Network Working Group L J Blunk
J R Vollbrecht
Internet Draft Merit
expires in six months March 1994
PPP Kerberos Authentication Protocol (KAP)
<draft-ietf-pppext-kap-auth-00.txt>
Status of this Memo
This document is the product of the Point-to-Point Protocol
Extensions Working Group of the Internet Engineering Task Force
(IETF). Comments should be submitted to the ietf-ppp@merit.edu
mailing list.
Distribution of this memo is unlimited.
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
Please check the 1id-abstracts.txt listing contained in the
internet-drafts Shadow Directories on nic.ddn.mil, ds.internic.net,
ftp.isi.edu, nic.nordu.net, or munnari.oz.au to learn the current
status of any Internet Draft.
Abstract
The Point-to-Point Protocol (PPP) [1] provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
PPP also defines an extensible Link Control Protocol, which allows
negotiation of an Authentication Protocol for authenticating its peer
before allowing Network Layer protocols to transmit over the link.
This document defines the Kerberos Authentication Protocol.
Blunk & Vollbrecht expires in six months [Page i]
�DRAFT PPP KAP March 1994
1. Introduction
In order to establish communications over a point-to-point link, each
end of the PPP link must first send LCP packets to configure the data
link during Link Establishment phase. After the link has been
established, PPP provides for an optional Authentication phase before
proceeding to the Network-Layer Protocol phase.
By default, authentication is not mandatory. If authentication of
the link is desired, an implementation MUST specify the
Authentication-Protocol Configuration Option during Link
Establishment phase.
These authentication protocols are intended for use primarily by
hosts and routers that connect to a PPP network server via switched
circuits or dial-up lines, but might be applied to dedicated links as
well. The server can use the identification of the connecting host
or router in the selection of options for network layer negotiations.
This document defines the PPP KAP authentication protocol. The Link
Establishment and Authentication phases, and the Authentication-
Protocol Configuration Option, are defined in The Point-to-Point
Protocol (PPP) [1].
1.1. Specification of Requirements
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized.
MUST This word, or the adjective "required", means that the
definition is an absolute requirement of the specification.
MUST NOT This phrase means that the definition is an absolute
prohibition of the specification.
SHOULD This word, or the adjective "recommended", means that there
may exist valid reasons in particular circumstances to
ignore this item, but the full implications must be
understood and carefully weighed before choosing a
different course.
MAY This word, or the adjective "optional", means that this
item is one of an allowed set of alternatives. An
implementation which does not include this option MUST be
prepared to interoperate with another implementation which
does include the option.
Blunk & Vollbrecht expires in six months [Page 1]
�DRAFT PPP KAP March 1994
1.2. Terminology
This document frequently uses the following terms:
authenticator
The end of the link requiring the authentication. The
authenticator specifies the authentication protocol to be
used in the Configure-Request during Link Establishment
phase.
peer The other end of the point-to-point link; the end which is
being authenticated by the authenticator.
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.
Blunk & Vollbrecht expires in six months [Page 2]
�DRAFT PPP KAP March 1994
2. Kerberos Authentication Protocol
The Kerberos Authentication Protocol (KAP) is used to verify the
identity of a peer using the Kerberos Authentication System.
Normally, Kerberos authentication requires that the peer be on a
fully-connnected network. Given the nature of PPP, it is unlikely
that the peer being authenticated will have such connectivity. Given
this constraint, the KAP protocol is designed to operate over the PPP
link prior to any Network Protocols having been negotiated. It is
assumed that the authenticator has network connectivity to the
Kerberos server(s) to be used for authentication.
1. After the Link Establishment phase is complete, the
authenticator sends a request for the identity of the the peer.
2. The peer replys with a Kerberos principal to be used by the
authenticator to retrieve Kerberos credentials. The peer does
not specify the service principal identity. However, it is
recommended that the authenticator use ppp-kap as its primay
name so that the peer may check this value in the credentials.
This gives the peer some assurance that it is authenticating to
a service authorized to provide PPP access. The peer will not
likely need to know or verify the instance name of the
authenticator.
3. The authenticator then uses the Kerberos Authentication Service
Protocol to request the Kerberos credentials to be used by the
peer. These credentials are then forwarded to the peer
together with a challenge. The challenge is used to prevent
replay attacks in the case a ticket may have been captured.
