RPCSEC_GSS Protocol Specification
RFC 2203

Document Type RFC - Proposed Standard (September 1997; Errata)
Updated by RFC 5403
Last updated 2014-08-01
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2203 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          M. Eisler
Request for Comments: 2203                                       A. Chiu
Category: Standards Track                                        L. Ling
                                                          September 1997

                   RPCSEC_GSS Protocol Specification

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This memo describes an ONC/RPC security flavor that allows RPC
   protocols to access the Generic Security Services Application
   Programming Interface (referred to henceforth as GSS-API).

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  The ONC RPC Message Protocol . . . . . . . . . . . . . . . . . 2
   3.  Flavor Number Assignment . . . . . . . . . . . . . . . . . . . 3
   4.  New auth_stat Values . . . . . . . . . . . . . . . . . . . . . 3
   5.  Elements of the RPCSEC_GSS Security Protocol . . . . . . . . . 3
   5.1.  Version Selection  . . . . . . . . . . . . . . . . . . . . . 5
   5.2.  Context Creation . . . . . . . . . . . . . . . . . . . . . . 5
   5.2.1.  Mechanism and QOP Selection  . . . . . . . . . . . . . . . 5
   5.2.2.  Context Creation Requests  . . . . . . . . . . . . . . . . 6
   5.2.3.  Context Creation Responses . . . . . . . . . . . . . . . . 8
   5.2.3.1.  Context Creation Response - Successful Acceptance  . . . 8
   5.2.3.1.1.  Client Processing of Successful Context Creation
               Responses  . . . . . . . . . . . . . . . . . . . . . . 9
   5.2.3.2.  Context Creation Response - Unsuccessful Cases . . . . . 9
   5.3.  RPC Data Exchange  . . . . . . . . . . . . . . . . . . . .  10
   5.3.1.  RPC Request Header . . . . . . . . . . . . . . . . . . .  10
   5.3.2.  RPC Request Data . . . . . . . . . . . . . . . . . . . .  11
   5.3.2.1.  RPC Request Data - No Data Integrity . . . . . . . . .  11
   5.3.2.2.  RPC Request Data - With Data Integrity . . . . . . . .  11
   5.3.2.3.  RPC Request Data - With Data Privacy . . . . . . . . .  12
   5.3.3.  Server Processing of RPC Data Requests . . . . . . . . .  12
   5.3.3.1.  Context Management . . . . . . . . . . . . . . . . . .  12
   5.3.3.2.  Server Reply - Request Accepted  . . . . . . . . . . .  14
   5.3.3.3.  Server Reply - Request Denied  . . . . . . . . . . . .  15

Eisler, et. al.             Standards Track                     [Page 1]
RFC 2203           RPCSEC_GSS Protocol Specification      September 1997

   5.3.3.4.  Mapping of GSS-API Errors to Server Responses  . . . .  16
   5.3.3.4.1.  GSS_GetMIC() Failure . . . . . . . . . . . . . . . .  16
   5.3.3.4.2.  GSS_VerifyMIC() Failure  . . . . . . . . . . . . . .  16
   5.3.3.4.3.  GSS_Unwrap() Failure . . . . . . . . . . . . . . . .  16
   5.3.3.4.4.  GSS_Wrap() Failure . . . . . . . . . . . . . . . . .  16
   5.4.  Context Destruction  . . . . . . . . . . . . . . . . . . .  17
   6.  Set of GSS-API Mechanisms  . . . . . . . . . . . . . . . . .  17
   7.  Security Considerations  . . . . . . . . . . . . . . . . . .  18
   7.1.  Privacy of Call Header . . . . . . . . . . . . . . . . . .  18
   7.2.  Sequence Number Attacks  . . . . . . . . . . . . . . . . .  18
   7.2.1.  Sequence Numbers Above the Window  . . . . . . . . . . .  18
   7.2.2.  Sequence Numbers Within or Below the Window  . . . . . .  18
   7.3.  Message Stealing Attacks . . . . . . . . . . . . . . . . .  19
   Appendix A. GSS-API Major Status Codes . . . . . . . . . . . . .  20
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . .  22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  23

1.  Introduction

   This document describes the protocol used by the RPCSEC_GSS security
   flavor.  Security flavors have been called authentication flavors for
   historical reasons. This memo recognizes that there are two other
   security services besides authentication, integrity, and privacy, and
   so defines a new RPCSEC_GSS security flavor.

   The protocol is described using the XDR language [Srinivasan-xdr].
   The reader is assumed to be familiar with ONC RPC and the security
   flavor mechanism [Srinivasan-rpc].  The reader is also assumed to be
   familiar with the GSS-API framework [Linn].  The RPCSEC_GSS security
   flavor uses GSS-API interfaces to provide security services that are
   independent of the underlying security mechanism.

2.  The ONC RPC Message Protocol

   This memo refers to the following XDR types of the ONC RPC protocol,
   which are described in the document entitled Remote Procedure Call
   Protocol Specification Version 2 [Srinivasan-rpc]:

      msg_type
      reply_stat
Show full document text