openldap/doc/drafts/draft-zeilenga-ldap-turn-xx.txt

INTERNET-DRAFT                                   Kurt D. Zeilenga
Intended Category: Experimental                  OpenLDAP Foundation
Expires in six months                            28 October 2005



                           LDAP Turn Operation
                    <draft-zeilenga-ldap-turn-03.txt>


1.      Status of this Memo

  This document is intended to be, after appropriate review and
  revision, submitted to the RFC Editor for publication as an
  Experimental document.  Distribution of this memo is unlimited.
  Technical discussion of this document will take place on the IETF LDAP
  Extensions mailing list <ldapext@ietf.org>.  Please send editorial
  comments directly to the author <Kurt@OpenLDAP.org>.

  By submitting this Internet-Draft, each author represents that any
  applicable patent or other IPR claims of which he or she is aware have
  been or will be disclosed, and any of which he or she becomes aware
  will be disclosed, in accordance with Section 6 of BCP 79.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups. Note that other
  groups may also distribute working documents as Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time. It is inappropriate to use Internet-Drafts as reference material
  or to cite them other than as "work in progress."

  The list of current Internet-Drafts can be accessed at
  http://www.ietf.org/1id-abstracts.html

  The list of Internet-Draft Shadow Directories can be accessed at
  http://www.ietf.org/shadow.html


  Copyright (C) The Internet Society (2005).  All Rights Reserved.

  Please see the Full Copyright section near the end of this document
  for more information.


Abstract




Zeilenga                      LDAP Turn Op                      [Page 1]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


  This specification describes a Lightweight Directory Access Protocol
  (LDAP) extended operation to reverse (or "turn") the roles of client
  and server for subsequent protocol exchanges in the session, or to
  enable each peer to act as both client and server with respect to the
  other.


1. Background and Intent of Use

  The Lightweight Directory Access Protocol (LDAP) [Roadmap][Protocol]
  is a client-server protocol which typically operates over reliable
  octet-stream transports such as the Transport Control Protocol (TCP).
  Generally, the client initiates the stream by connecting to the
  server's listener at some well-known address.

  There are cases where it is desirable for the server to initiate the
  stream.  While it certainly is possible to write a technical
  specification detailing how to implement server-initiated LDAP
  sessions, this would require the design of new authentication and
  other security mechanisms to support server-initiated LDAP sessions.

  Instead, this document introduces an operation, the Turn operation,
  which may be used to reverse the client-servers roles of the protocol
  peers.  This allows the initiating protocol peer to become server
  (after the reversal).

  As an additional feature, the Turn operation may be used to allow both
  peers to act in both roles.  This is useful where both peers are
  directory servers that desire to request, as LDAP clients, operations
  be performed by the other.  This may be useful in replicated and/or
  distributed environments.

  This operation is intended to be used between protocol peers which
  have established a mutual agreement, by means outside of the protocol,
  which requires reversal of client-server roles, or allows both peers
  to act both as client and server.


1.1 Terminology

  Protocol elements are described using ASN.1 [X.680] with implicit
  tags.  The term "BER-encoded" means the element is to be encoded using
  the Basic Encoding Rules [X.690] under the restrictions detailed in
  Section 5.2 of [Protocol].


2. Turn Operation




Zeilenga                      LDAP Turn Op                      [Page 2]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


  The Turn operation is defined as a LDAP Extended Operation [Protocol,
  Section 4.12] identified by the IANA-ASSIGNED-OID.  The function of
  the Turn Operation is to request that the client-server roles be
  reversed, or, optionally to request that both protocol peers to be
  able to act both as client and server in respect to the other.


2.1. Turn Request

  The Turn request is an ExtendedRequest with the requestName field
  containing the IANA-ASSIGNED-OID and a requestValue field is a
  BER-encoded turnValue:

       turnValue ::= SEQUENCE {
            mutual         BOOLEAN DEFAULT FALSE,
            identifier     LDAPString
       }

  A TRUE mutual field value indicates a request to allow both peers to
  act both as client and server.  A FALSE mutual field value indicates a
  request to reserve the client and server roles.

