|
| 1 | + |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | + |
| 6 | + |
| 7 | +Network Working Group K. Zeilenga, Ed. |
| 8 | +Request for Comments: 4505 OpenLDAP Foundation |
| 9 | +Obsoletes: 2245 June 2006 |
| 10 | +Category: Standards Track |
| 11 | + |
| 12 | + |
| 13 | + Anonymous Simple Authentication and Security Layer (SASL) Mechanism |
| 14 | + |
| 15 | +Status of This Memo |
| 16 | + |
| 17 | + This document specifies an Internet standards track protocol for the |
| 18 | + Internet community, and requests discussion and suggestions for |
| 19 | + improvements. Please refer to the current edition of the "Internet |
| 20 | + Official Protocol Standards" (STD 1) for the standardization state |
| 21 | + and status of this protocol. Distribution of this memo is unlimited. |
| 22 | + |
| 23 | +Copyright Notice |
| 24 | + |
| 25 | + Copyright (C) The Internet Society (2006). |
| 26 | + |
| 27 | +Abstract |
| 28 | + |
| 29 | + On the Internet, it is common practice to permit anonymous access to |
| 30 | + various services. Traditionally, this has been done with a plain- |
| 31 | + text password mechanism using "anonymous" as the user name and using |
| 32 | + optional trace information, such as an email address, as the |
| 33 | + password. As plain-text login commands are not permitted in new IETF |
| 34 | + protocols, a new way to provide anonymous login is needed within the |
| 35 | + context of the Simple Authentication and Security Layer (SASL) |
| 36 | + framework. |
| 37 | + |
| 38 | +1. Introduction |
| 39 | + |
| 40 | + This document defines an anonymous mechanism for the Simple |
| 41 | + Authentication and Security Layer ([SASL]) framework. The name |
| 42 | + associated with this mechanism is "ANONYMOUS". |
| 43 | + |
| 44 | + Unlike many other SASL mechanisms, whose purpose is to authenticate |
| 45 | + and identify the user to a server, the purpose of this SASL mechanism |
| 46 | + is to allow the user to gain access to services or resources without |
| 47 | + requiring the user to establish or otherwise disclose their identity |
| 48 | + to the server. That is, this mechanism provides an anonymous login |
| 49 | + method. |
| 50 | + |
| 51 | + This mechanism does not provide a security layer. |
| 52 | + |
| 53 | + This document replaces RFC 2245. Changes since RFC 2245 are detailed |
| 54 | + in Appendix A. |
| 55 | + |
| 56 | + |
| 57 | + |
| 58 | +Zeilenga Standards Track [Page 1] |
| 59 | +� |
| 60 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 61 | + |
| 62 | + |
| 63 | +2. The Anonymous Mechanism |
| 64 | + |
| 65 | + The mechanism consists of a single message from the client to the |
| 66 | + server. The client may include in this message trace information in |
| 67 | + the form of a string of [UTF-8]-encoded [Unicode] characters prepared |
| 68 | + in accordance with [StringPrep] and the "trace" stringprep profile |
| 69 | + defined in Section 3 of this document. The trace information, which |
| 70 | + has no semantical value, should take one of two forms: an Internet |
| 71 | + email address, or an opaque string that does not contain the '@' |
| 72 | + (U+0040) character and that can be interpreted by the system |
| 73 | + administrator of the client's domain. For privacy reasons, an |
| 74 | + Internet email address or other information identifying the user |
| 75 | + should only be used with permission from the user. |
| 76 | + |
| 77 | + A server that permits anonymous access will announce support for the |
| 78 | + ANONYMOUS mechanism and allow anyone to log in using that mechanism, |
| 79 | + usually with restricted access. |
| 80 | + |
| 81 | + A formal grammar for the client message using Augmented BNF [ABNF] is |
| 82 | + provided below as a tool for understanding this technical |
| 83 | + specification. |
| 84 | + |
| 85 | + message = [ email / token ] |
| 86 | + ;; to be prepared in accordance with Section 3 |
| 87 | + |
| 88 | + UTF1 = %x00-3F / %x41-7F ;; less '@' (U+0040) |
| 89 | + UTF2 = %xC2-DF UTF0 |
