|
||||
|
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted. (If this document becomes part of an IETF working group activity, then it will be brought into full compliance with Section 10 of RFC2026.)
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 13, 2000.
Copyright (C) The Internet Society (2000). All Rights Reserved.
This memo describes a generic application protocol framework for connection-oriented, asynchronous request/response interactions. The framework permits multiplexing of independent request/response streams over a single transport connection, supporting both textual and binary messages.
To subscribe to the Blocks discussion list, send e-mail; there is also a developers' site.
The Blocks eXtensible eXchange Protocol(BXXP) provides a generic application protocol framework for connection-oriented, asynchronous request/response interactions over TCP[1]. Consult [2] for a description of the BXXP's design principles.
At the core of BXXP is a framing mechanism that allows for peer-to-peer exchanges of requests and responses. The framing mechanism permits multiplexing multiple, simultaneous, and independent exchanges over a single transport connection with flow control and segmentation. Requests and responses are either textual (structured using XML[3]) or arbitrary (structured using MIME[4]).
Frames are exchanged in the context of a "channel". Each channel has an associated "profile" that defines the syntax and semantics of the messages exchanged. Implicit in the operation of BXXP is the notion of channel management. In addition to defining BXXP's channel management profile, this document defines:
Other profiles, such as those used for data exchange, are defined by an application protocol designer. A registration template is provided for this purpose.BXXP is a message-oriented protocol. Arbitrary octets are encapsulated within a frame and tagged as either a request or a response. All interactions occur in the context of a channel -- a binding to a well-defined aspect of the application, such as transport security, user authentication, or data exchange.
During the creation of a channel, the requestor supplies one or more proposed profiles for that channel. If the responder creates the channel, it selects one of the profiles and returns it in a response; otherwise, it may indicate that none of the profiles are acceptable, and decline creation of the channel.
There are no other management capabilities for channels other than creation, as channel usage falls into one of two categories:
- initial tuning:
- these are used by profiles that perform initialization once the BXXP session is established (e.g., negotiating the use of transport security); although several request/response exchanges may be required to perform the initialization, these channels become inactive early in the BXXP session and remain so for the duration.
- continuous:
- these are used by profiles that support data exchange; typically, these channels are created after the initial tuning channels have gone quiet.
Although BXXP is a peer-to-peer protocol, it is convenient to label each peer in the context of the role it is performing at a given time:
In BXXP, there are three kinds of messages: requests, responses, and sequence updates.
Each request or response conveys data, which is segmented as the payload of one or more frames. Each frame consists of a header, the payload, and a trailer. The header and trailer are each represented using printable ASCII characters and are terminated with a CRLF pair. Between the header and the trailer is the payload, consisting of zero or more octets.
For example, here is a request message whose data is contained in a single frame that contains a payload of 81 octets spread over 3 lines (each line of the data is terminated with a CRLF pair):
C: REQ . 1 14 94 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> C: </start> C: END
Note that the header is two lines long (the second line is blank signifying a lack of explicit MIME typing information).
The sequence update message is used to flow control request and response messages, and is represented using printable ASCII characters terminated by a CRLF pair.
For example, here is a sequence update message:
C: SEQ 1 0 65535
Note that the sequence update message doesn't have a header, payload, or trailer -- it's simply a single line.
The ABNF for a message is:
message = frame / seq frame = header payload trailer header = req / rsp req = "REQ" SP more SP serial SP seqno SP size SP channel CR LF [[mime] CR LF] rsp = "RSP" SP more SP serial SP seqno SP size SP status CR LF [[mime] CR LF] more = "." / "*" ; use of 0 for <serial> is reserved for the initial greeting serial = 0..2147483647 seqno = 0..4294967295 size = 0..2147483647 ; use of 0 for <channel> is reserved for BXXP channel management channel = 0..255 ; defaults are: ; ; Content-Type: text/xml ; Content-Transfer-Encoding: 8bit ; mime = <MIME Content {entity-headers} from RFC 2045> status = "+" / "-" payload = *OCTET trailer = "END" CR LF seq = "SEQ" SP channel SP ackno SP window CR LF ackno = seqno window = size
The frame header consists of a three-character keyword (one of: "REQ" or "RSP"), followed by a continuation indicator, a serial number, a sequence number, a payload size, and one additional parameter. A single space character (decimal code 32, " ") separates each component. The header is terminated with a CRLF pair.
