Network Working Group                                           S. Drach
Request for Comments: 2485                              Sun Microsystems
Category: Standards Track                                   January 1999

DHCP Option for The Open Group's User Authentication Protocol

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This document defines a DHCP [1] option that contains a list of pointers to User Authentication Protocol servers that provide user authentication services for clients that conform to The Open Group Network Computing Client Technical Standard [2].

Introduction

The Open Group Network Computing Client Technical Standard, a product of The Open Group's Network Computing Working Group (NCWG), defines a network computing client user authentication facility named the User Authentication Protocol (UAP).

UAP provides two levels of authentication, basic and secure. Basic authentication uses the Basic Authentication mechanism defined in the HTTP 1.1 [3] specification, which carries the user name and password base64-encoded but not encrypted, so at this level the credentials cross the network in the clear. Secure authentication is simply basic authentication encapsulated in an SSLv3 [4] session; the credentials are protected only by that session.

In both cases, a UAP client needs to obtain the IP address and port of the UAP service. Additional path information may be required, depending on the implementation of the service. A URL [5] is an excellent mechanism for encapsulation of this information since many UAP servers will be implemented as components within legacy HTTP/SSL servers.

Most UAP clients have no local state and are configured when booted through DHCP. No existing DHCP option [6] has a data field that contains a URL. Option 72 contains a list of IP addresses for WWW servers, but it is not adequate since a port and/or path can not be specified. Hence there is a need for an option that contains a list of URLs.

User Authentication Protocol Option

This option specifies a list of URLs, each pointing to a user authentication service that is capable of processing authentication requests encapsulated in the User Authentication Protocol (UAP). UAP servers can accept either HTTP 1.1 or SSLv3 connections. If the list includes a URL that does not contain a port component, the normal default port is assumed (i.e., port 80 for http and port 443 for https). If the list includes a URL that does not contain a path component, the path /uap is assumed.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |   URL list
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code      98

   Length    The length of the data field (i.e., URL list) in bytes.

   URL list  A list of one or more URLs separated by the ASCII space
             character (0x20).
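The following is an added example, not code from RFC 2485 or from The Open Group, showing how a client or server would build and parse option 98 and apply the defaults stated above (code 98, one-octet Length, URLs separated by 0x20, port 80 for http and 443 for https when no port is given, path /uap when no path is given). The function names, the 255-octet size check (the Length field is a single octet) and the sample URLs are assumptions of this example.

```python
"""DHCP option 98 (UAP server URL list): encode, decode, and apply defaults.

Added example, not code from RFC 2485 or The Open Group. The option code,
the space-separated URL list, the default ports (80 for http, 443 for https)
and the default path /uap come from the RFC; the function names, the
255-octet limit check and the sample URLs are this example's own assumptions.
"""
from urllib.parse import urlsplit

UAP_OPTION_CODE = 98                     # RFC 2485
UAP_DEFAULT_PATH = "/uap"                # RFC 2485
UAP_DEFAULT_PORT = {"http": 80, "https": 443}
MAX_OPTION_DATA = 255                    # Length is a single octet in a DHCP option


def encode_uap_option(urls):
    """Build Code | Length | URL-list bytes from a list of URL strings."""
    if not urls:
        raise ValueError("URL list must hold at least one URL")
    for url in urls:
        # 0x20 is the list separator, so it cannot appear inside a URL.
        if " " in url or not url.isascii():
            raise ValueError(f"URL must be ASCII without spaces: {url!r}")
    data = " ".join(urls).encode("ascii")
    if len(data) > MAX_OPTION_DATA:
        raise ValueError(f"URL list is {len(data)} bytes; one option carries at most 255")
    return bytes([UAP_OPTION_CODE, len(data)]) + data


def decode_uap_option(option):
    """Split a Code | Length | URL-list option into its raw URL strings."""
    if len(option) < 2:
        raise ValueError("option shorter than Code + Length")
    code, length, data = option[0], option[1], option[2:]
    if code != UAP_OPTION_CODE:
        raise ValueError(f"expected option code {UAP_OPTION_CODE}, got {code}")
    if len(data) != length:
        raise ValueError(f"Length says {length} bytes but {len(data)} are present")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("URL list is not ASCII") from exc
    urls = [u for u in text.split(" ") if u]   # separator is exactly 0x20
    if not urls:
        raise ValueError("option carries no URLs")
    return urls


def normalize_uap_url(url):
    """Return (scheme, host, port, path) with the RFC defaults filled in.

    Only http (Basic authentication) and https (Basic inside SSLv3) are
    meaningful for UAP, so any other scheme is rejected.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in UAP_DEFAULT_PORT:
        raise ValueError(f"unsupported scheme in {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    port = parts.port if parts.port is not None else UAP_DEFAULT_PORT[scheme]
    path = parts.path if parts.path else UAP_DEFAULT_PATH
    return scheme, parts.hostname, port, path


def uap_servers(option):
    """Decode an option and normalize every URL it carries, in order."""
    return [normalize_uap_url(u) for u in decode_uap_option(option)]


if __name__ == "__main__":
    # Constructed sample: two servers, the first relying on both defaults.
    sample = encode_uap_option(["https://auth.example.net",
                                "http://auth2.example.net:8080/login"])
    print(sample.hex(" "))
    for server in uap_servers(sample):
        print(server)
```

Because the Length field is one octet, a single option 98 cannot carry more than 255 octets of URL list; a server that needs to advertise several long URLs has to keep them short, and a client should reject an option whose data does not match its Length rather than guessing where the list ends.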

References

[1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.

[2] Technical Standard: Network Computing Client, The Open Group, Document Number C801, October 1998.

[3] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997.

[4] Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol, Version 3.0", Netscape Communications Corp., November 1996. Standards Information Base, The Open Group, http://www.db.opengroup.org/sib.htm#SSL_3.

[5] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform Resource Locators (URL)", RFC 1738, December 1994.

[6] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.

Security Considerations

DHCP currently provides no authentication or security mechanisms. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification [1].

The User Authentication Protocol has no means of detecting that the client is communicating with a rogue authentication service, which the client contacted because it received a forged or otherwise compromised UAP option from a DHCP service whose security was compromised. Even secure authentication does not provide relief from this type of attack: the client has no prior knowledge of which URL is legitimate, so a valid SSLv3 server certificate only identifies the server the client was directed to, and the client will still present its credentials to it. This security exposure is mitigated by the environmental assumptions documented in the Network Computing Client Technical Standard [2].

Author's Address

Steve Drach
Sun Microsystems, Inc.
901 San Antonio Road
Palo Alto, CA 94303

Phone: (650) 960-1300
EMail: drach@sun.com

Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