| 90 | + UTF3 = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) / |
| 91 | + %xED %x80-9F UTF0 / %xEE-EF 2(UTF0) |
| 92 | + UTF4 = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) / |
| 93 | + %xF4 %x80-8F 2(UTF0) |
| 94 | + UTF0 = %x80-BF |
| 95 | + |
| 96 | + TCHAR = UTF1 / UTF2 / UTF3 / UTF4 |
| 97 | + ;; any UTF-8 encoded Unicode character |
| 98 | + ;; except '@' (U+0040) |
| 99 | + |
| 100 | + email = addr-spec |
| 101 | + ;; as defined in [IMAIL] |
| 102 | + |
| 103 | + token = 1*255TCHAR |
| 104 | + |
| 105 | + Note to implementors: |
| 106 | + The <token> production is restricted to 255 UTF-8-encoded Unicode |
| 107 | + characters. As the encoding of a characters uses a sequence of 1 |
| 108 | + to 4 octets, a token may be as long as 1020 octets. |
| 109 | + |
| 110 | + |
| 111 | + |
| 112 | + |
| 113 | + |
| 114 | +Zeilenga Standards Track [Page 2] |
| 115 | +� |
| 116 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 117 | + |
| 118 | + |
| 119 | +3. The "trace" Profile of "Stringprep" |
| 120 | + |
| 121 | + This section defines the "trace" profile of [StringPrep]. This |
| 122 | + profile is designed for use with the SASL ANONYMOUS Mechanism. |
| 123 | + Specifically, the client is to prepare the <message> production in |
| 124 | + accordance with this profile. |
| 125 | + |
| 126 | + The character repertoire of this profile is Unicode 3.2 [Unicode]. |
| 127 | + |
| 128 | + No mapping is required by this profile. |
| 129 | + |
| 130 | + No Unicode normalization is required by this profile. |
| 131 | + |
| 132 | + The list of unassigned code points for this profile is that provided |
| 133 | + in Appendix A of [StringPrep]. Unassigned code points are not |
| 134 | + prohibited. |
| 135 | + |
| 136 | + Characters from the following tables of [StringPrep] are prohibited: |
| 137 | + |
| 138 | + - C.2.1 (ASCII control characters) |
| 139 | + - C.2.2 (Non-ASCII control characters) |
| 140 | + - C.3 (Private use characters) |
| 141 | + - C.4 (Non-character code points) |
| 142 | + - C.5 (Surrogate codes) |
| 143 | + - C.6 (Inappropriate for plain text) |
| 144 | + - C.8 (Change display properties are deprecated) |
| 145 | + - C.9 (Tagging characters) |
| 146 | + |
| 147 | + No additional characters are prohibited. |
| 148 | + |
| 149 | + This profile requires bidirectional character checking per Section 6 |
| 150 | + of [StringPrep]. |
| 151 | + |
| 152 | +4. Example |
| 153 | + |
| 154 | + Here is a sample ANONYMOUS login between an IMAP client and server. |
| 155 | + In this example, "C:" and "S:" indicate lines sent by the client and |
| 156 | + server, respectively. If such lines are wrapped without a new "C:" |
| 157 | + or "S:" label, then the wrapping is for editorial clarity and is not |
| 158 | + part of the command. |
| 159 | + |
| 160 | + Note that this example uses the IMAP profile [IMAP4] of SASL. The |
| 161 | + base64 encoding of challenges and responses as well as the "+ " |
| 162 | + preceding the responses are part of the IMAP4 profile, not part of |
| 163 | + SASL itself. Additionally, protocols with SASL profiles permitting |
| 164 | + an initial client response will be able to avoid the extra round trip |
| 165 | + below (the server response with an empty "+ "). |
| 166 | + |
| 167 | + |
| 168 | + |
| 169 | + |
| 170 | +Zeilenga Standards Track [Page 3] |
| 171 | +� |
| 172 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 173 | + |
| 174 | + |
| 175 | + In this example, the trace information is "sirhc". |
| 176 | + |
| 177 | + S: * OK IMAP4 server ready |
| 178 | + C: A001 CAPABILITY |
| 179 | + S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=ANONYMOUS |
| 180 | + S: A001 OK done |
| 181 | + C: A002 AUTHENTICATE ANONYMOUS |
| 182 | + S: + |
| 183 | + C: c2lyaGM= |
| 184 | + S: A003 OK Welcome, trace information has been logged. |
| 185 | + |
| 186 | +5. Security Considerations |
| 187 | + |
| 188 | + The ANONYMOUS mechanism grants access to services and/or resources by |
| 189 | + anyone. For this reason, it should be disabled by default so that |
