Stefan Santesson Microsoft

Presentation transcript:

SRV RR otherName
Stefan Santesson, Microsoft

The Concept (RFC 2782)
Diagram: the Client asks the DNS Server for _service._protocol.domain.com; the DNS Server answers with the Service Host name host1.domain.com (192.168.0.132); the Client then uses the service on that host.

The Concept
From RFC 2782: Currently, one must either know the exact address of a server to contact it, or broadcast a question. The SRV RR allows administrators to use several servers for a single domain, to move services from host to host with little fuss, and to designate some hosts as primary servers for a service and others as backups. Clients ask for a specific service/protocol for a specific domain and get back the names of any available servers. The example here is discovery of a Kerberos KDC host, but this could be used as a general mechanism for a variety of services.
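The "several servers, primaries and backups" behaviour comes from the priority and weight fields of the SRV RR. As an added illustration (not part of the slides), the following Python implements the RFC 2782 client selection rules over a constructed answer for _ldap._tcp.example.com: lowest priority first, and within one priority a weighted random choice in which zero-weight records are sorted first. The record values and the `seed` parameter are assumptions made for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    """One SRV RR from the answer to _service._protocol.domain (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for _ldap._tcp.example.com: two primaries sharing
# load 60/40 at priority 10 and one backup at priority 20.
SAMPLE_SRV_ANSWER = [
    SrvRecord(priority=10, weight=60, port=389, target="ldap1.example.com."),
    SrvRecord(priority=10, weight=40, port=389, target="ldap2.example.com."),
    SrvRecord(priority=20, weight=0, port=389, target="ldap-backup.example.com."),
]


def order_srv_records(records, seed=None):
    """Return the records in the order a client should try them (RFC 2782
    "Usage rules"): lowest priority first; within one priority, repeatedly pick
    a record by weighted random selection, zero-weight records sorted first.
    `seed` (an assumption of this example) makes the choice reproducible."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight records go first so they receive only a small share of picks
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            # random number in [0, total]; pick the first record whose running
            # sum of weights is >= that number
            threshold = rng.randint(0, total)
            running = 0
            pick = group[-1]
            for r in group:
                running += r.weight
                if running >= threshold:
                    pick = r
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def try_order_targets(records, seed=None):
    """Just the (target, port) tuples in try order, trailing dot removed."""
    return [(r.target.rstrip("."), r.port) for r in order_srv_records(records, seed)]


if __name__ == "__main__":
    for target, port in try_order_targets(SAMPLE_SRV_ANSWER, seed=1):
        print(f"try {target}:{port}")
```

Whatever the ordering, every name in the result came from DNS; the client still has to decide whether the host it finally connects to is the one it should trust, which is the problem the following slides take up.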

The Threat: DNS spoofing
Diagram: the Client asks for _service._protocol.domain.com, but a spoofed DNS Server answers with hostX.domain.com (192.168.0.174), a hijacked host; the Client then uses the service on the hijacked host.

Proposal
Submitted as draft-santesson-pkix-srvrr-00.txt. Define a Subject Alt Name otherName for the SRV RR query string (_service._protocol.domain). Example: _ldap._tcp.example.com
otherName structure:
    id-on-sRVRRName OBJECT IDENTIFIER ::= { id-on ? }
    SRVRRName ::= UTF8String
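Why binding the certificate to the query string rather than to the returned host name defeats the spoofing slide: the query string is something the client chose itself, whereas the host name arrived in an unauthenticated DNS answer. The Python below is an added example (not from the draft or the slides) that contrasts the two checks over a constructed version of the host1/hostX scenario. The `Certificate` class stands in for the parsed subjectAltName and is an assumption of the example; the draft leaves the OID arc unassigned, so no OID value is used.

```python
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Only the identity fields this check needs; a real client would read them
    from the parsed X.509 subjectAltName extension (parsing is out of scope)."""
    dns_names: list = field(default_factory=list)     # SAN dNSName values
    srv_rr_names: list = field(default_factory=list)  # proposed SAN otherName SRVRRName values


def _norm(name):
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.rstrip(".").lower()


def srv_query_name(service, protocol, domain):
    """Build the RFC 2782 query string the client uses, e.g. _ldap._tcp.example.com."""
    return _norm(f"_{service}._{protocol}.{domain}")


def host_name_check(srv_target, cert):
    """Classic check: does the certificate name the host the SRV answer pointed at?
    This trusts the (unauthenticated) DNS answer to say whom to expect."""
    return _norm(srv_target) in {_norm(n) for n in cert.dns_names}


def srv_rr_name_check(query_name, cert):
    """Proposed check: does the certificate assert an SRVRRName equal to the
    query string the client chose itself? The expected value never came from DNS."""
    return _norm(query_name) in {_norm(n) for n in cert.srv_rr_names}


def authenticate(query_name, srv_target, cert):
    """The SRVRRName binding is what defeats the spoofing case; the host-name
    match is kept as an additional consistency check (an assumption here)."""
    if not srv_rr_name_check(query_name, cert):
        return False, "certificate has no SRVRRName for " + _norm(query_name)
    if not host_name_check(srv_target, cert):
        return False, "certificate does not name SRV target " + _norm(srv_target)
    return True, "ok"


# Constructed scenario from the slides: legitimate host1 vs hijacked hostX.
QUERY = srv_query_name("ldap", "tcp", "domain.com")
LEGIT_CERT = Certificate(dns_names=["host1.domain.com"],
                         srv_rr_names=["_ldap._tcp.domain.com"])
# hostX holds a perfectly valid certificate for its own name but was never
# authorised for the LDAP service of domain.com, so it carries no SRVRRName.
HIJACKED_CERT = Certificate(dns_names=["hostX.domain.com"])

if __name__ == "__main__":
    print(authenticate(QUERY, "host1.domain.com.", LEGIT_CERT))
    print(host_name_check("hostX.domain.com.", HIJACKED_CERT))  # the name check alone passes
    print(authenticate(QUERY, "hostX.domain.com.", HIJACKED_CERT))
```

The hijacked host passes `host_name_check` because its certificate is genuinely issued for hostX.domain.com; only the SRVRRName check notices that nobody vouched for hostX as the _ldap._tcp.domain.com server.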

Applicability Constraints
From RFC 2782: In general, it is expected that SRV records will be used by clients for applications where the relevant protocol specification indicates that clients should use the SRV record. Such specification MUST define the symbolic name to be used in the Service field of the SRV record as described below. It also MUST include security considerations. Service SRV records SHOULD NOT be used in the absence of such specification.
Any use of the SRV RR for host authentication MUST NOT be in conflict with any rules specified for deployed security protocols and application/service definitions.

Request
Request that PKIX accept the task to define this SAN otherName so it can be referenced and used by other protocol specifications to support host authentication where applicable.

Path forward
Correct known errors (IA5String -> UTF8String)
Submit as first pkix draft (00)
Define appropriate constraints and security considerations
Proceed as standards track
WG last call after Vancouver IETF