  The value of the identifier field is a locally-defined policy
  identifier (typically associated with a mutual agreement for which
  this turn is be executed as part of).


2.2. Turn Response

  A Turn response is an ExtendedResponse where the responseName and
  responseValue fields are absent.  A resultCode of success is returned
  if and only if the responder is willing and able to turn the session
  as requested.  Otherwise, a different resultCode is returned.


3. Authentication

  This extension's authentication model assumes separate authentication
  of the peers in each of their roles.  A separate Bind exchange is
  expected between the peers in their new roles to establish identities
  in these roles.

  Upon completion of the Turn, the responding peer in its new client
  role has an anonymous association at the initiating peer in its new
  server role.  If the turn was mutual, the authentication association
  of the initiating peer in its pre-existing client role is left intact
  at the responding peer in its pre-existing server role.  If the turn
  was not mutual, this association is void.



Zeilenga                      LDAP Turn Op                      [Page 3]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


  The responding peer may establish its identity in its client role by
  requesting and successfully completing a Bind operation.

  The remainder of this section discuss some authentication scenarios.
  In the protocol exchange illustrations, A refers to the initiating
  peer (the original client) and B refers to the responding peer (the
  original server).

3.1. Use with TLS and Simple Authentication

      A->B: StartTLS Request
      B->A: StartTLS(success) Response
      A->B: Bind(Simple(cn=B,dc=example,dc=net,B's secret)) Request
      B->A: Bind(success) Response
      A->B: Turn(TRUE,"XXYYZ") Request
      B->A: Turn(success) Response
      A->B: Bind(Simple(DN/Password)) Request
      B->A: Bind(Simple(cn=A,dc=example,dc=net,A's secret)) Request
      A->B: Bind(success) Response

  In this scenario, TLS (Transport Layer Security) [TLS] is started and
  the initiating peer (the original client) establishes its identity
  with the responding peer prior to the Turn using the the DN/password
  mechanism of the Simple method of the Bind operation.  After the turn,
  the responding peer in its new client role establishes its identity
  with the initiating peer in its new server role.


3.2. Use with TLS and SASL EXTERNAL

      A->B: StartTLS Request
      B->A: StartTLS(success) Response
      A->B: Bind(SASL(EXTERNAL)) Request
      B->A: Bind(success) Response
      A->B: Turn(TRUE,"XXYYZ") Request
      B->A: Turn(success) Response
      B->A: Bind(SASL(EXTERNAL)) Request
      A->B: Bind(success) Response

  In this scenario, TLS is started prior with each peer providing a
  valid certificate and the initiating peer (the original client)
  establishes its identity through the use of the EXTERNAL mechanism of
  the SASL (Simple Authentication and Security Layer) [SASL] method of
  the Bind operation prior to the Turn.  After the turn, the responding
  peer in its new client role establishes its identity with the
  initiating peer in its new server role.





Zeilenga                      LDAP Turn Op                      [Page 4]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


3.3. Use of mutual authentication and SASL EXTERNAL

  A number of SASL mechanisms, such as GSSAPI [GSSAPI] and DIGEST-MD5
  [DIGEST-MD5], support mutual authentication.  The initiating peer, it
  its new server role, may use the identity of the responding peer
  established by a prior authentication exchange, as its source for
  "external" identity in subsequent EXTERNAL exchange.

      A->B: Bind(SASL(GSSAPI)) Request
      <intermediate messages>
      B->A: Bind(success) Response
      A->B: Turn(TRUE,"XXYYZ") Request
      B->A: Turn(success) Response
      B->A: Bind(SASL(EXTERNAL)) Request
      A->B: Bind(success) Response

  In this scenario, a GSSAPI mutual-authentication exchange is completed
  between the initiating peer (the original client) and the the
  responding server (the original server) prior to the turn.  After the
  turn, the responding peer in its new client role requests the
  initiating peer utilize an "external" identity to establish its LDAP
  authorization identity.