The "REQ" keyword indicates that this frame is part of a request message. Following the "REQ" keyword, the continuation indicator, the serial number, the sequence number, and the payload size is the channel number for the request.
The "RSP" keyword indicates that this frame is part of a response message. Following the "RSP" keyword, the continuation indicator, the serial number, the sequence number, and the payload size is the status indicator for the response.
The continuation indicator (one of: decimal code 42, "*", or decimal code 46, ".") specifies whether this is the final frame of the message:
- intermediate ("*"):
- at least one other frame follows for the message; or,
- complete ("."):
- this frame completes the data for the message.
The serial number must be a non-negative integer (in the range 0..2147483647) and have a different value than all other outstanding request messages (regardless of channel number).
The sequence number must be a non-negative integer (in the range 0..4294967295) and specifies the sequence number of the first octet in the payload, for the associated channel.
The payload size must be a non-negative integer (in the range 0..2147483647) and specifies the exact number of octets in the payload. (This does not include the trailer.)
The status indicator (one of: decimal code 43, "+", or decimal code 45, "-"), specifies whether the request corresponding to this response was performed:
- positive ("+"):
- the request was performed and the response's data contains the corresponding the results; or,
- negative ("-"):
- the request could not be performed (either for transient or permanent reasons) and the response's data contains the corresponding error information.
There are several rules for identifying poorly-formed frames:
The final frame in a message has a continuation indicator of complete ("."), whilst all earlier frames (if any) have a continuation indicator of intermediate ("*"). Note that any of these frames may have an empty payload, e.g.,
S: RSP * 1 284 25 + S: S: ... S: ... S: ... S: END S: RSP . 1 309 0 + S: S: END
The data conveyed with a message is structured according to the rules of MIME. Accordingly, the header of the first frame for a message may include "entity-headers" (c.f., MIME[4]'s Section 3). If none, or only some, of the entity-headers are present:
Note that the "entity-headers" (and the empty line that follows) are part of the of the header, not the payload. Thus, they do not contribute to the size of the payload.
The frame trailer consists of "END" followed by a CRLF pair.
When receiving a frame, if the characters immediately following the payload don't correspond to a trailer, then the connection is closed without generating a response, and it is recommended that a diagnostic entry be logged.
The semantics of the payload of each frame is channel-specific. Accordingly, the profile associated with a channel must define:
Note that if a profile uses XML to structure its messages, then only XML's baseline facilities (as described in the XML 1.0 specification[3]) are allowed. Additional XML features (e.g., namespaces) are made available only by being referenced and allowed in a given profile's specification.
In particular this limitation allows use of only the five predefined general entities references ("&", "<", ">", "'", and """) and numeric entity references in the messages exchanged.
Finally, because the profile registration template defines the messages exchanged over a channel, the XML documents exchanged in each message needn't have either a "XML" declaration (e.g., <?xml version="1.0" ?>) or a "DOCTYPE" declaration (e.g., <!DOCTYPE ...>). Of course, all other XML 1.0 instructions (e.g., CDATA blocks, processing instructions, and so on) are allowed.
When a BXXP session starts, only channel number 0 is defined, which is used for channel management. BXXP Channel Management contains the profile registration for BXXP channel management.
When a BXXP peer wants to create a channel, it sends a "start" element as data on channel 0, e.g.,
I: REQ . 1 14 94 0 I: I: <start number='1'> I: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> I: </start> I: END
The "start" element has a "number" attribute, an optional "serverName" attribute, and one or more "profile" elements:
To avoid conflict in assigning channel numbers when requesting the creation of a channel, BXXP peers acting in the initiating role use only positive integers that are odd-numbered; similarly, BXXP peers acting in the listening role use only positive integers that are even-numbered.
The "serverName" attribute for the first successful "start" element received by a BXXP peer is memorable. (If the attribute isn't present or it's value is empty, then the sending BXXP peer is requesting a configuration-specific default value.) The BXXP peer decides whether to operate as the indicated "serverName"; if not, an "error" element is returned as data in a negative "RSP" message.
When a BXXP peer receives a "start" element as data on channel 0, it examines each of the proposed profiles, and decides whether to use one of them to create the channel. If so, the appropriate "profile" element is returned as data in a positive "RSP" message; otherwise, an "error" element is returned as data in a negative "RSP" message.
