1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
|
Internet Engineering Task Force (IETF) P. Saint-Andre
Request for Comments: 7712 &yet
Category: Standards Track M. Miller
ISSN: 2070-1721 Cisco Systems, Inc.
P. Hancke
&yet
November 2015
Domain Name Associations (DNA)
in the Extensible Messaging and Presence Protocol (XMPP)
Abstract
This document improves the security of the Extensible Messaging and
Presence Protocol (XMPP) in two ways. First, it specifies how to
establish a strong association between a domain name and an XML
stream, using the concept of "prooftypes". Second, it describes how
to securely delegate a service domain name (e.g., example.com) to a
target server hostname (e.g., hosting.example.net); this is
especially important in multi-tenanted environments where the same
target server hosts a large number of domains.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7712.
Saint-Andre, et al. Standards Track [Page 1]
^L
RFC 7712 XMPP DNA November 2015
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................4
3. Client-to-Server (C2S) DNA ......................................4
3.1. C2S Flow ...................................................4
3.2. C2S Description ............................................5
4. Server-to-Server (S2S) DNA ......................................5
4.1. S2S Flow ...................................................6
4.2. A Simple S2S Scenario .....................................10
4.3. No Mutual PKIX Authentication .............................12
4.4. Piggybacking ..............................................13
4.4.1. Assertion ..........................................13
4.4.2. Supposition ........................................15
5. Alternative Prooftypes .........................................16
5.1. DANE ......................................................16
5.2. POSH ......................................................17
6. Secure Delegation and Multi-Tenancy ............................18
7. Prooftype Model ................................................18
8. Guidance for Server Operators ..................................19
9. IANA Considerations ............................................20
9.1. POSH Service Name for xmpp-client Service .................20
9.2. POSH Service Name for xmpp-server Service .................20
10. Security Considerations .......................................20
11. References ....................................................21
11.1. Normative References .....................................21
11.2. Informative References ...................................23
Acknowledgements ..................................................24
Authors' Addresses ................................................24
Saint-Andre, et al. Standards Track [Page 2]
^L
RFC 7712 XMPP DNA November 2015
1. Introduction
In systems that use the Extensible Messaging and Presence Protocol
(XMPP) [RFC6120], it is important to establish a strong association
between the DNS domain name of an XMPP service (e.g., example.com)
and the XML stream that a client or peer server initiates with that
service. In other words, the client or peer server needs to verify
the identity of the server to which it connects. Additionally,
servers need to verify incoming connections from other servers.
To date, such verification has been established based on information
obtained from the Domain Name System (DNS), the Public Key
Infrastructure (PKI), or similar sources. In particular, XMPP as
defined in [RFC6120] assumed that Domain Name Associations (DNA) are
to be proved using the "PKIX prooftype"; that is, the server's proof
consists of a PKIX certificate that is checked according to the XMPP
profile of the matching rules from [RFC6125] (and the overall
validation rules from [RFC5280]), the client's verification material
is obtained out of band in the form of a trusted root, and secure DNS
is not necessary.
By extending the concept of a domain name association within XMPP,
this document does the following:
1. Generalizes the model currently in use so that additional
prooftypes can be defined if needed.
2. Provides a basis for modernizing some prooftypes to reflect
progress in underlying technologies such as DNS Security
[RFC4033].
3. Describes the flow of operations for establishing a domain name
association.
This document also provides guidelines for secure delegation of a
service domain name (e.g., example.com) to a target server hostname
(e.g., hosting.example.net). The need for secure delegation arises
because the process for resolving the domain name of an XMPP service
into the IP address at which an XML stream will be negotiated (see
[RFC6120]) can involve delegation of a service domain name to a
target server hostname using technologies such as DNS SRV records
[RFC2782]. A more detailed description of the delegation problem can
be found in [RFC7711]. The domain name association can be verified
only if the delegation is done in a secure manner.
Saint-Andre, et al. Standards Track [Page 3]
^L
RFC 7712 XMPP DNA November 2015
2. Terminology
This document inherits XMPP terminology from [RFC6120] and
[XEP-0220]; DNS terminology from [RFC1034], [RFC1035], [RFC2782], and
[RFC4033]; and security terminology from [RFC4949] and [RFC5280].
The terms "reference identity" and "presented identity" are used as
defined in the "CertID" specification [RFC6125]. For the sake of
consistency with [RFC7673], this document uses the terms "service
domain name" and "target server hostname" to refer to the same
entities identified by the terms "source domain" and "derived domain"
from [RFC6125].
