Network Working Group S. Hollenbeck Internet-Draft VeriSign, Inc. Obsoletes: 3734 (if approved) September 6, 2005 Expires: March 10, 2006 Extensible Provisioning Protocol (EPP) Transport Over TCP draft-hollenbeck-epp-rfc3734bis-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 10, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document describes an Extensible Provisioning Protocol (EPP) extension mapping for the provisioning and management of Service Lookup System (SLS) data stored in a shared central repository. Specified in XML, the mapping defines EPP command syntax and semantics as applied to . Hollenbeck Expires March 10, 2006 [Page 1]
Internet-Draft EPP TCP Transport September 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 2. Session Management . . . . . . . . . . . . . . . . . . . . . . 3 3. Message Exchange . . . . . . . . . . . . . . . . . . . . . . . 4 4. Data Unit Format . . . . . . . . . . . . . . . . . . . . . . . 5 5. Transport Considerations . . . . . . . . . . . . . . . . . . . 6 6. Internationalization Considerations . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . . 9 Appendix A. Changes from RFC 3734 . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 Intellectual Property and Copyright Statements . . . . . . . . . . 11 Hollenbeck Expires March 10, 2006 [Page 2]
Internet-Draft EPP TCP Transport September 2005 1. Introduction This document describes how the Extensible Provisioning Protocol (EPP) is mapped onto a single client-server TCP connection. Security services beyond those defined in EPP are provided by the Transport Layer Security (TLS) Protocol [RFC2246]. EPP is described in [I-D.hollenbeck-epp-rfc3730bis]. TCP is described in [RFC0793]. If approved, this document will obsolete RFC 3734 [RFC3734]. 1.1. Conventions Used In This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Session Management Mapping EPP session management facilities onto the TCP service is straight forward. An EPP session first requires creation of a TCP connection between two peers, one that initiates the connection request and one that responds to the connection request. The initiating peer is called the "client", and the responding peer is called the "server". An EPP server MUST listen for TCP connection requests on a standard TCP port assigned by IANA. The client MUST issue an active OPEN call, specifying the TCP port number on which the server is listening for EPP connection attempts. The server MUST respond with a passive OPEN call, which the client MUST acknowledge to establish the connection. The EPP server MUST return an EPP <greeting> to the client after the TCP session has been established. An EPP session is normally ended by the client issuing an EPP <logout> command. A server receiving an EPP <logout> command MUST end the EPP session and close the TCP connection through an active CLOSE call. The client MUST respond with a passive CLOSE call. A client MAY end an EPP session by issuing an active CLOSE call. A server SHOULD respond with a passive CLOSE call. A server MAY limit the life span of an established TCP connection. EPP sessions that are inactive for more than a server-defined period MAY be ended by a server issuing an active CLOSE call. A server MAY also close TCP connections that have been open and active for longer than a server-defined period. Peers SHOULD respond to an active CLOSE call with a passive CLOSE Hollenbeck Expires March 10, 2006 [Page 3]
Internet-Draft EPP TCP Transport September 2005 call. The closing peer MAY issue an ABORT call if the responding peer does not respond to the active CLOSE call. 3. Message Exchange With the exception of the EPP server greeting, EPP messages are initiated by the EPP client in the form of EPP commands. An EPP server MUST return an EPP response to an EPP command on the same TCP connection that carried the command. If the TCP connection is closed after a server receives and successfully processes a command but before the response can be returned to the client, the server MAY attempt to undo the effects of the command to ensure a consistent state between the client and the server. EPP commands are idempotent, so processing a command more than once produces the same net effect on the repository as successfully processing the command once. An EPP client streams EPP commands to an EPP server on an established TCP connection. A client MAY but SHOULD NOT establish multiple TCP connections to create multiple command exchange channels. A server SHOULD limit a client to a maximum number of TCP connections based on server capabilities and operational load. EPP describes client-server interaction as a command-response exchange where the client sends one command to the server and the server returns one response to the client. A client might be able to realize a slight performance gain by pipelining (sending more than one command before a response for the first command is received) commands with TCP transport, but this feature does not change the basic single command, single response operating mode of the core protocol. The amount of data that can be outstanding is limited to the current TCP window size. Each EPP data unit MUST contain a single EPP message. Commands MUST be processed independently and in the same order as sent from the client. A server SHOULD impose a limit on the amount of time required for a client to issue a well-formed EPP command. A server SHOULD end an EPP session and close an open TCP connection if a well-formed command is not received within the time limit. A general state machine for an EPP server is described in section 2 of [RFC3730]. General client-server message exchange using TCP transport is illustrated in Figure 1. Hollenbeck Expires March 10, 2006 [Page 4]
Internet-Draft EPP TCP Transport September 2005 Client Server | | | Connect | | >>------------------------------->> | | | | Send Greeting | | <<-------------------------------<< | | | | Send <login> | | >>------------------------------->> | | | | Send Response | | <<-------------------------------<< | | | | Send Command | | >>------------------------------->> | | | | Send Response | | <<-------------------------------<< | | | | Send Command X | | >>------------------------------->> | | | | Send Command Y | | >>---------------+ | | | | | | | | Send Response X | | <<---------------(---------------<< | | | | | | | | +--------------->> | | | | Send Response Y | | <<-------------------------------<< | | | | Send <logout> | | >>------------------------------->> | | | | Send Response & Disconnect | | <<-------------------------------<< | | | Figure 1: TCP Client-Server Message Exchange 4. Data Unit Format Hollenbeck Expires March 10, 2006 [Page 5]