| 190 | + the administrator can make an explicit decision to enable it. |
| 191 | + |
| 192 | + If the anonymous user has any write privileges, a denial-of-service |
| 193 | + attack is possible by filling up all available space. This can be |
| 194 | + prevented by disabling all write access by anonymous users. |
| 195 | + |
| 196 | + If anonymous users have read and write access to the same area, the |
| 197 | + server can be used as a communication mechanism to exchange |
| 198 | + information anonymously. Servers that accept anonymous submissions |
| 199 | + should implement the common "drop box" model, which forbids anonymous |
| 200 | + read access to the area where anonymous submissions are accepted. |
| 201 | + |
| 202 | + If the anonymous user can run many expensive operations (e.g., an |
| 203 | + IMAP SEARCH BODY command), this could enable a denial-of-service |
| 204 | + attack. Servers are encouraged to reduce the priority of anonymous |
| 205 | + users or limit their resource usage. |
| 206 | + |
| 207 | + While servers may impose a limit on the number of anonymous users, |
| 208 | + note that such limits enable denial-of-service attacks and should be |
| 209 | + used with caution. |
| 210 | + |
| 211 | + The trace information is not authenticated, so it can be falsified. |
| 212 | + This can be used as an attempt to get someone else in trouble for |
| 213 | + access to questionable information. Administrators investigating |
| 214 | + abuse need to realize that this trace information may be falsified. |
| 215 | + |
| 216 | + A client that uses the user's correct email address as trace |
| 217 | + information without explicit permission may violate that user's |
| 218 | + privacy. Anyone who accesses an anonymous archive on a sensitive |
| 219 | + subject (e.g., sexual abuse) likely has strong privacy needs. |
| 220 | + Clients should not send the email address without the explicit |
| 221 | + permission of the user and should offer the option of supplying no |
| 222 | + trace information, thus only exposing the source IP address and time. |
| 223 | + |
| 224 | + |
| 225 | + |
| 226 | +Zeilenga Standards Track [Page 4] |
| 227 | +� |
| 228 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 229 | + |
| 230 | + |
| 231 | + Anonymous proxy servers could enhance this privacy but would have to |
| 232 | + consider the resulting potential denial-of-service attacks. |
| 233 | + |
| 234 | + Anonymous connections are susceptible to man-in-the-middle attacks |
| 235 | + that view or alter the data transferred. Clients and servers are |
| 236 | + encouraged to support external data security services. |
| 237 | + |
| 238 | + Protocols that fail to require an explicit anonymous login are more |
| 239 | + susceptible to break-ins given certain common implementation |
| 240 | + techniques. Specifically, Unix servers that offer user login may |
| 241 | + initially start up as root and switch to the appropriate user id |
| 242 | + after an explicit login command. Normally, such servers refuse all |
| 243 | + data access commands prior to explicit login and may enter a |
| 244 | + restricted security environment (e.g., the Unix chroot(2) function) |
| 245 | + for anonymous users. If anonymous access is not explicitly |
| 246 | + requested, the entire data access machinery is exposed to external |
| 247 | + security attacks without the chance for explicit protective measures. |
| 248 | + Protocols that offer restricted data access should not allow |
| 249 | + anonymous data access without an explicit login step. |
| 250 | + |
| 251 | + General [SASL] security considerations apply to this mechanism. |
| 252 | + |
| 253 | + [StringPrep] security considerations and [Unicode] security |
| 254 | + considerations discussed in [StringPrep] apply to this mechanism. |
| 255 | + [UTF-8] security considerations also apply. |
| 256 | + |
| 257 | +6. IANA Considerations |
| 258 | + |
| 259 | + The SASL Mechanism registry [IANA-SASL] entry for the ANONYMOUS |
| 260 | + mechanism has been updated by the IANA to reflect that this document |