When creating the channel, the value of the "serverName" attribute from the first successful "start" element is consulted to provide configuration information, e.g., the desired server-side certificate when starting the TLS transport security profile.
For example, a successful channel creation might look like this:
I: REQ . 1 14 171 0 I: I: <start number='1'> I: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> I: <profile I: uri='http://xml.resource.org/profiles/sasl/ANONYMOUS' /> I: </start> I: END L: RSP . 1 284 61 + L: L: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> L: END
Similarly, an unsuccessful channel creation might look like this:
I: REQ . 1 14 94 0 I: I: <start number='2'> I: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> I: </start> I: END L: RSP . 1 284 89 - L: L: <error code='501'>number attribute L: in <start> element must be odd-valued</error> L: END
Finally, here's an example in which an initialization element is exchanged during channel creation:
C: REQ . 1 14 120 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/TLS'> C: <ready /> C: </profile> C: </start> C: END S: RSP . 1 84 83 + S: S: <profile uri='http://xml.resource.org/profiles/TLS'> S: <proceed /> S: </profile> S: END
When a BXXP session is established, each BXXP peer signifies its availability by immediately sending a positive "RSP" message with a serial number of zero that contains a "greeting" element, e.g.,
L: <wait for incoming connection> I: <open connection> L: RSP . 0 0 84 + L: L: <greeting> L: <profile uri='http://xml.resource.org/profiles/TLS' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END
Note that this example implies that the BXXP peer in the initiating role waits until the BXXP peer in the listening role sends its greeting this is an artifact of the presentation; in fact, both BXXP peers send their response messages independently.
The "greeting" element has two optional attributes ("features" and "localize") and zero or more "profile" elements, one for each profile supported by the BXXP peer acting in a server role:
At present, there are no optional features defined for the channel management profile.
Each token in the value of the "localize" attribute is defined according to [7]. If not present, the default is "i-default".
When a BXXP peer declines the creation of a channel, it returns an "error" element as data in a negative "RSP" message, e.g.,
I: REQ . 1 14 89 0 I: I: <start number='2'> I: <profile uri='http://xml.resource.org/profiles/FOO' /> I: </start> I: END L: RSP . 1 284 67 - L: L: <error code='550'>all requested profiles are L: unsupported</error> L: END
The "error" element has a "code" attribute, an optional "xml:lang" attribute, and an optional textual diagnostic as its content:
In addition, a BXXP peer returns an "error" element whenever:
When a BXXP session is established, each BXXP peer signifies its availability by immediately sending a positive "RSP" message with a serial number of zero that contains a "greeting" element, e.g.,
L: <wait for incoming connection> I: <open connection> L: RSP . 0 0 84 + L: L: <greeting> L: <profile uri='http://xml.resource.org/profiles/TLS' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END
which, for the BXXP peer acting in the listening role, indicates that it is available.
Alternatively, if the BXXP peer acting in the listening role is unavailable, it returns a negative response, e.g.,
L: <wait for incoming connection> I: <open connection> L: RSP . 0 0 22 - L: L: <error code='421' /> L: END I: <close connection> L: <close connection> L: <wait for next connection>
and the "greeting" element sent by the BXXP peer acting in the initiating role is ignored. It is recommended that a diagnostic entry be logged by both BXXP peers.
When a BXXP peer wants to release the BXXP session, it sends a "REQ" message on channel 0 with no data. The other BXXP peer may accept the request (by sending a positive "RSP" message), e.g.,
C: REQ . 1 14 0 0 C: C: END S: RSP . 1 284 0 + S: S: END C: <close connection> S: <close connection> L: <wait for next connection>
If the other BXXP peer sends a negative "RSP" message, then the connection should remain open, if possible.
Although the underlying transport service imposes flow control on a per-connection basis, if multiple channels are simultaneously in use on a connection, BXXP must provide a mechanism to avoid starvation and deadlock. To achieve this, BXXP re-introduces mechanisms used by the TCP: sequence numbers and window-based flow control. Briefly, each channel has a sliding window that indicates the number of payload octets that a peer may transmit before receiving further permission.
Every payload octet sent in each direction on a channel has an associated sequence number. Numbering of payload octets within a frame is such that the first payload octet is the lowest numbered, and the following payload octets are numbered consecutively.