3. Client-to-Server (C2S) DNA
The client-to-server case is much simpler than the server-to-server
case because the client does not assert a domain name; this means
that verification happens in only one direction. Therefore, we
describe this case first to help the reader understand domain name
associations in XMPP.
3.1. C2S Flow
The following flow chart illustrates the protocol flow for
establishing a domain name association for an XML stream from a
client (C) to a server (S) using the standard PKIX prooftype
specified in [RFC6120].
|
DNS RESOLUTION ETC.
|
+-----------------STREAM HEADERS---------------------+
| |
| C: <stream to='a.example'> |
| |
| S: <stream from='a.example'> |
| |
+----------------------------------------------------+
|
+-----------------TLS NEGOTIATION--------------------+
| |
| S: Server Certificate |
| |
+----------------------------------------------------+
|
(client checks certificate and
establishes DNA for a.example)
Saint-Andre, et al. Standards Track [Page 4]
^L
RFC 7712 XMPP DNA November 2015
3.2. C2S Description
The simplified order of events (see [RFC6120] for details) in
establishing an XML stream from a client (user@a.example) to a server
(a.example) is as follows:
1. The client resolves via DNS the service
_xmpp-client._tcp.a.example.
2. The client opens a TCP connection to the resolved IP address.
3. The client sends an initial stream header to the server:
<stream:stream to='a.example'>
4. The server sends a response stream header to the client,
asserting that it is a.example:
<stream:stream from='a.example'>
5. The parties attempt TLS negotiation, during which the XMPP server
(acting as a TLS server) presents a PKIX certificate proving that
it is a.example.
6. The client checks the PKIX certificate that the server provided;
if the proof is consistent with the XMPP profile of the matching
rules from [RFC6125] and the certificate is otherwise valid
according to [RFC5280], the client accepts that there is a strong
domain name association between its stream to the target server
and the DNS domain name of the XMPP service.
The certificate that the server presents might not be acceptable to
the client. As one example, the server might be hosting multiple
domains and secure delegation as described in Section 6 is necessary.
As another example, the server might present a self-signed
certificate, which requires the client to either (1) apply the
fallback process described in Section 6.6.4 of [RFC6125] or
(2) prompt the user to accept an unauthenticated connection as
described in Section 3.4 of [RFC7590].
4. Server-to-Server (S2S) DNA
The server-to-server case is significantly more complex than the
client-to-server case, and it involves the checking of domain name
associations in both directions along with other "wrinkles"
described in the following sections. In some parts of the flow,
server-to-server communications use the Server Dialback protocol
first specified in (the now obsolete) [RFC3920] and since moved to
Saint-Andre, et al. Standards Track [Page 5]
^L
RFC 7712 XMPP DNA November 2015
[XEP-0220]. See "Impact of TLS and DNSSEC on Dialback" [XEP-0344]
for considerations when using it together with TLS and DNSSEC. Also,
"Bidirectional Server-to-Server Connections" [XEP-0288] provides a
way to use the server-to-server connections for bidirectional
exchange of XML stanzas, which reduces the complexity of some of the
processes involved.
4.1. S2S Flow
The following flow charts illustrate the protocol flow for
establishing domain name associations between Server 1 (the
initiating entity) and Server 2 (the receiving entity), as described
in the remaining sections of this document.
A simple S2S scenario would be as follows:
|
DNS RESOLUTION ETC.
|
+-------------STREAM HEADERS--------------------+
| |
| A: <stream from='a.example' to='b.example'> |
| |
| B: <stream from='b.example' to='a.example'> |
| |
+-----------------------------------------------+
|
+-------------TLS NEGOTIATION-------------------+
| |
| B: Server Certificate |
| B: Certificate Request |
| A: Client Certificate |
| |
+-----------------------------------------------+
|
(A establishes DNA for b.example)
|
Saint-Andre, et al. Standards Track [Page 6]
^L
RFC 7712 XMPP DNA November 2015
After the domain name association has been established in one
direction, it is possible to perform mutual authentication using the
Simple Authentication and Security Layer (SASL) [RFC4422] and thus
establish domain name associations in both directions.
