Internet Engineering Task Force P. Duffy
INTERNET DRAFT Cisco Systems
DHC Working Group June 2003
Document: draft-ietf-dhc-pktc-kerb-tckt-03.txt
PacketCable Security Ticket Control Sub-option
for the DHCP CableLabs Client Configuration Option.
Status of this Memo
This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as "work
in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document defines a new sub-option for the DHCP CableLabs
Client Configuration (CCC) Option. This new sub-option will be
used to direct CableLabs Client Devices (CCDs) to invalidate
security tickets stored in CCD non volatile memory (i.e. locally
persisted security tickets).
1. Conventions used in this document
Duffy 1 �
Internet Draft Security Ticket Control June 2003
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119 [2].
2. Terminology
Definitions of terms/acronyms used throughout this document:
CCC - CableLabs Client Configuration option, described in [1].
CCD - CableLabs Client Device. A PacketCable MTA is an example
of a CCD.
STC - Security Ticket Control. The CCC sub-option described in
this document.
MTA - Media Terminal Adapter. The CCD specific to the PacketCable
architecture.
PacketCable - multimedia architecture developed by CableLabs. See
[8] for full details.
3. Introduction
The CableLabs Client Configuration Option [1] defines several sub-
options used to configure devices deployed into CableLabs
architectures. These architectures implement the PacketCable
Security Specification [4] (based on Kerberos V5 [5]), to
support CCD authentication and establishment of security
associations between CCDs and application servers.
CCDs are permitted to retain security tickets in local
persistent storage. Thus a power-cycled CCD is enabled to avoid
expensive ticket acquisition for locally persisted, non-expired
tickets. This feature greatly reduces the security overhead of
a deployment.
This sub-option allows the service provider to control the
lifetime of tickets persisted locally on a CCD. The service
provider requires this capability to support operational
functions such as forcing re-establishment of security
associations, remote testing, and remote diagnostic of CCDs.
Duffy Expires December 2003 2 �
Internet Draft Security Ticket Control June 2003
It should be noted that, although based on the Kerberos V5 RFC
[5], the PacketCable Security Specification is not a strict
implementation of this RFC. See [4] for details of the
PacketCable Security Specification.
4. Security Ticket Control Sub-option
This sub-option defines a Ticket Control Mask (TCM) that
instructs the CCD to validate/invalidate specific application
server tickets. The sub-option is encoded as follows:
Code Len TCM
+-----+-----+-----+-----+
| TBD | 2 | m1 | m2 |
+-----+-----+-----+-----+
The length MUST be 2. The TCM field is encoded as an unsigned 16
bit quantity per network byte order. Each bit of the TCM is
assigned to a specific server or server group. A bit value of 0
means the CCD MUST apply normal invalidation rules (defined in
[4]) to the locally persisted ticket for the server/server group.
A bit value of 1 means the CCD MUST immediately invalidate the
locally persisted ticket for the server/server group.
Bit #0 is the least significant bit of the field. The bit
positions are assigned as follows.
Bit #0 - the PacketCable Provisioning Server used by the CCD.
Bit #1 - the group of all PacketCable Call Management Servers
used by the CCD.
Bit #2 - #15. Reserved and MUST be set to 0.
If a CCD does not locally store tickets, it MUST ignore this sub-
option. Bit values not known to the CCD MUST be ignored.
5. IANA Considerations
IANA is requested to assign a sub-option code to this sub-option
from the "CableLabs Client Configuration" sub-option number space
(maintained within the BOOTP-DHCP Parameters Registry).
Duffy Expires December 2003 3 �
Internet Draft Security Ticket Control June 2003
IANA is also requested to maintain a new number space of
"CableLabs Client Configuration Option Ticket Control Mask Bit
Definitions", located in the BOOTP-DHCP Parameters Registry. The
initial bit definitions are described in section 4 of this
document. IANA is requested to register future bit mask
definitions via an "IETF Consensus" approval policy as described
in RFC 2434 [3].