The actual sequence number space is finite, though very large, ranging from 0..4294967295 (2**32 - 1). Since the space is finite, all arithmetic dealing with sequence numbers is performed modulo 2**32. This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 - 1 to 0 again.
When a channel is created, the sequence number associated with the first payload octet of the first frame is 0, and the initial window size for that channel is 4096 octets. After channel creation, a BXXP peer may update the window size by sending a "SEQ" message.
If a BXXP peer is requested to create a channel and it is unable to allocate at least 4096 octets for that channel, it must decline creation of the channel. Similarly, during establishment of the BXXP session, if the BXXP peer acting in the listening role is unable to allocate at least 4096 octets for channel 0, then it must return a negative response instead of a greeting.
Before a message is sent, the sending BXXP peer must ensure that the size of the payload is within the window advertised by the receiving BXXP peer. If not, it has three choices:
When a frame is received, the sum of its sequence number and payload size, modulo 4294967296 (2**32), gives the expected sequence number associated with the first payload octet of the next frame received. Accordingly, when receiving a frame if the sequence number isn't the expected value for this channel, then the BXXP peers have lost synchronization, then the connection is closed without generating a response, and it is recommended that a diagnostic entry be logged.
As an application accepts responsibility for incoming frames, its BXXP peer should send "SEQ" messages to advertise a new window.
The "SEQ" message has three parameters:
When a "SEQ" message is received, if any of the channel number, acknowledgement number, or window size cannot be determined or is invalid, then the connection is closed without generating a response, and it is recommended that a diagnostic entry be logged.
The key to successful use of flow control within BXXP is to balance performance and fairness:
Finally, implementations may wish to provide queue management facilities to the application using BXXP, e.g., channel priorities. In particular, implementations should not allow a given channel to monopolize the underlying transport window (e.g., slow readers should get small windows).
A BXXP peer acting in the client role may send multiple "REQ" messages for the same channel without waiting to receive the corresponding "RSP" messages. A BXXP peer acting in the server role must process all "REQ" messages for a given channel in the same order as they are received. As a consequence, that BXXP peer must generate the corresponding "RSP" messages in the same order as the "REQ" messages are received.
A BXXP peer acting in the client role may send multiple "REQ" messages for different channels without waiting to receive the corresponding "RSP" messages. A BXXP peer acting in the server role may process "REQ" messages received for different channels in parallel. As a consequence, although the "RSP" messages for a given channel are generating according to the order in which the corresponding "REQ" messages are received, there is no ordering constraint between "RSP" messages for different channels.
A BXXP peer acting in the server role may send a negative response to a request before it receives the final "REQ" frame of a request. If it does so, that BXXP peer is obliged to ignore any subsequent "REQ" frames for that request, up to and including the final "REQ" frame.
If a BXXP peer acting in the client role receives a negative "RSP" frame before it sends the final "REQ" frame for a request, then it is required to send a "REQ" frame with a continuation status of complete (".") and having a zero-length payload.
If the processing of a particular frame has sequencing impacts on other frames (either intra-channel or inter-channel), then the corresponding profile should define this behavior, e.g., a profile whose messages alter the underlying transport service.
BXXP is a peer-to-peer protocol as such both peers must be prepared to receive both "REQ" and "RSP" frames. Accordingly, an initiating BXXP peer capable of acting only in the client role must behave gracefully if it receives a "REQ" message. Accordingly, all profiles must provide an appropriate error message for responding to unwanted requests.
As a consequence of the peer-to-peer nature of BXXP, serial numbers are unidirectionally-significant. That is, the serial numbers in "REQ" messages sent by a BXXP peer acting in the initiating role are unrelated to the serial numbers in "REQ" messages sent by a BXXP peer acting in the listening role.
For example, these two frames
I: REQ . 1 14 94 0 I: I: <start number='1'> I: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> I: </start> I: END L: REQ . 1 284 89 0 L: L: <start number='2'> L: <profile uri='http://xml.resource.org/profiles/SEP' /> L: </start> L: END
have no fundamental relationship to each other.
When a BXXP session starts, plaintext transfer, without privacy, is provided. Accordingly, transport security in BXXP is achieved using an initial tuning profile.