|
+-------------AUTHENTICATION--------------------+
| | |
| {valid client certificate?} --+ |
| | | |
| | yes no | |
| v | |
| SASL EXTERNAL | |
| (mutual auth) | |
| (B establishes DNA for a.example) | |
+-------------------------------------|---------+
|
However, if mutual authentication cannot be completed using SASL, the
receiving server needs to establish a domain name association in
another way. This scenario is described in Section 4.3.
|
+-----------------+
|
(Section 4.3: No Mutual PKIX Authentication)
|
| B needs to establish DNA
| for this stream from a.example,
| so A asserts its identity
|
+----------DIALBACK IDENTITY ASSERTION----------+
| |
| A: <db:result from='a.example' |
| to='b.example'> |
| some-dialback-key |
| </db:result> |
| |
+-----------------------------------------------+
|
Saint-Andre, et al. Standards Track [Page 7]
^L
RFC 7712 XMPP DNA November 2015
DNS RESOLUTION ETC.
|
+-------------STREAM HEADERS--------------------+
| |
| B: <stream from='b.example' to='a.example'> |
| |
| A: <stream from='a.example' to='b.example'> |
| |
+-----------------------------------------------+
|
+-------------TLS NEGOTIATION-------------------+
| |
| A: Server Certificate |
| |
+-----------------------------------------------+
|
+----------DIALBACK IDENTITY VERIFICATION-------+
| |
| B: <db:verify from='b.example' |
| to='a.example' |
| id='...'> |
| some-dialback-key |
| </db:verify> |
| |
| A: <db:verify from='a.example' |
| to='b.example' |
| type='valid' |
| id='...'> |
| |
+-----------------------------------------------+
|
(B establishes DNA for a.example)
|
If one of the servers hosts additional service names (e.g., Server 2
might host c.example in addition to b.example and Server 1 might host
rooms.a.example in addition to a.example), then the servers can use
Server Dialback "piggybacking" to establish additional domain name
associations for the stream, as described in Section 4.4.
Saint-Andre, et al. Standards Track [Page 8]
^L
RFC 7712 XMPP DNA November 2015
There are two varieties of piggybacking. The first is here called
"assertion".
|
(Section 4.4.1: Piggybacking Assertion)
|
+----------DIALBACK IDENTITY ASSERTION----------+
| |
| B: <db:result from='c.example' |
| to='a.example'/> |
| |
+-----------------------------------------------+
|
+-------DNA ESTABLISHMENT AS ABOVE--------------+
| |
| DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION |
| |
+-----------------------------------------------+
|
+----------DIALBACK IDENTITY VERIFICATION-------+
| |
| A: <db:result from='a.example' |
| to='c.example' |
| type='valid'/> |
| |
+-----------------------------------------------+
|
Saint-Andre, et al. Standards Track [Page 9]
^L
RFC 7712 XMPP DNA November 2015
The second variety of piggybacking is here called "supposition".
|
(Section 4.4.2: Piggybacking Supposition)
|
+-----------SUBSEQUENT CONNECTION---------------+
| |
| B: <stream from='c.example' |
| to='rooms.a.example'> |
| |
| A: <stream from='rooms.a.example' |
| to='c.example'> |
| |
+-----------------------------------------------+
|
+-------DNA ESTABLISHMENT AS ABOVE--------------+
| |
| DNS RESOLUTION, STREAM HEADERS, |
| TLS NEGOTIATION, AUTHENTICATION |
| |
+-----------------------------------------------+
|
+-----------DIALBACK OPTIMIZATION---------------+
| |
| B: <db:result from='c.example' |
| to='rooms.a.example'/> |
| |
| B: <db:result from='rooms.a.example' |
| to='c.example' |
| type='valid'/> |
| |
+-----------------------------------------------+
4.2. A Simple S2S Scenario
To illustrate the problem, consider the simplified order of events
(see [RFC6120] for details) in establishing an XML stream between
Server 1 (a.example) and Server 2 (b.example):
1. Server 1 resolves via DNS the service
_xmpp-server._tcp.b.example.
2. Server 1 opens a TCP connection to the resolved IP address.
3. Server 1 sends an initial stream header to Server 2, asserting
that it is a.example:
<stream:stream from='a.example' to='b.example'>
Saint-Andre, et al. Standards Track [Page 10]
^L
RFC 7712 XMPP DNA November 2015
4. Server 2 sends a response stream header to Server 1, asserting
that it is b.example:
<stream:stream from='b.example' to='a.example'>
5. The servers attempt TLS negotiation, during which Server 2
(acting as a TLS server) presents a PKIX certificate proving that
it is b.example and Server 1 (acting as a TLS client) presents a
PKIX certificate proving that it is a.example.
