Next go around on 931
Mike StJohns <stjohns@umd5.umd.edu> Wed, 08 April 1992 14:15 UTC
Received: from nri.nri.reston.va.us by ietf.NRI.Reston.VA.US id aa01082; 8 Apr 92 10:15 EDT
Received: from nri.reston.va.us by NRI.Reston.VA.US id aa12108; 8 Apr 92 10:18 EDT
Received: from nri.reston.va.us by NRI.Reston.VA.US id aa12101; 8 Apr 92 10:18 EDT
Received: from umd5.umd.edu by NRI.Reston.VA.US id aa12096; 8 Apr 92 10:18 EDT
Received: by umd5.umd.edu id <AA09713@umd5.umd.edu>; Wed, 8 Apr 92 10:19:36 -0400
Message-Id: <9204081419.AA09713@umd5.umd.edu>
To: ident@nri.reston.va.us
Subject: Next go around on 931
Date: Wed, 08 Apr 1992 10:19:33 -0400
From: Mike StJohns <stjohns@umd5.umd.edu>
X-Mts: smtp
Here's the next version. Open issues include user id character sets, the relationship of the opsys field to the user id, some of the wording in the security considerations section. Mike Network Working Group Mike StJohns Request for Comments: DOD Supersedes: RFC912, RFC931 April 1992 Identification Server STATUS OF THIS MEMO INTRODUCTION The Identification Server Protocol provides a means to determine the identity of a user of a particular TCP connection. Given a TCP port number pair, it returns a character string which identifies the owner of that connection on the server's system. The Identification Server Protocol was formerly called the Authentication Server Protocol. It has been renamed to better reflect its function. OVERVIEW This is a connection based application on TCP. A server listens for TCP connections on TCP port 113 (decimal). Once a connection is established, the server reads one line of data which specifies the connection of interest. If it exists, the system dependent user identifier of the connection of interest is sent out the connection. The service closes the connection after sending the user identifier. RESTRICTIONS Queries are permitted only for fully specified connections. The query contains the local/foreign port pair -- the local/foreign address pair used to fully specify the connection is taken from the local and foreign address of query connection. This means a user on address A may only query the server on address B about connections between A and B. QUERY/RESPONSE FORMAT The server accepts simple text query requests of the form <local-port> , <foreign-port> where <local-port> is the TCP port (decimal) on the target (where the "ident" server is running) system, and <foreign-port> is the TCP port (decimal) on the source (client) system. N.B - "local" and "foreign" are relative. If there is a TCP connection from host A to host B, <local-port> on host A equals <foreign-port> on host B and <foreign-port> on host A equals <local-port> on host B. If a client on host A wants to ask a server on host B about a connection specified locally as 23, 6191 (an inbound TELNET connection), the client must actually ask about 6191, 23 - which is how the connection would be specified on host B. For example: 6191, 23 The response is of the form <local-port> , <foreign-port> : <response-type> : <additional-info> where <local-port>,<foreign-port> are the same pair as the query, <response-type> is a keyword identifying the type of response, and <additional info> is context dependent. The information returned is that associated with the fully specified TCP connection identified by <local-host>, <foreign-host>, <local-port>, <foreign-port>, where <local-host> and <foreign-host> are the local and foreign IP addresses of the querying connection -- i.e. the TCP connection to the Identity Protocol Server. (<local-port> and <foreign-port> are taken from the query.) For example: 6193, 23 : USERID : UNIX : stjohns 6195, 23 : ERROR : NO-USER RESPONSE TYPES A response can be one of two types: USERID In this case, <additional-info> is a string consisting of an operating system name, followed by a ":", followed by user identification string in a format peculiar to the system running the ident server. N.B. This is a change from the RFC931 specification. The user identification string returned by this protocol, its syntax, and relative meaning may vary from implementation to implementation and from host to host. [[[ I *don't* like this - I think its a mistake. Dan claims "current practice" so I put it in - but it will probably come back out again unless I hear reasons to the contrary]]] Permitted operating system names are specified in RFC-1060, "Assigned Numbers" or its successors. The only other name permitted is "OTHER" to specify any operating system not yet registered with the IANA (Internet Assigned Numbers Authority). "OTHER" should also be used to represent unregistered operating system types. It MAY optionally be used in place of a registered OS to hide such information. ERROR For some reason the owner of <TCP-port> could not be determined, <additional-info> tells why. The following are the permitted values of <additional-info> and their meanings: INVALID-PORT Either the local or foreign port was improperly specified. This should be returned if either or both of the port ids were out of range (TCP port #s are from 1-65535), negative integers, reals or in any fashion not recognized as a non-negative integer. NO-USER The connection specified by the port pair is not currently in use or currently not owned by an identifiable entity. UNKNOWN-ERROR Can't determine connection owner; reason unknown. Any error not covered above