[DNSOP] a new draft?? Bounding of authentication and authorization
"Hosnieh Rafiee" <ietf@rozanak.com> Sun, 29 November 2015 22:52 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C7E91B3775; Sun, 29 Nov 2015 14:52:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.215
X-Spam-Level:
X-Spam-Status: No, score=0.215 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lgnj8prXUkSk; Sun, 29 Nov 2015 14:52:16 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA0D01B3772; Sun, 29 Nov 2015 14:52:12 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id EB41425CA0C5; Sun, 29 Nov 2015 22:52:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VpuGYYBQAkK; Sun, 29 Nov 2015 23:51:38 +0100 (CET)
Received: from kopoli (p200300864F79670B18AC49435F038AE1.dip0.t-ipconnect.de [IPv6:2003:86:4f79:670b:18ac:4943:5f03:8ae1]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 1637425CA074; Sun, 29 Nov 2015 23:51:38 +0100 (CET)
From: Hosnieh Rafiee <ietf@rozanak.com>
To: dane@ietf.org
Date: Sun, 29 Nov 2015 23:51:32 +0100
Message-ID: <002301d12af8$7ea0d2e0$7be278a0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdEq+Hnm/LWOYFmVSraYug69QoUG3w==
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/DX6Ak5P4GkuKJVT7oUo-6egskfc>
Cc: DNSOP@ietf.org
Subject: [DNSOP] a new draft?? Bounding of authentication and authorization
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 22:52:18 -0000
Dear All, Before writing a draft (since I have had some unused drafts so far and ... do not want to repeat the same mistake...), I would like to know the opinion of WG on the overview of an idea for the extension of DANE so that it can be used for other use cases beyond Email and web, especially for certificates based authentication (known as TLS based authentication) of single devices in the network where we have DANE as a complete option in place of PKI model and the first A of AAA model. In other word, the extension focuses on not only giving the TLSA record back to the verifier node but also the references of policy templates in resource policy storage. Let me give you an example to be clearer ( I did not use the real example so that it can be simpler to avoid the use of network related concept) In Alice's enterprise, instead of AAA method, we assume that it is TLS based authentication where authentication is based on the devices' certificates and not the username and password. Therefore, DANE is in use as a way to authenticate the Alice's laptop. Alice need to access business server C and B in her enterprise network after her laptop is being authenticated. For authentication, Alice can herself generates a public/private key and self-sign it. then it goes to the administrator of her enterprise network called Bob to generate the TLSA record of her certificate and store it in the DNS server so that later on business server C can verify Alice by query the DNS server. Further, Bob also creates two new templates in resource policy server and call them template AliceB and AliceC. Then in AliceB it includes the authorization access to business server B and in AliceC it defines Business server C. To provide the binding of the Alice template with the authentication information (certificates), Bob stores the template reference number of Alice policy in a new resource record so called Parent policy Indices (PP RR) on DNS server (This is the extension to DNS to bound the authentication and authorization). Now, Alice tries to access business server C, the business server C asks the certificates of Alice to establish a secure TLS channel. Alice's laptop submits its certificates to business server C. Business server C needs to verify this certificates, it queries the DNS server and asks for TLSA record of Alice. DNS server checks Alice's laptop FQDN that includes in the query of Business server C and retrieves Alice's laptop TLSA record. Further it needs to retrieve the authorization information of Alice's laptop. The extension is that business server C also retrieves the reference numbers that Bob stored it before in PP RR from DNS server along with TLSA record. Then it can query the resource policy storage based on this reference number that is the reference to the Alice template in resource policy and retrieves the ALiCE's authorization information to make sure Alice is authorized to use business server C. With this simple resource record, we added this bounding of authentication and authorization. There might be some questions here such as: 1- Why not to store the whole authorization information on DNS server instead of only storing the reference number Answer: because at the moment in most network infrastructure, there are already resource policy servers that stored the authorization information and it is so costly to restore them all again in a new place otherwise there is easy way of conversion. Further, since DNS is usually publicly available to its local network or global network, therefore, for security reason, not all nodes should be able to know the content of the authorization information. It might leak some critical information about the infrastructure and resources in the network which might be both security and privacy issue. This is why, only reference number and a small readable human text is enough for that. 2- Why not to store the TLSA record also in the resource policy so that the business server C (as in my example) query the resource policy based on the TLSA record. By doing that, we limit the DANE use case and it can no longer be used for some other use cases that we have in our mind for multi-tenancy where each tenants can create subdomain on its own zone and re-assign these policies to its sub-domain. This is because a resource policy usually cannot be shared with the tenant but DNS power allows a tenant to only access its own zone and update its own resources. Therefore, this tenant can also create a sub domain on its own zone and assign a part of its resources to third parties. In my example, Alice can allow David, her employee to access business server B but not business server C by updating DNS server with the TLSA record of David's laptop's certificate and in PP RR adding the template of business server B (AliceB). Therefore, Alice, without the need to ask Bob again, could authorize someone else to only access a part of its authorized resources in the network. The concept can be to some extend similar to OAuth, but the difference is that we want also to reduce CapEx in the network by eliminating the use of PKI infrastructure and any other extra servers or services and the idea is to use the existing resources that is supported by almost all networks for both authentication and authorization purposes. As I said the use case is for network infrastructure but it might have several other use cases that might come to your mind according to my simple example. It would be good to hear some other use cases and ideas. Therefore, the proposed extension is this PP record and the processes of this new resource record so that, TLSA and PP are able to be updated via the DDNS but only by authorized owner, further, PP RR is also given to the verifier node when a node query the TLSA record in case for instance, it sets a flag. I would love to hear your opinion about this and if you think this worth to write it as a draft , I would appreciate any volunteers for that. Thank you, Best, Hosnieh
- [DNSOP] a new draft?? Bounding of authentication … Hosnieh Rafiee