6. Server 1 checks the PKIX certificate that Server 2 provided, and
Server 2 checks the PKIX certificate that Server 1 provided; if
these proofs are consistent with the XMPP profile of the matching
rules from [RFC6125] and are otherwise valid according to
[RFC5280], each server accepts that there is a strong domain name
association between its stream to the other party and the DNS
domain name of the other party (i.e., mutual authentication is
achieved).
Several simplifying assumptions underlie the "happy path" scenario
just outlined:
o The PKIX certificate presented by Server 2 during TLS negotiation
is acceptable to Server 1 and matches the expected identity.
o The PKIX certificate presented by Server 1 during TLS negotiation
is acceptable to Server 2; this enables the parties to complete
mutual authentication.
o There are no additional domains associated with Server 1 and
Server 2 (say, a sub-domain rooms.a.example on Server 1 or a
second domain c.example on Server 2).
o The server administrators are able to obtain PKIX certificates
issued by a widely accepted Certification Authority (CA) in the
first place.
o The server administrators are running their own XMPP servers,
rather than using hosting services.
Let's consider each of these "wrinkles" in turn.
Saint-Andre, et al. Standards Track [Page 11]
^L
RFC 7712 XMPP DNA November 2015
4.3. No Mutual PKIX Authentication
If the PKIX certificate presented by Server 1 during TLS negotiation
is not acceptable to Server 2, Server 2 is unable to mutually
authenticate Server 1. Therefore, Server 2 needs to verify the
asserted identity of Server 1 by other means.
1. Server 1 asserts that it is a.example using the Server Dialback
protocol:
<db:result from='a.example' to='b.example'>
some-dialback-key</db:result>
2. Server 2 resolves via DNS the service
_xmpp-server._tcp.a.example.
3. Server 2 opens a TCP connection to the resolved IP address.
4. Server 2 sends an initial stream header to Server 1, asserting
that it is b.example:
<stream:stream from='b.example' to='a.example'>
5. Server 1 sends a response stream header to Server 2, asserting
that it is a.example:
<stream:stream from='a.example' to='b.example'>
6. The servers attempt TLS negotiation, during which Server 1
(acting as a TLS server) presents a PKIX certificate.
7. Server 2 checks the PKIX certificate that Server 1 provided (this
might be the same certificate presented by Server 1 as a client
certificate in the initial connection). However, Server 2 does
not accept this certificate as proving that Server 1 is
authorized as a.example and therefore uses another method (here,
the Server Dialback protocol) to establish the domain name
association.
Saint-Andre, et al. Standards Track [Page 12]
^L
RFC 7712 XMPP DNA November 2015
8. Server 2 proceeds with Server Dialback in order to establish the
domain name association. In order to do this, it sends a request
for verification as described in [XEP-0220]:
<db:verify from='b.example' to='a.example'
id='...'>some-dialback-key</db:verify>
9. Server 1 responds to this:
<db:verify from='a.example' to='b.example' id='...' type='valid/>
allowing Server 2 to establish the domain name association.
In some situations (e.g., if the Authoritative Server in Server
Dialback presents the same certificate as the Originating Server), it
is the practice of some XMPP server implementations to skip steps 8
and 9. These situations are discussed in "Impact of TLS and DNSSEC
on Dialback" [XEP-0344].
4.4. Piggybacking
4.4.1. Assertion
Consider the common scenario in which Server 2 hosts not only
b.example but also a second domain c.example (often called a
"multi-tenanted" environment). If a user of Server 2 associated with
c.example wishes to communicate with a friend at a.example, Server 2
needs to send XMPP stanzas from the domain c.example rather than
b.example. Although Server 2 could open a new TCP connection and
negotiate new XML streams for the domain pair of c.example and
a.example, that is wasteful (especially if Server 2 hosts a large
number of domains). Server 2 already has a connection to a.example,
so how can it assert that it would like to add a new domain pair to
the existing connection?
The traditional method for doing so is the Server Dialback protocol
[XEP-0220]. Here, Server 2 can send a <db:result/> element for the
new domain pair over the existing stream.