Internet-Draft EPP TCP Transport September 2005 The data field of the TCP header MUST contain an EPP data unit. The EPP data unit contains two fields: a 32-bit header that describes the total length of the data unit, and the EPP XML instance. EPP Data Unit Format (one tick mark represents one bit position): 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | EPP XML Instance | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+//-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Total Length (32 bits): The total length of the EPP data unit measured in octets in network (big endian) byte order. The octets contained in this field MUST be included in the total length calculation. EPP XML Instance (variable length): The EPP XML instance carried in the data unit. 5. Transport Considerations Section 2.1 of the EPP core protocol specification [RFC3730] describes considerations to be addressed by protocol transport mappings. This mapping addresses each of the considerations using a combination of features described in this document and features provided by TCP as follows: - TCP includes features to provide reliability, flow control, ordered delivery, and congestion control. Section 1.5 of RFC 793 [RFC793] describes these features in detail; congestion control principles are described further in RFC 2581 [RFC2581] and RFC 2914 [RFC2914]. TCP is a connection-oriented protocol, and Section 2 of this mapping describes how EPP sessions are mapped to TCP connections. - Sections 2 and 3 of this mapping describe how the stateful nature of EPP is preserved through managed sessions and controlled message exchanges. - Section 3 of this mapping notes that command pipelining is possible with TCP, though batch-oriented processing (combining multiple EPP commands in a single data unit) is not permitted. Hollenbeck Expires March 10, 2006 [Page 6]
Internet-Draft EPP TCP Transport September 2005 - Section 4 of this mapping describes features to frame data units by explicitly specifying the number of octets used to represent a data unit. 6. Internationalization Considerations This mapping does not introduce or present any internationalization r localization issues. 7. IANA Considerations System port number 700 has been assigned by the IANA for mapping EPP onto TCP. User port number 3121 (which was used for development and test purposes) has been reclaimed by the IANA. 8. Security Considerations EPP as-is provides only simple client authentication services using identifiers and plain text passwords. A passive attack is sufficient to recover client identifiers and passwords, allowing trivial command forgery. Protection against most other common attacks MUST be provided by other layered protocols. EPP provides protection against replay attacks through command idempotency. A replayed or repeated command will not change the state of any object in any way, though denial of service through consumption of connection resources is a possibility. When layered over TCP, the Transport Layer Security (TLS) Protocol described in [RFC2246] MUST be used to prevent eavesdropping, tampering, and command forgery attacks. Implementations of TLS often contain a US-exportable cryptographic mode that SHOULD NOT be used to protect EPP. Clients and servers desiring high security SHOULD instead use TLS with cryptographic algorithms that are less susceptible to compromise. Mutual client and server authentication using the TLS Handshake Protocol is REQUIRED. Signatures on the complete certificate chain for both client machine and server machine MUST be validated as part of the TLS handshake. Information included in the client and server certificates, such as validity periods and machine names, MUST also be validated. EPP service MUST NOT be granted until successful completion of a TLS handshake and certificate validation, ensuring Hollenbeck Expires March 10, 2006 [Page 7]
Internet-Draft EPP TCP Transport September 2005 that both the client machine and the server machine have been authenticated and cryptographic protections are in place. Authentication using the TLS Handshake Protocol confirms the identity of the client and server machines. EPP uses an additional client identifier and password to identify and authenticate the client's user identity to the server, supplementing the machine authentication provided by TLS. The identity described in the client certificate and the identity described in the EPP client identifier can differ, as a server can assign multiple user identities for use from any particular client machine. EPP TCP servers are vulnerable to common TCP denial of service attacks including TCP SYN flooding. Servers SHOULD take steps to minimize the impact of a denial of service attack using combinations of easily implemented solutions, such as deployment of firewall technology and border router filters to restrict inbound server access to known, trusted clients. 9. Acknowledgements This document was originally written as an individual submission Internet-Draft. The provreg working group later adopted it as a working group document and provided many invaluable comments and suggested improvements. The author wishes to acknowledge the efforts of WG chairs Edward Lewis and Jaap Akkerhuis for their process and editorial contributions. Specific suggestions that have been incorporated into this document were provided by Chris Bason, Randy Bush, Patrik Faltstrom, Ned Freed, James Gould, Dan Manley, and John Immordino. 10. References 10.1. Normative References [I-D.hollenbeck-epp-rfc3730bis] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", draft-hollenbeck-epp-rfc3730bis-00 (work in progress), September 2005. [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Hollenbeck Expires March 10, 2006 [Page 8]
Internet-Draft EPP TCP Transport September 2005 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC2581] Allman, M., Paxson, V., and W. Stevens, "TCP Congestion Control", RFC 2581, April 1999. [RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, September 2000. 10.2. Informative References [RFC3734] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) Transport Over TCP", RFC 3734, March 2004. Appendix A. Changes from RFC 3734 1. Minor reformatting as a result of converting I-D source format from nroff to XML. 2. Updated EPP references. Hollenbeck Expires March 10, 2006 [Page 9]
Internet-Draft EPP TCP Transport September 2005 Author's Address Scott Hollenbeck VeriSign, Inc. 21345 Ridgetop Circle Dulles, VA 20166-6503 US Email: shollenbeck@verisign.com Hollenbeck Expires March 10, 2006 [Page 10]
Internet-Draft EPP TCP Transport September 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Hollenbeck Expires March 10, 2006 [Page 11]