should return this error code value. Optionally, this code MAY be returned in lieu of "NO-USER" or "INVALID-PORT" to hide such information. If a server implements such a feature, it MUST be configurable and it MUST default to returning the proper error message. Other values may eventually be specified and defined in future revisions to this document. If an implementer has a need to specify a non-standard error code, that code must begin with "X-". In addition, the server is allowed to drop the query connection without responding. Any close, whether graceful or an abort should be considered to have the same meaning as "ERROR : UNKNOWN-ERROR". [[[Again - Dan claims current practice - I think its a mistake. If you blow up on query, you should tell the asker why, if only to keep him from asking again. In absence of a negative answer, how do you know when to stop asking? Closing the connection feels too much like laziness. Also, what happens if you close the connection halfway through the userid or maybe even half way through the OPSYS?]]] FORMAL SYNTAX <request> ::= <port-pair> <CR> <LF> <port-pair> ::= <integer> "," <integer> <reply> ::= <reply-text> <CR> <LF> <reply-text> ::= <error-reply> | <auth-reply> <error-reply> ::= <port-pair> ":" "ERROR" ":" <error-type> <auth-reply> ::= <port-pair> ":" "USERID" ":" <opsys> ":" <user-id> <error-type> ::= "INVALID-PORT" | "NO-USER" | "UNKNOWN-ERROR" / | <error-token> <opsys> ::= "OTHER" | "MULTICS" | "UNIX" | <token> ...etc. (See "Assigned Numbers") <user-id> ::= <octet-string> <token> ::= 1*64<token-characters> ; 1-64 characters <error-token> ::= "X"<token> <integer> ::= 1*5<digit> ; 1-5 digits. <digit> ::= "0" | "1" ... "8" | "9" ; 0-9 <token-characters> ::= <Any of these ASCII characters: a-z, A-Z, / - (dash), .!@#$%^&*()_=+.,<>/?"'~`{}[];\| > ; upper and lowercase a-z plus printables minus ; the colon ":" character. <octet-string> ::= 1*512<octet-characters> <octet-characters> ::= <any octet from 0 to '377 (octal) except for / ASCII NUL, CR and LF> [[[The subject of character sets is still an open one - at least in the userid string. Does anyone have objections to restricting everything except the userid to the NET-ASCII character set? I've changed userid from a token to octet string pending the closing of the character set issue.]]] Notes on Syntax: 1) White space (blanks and tab characters) between tokens is not important and may be ignored. White space may occur anywhere, except within a token -- specifically, any amount of white space is permitted at the beginning or end of a line both for queries and responses. Note that this does not apply for responses that contain a user ID -- everything after the colon after the operating system type until the terminating CR/LF is taken as part of the user ID. The terminating CR/LF is NOT considered part of the user ID. 2) Note that neither whitespace nor the ":" character may appear within a token. If there is a need to represent a colon or whitespace within a token, continguous whitespace within the value to be represented as a token should be replaced by a single dash (ASCII ?), and the ":" (colon) character should be replaced by ".." (period period - a colon on its side). 3) For purposes of comparison for all fields, uppercase is distinct from lower case. I.e. "Error" and "ERROR" are not the same value. 4) Any additional <error-type>s must also be <token>s. 5) The 512 character limit on user IDs and the 64 character limit on tokens should be understood to mean as follows: a) No new token (i.e. OPSYS or ERROR-TYPE) token will be defined that has a length greater than 64 and b) a server SHOULD NOT send more than 512 octets of user ID and a client MUST accept at least 512 octets of user ID. Because of this limitation, a server MUST return the most significant portion of the user ID in the first 512 octets. Notes on User Identifier: The user identifier returned by the server should be the standard one for the system. Usually, but not always, this has the same value and format as a users mailing address. Security Considerations: The information returned by this protocol is at most as trustworthy as the host providing it OR the organization operating the host. For example, a PC in an open lab has few if any controls on it to prevent a user from having this protocol return any identifier the user wants. Likewise, if the host has been compromised the information returned may be completely erroneous and misleading. The Identity Protocol is not a security protocol. At best it provides some additional auditing information with respect to TCP connections. At worse it can provide misleading, incorrect or maliciously incorrect information. UNDER NO CIRCUMSTANCES should information returned from an Identity Protocol server be used to make access control decisions - either as the primary method (i.e no other checks) or as an adjunct to other methods. A server for this protocol provides information roughly as revealing as that returned by the "finger" server and protocol. If you wouldn't run a "finger" server due to privacy considerations you may not want to run this protocol. ACKNOWLEDGEMENTS: Acknowledgement is given to Dan Bernstein who is primarily responsible for renewing interest in this protocol and for pointing out some annoying errors in RFC931.
- Next go around on 931 Mike StJohns
- Re: Next go around on 931 Peter Eriksson