4. The peer decrypts these credentials to obtain a ticket for the
ppp-kap service and a session key. The session key is used to
encrypt the challenge. The peer then sends the ticket together
with the response to the challenge back to the authenticator.
5. The authenticator then decrypts the ticket and checks the
response to its challenge. If these are valid, the
authentication is acknowledged with a success message;
otherwise the authenticator replies with a failure response.
6. At random intervals, the authenticator may send a challenge to
the peer. The peer generates a response to the challenge by
encrypting it in the session key and forwards this back to the
authenticator. Likewise, the peer may send a challenge to the
authenticator. This assures the identity of the authenticator
to the peer.
Blunk & Vollbrecht expires in six months [Page 3]
�DRAFT PPP KAP March 1994
Advantages
KAP provides an authentication mechanism which does not require
passing a user's password in the clear. It also allows PPP
authentication to leverage off of existing Kerberos authentication
servers.
The authenticator is not the repository for any secrets. This is a
significant advantage when there are many peers.
The peer need only know its own secret and the primary name of the
service requesting authentication.
This authentication can be mutual. The ability of the peer to
successfully decrypt the Kerberos credentials and generate a response
to the challenge is the assurance to the authenticator that the peer
is authentic. The ability of the authenticator to encrypt a response
to a challenge using the session key is the assurance to the peer
that the authenticator is also authentic.
Disadvantages
KAP depends upon encryption technology which may be subject to export
controls.
Blunk & Vollbrecht expires in six months [Page 4]
�DRAFT PPP KAP March 1994
2.1. Configuration Option Format
A summary of the Authentication-Protocol Configuration Option format
to negotiate the Kerberos Authentication Protocol is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Authentication-Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Kerberos Type |
+-+-+-+-+-+-+-+-+
Type
3
Length
5
Authentication-Protocol
???? for Kerberos Authentication Protocol
Kerberos Type
0-3 Unused
4 Kerberos V4
5 Kerberos V5
Blunk & Vollbrecht expires in six months [Page 5]
�DRAFT PPP KAP March 1994
2.2. Packet Format
Exactly one Kerberos Authentication Protocol packet is encapsulated
in the Information field of a PPP Data Link Layer frame where the
protocol field indicates type hex ???? (Kerberos Authentication
Protocol). A summary of the KAP packet format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ...
+-+-+-+-+
Code
The Code field is one octet and identifies the type of KAP packet.
KAP Codes are assigned as follows:
1 Initiate
2 Principal
3 Credentials
4 Ticket
5 Success
6 Failure
7 Challenge
8 Response
Identifier
The Identifier field is one octet and aids in matching replies
with requests and responses to challenges.
Length
The Length field is two octets and indicates the length of the KAP
packet including the Code, Identifier, Length and Data fields.
Octets outside the range of the Length field should be treated as
Data Link Layer padding and should be ignored on reception.
Data
The Data field is zero or more octets. The format of the Data
field is determined by the Code field.
Blunk & Vollbrecht expires in six months [Page 6]
�DRAFT PPP KAP March 1994
2.2.1. Initiate
Description
The Initiate packet is used to begin the Kerberos Authentication
Protocol. The authenticator MUST transmit a KAP packet with the
Code field set to 1 (Initiate). Additional Initiate packets MUST
be sent until a valid Response packet is received, or an optional
retry counter expires.
A summary of the Initiate packet format is shown below. The fields
are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
1
Identifier
The Identifier field is one octet. The Identifier field MUST be
changed each time an Initiate is sent.
Blunk & Vollbrecht expires in six months [Page 7]
�DRAFT PPP KAP March 1994
2.2.2. Principal
Description
The Principal packet is used to identify the peer to the
authenticator. It is sent in response to an Initiate packet. The
peer MUST transmit a KAP packet with the Code field set to 2
(Principal). The identifier of the Principal packet MUST match
the indentifier in the Initiate packet. The authenticator will
respond to the Principal packet with either a Credentials packet
or a Failure packet.
A summary of the Principal packet format is shown below. The fields
are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Name-Size | Name ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Instance-Size | Instance ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Realm-Size | Realm ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
2
Identifier
The Identifier field is one octet. The Principal Identifier MUST
be copied from the Identifier field of the Initiate which caused
the Response.
