are used to signify the requirements of the specification. These words are often capitalized. MUST This word, or the adjective "required", means that the definition is an absolute requirement of the specification. MUST NOT This phrase means that the definition is an absolute prohibition of the specification. SHOULD This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications must be understood and carefully weighed before choosing a different course. MAY This word, or the adjective "optional", means that this item is one of an allowed set of alternatives. An implementation which does not include this option MUST be prepared to interoperate with another implementation which does include the option. Blunk & Vollbrecht expires in six months [Page 1] DRAFT PPP KAPv4 July 1994 1.2. Terminology This document frequently uses the following terms: authenticator The end of the link requiring the authentication. The authenticator specifies the authentication protocol to be used in the Configure-Request during Link Establishment phase. peer The other end of the point-to-point link; the end which is being authenticated by the authenticator. silently discard This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter. Blunk & Vollbrecht expires in six months [Page 2] DRAFT PPP KAPv4 July 1994 2. PPP Kerberos version 4 Authentication Protocol The PPP Kerberos version 4 Authentication Protocol (KAPv4) is used to verify the identity of a peer using the Kerberos version 4 Authentication System. Normally, Kerberos version 4 authentication requires that the peer possess an IP address. However, with PPP, the peer may not know the IP address prior to authentication. Given this constraint, the KAPv4 protocol is designed to operate over the PPP link prior to the IP Network Protocol having been negotiated. It is assumed that the authenticator has network connectivity to the Kerberos server(s) to be used for authentication. 1. After the Link Establishment phase is complete, the authenticator sends a request for the identity of the the peer. 2. The peer replies with its Kerberos principal identity. The peer may also optionally specify a service name and instance. It is recommended that ppp-kapv4 be used as the primary name for the service. An instance should generally not be required but MUST be configurable. If the peer does not present a service name, this indicates that it will not check the identity of service to which it is authenticating. 3. The authenticator then uses the Kerberos Authentication Service Protocol to request the Kerberos credentials to be used by the peer. These credentials are then forwarded to the peer along with a randon challenge. The challenge is used to prevent replay attacks. 4. The peer decrypts these credentials to obtain a ticket for the authenticator and a session key. The session key is used to encrypt the challenge. The peer then sends the ticket together with the response to the challenge back to the authenticator. It may optionally include a mutual challenge to verify the identity of the authenticator. 5. The authenticator then decrypts the ticket and checks the response to its challenge. If these are valid, the authentication is acknowledged with a success message; otherwise the authenticator replies with a failure response. The authenticator also replies with a response to the peer's challenge. Blunk & Vollbrecht expires in six months [Page 3] DRAFT PPP KAPv4 July 1994 Advantages KAPv4 provides an authentication mechanism which does not require passing a user's password in the clear. It also allows PPP authentication to leverage off of existing Kerberos authentication servers. The authenticator is not the repository for any peer secrets. This is a significant advantage when there are many peers. This authentication can be mutual. The ability of the peer to successfully decrypt the Kerberos credentials and generate a response to the challenge is the assurance to the authenticator that the peer is authentic. The ability of the authenticator to encrypt a response to a challenge using the session key is the assurance to the peer that the authenticator is also authentic. Disadvantages KAPv4 depends upon encryption technology which may be subject to export controls. Blunk & Vollbrecht expires in six months [Page 4] DRAFT PPP KAPv4 July 1994 2.1. Configuration Option Format A summary of the Authentication-Protocol Configuration Option format to negotiate the KAPv4 Authentication Protocol is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Authentication-Protocol | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 3 Length 4 Authentication-Protocol ???? for PPP Kerberos version 4 Authentication Protocol (KAPv4) Blunk & Vollbrecht expires in six months [Page 5] DRAFT PPP KAPv4 July 1994 2.2. Packet Format Exactly one PPP Kerberos version 4 Authentication Protocol packet is encapsulated in the Information field of a PPP Data Link Layer frame where the protocol field indicates type hex ???? (PPP Kerberos version 4 Authentication Protocol). A summary of the KAPv4 packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+ Code The Code field is one octet and identifies the type of KAPv4 packet. KAPv4 Codes are assigned as follows: 1 Initiate 2 Principal 3 Credentials 4 Ticket 5 Success 6 Failure Identifier The Identifier field is one octet and aids in matching replies with requests and responses to challenges. Length The Length field is two octets and indicates the length of the KAPv4 packet including the Code, Identifier, Length and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception. Data The Data field is zero or more octets. The format of the Data field is determined by the Code field. Blunk & Vollbrecht expires in six months [Page 6] DRAFT PPP KAPv4 July 1994 2.2.1. Initiate Description The Initiate packet is used to begin the PPP Kerberos version 4 Authentication