| 261 | + now provides its technical specification. |
| 262 | + |
| 263 | + To: iana@iana.org |
| 264 | + Subject: Updated Registration of SASL mechanism ANONYMOUS |
| 265 | + |
| 266 | + SASL mechanism name: ANONYMOUS |
| 267 | + Security considerations: See RFC 4505. |
| 268 | + Published specification (optional, recommended): RFC 4505 |
| 269 | + Person & email address to contact for further information: |
| 270 | + Kurt Zeilenga <Kurt@OpenLDAP.org> |
| 271 | + Chris Newman <Chris.Newman@sun.com> |
| 272 | + Intended usage: COMMON |
| 273 | + Author/Change controller: IESG <iesg@ietf.org> |
| 274 | + Note: Updates existing entry for ANONYMOUS |
| 275 | + |
| 276 | + |
| 277 | + |
| 278 | + |
| 279 | + |
| 280 | + |
| 281 | + |
| 282 | +Zeilenga Standards Track [Page 5] |
| 283 | +� |
| 284 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 285 | + |
| 286 | + |
| 287 | + The [StringPrep] profile "trace", first defined in this RFC, has been |
| 288 | + registered: |
| 289 | + |
| 290 | + To: iana@iana.org |
| 291 | + Subject: Initial Registration of Stringprep "trace" profile |
| 292 | + |
| 293 | + Stringprep profile: trace |
| 294 | + Published specification: RFC 4505 |
| 295 | + Person & email address to contact for further information: |
| 296 | + Kurt Zeilenga <kurt@openldap.org> |
| 297 | + |
| 298 | +7. Acknowledgement |
| 299 | + |
| 300 | + This document is a revision of RFC 2245 by Chris Newman. Portions of |
| 301 | + the grammar defined in Section 1 were borrowed from RFC 3629 by |
| 302 | + Francois Yergeau. |
| 303 | + |
| 304 | + This document is a product of the IETF SASL WG. |
| 305 | + |
| 306 | +8. Normative References |
| 307 | + |
| 308 | + [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax |
| 309 | + Specifications: ABNF", RFC 4234, October 2005. |
| 310 | + |
| 311 | + [IMAIL] Resnick, P., "Internet Message Format", RFC 2822, April |
| 312 | + 2001. |
| 313 | + |
| 314 | + [SASL] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple |
| 315 | + Authentication and Security Layer (SASL)", RFC 4422, |
| 316 | + June 2006. |
| 317 | + |
| 318 | + [StringPrep] Hoffman, P. and M. Blanchet, "Preparation of |
| 319 | + Internationalized Strings ('stringprep')", RFC 3454, |
| 320 | + December 2002. |
| 321 | + |
| 322 | + [Unicode] The Unicode Consortium, "The Unicode Standard, Version |
| 323 | + 3.2.0" is defined by "The Unicode Standard, Version 3.0" |
| 324 | + (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), |
| 325 | + as amended by the "Unicode Standard Annex #27: Unicode |
| 326 | + 3.1" (http://www.unicode.org/reports/tr27/) and by the |
| 327 | + "Unicode Standard Annex #28: Unicode 3.2" |
| 328 | + (http://www.unicode.org/reports/tr28/). |
| 329 | + |
| 330 | + [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO |
| 331 | + 10646", RFC 3629 (also STD 63), November 2003. |
| 332 | + |
| 333 | + |
| 334 | + |
| 335 | + |
| 336 | + |
| 337 | + |
| 338 | +Zeilenga Standards Track [Page 6] |
| 339 | +� |
| 340 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 341 | + |
| 342 | + |
| 343 | +9. Informative References |
| 344 | + |
| 345 | + [IMAP4] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION |
| 346 | + 4rev1", RFC 3501, March 2003. |
| 347 | + |
| 348 | + [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) |
| 349 | + MECHANISMS", <http://www.iana.org/assignments/sasl- |
| 350 | + mechanisms>. |
| 351 | + |
| 352 | + |
| 353 | + |
| 354 | + |
| 355 | + |
| 356 | + |
| 357 | + |
| 358 | + |
| 359 | + |
| 360 | + |
| 361 | + |
| 362 | + |
| 363 | + |
| 364 | + |
| 365 | + |
| 366 | + |
| 367 | + |
| 368 | + |
| 369 | + |
| 370 | + |
| 371 | + |
| 372 | + |
| 373 | + |
| 374 | + |
| 375 | + |
| 376 | + |
| 377 | + |
| 378 | + |
| 379 | + |
| 380 | + |
| 381 | + |
| 382 | + |
| 383 | + |
| 384 | + |
| 385 | + |
| 386 | + |
| 387 | + |
| 388 | + |
| 389 | + |
| 390 | + |
| 391 | + |
| 392 | + |
| 393 | + |
| 394 | +Zeilenga Standards Track [Page 7] |
| 395 | +� |
| 396 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 397 | + |