This document defines one profile:
When a channel associated with transport security begins the underlying negotiation process, all channels (including channel 0), are closed on the BXXP session. Upon completion of the negotiation process, regardless of its outcome, a new greeting is issued by both BXXP peers.
A BXXP peer may choose to issue different greetings based on whether privacy is in use, e.g.,
L: <wait for incoming connection> I: <open connection> L: RSP . 0 0 84 + L: L: <greeting> L: <profile uri='http://xml.resource.org/profiles/TLS' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END I: REQ . 1 14 120 0 I: I: <start number='1'> I: <profile uri='http://xml.resource.org/profiles/TLS'> I: <ready /> I: </profile> I: </start> I: END L: RSP . 1 84 83 + L: L: <profile uri='http://xml.resource.org/profiles/TLS'> L: <proceed /> L: </profile> L: END ... successful transport security negotation ... L: RSP . 0 0 224 + L: L: <greeting> L: <profile L: uri='http://xml.resource.org/profiles/sasl/ANONYMOUS' /> L: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> L: <profile uri='http://xml.resource.org/profiles/SEP' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END
Of course, not all BXXP peers need be as single-minded:
L: <wait for incoming connection> I: <open connection> L: RSP . 0 0 284 + L: L: <greeting> L: <profile L: uri='http://xml.resource.org/profiles/sasl/ANONYMOUS' /> L: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> L: <profile uri='http://xml.resource.org/profiles/SEP' /> L: <profile uri='http://xml.resource.org/profiles/TLS' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END I: REQ . 1 14 120 0 I: I: <start number='1'> I: <profile uri='http://xml.resource.org/profiles/TLS'> I: <ready /> I: </profile> I: </start> I: END L: RSP . 1 284 83 + L: L: <profile uri='http://xml.resource.org/profiles/TLS'> L: <proceed /> L: </profile> L: END ... failed transport security negotation ... L: RSP . 0 0 284 + L: L: <greeting> L: <profile L: uri='http://xml.resource.org/profiles/sasl/ANONYMOUS' /> L: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> L: <profile uri='http://xml.resource.org/profiles/SEP' /> L: <profile uri='http://xml.resource.org/profiles/TLS' /> L: </greeting> L: END I: RSP . 0 0 14 + I: I: <greeting /> I: END
TLS Transport Security Profile Registration contains the registration for this profile.
The TLS transport security profile is identified as:
http://xml.resource.org/profiles/TLS
in the BXXP "profile" element during channel creation.
During channel creation, the corresponding "profile" element in the BXXP "start" element may contain a "ready" element. If channel creation is successful, then before sending the corresponding "RSP" message, the BXXP peer processes the "ready" element and includes the resulting response in the "RSP" message, e.g.,
C: REQ . 1 14 120 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/TLS'> C: <ready /> C: </profile> C: </start> C: END S: RSP . 1 84 83 + S: S: <profile uri='http://xml.resource.org/profiles/TLS'> S: <proceed /> S: </profile> S: END
Note that it is possible for the channel to be created, but for the encapsulated operation to fail, e.g.,
C: REQ . 1 14 135 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/TLS'> C: <ready version="oops" /> C: </profile> C: </start> C: END S: RSP . 1 84 156 + S: S: <profile uri='http://xml.resource.org/profiles/TLS'> S: <error code='501'>version attribute S: poorly formed in <ready> element</error> S: </profile> S: END
In this case, a positive "RSP" message is returned (as channel creation succeeded), but the encapsulated response contains an indication as to why the operation failed.
TLS Transport Security Profile DTD defines the messages that are used in the TLS transport security profile:
The "ready" element has an optional "version" attribute and no content:
When a BXXP peer sends the "ready" element, it no longer sends any traffic on any channel until a corresponding "RSP" message is received; similarly, before processing a "ready" element, the receiving BXXP peer waits until any pending "RSP" messages have been generated and sent.
The "proceed" element has no attributes and no content. It is sent in response to the "ready" element. When a BXXP peer receives the "ready" element, it begins the underlying negotiation process for transport security.
When a BXXP session starts, anonymous access, without trace information, is provided. Accordingly, user authentication in BXXP is achieved using an initial tuning profile.
This document defines a family of profiles based on SASL mechanisms:
Whenever a successful authentication occurs, on any channel, the authenticated identity is updated for all existing and future channels on the BXXP session; further, no additional attempts at authentication are allowed.