<db:result from='c.example' to='a.example'>
some-dialback-key
</db:result>
This <db:result/> element functions as Server 2's assertion that it
is (also) c.example (thus, the element is functionally equivalent to
the 'from' address of an initial stream header as previously
described).
Saint-Andre, et al. Standards Track [Page 13]
^L
RFC 7712 XMPP DNA November 2015
In response to this assertion, Server 1 needs to obtain some kind of
proof that Server 2 really is also c.example. If the certificate
presented by Server 2 is also valid for c.example, then no further
action is necessary. However, if not, then Server 1 needs to do a
bit more work. Specifically, Server 1 can pursue the same strategy
it used before:
1. Server 1 resolves via DNS the service
_xmpp-server._tcp.c.example.
2. Server 1 opens a TCP connection to the resolved IP address (which
might be the same IP address as for b.example).
3. Server 1 sends an initial stream header to Server 2, asserting
that it is a.example:
<stream:stream from='a.example' to='c.example'>
4. Server 2 sends a response stream header to Server 1, asserting
that it is c.example:
<stream:stream from='c.example' to='a.example'>
5. The servers attempt TLS negotiation, during which Server 2
(acting as a TLS server) presents a PKIX certificate proving that
it is c.example.
6. At this point, Server 1 needs to establish that, despite
different certificates, c.example is associated with the origin
of the request. This is done using Server Dialback [XEP-0220]:
<db:verify from='a.example' to='c.example'
id='...'>some-dialback-key</db:verify>
7. Server 2 responds to this:
<db:verify from='c.example' to='a.example' id='...' type='valid/>
allowing Server 1 to establish the domain name association.
Now that Server 1 accepts the domain name association, it informs
Server 2 of that fact:
<db:result from='a.example' to='c.example' type='valid'/>
Saint-Andre, et al. Standards Track [Page 14]
^L
RFC 7712 XMPP DNA November 2015
The parties can then terminate the second connection, because it was
used only for Server 1 to associate a stream with the domain name
c.example (the dialback key links the original stream to the new
association).
4.4.2. Supposition
Piggybacking can also occur in the other direction. Consider the
common scenario in which Server 1 provides XMPP services not only for
a.example but also for a sub-domain such as a Multi-User Chat
[XEP-0045] service at rooms.a.example. If a user from c.example at
Server 2 wishes to join a room on the groupchat service, Server 2
needs to send XMPP stanzas from the domain c.example to the domain
rooms.a.example rather than a.example.
First, Server 2 needs to determine whether it can piggyback the
domain rooms.a.example on the connection to a.example:
1. Server 2 resolves via DNS the service
_xmpp-server._tcp.rooms.a.example.
2. Server 2 determines that this resolves to an IP address and port
to which it is already connected.
3. Server 2 determines that the PKIX certificate for that active
connection would also be valid for the rooms.a.example domain and
that Server 1 has announced support for dialback errors.
Server 2 sends a dialback key to Server 1 over the existing
connection:
<db:result from='c.example' to='rooms.a.example'>
some-dialback-key
</db:result>
Server 1 then informs Server 2 that it accepts the domain name
association:
<db:result from='rooms.a.example' to='c.example' type='valid'/>
Saint-Andre, et al. Standards Track [Page 15]
^L
RFC 7712 XMPP DNA November 2015
5. Alternative Prooftypes
The foregoing protocol flows assumed that domain name associations
were proved using the PKIX prooftype. However, sometimes XMPP server
administrators are unable or unwilling to obtain valid PKIX
certificates for all of the domains they host at their servers.
For example:
o In order to issue a PKIX certificate, a CA might try to send email
messages to authoritative mailbox names [RFC2142], but the
administrator of a subsidiary service such as im.cs.podunk.example
cannot receive email sent to hostmaster@podunk.example.
o A hosting provider such as hosting.example.net might not want to
take on the liability of holding the certificate and private key
for a tenant such as example.com (or the tenant might not want the
hosting provider to hold its certificate and private key).
o Even if PKIX certificates for each tenant can be obtained, the
management of so many certificates can introduce a large
administrative load.
(Additional discussion can be found in [RFC7711].)
In these circumstances, prooftypes other than PKIX are desirable or
necessary. As described below, two alternatives have been defined so
far: DNS-Based Authentication of Named Entities (DANE) and PKIX over
Secure HTTP (POSH).
5.1. DANE
The DANE prooftype is defined as follows:
1. The server's proof consists of either a service certificate or
domain-issued certificate (TLSA usage PKIX-EE or DANE-EE; see
[RFC6698] and [RFC7218]).
