Network Working Group                                           S. Drach
Request for Comments: 2485                              Sun Microsystems
Category: Standards Track                                   January 1999
DHCP Option for The Open Group's User Authentication Protocol
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document defines a DHCP [1] option that contains a list of
pointers to User Authentication Protocol servers that provide user
authentication services for clients that conform to The Open Group
Network Computing Client Technical Standard [2].
The Open Group Network Computing Client Technical Standard, a product
of The Open Group's Network Computing Working Group (NCWG), defines a
network computing client user authentication facility named the User
Authentication Protocol (UAP).
UAP provides two levels of authentication, basic and secure. Basic
authentication uses the Basic Authentication mechanism defined in the
HTTP 1.1 [3] specification. Secure authentication is simply basic
authentication encapsulated in an SSLv3 [4] session.
In both cases, a UAP client needs to obtain the IP address and port
of the UAP service. Additional path information may be required,
depending on the implementation of the service. A URL [5] is an
excellent mechanism for encapsulation of this information since many
UAP servers will be implemented as components within legacy HTTP/SSL
Drach                       Standards Track                     [Page 1]

RFC 2485          DHCP Option for the Open Group's UAP      January 1999
Most UAP clients have no local state and are configured when booted
through DHCP. No existing DHCP option [6] has a data field that
contains a URL. Option 72 contains a list of IP addresses for WWW
servers, but it is not adequate since a port and/or path cannot be
specified. Hence there is a need for an option that contains a list
User Authentication Protocol Option
This option specifies a list of URLs, each pointing to a user
authentication service that is capable of processing authentication
requests encapsulated in the User Authentication Protocol (UAP). UAP
servers can accept either HTTP 1.1 or SSLv3 connections. If the list
includes a URL that does not contain a port component, the normal
default port is assumed (i.e., port 80 for http and port 443 for
https). If the list includes a URL that does not contain a path
component, the path /uap is assumed.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |           URL list
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Length        The length of the data field (i.e., URL list) in

   URL list      A list of one or more URLs separated by the ASCII
                 space character (0x20).
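The option layout and defaulting rules above, turned into working Python. This is an added example, not code from RFC 2485, The Open Group, or any DHCP implementation. The option's numeric code is not given on this page, so every function takes it as a parameter and the demo at the bottom uses a labelled placeholder; using urllib.parse as the URL splitter and treating the URL list as plain ASCII are likewise assumptions of this example.

```python
"""Decode and build the DHCP User Authentication Protocol (UAP) option.

Added example for the option definition above; not the RFC's or The Open
Group's code.  Assumptions: the option code is supplied by the caller
(it is not stated on this page), urllib.parse is an adequate URL
splitter, and the URL list is ASCII text.
"""
from urllib.parse import urlsplit

# Defaults stated by the option definition: port by scheme, path /uap.
DEFAULT_PORTS = {"http": 80, "https": 443}
DEFAULT_PATH = "/uap"
# A DHCP option carries a one-octet length, so the data field is at most 255 octets.
MAX_DATA_LEN = 255


def split_url_list(data: bytes) -> list[str]:
    """Split the option data field into URLs on the ASCII space (0x20)."""
    text = data.decode("ascii")  # non-ASCII bytes raise UnicodeDecodeError
    urls = [u for u in text.split(" ") if u]
    if not urls:
        raise ValueError("UAP option must carry at least one URL")
    return urls


def resolve_uap_url(url: str) -> tuple[str, str, int, str]:
    """Apply the option's defaulting rules to one URL.

    Returns (scheme, host, port, path).  Only http and https make sense,
    because a UAP server accepts HTTP 1.1 or SSLv3 (https) connections.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in UAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"UAP URL has no host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    path = parts.path if parts.path else DEFAULT_PATH
    return (parts.scheme, parts.hostname, port, path)


def decode_uap_option(option: bytes, expected_code: int) -> list[tuple[str, str, int, str]]:
    """Decode one code/length/data option and resolve every URL in it.

    The length octet must agree with the data actually present; a client
    should check this before handing the URLs to its HTTP/SSL stack.
    """
    if len(option) < 2:
        raise ValueError("option shorter than code+length")
    code, length = option[0], option[1]
    if code != expected_code:
        raise ValueError(f"option code {code} is not the UAP option ({expected_code})")
    data = option[2:]
    if len(data) != length:
        raise ValueError(f"length octet says {length}, but {len(data)} data octets follow")
    return [resolve_uap_url(u) for u in split_url_list(data)]


def encode_uap_option(urls: list[str], code: int) -> bytes:
    """Build the option: one octet code, one octet length, space-separated URLs."""
    if not urls:
        raise ValueError("need at least one URL")
    for u in urls:
        resolve_uap_url(u)  # reject anything a client could not use
        if " " in u:
            raise ValueError(f"URL may not contain the separator character: {u!r}")
    data = " ".join(urls).encode("ascii")
    if len(data) > MAX_DATA_LEN:
        raise ValueError(
            f"URL list is {len(data)} octets; the length field holds at most {MAX_DATA_LEN}"
        )
    return bytes([code, len(data)]) + data


if __name__ == "__main__":
    # Constructed demo.  The option code below is a PLACEHOLDER from the
    # site-specific range; the real assigned code is not on this page.
    UAP_OPTION_CODE_PLACEHOLDER = 128
    servers = ["http://auth.example.com", "https://auth2.example.com:8443/login"]
    wire = encode_uap_option(servers, UAP_OPTION_CODE_PLACEHOLDER)
    print(wire.hex())
    for entry in decode_uap_option(wire, UAP_OPTION_CODE_PLACEHOLDER):
        print(entry)
```

decode_uap_option refuses an option whose length octet disagrees with the data that follows, and resolve_uap_url refuses any scheme other than http or https, so a client only ever contacts well-formed http/https endpoints. Neither check says anything about whether the DHCP server that sent the option is legitimate; that exposure is the one the Security Considerations section covers.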
[1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,

[2] Technical Standard: Network Computing Client, The Open Group,
    Document Number C801, October 1998.

[3] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T.
    Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC

[4] Freier, A., Karlton, P., and P. Kocher, "The SSL Protocol,
    Version 3.0", Netscape Communications Corp., November 1996.
    Standards Information Base, The Open Group,
    http://www.db.opengroup.org/sib.htm#SSL_3.
[5] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
    Resource Locators (URL)", RFC 1738, December 1994.

[6] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
    Extensions", RFC 2132, March 1997.
Security Considerations
DHCP currently provides no authentication or security mechanisms.
Potential exposures to attack are discussed in section 7 of the DHCP
protocol specification.
The User Authentication Protocol does not have a means to detect
whether or not the client is communicating with a rogue
authentication service that the client contacted because it received
a forged or otherwise compromised UAP option from a DHCP service
whose security was compromised. Even secure authentication does not
provide relief from this type of attack. This security exposure is
mitigated by the environmental assumptions documented in the Network
Computing Client Technical Standard.
Sun Microsystems, Inc.

Phone: (650) 960-1300
Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.