Note that regardless of transport security and user authentication, authorization is an internal matter for each BXXP peer. As such, each peer may choose to restrict the operations it allows based on the authentication credentials provided (i.e., unauthorized operations are rejected with error code 530).
SASL Family of Profiles Registration contains the registration for this profile.
Note that SASL may provide both user authentication and transport security. Once transport security is successfully negotiated for a BXXP session, then a SASL security layer may not be negotiated; similarly, once any SASL negotiation is successful, a transport security profile may not be started or otherwise used.
Section 4 of the SASL specification[6] requires the following information be supplied by a protocol definition:
- service name:
- "bxxp" will be registered with the IANA as a GSSAPI service name when this draft is published as an RFC.
- initiation sequence:
- Creating a channel using a BXXP profile corresponding to a SASL mechanism starts the exchange. An optional parameter corresponding to the "initial response" sent by the client is carried within a "blob" element during channel creation.
- exchange sequence:
- "Challenges" and "responses" are carried in the "blob" element during data exchange. The "status" attribute of the "blob" element is used both by a server indicating a successful completion of the exchange, and a client aborting the exchange, The server indicates failure of the exchange by sending an "error" element.
- security layer negotiation:
- Prior to beginning the negotiation of a security layer, any pending "RSP" messages are generated and sent; further, once negotiation begins, no traffic is sent on any other channels until the negotiation completes.
If a security layer is successfully negotiated, it takes effect immediately following the message that concludes the server's successful completion reply. When a security layer takes effect, all channels (including channel 0), are closed on the BXXP session, and a new greeting is issued by both BXXP peers.- use of the authorization identity:
- This is made available to all channels for the duration of the BXXP session.
Each SASL mechanism registered with the IANA is identified as:
http://xml.resource.org/profiles/sasl/MECHANISM
where "MECHANISM" is the token assigned to that mechanism by the IANA.
Note that during channel creation, a BXXP peer may provide multiple profiles to the remote peer, e.g.,
C: REQ . 1 14 171 0 C: C: <start number='1'> C: <profile C: uri='http://xml.resource.org/profiles/sasl/ANONYMOUS' /> C: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> C: </start> C: END S: RSP . 1 284 61 + S: S: <profile uri='http://xml.resource.org/profiles/sasl/OTP' /> S: END
During channel creation, the corresponding "profile" element in the BXXP "start" element may provide data in a "blob" element. Note that it is possible for the channel to be created, but for the encapsulated operation to fail, e.g.,
C: REQ . 1 14 145 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/sasl/OTP'> C: <blob>AGJsb2NrbWFzdGVy</blob> C: </profile> C: </start> C: END S: RSP . 1 284 140 + S: S: <profile uri='http://xml.resource.org/profiles/sasl/OTP'> S: <error code='534'>authentication mechanism is S: too weak</error> S: </profile> S: END
In this case, a positive "RSP" message is returned (as channel creation succeeded), but the encapsulated response contains an indication as to why the operation failed.
Otherwise, the server returns a challenge (or signifies success), e.g.,
C: REQ . 1 14 145 0 C: C: <start number='1'> C: <profile uri='http://xml.resource.org/profiles/sasl/OTP'> C: <blob>AGJsb2NrbWFzdGVy</blob> C: </profile> C: </start> C: END S: RSP . 1 284 144 + S: S: <profile uri='http://xml.resource.org/profiles/sasl/OTP'> S: <blob>b3RwLXNoYTEgOTk5NyBwaXh5bWlzYXM4NTgwNSBleHQ=</blob> S: </profile> S: END
If a challenge is received, then the client responds and awaits a reply, e.g.,
C: REQ . 2 159 67 1 C: C: <blob>d29yZDpmZXJuIGhhbmcgYnJvdyBib25nIGhlcmQgdG9n</blob> C: END S: RSP . 2 428 13 + S: S: <blob status='complete' /> S: END
Of course, the client could abort the authentication process by sending "<blob status='abort' />" instead.