2. The proof is checked by verifying an exact match or a hash of
either the SubjectPublicKeyInfo or the full certificate.
3. The client's verification material is obtained via secure DNS
[RFC4033] as described in [RFC7673].
4. Secure DNS is necessary in order to effectively establish an
alternative chain of trust from the service certificate or
domain-issued certificate to the DNS root.
Saint-Andre, et al. Standards Track [Page 16]
^L
RFC 7712 XMPP DNA November 2015
The DANE prooftype makes use of DNS-Based Authentication of Named
Entities [RFC6698], specifically the use of DANE with DNS SRV records
[RFC7673]. For XMPP purposes, the following rules apply:
o If there is no SRV resource record, pursue the fallback methods
described in [RFC6120].
o Use the 'to' address of the initial stream header to determine the
domain name of the TLS client's reference identifier (because the
use of the Server Name Indication extension (TLS SNI) [RFC6066] is
purely discretionary in XMPP, as mentioned in [RFC6120]).
5.2. POSH
The POSH prooftype is defined as follows:
1. The server's proof consists of a PKIX certificate.
2. The proof is checked according to the rules from [RFC6120] and
[RFC6125].
3. The client's verification material is obtained by retrieving a
hash of the PKIX certificate over HTTPS at a well-known URI
[RFC5785].
4. Secure DNS is not necessary, because the HTTPS retrieval
mechanism relies on the chain of trust from the public key
infrastructure.
POSH is defined in [RFC7711]. For XMPP purposes, the following rules
apply:
o If no verification material is found via POSH, pursue the fallback
methods described in [RFC6120].
o Use the 'to' address of the initial stream header to determine the
domain name of the TLS client's reference identifier (because the
use of TLS SNI [RFC6066] is purely discretionary in XMPP, as
mentioned in [RFC6120]).
The well-known URIs [RFC5785] to be used for POSH are:
o "/.well-known/posh/xmpp-client.json" for client-to-server
connections
o "/.well-known/posh/xmpp-server.json" for server-to-server
connections
Saint-Andre, et al. Standards Track [Page 17]
^L
RFC 7712 XMPP DNA November 2015
6. Secure Delegation and Multi-Tenancy
One common method for deploying XMPP services is multi-tenancy: e.g.,
XMPP services for the service domain name example.com are actually
hosted at the target server hosting.example.net. Such an arrangement
is relatively convenient in XMPP given the use of DNS SRV records
[RFC2782], such as the following delegation from example.com to
hosting.example.net:
_xmpp-server._tcp.example.com. 0 IN SRV 0 0 5269 hosting.example.net
Secure connections with multi-tenancy can work using the PKIX
prooftype on a small scale if the provider itself wishes to host
several domains (e.g., related domains such as jabber-de.example and
jabber-ch.example). However, in practice the security of
multi-tenancy has been found to be unwieldy when the provider hosts
large numbers of XMPP services on behalf of multiple tenants (see
[RFC7711] for a detailed description). There are two possible
results: either (1) server-to-server communications to example.com
are unencrypted or (2) the communications are TLS-encrypted but the
certificates are not checked (which is functionally equivalent to a
connection using an anonymous key exchange). This is also true of
client-to-server communications, forcing end users to override
certificate warnings or configure their clients to accept or "pin"
certificates for hosting.example.net instead of example.com. The
fundamental problem here is that if DNSSEC is not used, then the act
of delegation via DNS SRV records is inherently insecure.
The specification for the use of SRV records with DANE [RFC7673]
explains how to use DNSSEC for secure delegation with the DANE
prooftype, and the POSH specification [RFC7711] explains how to use
HTTPS redirects for secure delegation with the POSH prooftype.
7. Prooftype Model
In general, a Domain Name Association (DNA) prooftype conforms to the
following definition:
prooftype: A mechanism for proving an association between a domain
name and an XML stream, where the mechanism defines (1) the nature
of the server's proof, (2) the matching rules for comparing the
client's verification material against the server's proof, (3) how
the client obtains its verification material, and (4) whether or
not the mechanism depends on secure DNS.
The PKIX, DANE, and POSH prooftypes adhere to this model. (Some
prooftypes depend on, or are enhanced by, secure DNS [RFC4033] and
thus also need to describe how they ensure secure delegation.)