| 398 | + |
| 399 | +Appendix A. Changes since RFC 2245 |
| 400 | + |
| 401 | + This appendix is non-normative. |
| 402 | + |
| 403 | + RFC 2245 allows the client to include optional trace information in |
| 404 | + the form of a human readable string. RFC 2245 restricted this string |
| 405 | + to US-ASCII. As the Internet is international, this document uses a |
| 406 | + string restricted to UTF-8 encoded Unicode characters. A |
| 407 | + "stringprep" profile is defined to precisely define which Unicode |
| 408 | + characters are allowed in this string. While the string remains |
| 409 | + restricted to 255 characters, the encoded length of each character |
| 410 | + may now range from 1 to 4 octets. |
| 411 | + |
| 412 | + Additionally, a number of editorial changes were made. |
| 413 | + |
| 414 | +Editor's Address |
| 415 | + |
| 416 | + Kurt D. Zeilenga |
| 417 | + OpenLDAP Foundation |
| 418 | + |
| 419 | + EMail: Kurt@OpenLDAP.org |
| 420 | + |
| 421 | + |
| 422 | + |
| 423 | + |
| 424 | + |
| 425 | + |
| 426 | + |
| 427 | + |
| 428 | + |
| 429 | + |
| 430 | + |
| 431 | + |
| 432 | + |
| 433 | + |
| 434 | + |
| 435 | + |
| 436 | + |
| 437 | + |
| 438 | + |
| 439 | + |
| 440 | + |
| 441 | + |
| 442 | + |
| 443 | + |
| 444 | + |
| 445 | + |
| 446 | + |
| 447 | + |
| 448 | + |
| 449 | + |
| 450 | +Zeilenga Standards Track [Page 8] |
| 451 | +� |
| 452 | +RFC 4505 Anonymous SASL Mechanism June 2006 |
| 453 | + |
| 454 | + |
| 455 | +Full Copyright Statement |
| 456 | + |
| 457 | + Copyright (C) The Internet Society (2006). |
| 458 | + |
| 459 | + This document is subject to the rights, licenses and restrictions |
| 460 | + contained in BCP 78, and except as set forth therein, the authors |
| 461 | + retain all their rights. |
| 462 | + |
| 463 | + This document and the information contained herein are provided on an |
| 464 | + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS |
| 465 | + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET |
| 466 | + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, |
| 467 | + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE |
| 468 | + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED |
| 469 | + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. |
| 470 | + |
| 471 | +Intellectual Property |
| 472 | + |
| 473 | + The IETF takes no position regarding the validity or scope of any |
| 474 | + Intellectual Property Rights or other rights that might be claimed to |
| 475 | + pertain to the implementation or use of the technology described in |
| 476 | + this document or the extent to which any license under such rights |
| 477 | + might or might not be available; nor does it represent that it has |
| 478 | + made any independent effort to identify any such rights. Information |
| 479 | + on the procedures with respect to rights in RFC documents can be |
| 480 | + found in BCP 78 and BCP 79. |
| 481 | + |
| 482 | + Copies of IPR disclosures made to the IETF Secretariat and any |
| 483 | + assurances of licenses to be made available, or the result of an |
| 484 | + attempt made to obtain a general license or permission for the use of |
| 485 | + such proprietary rights by implementers or users of this |
| 486 | + specification can be obtained from the IETF on-line IPR repository at |
| 487 | + http://www.ietf.org/ipr. |
| 488 | + |
| 489 | + The IETF invites any interested party to bring to its attention any |
| 490 | + copyrights, patents or patent applications, or other proprietary |
| 491 | + rights that may cover technology that may be required to implement |
| 492 | + this standard. Please address the information to the IETF at |
| 493 | + ietf-ipr@ietf.org. |
| 494 | + |
| 495 | +Acknowledgement |
| 496 | + |
| 497 | + Funding for the RFC Editor function is provided by the IETF |
| 498 | + Administrative Support Activity (IASA). |
| 499 | + |
| 500 | + |
| 501 | + |
| 502 | + |
| 503 | + |
| 504 | + |
| 505 | + |
| 506 | +Zeilenga Standards Track [Page 9] |
| 507 | +� |
0 commit comments