Alternatively, the server might reject the response with an error: e.g.,
C: REQ . 2 159 67 1 C: C: <blob>d29yZDpmZXJuIGhhbmcgYnJvdyBib25nIGhlcmQgdG9n</blob> C: END S: RSP . 2 428 22 - S: S: <error code='535' /> S: END
Finally, depending on the SASL mechanism, an initialization element may be exchanged unidirectionally during channel creation, e.g.,
C: REQ . 1 14 107 0 C: C: <start number='1'> C: <profile C: uri='http://xml.resource.org/profiles/sasl/CRAM-MD5' /> C: </start> C: END S: RSP . 1 284 148 + S: S: <profile uri='http://xml.resource.org/profiles/sasl/CRAM-MD5'> S: <blob>PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+ </blob> S: </profile> S: END
Note that this example implies that the "blob" element in the server's reply appears on two lines this is an artifact of the presentation; in fact, only one line is used.
SASL Family of Profiles DTD defines the messages that are used for each profile in the SASL family:
The "blob" element has an optional "status" attribute, and arbitrary octets as its content:
- abort:
- used by a client to indicate that it is aborting the authentication process;
- complete:
- used by a server to indicate that the exchange is complete and succesful; or,
- continue:
- used by either a client or server, otherwise.
Finally, note that SASL's EXTERNAL mechanism works with an "external authentication" service, which is provided by one of:
When a profile is registered, the following information is supplied:
Note that "datatype" refers to any MIME media type, whilst "element" refers to any well-formed XML document.
- Profile Identification:
- specify a URI[8] that authoritatively identifies this profile.
- Elements Exchanged during Channel Creation:
- specify the elements that may be exchanged during channel creation (note that if the profile doesn't exchange XML elements, then initialization information may not be exchanged during channel creation).
- Messages in "REQ" frames:
- specify the datatypes that may be present in a request.
- Messages in positive "RSP" frames:
- specify the datatypes that may be present in a positive response.
- Messages in negative "RSP" frames:
- specify the datatypes that may be present in negative response.
- Message Syntax:
- specify the syntax of the datatypes exchanged by the profile.
- Message Semantics:
- specify the semantics of the datatypes exchanged by the profile.
- Profile Identification:
- not applicable
- Elements Exchanged during Channel Creation:
- not applicable
- Messages in "REQ" frames:
- "start"
- Messages in positive "RSP" frames:
- "greeting" or "profile"
- Messages in negative "RSP" frames:
- "error"
- Message Syntax:
- c.f., BXXP Channel Management DTD
- Message Semantics:
- c.f., Message Semantics
<!-- DTD for BXXP Channel Management, as of 2000-04-04 Copyright 1999, 2000 Invisible Worlds, Inc. This document is a DTD and is in full conformance with all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted. Refer to this DTD as: <!ENTITY % BXXP PUBLIC "-//Blocks//DTD BXXP//EN" "http://xml.resource.org/profiles/BXXP/bxxp.dtd"> %BXXP; --> <!-- DTD data types: entity syntax/reference example ====== ================ ======= a channel number PINT8 1..255 1 authoritative profile identification URI c.f., [RFC-2396] http://invisible.net/ one or more feature tokens, seperated by space FTRS NMTOKENS "magic" a language tag LANG c.f., [RFC-1766] "en", "en-US", etc. a 3-digit reply code XYZ [1-5][1-9][1-9] 500 --> <!ENTITY % PINT8 "CDATA"> <!ENTITY % DTD "CDATA"> <!ENTITY % FTRS "NMTOKENS"> <!ENTITY % LOCS "NMTOKENS"> <!ENTITY % XYZ "CDATA"> <!-- BXXP messages role REQ RSP ======= === === I and L +: greeting I or L start +: profile -: error --> <!ELEMENT greeting (profile)*> <!ATTLIST greeting features %FTRS; #IMPLIED localize %LOCS; "i-default"> <!ELEMENT start (profile)+> <!ATTLIST start number %PINT8; #REQUIRED serverName CDATA #IMPLIED> <!ELEMENT profile ANY> <!ATTLIST profile uri %URI; #REQUIRED> <!ELEMENT error (#PCDATA)*> <!ATTLIST error code %XYZ; #REQUIRED xml:lang %LANG; #IMPLIED>
- Profile Identification:
- http://xml.resource.org/profiles/TLS
- Elements Exchanged during Channel Creation:
- "ready"
- Messages in "REQ" frames:
- "ready"
- Messages in positive "RSP" frames:
- "proceed"
- Messages in negative "RSP" frames:
- "error"
- Message Syntax:
- c.f., TLS Transport Security Profile DTD
- Message Semantics:
- c.f., Message Semantics
<!-- DTD for the TLS Transport Security Profile, as of 2000-03-03 Copyright 1999, 2000 Invisible Worlds, Inc. This document is a DTD and is in full conformance with all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted. Refer to this DTD as: <!ENTITY % TLS PUBLIC "-//Blocks//DTD TLS//EN" "http://xml.resource.org/profiles/TLS/tls.dtd"> %TLS; --> <!-- TLS messages role REQ RSP ====== === === I or L ready +: proceed -: error --> <!ELEMENT ready EMPTY> <!ATTLIST ready version CDATA "1"> <!ELEMENT proceed EMPTY>
- Profile Identification:
- http://xml.resource.org/profiles/sasl/MECHANISM, where "MECHANISM" is a token registered with the IANA
- Elements Exchanged during Channel Creation:
- "blob"
- Messages in "REQ" frames:
- "blob"
- Messages in positive "RSP" frames:
- "blob"
- Messages in negative "RSP" frames:
- "error"
- Message Syntax:
- c.f., SASL Family of Profiles DTD
- Message Semantics:
- c.f., Message Semantics
<!-- DTD for the SASL Family of Profiles, as of 2000-04-04 Copyright 1999, 2000 Invisible Worlds, Inc. This document is a DTD and is in full conformance with all provisions of Section 10 of RFC2026 except that the right to produce derivative works is not granted. Refer to this DTD as: <!ENTITY % SASL PUBLIC "-//Blocks//DTD SASL//EN" "http://xml.resource.org/profiles/sasl/sasl.dtd"> %SASL; --> <!-- SASL messages role REQ RSP ====== === === I or L blob +: blob -: error --> <!ELEMENT blob (#PCDATA)*> <!ATTLIST blob xml:space (default|preserve) "preserve" status (abort|complete|continue) "continue">
code meaning ==== ======= 421 service not available 450 requested action not taken (e.g., lock already in use) 451 requested action aborted (e.g., local error in processing) 454 temporary authentication failure 500 general syntax error (e.g., poorly-formed XML) 501 syntax error in parameters (e.g., non-valid XML) 504 parameter not implemented 530 authentication required 534 authentication mechanism insufficient (e.g., too weak, sequence exhausted, etc.) 535 authentication failure 537 action not authorized for user 538 authentication mechanism requires encryption 550 requested action not taken (e.g., no requested profiles are acceptable) 553 parameter invalid (e.g., invalid prevno for release operation) 554 transaction failed (e.g., policy violation)
The BXXP framing mechanism, per se, provides no protection against attack; however, judicious use of initial tuning profiles provides varying degrees of assurance:
The IANA maintains a list of:
In addition, prior to publication of this draft as an RFC, the IANA will be asked to register "bxxp" as a GSSAPI service name.
Marshall T. Rose | |
Invisible Worlds, Inc. | |
1179 North McDowell Boulevard | |
Petaluma, CA 94954-6559 | |
US | |
Phone: | +1 707 789 3700 |
EMail: | mrose@invisible.net |
URI: | http://invisible.net/ |
The author gratefully acknowledges the contributions of: David Clark, Dave Crocker, Steve Deering, Marco Gazzetta, Danny Goodman, Robert Herriot, Ben Laurie, Carl Malamud, Michael Mealling, Paul Mockapetris, RL 'Bob' Morgan, Frank Morton, Darren New, Chris Newman, Craig Partridge, Paul Vixie, and Daniel Woods. In particular, Dave Crocker provided helpful suggestions on the nature of flow control and segmentation in the framing protocol.
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Invisible Worlds expressly disclaims any and all warranties regarding this contribution including any warranty that (a) this contribution does not violate the rights of others, (b) the owners, if any, of other rights in this contribution have been informed of the rights and permissions granted to IETF herein, and (c) any required authorizations from such owners have been obtained. This document and the information contained herein is provided on an "AS IS" basis and INVISIBLE WORLDS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OFTHE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT WILL INVISIBLE WORLDS BE LIABLE TO ANY OTHER PARTY INCLUDING THE IETF AND ITS MEMBERS FOR THE COST OF PROCURING SUBSTITUTE GOODS OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS DOCUMENT, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.
Funding for the RFC editor function is currently provided by the Internet Society.
|
||||