Principal fields
The Name, Instance, and Realm fields are used to identify the
Kerberos Principal.
Blunk & Vollbrecht expires in six months [Page 8]
�DRAFT PPP KAP March 1994
2.2.3. Credentials
Description
The Credentials packet is used to supply the peer with the needed
credentials for authentication. It is sent in response to a
Principal packet and contains a ticket for the authenticator and
a session key. The authenticator MUST transmit a KAP packet with
the Code field set to 3 (Credentials). Additional Credentials
packets MUST be sent until a valid Response packet is received, or
an optional retry counter expires.
A summary of the Credentials packet format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cred-Size | Credentials ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Chal-Size | Challenge ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
3
Identifier
The Identifier field is one octet. The Identifier field MUST be
changed each time a Credentials is sent.
Credentials
The Credentials field is copied from the KRB_AS_REP packet
received by the authenticator from the Kerberos server. It takes
the form:
{ T_(peer,authenticator), K_(peer, authenticator) }K_peer
Challenge
The Challenge Value is a variable stream of octets. The Challenge
Value MUST be changed each time a Credentials is sent.
Blunk & Vollbrecht expires in six months [Page 9]
�DRAFT PPP KAP March 1994
2.2.4. Ticket
Description
The Ticket packet is sent by the peer to the authenticator as
verification of its authenticity. It is sent in response to a
Credentials packet and contains a ticket for the authenticator and
a response to the authenticator's challenge. The response for the
challenge is generated by encrypting the challenge with the
session key. The peer MUST transmit a KAP packet with the Code
field set to 4 (Ticket).
A summary of the Ticket packet format is shown below. The fields are
transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ticket-Size | Ticket ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Response-Size | Response ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
4
Identifier
The Identifier field is one octet. The Identifier field MUST
match the Indentifier field of the Credentials packet that it is
sent in response to.
Ticket
The Ticket field is copied from the Credentials data received from
the authenticator. It takes the form:
T_(peer,authenticator)
Response
The response field is generated by encrypting the challenge from
the Credentials packets using the Session key.
Blunk & Vollbrecht expires in six months [Page 10]
�DRAFT PPP KAP March 1994
2.2.5. Success and Failure
Description
If the fields received in a Ticket match the expected values AND
the response to the challenge is correct, then the implementation
MUST transmit a KAP packet with the Code field set to 5 (Success).
If the fields received in a Ticket do NOT match the expected
values OR the response to the challenge does NOT match the
expected value, then the implementation MUST transmit a KAP packet
with the Code field set to 6 (Failure), and SHOULD take action to
terminate the link.
A summary of the Success and Failure packet format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
5 for Success;
6 for Failure.
Identifier
The Identifier field is one octet and aids in matching requests
and replies. The Identifier field MUST be copied from the
Identifier field of the Principal or Ticket packet which caused
this reply.
Message
The Message field is zero or more octets, and its contents are
implementation dependent. It is intended to be human readable,
and MUST NOT affect operation of the protocol. It is recommended
that the message contain displayable ASCII characters 32 through
126 decimal. Mechanisms for extension to other character sets are
the topic of future research. The size is determined from the
Length field.
Blunk & Vollbrecht expires in six months [Page 11]
�DRAFT PPP KAP March 1994
2.2.6. Challenge and Response
Description
The Challenge packet is used to periodically authenticate one peer
to the other. The peer may use the Challenge to mutually
authenticate the authenticator. The Challenge must be transmitted
as a KAP packet with the Code field set to 7 (Challenge).
A Challenge packet MAY be transmitted at any time during the
Network-Layer Protocol phase to ensure that the connection has not
been altered.
The peer or authenticator SHOULD expect Challenge packets during
the Authentication phase and the Network-Layer Protocol phase.
Whenever a Challenge packet is received, a KAP packet with the
Code field set to 8 (Response) must be transmitted.
Whenever a Response packet is received, the Response Value is
compared with the expected value. Based on this comparison, a
Success or Failure packet (described above) must be sent.
Implementation Note: Because the Success might be lost, the
authenticator MUST allow repeated Response packets after
completing the Authentication phase. To prevent discovery of
alternative Names and Secrets, any Response packets received
having the current Challenge Identifier MUST return the same
reply Code returned when the Authentication phase completed
(the message portion MAY be different). Any Response packets
received during any other phase MUST be silently discarded.