Saint-Andre, et al. Standards Track [Page 18]
^L
RFC 7712 XMPP DNA November 2015
Other prooftypes are possible; examples might include TLS with Pretty
Good Privacy (PGP) keys [RFC6091], a token mechanism such as Kerberos
[RFC4120] or OAuth [RFC6749], and Server Dialback keys [XEP-0220].
Although the PKIX prooftype reuses the syntax of the XMPP Server
Dialback protocol [XEP-0220] for signaling between servers, this
framework document does not define how the generation and validation
of Server Dialback keys (also specified in [XEP-0220]) constitute a
DNA prooftype. However, nothing in this document prevents the
continued use of Server Dialback for signaling, and a future
specification (or an updated version of [XEP-0220]) might define a
DNA prooftype for Server Dialback keys in a way that is consistent
with this framework.
8. Guidance for Server Operators
This document introduces the concept of a prooftype in order to
explain and generalize the approach to establishing a strong
association between the DNS domain name of an XMPP service and the
XML stream that a client or peer server initiates with that service.
The operations and management implications of DNA prooftypes will
depend on the particular prooftypes that an operator supports.
For example:
o To support the PKIX prooftype [RFC6120], an operator needs to
obtain certificates for the XMPP server from a Certification
Authority (CA). However, DNS Security is not required.
o To support the DANE prooftype [RFC7673], an operator can generate
its own certificates for the XMPP server or obtain them from a CA.
In addition, DNS Security is required.
o To support the POSH prooftype [RFC7711], an operator can generate
its own certificates for the XMPP server or obtain them from a CA,
but in addition needs to deploy the web server for POSH files with
certificates obtained from a CA. However, DNS Security is not
required.
Considerations for the use of the foregoing prooftypes are explained
in the relevant specifications. See in particular Section 13.7 of
[RFC6120], Section 6 of [RFC7673], and Section 7 of [RFC7711].
Naturally, these operations and management considerations are
additive: if an operator wishes to use multiple prooftypes, the
complexity of deployment increases (e.g., the operator might want to
obtain a PKIX certificate from a CA for use in the PKIX prooftype and
generate its own certificate for use in the DANE prooftype). This is
Saint-Andre, et al. Standards Track [Page 19]
^L
RFC 7712 XMPP DNA November 2015
an unavoidable aspect of supporting as many prooftypes as needed in
order to ensure that domain name associations can be established in
the largest possible percentage of cases.
9. IANA Considerations
The POSH specification [RFC7711] establishes the "POSH Service Names"
registry for use in well-known URIs [RFC5785]. This specification
registers two such service names for use in XMPP: "xmpp-client" and
"xmpp-server". The completed registration templates follow.
9.1. POSH Service Name for xmpp-client Service
Service name: xmpp-client
Change controller: IETF
Definition and usage: Specifies the location of a POSH file
containing verification material or a reference thereto that
enables a client to verify the identity of a server for a
client-to-server stream in XMPP
Specification: RFC 7712 (this document)
9.2. POSH Service Name for xmpp-server Service
Service name: xmpp-server
Change controller: IETF
Definition and usage: Specifies the location of a POSH file
containing verification material or a reference thereto that
enables a server to verify the identity of a peer server for a
server-to-server stream in XMPP
Specification: RFC 7712 (this document)
10. Security Considerations
With regard to the PKIX prooftype, this document supplements but does
not supersede the security considerations of [RFC6120] and [RFC6125].
With regard to the DANE and POSH prooftypes, the reader is referred
to [RFC7673] and [RFC7711], respectively.
Any future prooftypes need to thoroughly describe how they conform to
the prooftype model specified in Section 7 of this document.
Saint-Andre, et al. Standards Track [Page 20]
^L
RFC 7712 XMPP DNA November 2015
11. References
11.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and
facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034,
November 1987, <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<http://www.rfc-editor.org/info/rfc2782>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>.
[RFC4422] Melnikov, A., Ed., and K. Zeilenga, Ed., "Simple
Authentication and Security Layer (SASL)", RFC 4422,
DOI 10.17487/RFC4422, June 2006,
<http://www.rfc-editor.org/info/rfc4422>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280,
May 2008, <http://www.rfc-editor.org/info/rfc5280>.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
Uniform Resource Identifiers (URIs)", RFC 5785,
DOI 10.17487/RFC5785, April 2010,
<http://www.rfc-editor.org/info/rfc5785>.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120,
March 2011, <http://www.rfc-editor.org/info/rfc6120>.