4. TLS and SASL security layers

  As described in [Protocol], LDAP supports both Transport Layer
  Security (TLS) [TLS] and Simple Authentication and Security Layer
  (SASL) [SASL] security frameworks.  The following table illustrates
  the relationship between the LDAP message layer, SASL layer, TLS
  layer, and transport connection within an LDAP session.

                 +----------------------+
                 |  LDAP message layer  |
                 +----------------------+ > LDAP PDUs
                 +----------------------+ < data
                 |      SASL layer      |
                 +----------------------+ > SASL-protected data
                 +----------------------+ < data
                 |       TLS layer      |
     Application +----------------------+ > TLS-protected data
     ------------+----------------------+ < data
       Transport | transport connection |
                 +----------------------+

  This extension does not alter this relationship, nor does it remove
  the general restriction against multiple TLS layers, nor does it
  remove the general restriction against multiple SASL layers.



Zeilenga                      LDAP Turn Op                      [Page 5]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


  As specified in [Protocol], the StartTLS operation is used to initiate
  negotiation of a TLS layer.  If a TLS is already installed, the
  StartTLS operation must fail.  Upon establishment of the TLS layer,
  regardless of which peer issued the request to start TLS, the peer
  which initiated the LDAP session (the original client) performs the
  "server identity check" as described in Section 3.1.5 of [AuthMeth]
  treating itself as the "client" and its peer as the "server".

  As specified in [SASL], newly negotiated SASL security layer replace
  the installed SASL security layer.  Though the client/server roles in
  LDAP, and hence SASL, may be reversed in subsequent exchanges, only
  one SASL security layer may be installed at any instance.


5.  Security Considerations

  Implementors should be aware that the reversing of client/server roles
  and/or allowing both peers to act as client and server likely
  introduces security considerations not foreseen by the authors of this
  document.  In particular, the security implications of the design
  choices made in the authentication and data security models for this
  extension (discussed in sections 3 and 4, respectively) are not fully
  studied.  It is hoped that experimentation with this extension will
  lead to better understanding of the security implications of these
  models and other aspects of this extension, and that appropriate
  considerations will be documented in a future document.  The following
  security considerations are apparent at this time.

  Implementors should take special care to process LDAP, SASL, TLS, and
  other events the appropriate roles for the peers.  It is noted that
  while the Turn reverses the client/server roles with LDAP, and in SASL
  authentication exchanges, it does not reverse the roles within the TLS
  layer or the transport connection.

  The responding server (the original server) should restrict use of
  this operation to authorized clients.  Client knowledge of a valid
  identifier should not be the sole factor in determining authorization
  to turn.

  Where the peers except to establish TLS, TLS should be started prior
  to the Turn and any request to authenticate via the Bind operation.

  LDAP security considerations [Protocol][AuthMeth] generally apply to
  this extension.


6.  IANA Considerations




Zeilenga                      LDAP Turn Op                      [Page 6]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


  Registration of the following values [BCP64bis] is requested.


6.1.  Object Identifier

  It is requested that IANA assign an LDAP Object Identifier to identify
  the LDAP Turn Operation as defined in this document.

      Subject: Request for LDAP Object Identifier Registration
      Person & email address to contact for further information:
           Kurt Zeilenga <kurt@OpenLDAP.org>
      Specification: RFC XXXX
      Author/Change Controller: Author
      Comments:
           Identifies the LDAP Turn Operation


6.2.  LDAP Protocol Mechanism

  It is requested that IANA register the LDAP Protocol Mechanism
  described in this document.