When the Failure is lost, and the authenticator terminates the
link, the LCP Terminate-Request and Terminate-Ack provide an
alternative indication that authentication failed.
Blunk & Vollbrecht expires in six months [Page 12]
�DRAFT PPP KAP March 1994
A summary of the Challenge and Response packet format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value-Size | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
7 for Challenge;
8 for Response.
Identifier
The Identifier field is one octet. The Identifier field MUST be
changed each time a Challenge is sent.
The Response Identifier MUST be copied from the Identifier field
of the Challenge which caused the Response.
Value-Size
This field is one octet and indicates the length of the Value
field.
Value
The Value field is one or more octets. The most significant octet
is transmitted first.
The Challenge Value is a variable stream of octets. The Challenge
Value MUST be changed each time a Challenge is sent. The length
of the Challenge Value depends upon the method used to generate
the octets.
The Response Value is the DES encryption of the Challenge Value.
The Session Key is used to perform the encryption on the
Challenge. The length of the Response Value depends upon the
length of the Challenge.
Blunk & Vollbrecht expires in six months [Page 13]
�DRAFT PPP KAP March 1994
Security Considerations
Security issues are the primary topic of this RFC.
The interaction of the authentication protocols within PPP are highly
implementation dependent. This is indicated by the use of SHOULD
throughout the document.
For example, upon failure of authentication, some implementations do
not terminate the link. Instead, the implementation limits the kind
of traffic in the Network-Layer Protocols to a filtered subset, which
in turn allows the user opportunity to update secrets or send mail to
the network administrator indicating a problem.
There is no provision for re-tries of failed authentication.
However, the LCP state machine can renegotiate the authentication
protocol at any time, thus allowing a new attempt. It is recommended
that any counters used for authentication failure not be reset until
after successful authentication, or subsequent termination of the
failed link.
There is no requirement that authentication be full duplex or that
the same protocol be used in both directions. It is perfectly
acceptable for different protocols to be used in each direction.
This will, of course, depend on the specific protocols negotiated.
In practice, within or associated with each PPP server, there is a
database which associates "user" names with authentication
information ("secrets"). It is not anticipated that a particular
named user would be authenticated by multiple methods. This would
make the user vulnerable to attacks which negotiate the least secure
method from among a set (such as PAP rather than KAP). Instead, for
each named user there should be an indication of exactly one method
used to authenticate that user name. If a user needs to make use of
different authentication methods under different circumstances, then
distinct user names SHOULD be employed, each of which identifies
exactly one authentication method.
Blunk & Vollbrecht expires in six months [Page 14]
�DRAFT PPP KAP March 1994
References
[1] Simpson, W. A., "The Point-to-Point Protocol (PPP)", work in
progress.
[2] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 1340,
USC/Information Sciences Institute, July 1992.
Acknowledgments
Thanks to Bill Simpson for his initial work on this document.
Chair's Address
The working group can be contacted via the current chair:
Fred Baker
Advanced Computer Communications
315 Bollay Drive
Santa Barbara, California, 93111
EMail: fbaker@acc.com
Author's Address
Questions about this memo can also be directed to:
Larry J Blunk John R Vollbrecht
EMail: ljb@merit.edu EMail: jrv@merit.edu
Blunk & Vollbrecht expires in six months [Page 15]
�DRAFT PPP KAP March 1994
Table of Contents
1. Introduction .......................................... 1
1.1 Specification of Requirements ................... 1
1.2 Terminology ..................................... 2
2. Kerberos Authentication Protocol ...................... 3
2.1 Configuration Option Format ..................... 5
2.2 Packet Format ................................... 6
2.2.1 Initiate ........................................ 7
2.2.2 Principal ....................................... 8
2.2.3 Credentials ..................................... 9
2.2.4 Ticket .......................................... 10
2.2.5 Success and Failure ............................. 11
2.2.6 Challenge and Response .......................... 12
SECURITY CONSIDERATIONS ...................................... 14
REFERENCES ................................................... 15
ACKNOWLEDGEMENTS ............................................. 15
CHAIR'S ADDRESS .............................................. 15
AUTHOR'S ADDRESS ............................................. 15