Protocol. The authenticator MUST transmit a KAPv4 packet with the Code field set to 1 (Initiate). Additional Initiate packets MUST be sent until a valid Response packet is received, or an optional retry counter expires. A summary of the Initiate packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 1 Identifier The Identifier field is one octet. The Identifier field MUST be changed each time an Initiate is sent. Blunk & Vollbrecht expires in six months [Page 7] DRAFT PPP KAPv4 July 1994 2.2.2. Principal Description The Principal packet is used to identify the peer to the authenticator. It is sent in response to an Initiate packet. The peer MUST transmit a KAPv4 packet with the Code field set to 2 (Principal). The identifier of the Principal packet MUST match the indentifier in the Initiate packet. The authenticator uses the supplied information to generate a KRB_AS_REQ message for the Kerberos Server. The authenticator responds to the Principal packet with either a Credentials packet or a Failure packet. A summary of the Principal packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Name-Size | Name ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Instance-Size | Instance ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Realm-Size | Realm ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sname-Size | Service Name ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sinstance-Size| Service Instance ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 2 Identifier The Identifier field is one octet. The Principal Identifier MUST be copied from the Identifier field of the Initiate which caused the Response. Principal fields The Name, Instance, and Realm fields are used to identify the Kerberos Principal. The Service Name is optional and specifies that the peer expects to authenticate to a particular service and Blunk & Vollbrecht expires in six months [Page 8] DRAFT PPP KAPv4 July 1994 will check this attribute when examining the credentials. If the peer does not care about the service identity, it should put a zero in the Service Name Size field. Blunk & Vollbrecht expires in six months [Page 9] DRAFT PPP KAPv4 July 1994 2.2.3. Credentials Description The Credentials packet is used to supply the peer with the needed credentials for authentication. It is sent in response to a Principal packet and contains a ticket for the authenticator and a session key. It also contains a random challenge to prevent replay attacks. The authenticator MUST transmit a KAPv4 packet with the Code field set to 3 (Credentials). Additional Credentials packets MUST be sent until a valid Response packet is received, or an optional retry counter expires. A summary of the Credentials packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Cred-Size | Credentials ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Chal-Size | Challenge ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 3 Identifier The Identifier field is one octet. The Identifier field MUST be changed each time a Credentials packet is sent. Credentials The Credentials field is copied from the KRB_AS_REP packet received by the authenticator from the Kerberos server. It takes the form: { T_(peer,authenticator), K_(peer, authenticator) }K_peer Challenge The Challenge Value is a variable length stream of octets. The Challenge Value MUST be changed each time a Credentials packet is Blunk & Vollbrecht expires in six months [Page 10] DRAFT PPP KAPv4 July 1994 sent. Blunk & Vollbrecht expires in six months [Page 11] DRAFT PPP KAPv4 July 1994 2.2.4. Ticket Description The Ticket packet is sent by the peer to the authenticator as verification of its authenticity. It is sent in response to a Credentials packet and contains a ticket for the authenticator and a response to the authenticator's challenge. The response for the challenge is generated by encrypting the challenge with the session key. The peer may also specicy a Mutual Challenge for the authenticator. This field should not be included if the peer does not wish to challenge the authenticator. The peer MUST transmit a KAPv4 packet with the Code field set to 4 (Ticket). A summary of the Ticket packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ticket-Size | Ticket ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Response-Size | Response ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MA_Chal-Size | MA_Challenge ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 4 Identifier The Identifier field is one octet. The Identifier field MUST match the Indentifier field of the Credentials packet that it is sent in response to. Ticket The Ticket field is copied from the Credentials data received from the authenticator. It takes the form: T_(peer,authenticator) Blunk & Vollbrecht expires in six months [Page 12] DRAFT PPP KAPv4 July 1994 Response The response field is generated by encrypting the challenge from the Credentials packets using the Session key. The DES PCBC encryption algorithm is used to generate this response. The Session key is used as the ivec. MA_Challenge The MA_Challenge field is a variable length string of octets used to mutually authenticate the authenticator. The peer should put a zero in the MA_Challenge size field if it does not with to challenge the authenticator. Blunk & Vollbrecht expires in six months [Page 13] DRAFT PPP KAPv4 July 1994 2.2.5. Success Description If the fields received in a Ticket match the expected values AND the response to the challenge is correct, then the implementation MUST transmit a KAPv4 packet with the Code field set to 5 (Success). The authenticator must also include a response to the MA_Challenge if the field was present in the Ticket packet. A summary of the Success packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message-Size | Message ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MA_Resp-Size | MA_Response ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 5 Identifier The Identifier field is one octet and aids in matching requests and replies. The Identifier field MUST be copied from the Identifier field of the Ticket packet which caused this reply. Message The Message field is zero or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain displayable ASCII characters 32 through 126 decimal. Mechanisms for extension to other character sets are the topic of future research. MA_Response The MA_Response contains the reponse to the peers MA_Challenge (if present). The MA_Response is the DES PCBC encryption of MA_Challenge using the Session Key. The Session Key is used as Blunk & Vollbrecht expires in six months [Page 14] DRAFT PPP KAPv4 July 1994 the ivec for the encryption. Blunk & Vollbrecht expires in six months [Page 15] DRAFT PPP KAPv4 July 1994 2.2.6. Failure Description If the fields received in a Ticket do NOT match the expected values OR the response to the challenge does NOT match the expected value, then the implementation MUST transmit a KAPv4 packet with the Code field set to 6 (Failure), and SHOULD take action to terminate the link. A Failure packet may also be sent in response to a Principal packet. The Failure would be sent in the case where the pricipal or service identity were unacceptable or an error was received in response to the authenticator KBR_AS_REQ message. A summary of the Challenge and Response packet format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Message-Size | Message ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code 6 Identifier The Identifier field is one octet and aids in matching requests and replies. The Identifier field MUST be copied from the Identifier field of the Ticket or Principal packet which caused this reply. Message-Size This field is one octet and indicates the length of the Message field. Message The Message field is zero or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain displayable ASCII characters 32 through Blunk & Vollbrecht expires in six months [Page 16] DRAFT PPP KAPv4 July 1994 126 decimal. Mechanisms for extension to other character sets are the topic of future research. Blunk & Vollbrecht expires in six months [Page 17] DRAFT PPP KAPv4 July 1994 Security Considerations Security issues are the primary topic of this RFC. The interaction of the authentication protocols within PPP are highly implementation dependent. This is indicated by the use of SHOULD throughout the document. For example, upon failure of authentication, some implementations do not terminate the link. Instead, the implementation limits the kind of traffic in the Network-Layer Protocols to a filtered subset, which in turn allows the user opportunity to update secrets or send mail to the network administrator indicating a problem. There is no provision for re-tries of failed authentication. However, the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt. It is recommended that any counters used for authentication failure not be reset until after successful authentication, or subsequent termination of the failed link. There is no requirement that authentication be full duplex or that the same protocol be used in both directions. It is perfectly acceptable for different protocols to be used in each direction. This will, of course, depend on the specific protocols negotiated. In practice, within or associated with each PPP server, there is a database which associates "user" names with authentication information ("secrets"). It is not anticipated that a particular named user would be authenticated by multiple methods. This would make the user vulnerable to attacks which negotiate the least secure method from among a set (such as PAP rather than KAPv4). Instead, for each named user there should be an indication of exactly one method used to authenticate that user name. If a user needs to make use of different authentication methods under different circumstances, then distinct user names SHOULD be employed, each of which identifies exactly one authentication method. Blunk & Vollbrecht expires in six months [Page 18] DRAFT PPP KAPv4 July 1994 References [1] Simpson, W. A., "The Point-to-Point Protocol (PPP)", work in progress. [2] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 1340, USC/Information Sciences Institute, July 1992. Acknowledgments Thanks to Bill Simpson for his initial work on this document. Chair's Address The working group can be contacted via the current chair: Fred Baker Advanced Computer Communications 315 Bollay Drive Santa Barbara, California, 93111 EMail: fbaker@acc.com Author's Address Questions about this memo can also be directed to: Larry J Blunk John R Vollbrecht EMail: ljb@merit.edu EMail: jrv@merit.edu Blunk & Vollbrecht expires in six months [Page 19] DRAFT PPP KAPv4 July 1994 Table of Contents 1. Introduction .......................................... 1 1.1 Specification of Requirements ................... 1 1.2 Terminology ..................................... 2 2. PPP Kerberos version 4 Authentication Protocol ........ 3 2.1 Configuration Option Format ..................... 5 2.2 Packet Format ................................... 6 2.2.1 Initiate ........................................ 7 2.2.2 Principal ....................................... 8 2.2.3 Credentials ..................................... 10 2.2.4 Ticket .......................................... 12 2.2.5 Success ......................................... 14 2.2.6 Failure ......................................... 16 SECURITY CONSIDERATIONS ...................................... 18 REFERENCES ................................................... 19 ACKNOWLEDGEMENTS ............................................. 19 CHAIR'S ADDRESS .............................................. 19 AUTHOR'S ADDRESS ............................................. 19