6. Security Considerations
Potential DHCP protocol attack exposure is discussed in section 7
of the DHCP protocol specification [6] and in Authentication for
DHCP Messages [7]. Additional CCC attack exposure is discussed
in [1].
The STC sub-option could be used to disrupt a CableLabs
architecture deployment. In the specific case of PacketCable
[8], a deployment could be disrupted if a large number of MTAs
are reset/power cycled, initiate their provisioning flow [9], and
are instructed by a malicious DHCP server to invalidate all
security tickets. This could lead to a Denial of Service (DoS)
condition as this large set of MTAs simultaneously attempt to
authenticate and obtain tickets from the security infrastructure.
However, the scenario described above is unlikely to occur.
Within the cable delivery architecture required by the various
CableLabs projects, the DHCP client is connected to a network
through a cable modem and the CMTS (head-end router). The CMTS is
explicitly configured with a set of valid DHCP server addresses
to which DHCP requests are forwarded. Further, a correctly
configured CMTS will only allow DHCP downstream traffic from
specific DHCP server addresses.
It should be noted that the downstream filtering of DHCP packets
will not prevent spoofed DHCP servers behind the CMTS, but the
network infrastructure behind the CMTS is assumed to be closely
controlled by the service provider.
7. References
7.1. Normative
Duffy Expires December 2003 4 �
Internet Draft Security Ticket Control June 2003
[1] B. Beser and P. Duffy, "DHCP Option for CableLabs Client
Configuration", RFC 3495, March 2003.
[2] S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] T. Narten and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998.
[4] "PacketCable Security Specification", PKT-SP-SEC-I08-030415,
http://www.packetcable.com/specifications.html
7.2. Informational
[5] J. Kohl and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993.
[6] R. Droms, "Dynamic Host Configuration Protocol", RFC 2131,
March 1997.
[7] R. Droms and W. Arbaugh, "Authentication for DHCP Messages",
RFC 3118, June 2001
[8] "PacketCable Architecture Framework Technical Report", PKT-
TR-ARCH-V01-991201,
http://www.packetcable.com/specifications.html
[9] "PacketCable MTA Device Provisioning Specification", PKT-SP-
PROV-I06-030415. http://www.packetcable.com/specifications.html
8. Acknowledgments
The author would like to acknowledge the effort of all those who
contributed to the development of the PacketCable Provisioning
specifications:
Sumanth Channabasappa (Alopa Networks); Angela Lyda, Rick Morris,
Rodney Osborne (Arris Interactive); Steven Bellovin and Chris
Melle (AT&T); Eugene Nechamkin (Broadcom); John Berg, Maria
Stachelek, Matt Osman, Venkatesh Sunkad (CableLabs); Klaus
Hermanns, Azita Kia, Michael Thomas, Paul Duffy (Cisco); Deepak
Patil (Com21); Jeff Ollis, Rick Vetter (General
Instrument/Motorola); Roger Loots, David Walters (Lucent); Peter
Duffy Expires December 2003 5 �
Internet Draft Security Ticket Control June 2003
Bates (Telcordia); Patrick Meehan (Tellabs); Satish Kumar, Itay
Sherman, Roy Spitzer (Telogy/TI), Aviv Goren (Terayon);
Prithivraj Narayanan (Wipro), and Burcak Beser (Juniper
Networks).
9. Author's Addresses
Paul Duffy
Cisco Systems
300 Apollo Drive
Chelmsford, MA, 01824
Email: paduffy@cisco.com
10. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright notice
and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any
way, such as by removing the copyright notice or references to
the Internet Society or other Internet organizations, except as
needed for the purpose of developing Internet standards in which
case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate
it into languages other than English.
The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on
an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE.
Acknowledgement
Duffy Expires December 2003 6 �
Internet Draft Security Ticket Control June 2003
Funding for the RFC Editor function is currently provided by the
Internet Society.
Duffy Expires December 2003 7 