Saint-Andre, et al. Standards Track [Page 21]
^L
RFC 7712 XMPP DNA November 2015
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
March 2011, <http://www.rfc-editor.org/info/rfc6125>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based
Authentication of Named Entities (DANE) Transport Layer
Security (TLS) Protocol: TLSA", RFC 6698,
DOI 10.17487/RFC6698, August 2012,
<http://www.rfc-editor.org/info/rfc6698>.
[RFC7218] Gudmundsson, O., "Adding Acronyms to Simplify
Conversations about DNS-Based Authentication of Named
Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218,
April 2014, <http://www.rfc-editor.org/info/rfc7218>.
[RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using
DNS-Based Authentication of Named Entities (DANE) TLSA
Records with SRV Records", RFC 7673,
DOI 10.17487/RFC7673, October 2015,
<http://www.rfc-editor.org/info/rfc7673>.
[RFC7711] Miller, M. and P. Saint-Andre, "PKIX over Secure HTTP
(POSH)", RFC 7711, DOI 10.17487/RFC7711, November 2015,
<http://www.rfc-editor.org/info/rfc7711>.
[XEP-0220] Miller, J., Saint-Andre, P., and P. Hancke, "Server
Dialback", XSF XEP 0220, August 2014,
<http://xmpp.org/extensions/xep-0220.html>.
Saint-Andre, et al. Standards Track [Page 22]
^L
RFC 7712 XMPP DNA November 2015
11.2. Informative References
[RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles
and Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997,
<http://www.rfc-editor.org/info/rfc2142>.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, DOI 10.17487/RFC3920,
October 2004, <http://www.rfc-editor.org/info/rfc3920>.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
DOI 10.17487/RFC4120, July 2005,
<http://www.rfc-editor.org/info/rfc4120>.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066,
DOI 10.17487/RFC6066, January 2011,
<http://www.rfc-editor.org/info/rfc6066>.
[RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys
for Transport Layer Security (TLS) Authentication",
RFC 6091, DOI 10.17487/RFC6091, February 2011,
<http://www.rfc-editor.org/info/rfc6091>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>.
[RFC7590] Saint-Andre, P. and T. Alkemade, "Use of Transport Layer
Security (TLS) in the Extensible Messaging and Presence
Protocol (XMPP)", RFC 7590, DOI 10.17487/RFC7590,
June 2015, <http://www.rfc-editor.org/info/rfc7590>.
[XEP-0045] Saint-Andre, P., "Multi-User Chat", XSF XEP 0045,
February 2012,
<http://xmpp.org/extensions/xep-0045.html>.
[XEP-0288] Hancke, P. and D. Cridland, "Bidirectional
Server-to-Server Connections", XSF XEP 0288,
September 2013,
<http://xmpp.org/extensions/xep-0288.html>.
[XEP-0344] Hancke, P. and D. Cridland, "Impact of TLS and DNSSEC on
Dialback", XSF XEP 0344, March 2015,
<http://xmpp.org/extensions/xep-0344.html>.
Saint-Andre, et al. Standards Track [Page 23]
^L
RFC 7712 XMPP DNA November 2015
Acknowledgements
Richard Barnes, Stephen Farrell, and Jonas Lindberg contributed as
co-authors to earlier draft versions of this document.
Derek Atkins, Mahesh Jethanandani, and Dan Romascanu reviewed the
document on behalf of the Security Directorate, the Operations and
Management Directorate, and the General Area Review Team,
respectively.
During IESG review, Stephen Farrell and Barry Leiba provided helpful
input that led to improvements in the specification.
Thanks to Dave Cridland as document shepherd, Joe Hildebrand as
working group chair, and Ben Campbell as area director.
Peter Saint-Andre wishes to acknowledge Cisco Systems, Inc., for
employing him during his work on earlier draft versions of this
document.
Authors' Addresses
Peter Saint-Andre
&yet
Email: peter@andyet.com
URI: https://andyet.com/
Matthew Miller
Cisco Systems, Inc.
1899 Wynkoop Street, Suite 600
Denver, CO 80202
United States
Email: mamille2@cisco.com
Philipp Hancke
&yet
Email: fippo@andyet.com
URI: https://andyet.com/
Saint-Andre, et al. Standards Track [Page 24]
^L
|