      Subject: Request for LDAP Protocol Mechanism Registration
      Object Identifier: IANA-ASSIGNED-OID
      Description: LDAP Turn Operation
      Person & email address to contact for further information:
           Kurt Zeilenga <kurt@openldap.org>
      Usage: Extended Operation
      Specification: RFC XXXX
      Author/Change Controller: Author
      Comments: none


7. Author's Address

  Kurt D. Zeilenga
  OpenLDAP Foundation

  Email: Kurt@OpenLDAP.org


8. References

  [[Note to the RFC Editor: please replace the citation tags used in
  referencing Internet-Drafts with tags of the form RFCnnnn where
  possible.]]





Zeilenga                      LDAP Turn Op                      [Page 7]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


8.1. Normative References

  [Roadmap]     Zeilenga, K. (editor), "LDAP: Technical Specification
                Road Map", draft-ietf-ldapbis-roadmap-xx.txt, a work in
                progress.

  [Protocol]    Sermersheim, J. (editor), "LDAP: The Protocol",
                draft-ietf-ldapbis-protocol-xx.txt, a work in progress.

  [AuthMeth]    Harrison, R. (editor), "LDAP: Authentication Methods and
                Connection Level Security Mechanisms",
                draft-ietf-ldapbis-authmeth-xx.txt, a work in progress.

  [SASL]        Melnikov, A. (Editor), "Simple Authentication and
                Security Layer (SASL)",
                draft-ietf-sasl-rfc2222bis-xx.txt, a work in progress.

  [TLS]         Dierks, T. and, E. Rescorla, "The TLS Protocol Version
                1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
                progress.

  [X.680]       International Telecommunication Union -
                Telecommunication Standardization Sector, "Abstract
                Syntax Notation One (ASN.1) - Specification of Basic
                Notation", X.680(2002) (also ISO/IEC 8824-1:2002).

  [X.690]       International Telecommunication Union -
                Telecommunication Standardization Sector, "Specification
                of ASN.1 encoding rules: Basic Encoding Rules (BER),
                Canonical Encoding Rules (CER), and Distinguished
                Encoding Rules (DER)", X.690(2002) (also ISO/IEC
                8825-1:2002).


8.2. Informative References

  [BCP64bis]    Zeilenga, K., "IANA Considerations for LDAP",
                draft-ietf-ldapbis-bcp64-xx.txt, a work in progress.

                [GSSAPI]      Linn, J., "Generic Security Service
                Application Program Interface, Version 2, Update 1", RFC
                2743, January 2000.

  [DIGEST-MD5]  Leach, P., C. Newman, and A. Melnikov, "Using Digest
                Authentication as a SASL Mechanism",
                draft-ietf-sasl-rfc2831bis-xx.txt, a work in progress.





Zeilenga                      LDAP Turn Op                      [Page 8]

INTERNET-DRAFT         draft-zeilenga-ldap-turn-03       28 October 2005


Intellectual Property Rights

  The IETF takes no position regarding the validity or scope of any
  Intellectual Property Rights or other rights that might be claimed to
  pertain to the implementation or use of the technology described in
  this document or the extent to which any license under such rights
  might or might not be available; nor does it represent that it has
  made any independent effort to identify any such rights.  Information
  on the procedures with respect to rights in RFC documents can be found
  in BCP 78 and BCP 79.

  Copies of IPR disclosures made to the IETF Secretariat and any
  assurances of licenses to be made available, or the result of an
  attempt made to obtain a general license or permission for the use of
  such proprietary rights by implementers or users of this specification
  can be obtained from the IETF on-line IPR repository at
  http://www.ietf.org/ipr.

  The IETF invites any interested party to bring to its attention any
  copyrights, patents or patent applications, or other proprietary
  rights that may cover technology that may be required to implement
  this standard.  Please address the information to the IETF at
  ietf-ipr@ietf.org.



Full Copyright

  Copyright (C) The Internet Society (2005).

  This document is subject to the rights, licenses and restrictions
  contained in BCP 78, and except as set forth therein, the authors
  retain all their rights.

  This document and the information contained herein are provided on an
  "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
  OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.










Zeilenga                      LDAP Turn Op                      [Page 9]