summaryrefslogtreecommitdiff
path: root/docs/rfc/rfc1413.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/rfc/rfc1413.txt')
-rw-r--r--docs/rfc/rfc1413.txt451
1 files changed, 451 insertions, 0 deletions
diff --git a/docs/rfc/rfc1413.txt b/docs/rfc/rfc1413.txt
new file mode 100644
index 000000000..17ede58a2
--- /dev/null
+++ b/docs/rfc/rfc1413.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group M. St. Johns
+Request for Comments: 1413 US Department of Defense
+Obsoletes: 931 February 1993
+
+
+ Identification Protocol
+
+Status of this Memo
+
+ This RFC specifies an IAB standards track protocol for the Internet
+ community, and requests discussion and suggestions for improvements.
+ Please refer to the current edition of the "IAB Official Protocol
+ Standards" for the standardization state and status of this protocol.
+ Distribution of this memo is unlimited.
+
+1. INTRODUCTION
+
+ The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident
+ Protocol") provides a means to determine the identity of a user of a
+ particular TCP connection. Given a TCP port number pair, it returns
+ a character string which identifies the owner of that connection on
+ the server's system.
+
+ The Identification Protocol was formerly called the Authentication
+ Server Protocol. It has been renamed to better reflect its function.
+ This document is a product of the TCP Client Identity Protocol
+ Working Group of the Internet Engineering Task Force (IETF).
+
+2. OVERVIEW
+
+ This is a connection based application on TCP. A server listens for
+ TCP connections on TCP port 113 (decimal). Once a connection is
+ established, the server reads a line of data which specifies the
+ connection of interest. If it exists, the system dependent user
+ identifier of the connection of interest is sent as the reply. The
+ server may then either shut the connection down or it may continue to
+ read/respond to multiple queries.
+
+ The server should close the connection down after a configurable
+ amount of time with no queries - a 60-180 second idle timeout is
+ recommended. The client may close the connection down at any time;
+ however to allow for network delays the client should wait at least
+ 30 seconds (or longer) after a query before abandoning the query and
+ closing the connection.
+
+
+
+
+
+
+
+St. Johns [Page 1]
+
+RFC 1413 Identification Protocol February 1993
+
+
+3. RESTRICTIONS
+
+ Queries are permitted only for fully specified connections. The
+ query contains the local/foreign port pair -- the local/foreign
+ address pair used to fully specify the connection is taken from the
+ local and foreign address of query connection. This means a user on
+ address A may only query the server on address B about connections
+ between A and B.
+
+4. QUERY/RESPONSE FORMAT
+
+ The server accepts simple text query requests of the form:
+
+ <port-on-server> , <port-on-client>
+
+ where <port-on-server> is the TCP port (decimal) on the target (where
+ the "ident" server is running) system, and <port-on-client> is the
+ TCP port (decimal) on the source (client) system.
+
+ N.B - If a client on host A wants to ask a server on host B about a
+ connection specified locally (on the client's machine) as 23, 6191
+ (an inbound TELNET connection), the client must actually ask about
+ 6191, 23 - which is how the connection would be specified on host B.
+
+ For example:
+
+ 6191, 23
+
+ The response is of the form
+
+ <port-on-server> , <port-on-client> : <resp-type> : <add-info>
+
+ where <port-on-server>,<port-on-client> are the same pair as the
+ query, <resp-type> is a keyword identifying the type of response, and
+ <add-info> is context dependent.
+
+ The information returned is that associated with the fully specified
+ TCP connection identified by <server-address>, <client-address>,
+ <port-on-server>, <port-on-client>, where <server-address> and
+ <client-address> are the local and foreign IP addresses of the
+ querying connection -- i.e., the TCP connection to the Identification
+ Protocol Server. (<port-on-server> and <port-on-client> are taken
+ from the query.)
+
+ For example:
+
+ 6193, 23 : USERID : UNIX : stjohns
+ 6195, 23 : ERROR : NO-USER
+
+
+
+St. Johns [Page 2]
+
+RFC 1413 Identification Protocol February 1993
+
+
+5. RESPONSE TYPES
+
+A response can be one of two types:
+
+USERID
+
+ In this case, <add-info> is a string consisting of an
+ operating system name (with an optional character set
+ identifier), followed by ":", followed by an
+ identification string.
+
+ The character set (if present) is separated from the
+ operating system name by ",". The character set
+ identifier is used to indicate the character set of the
+ identification string. The character set identifier,
+ if omitted, defaults to "US-ASCII" (see below).
+
+ Permitted operating system names and character set
+ names are specified in RFC 1340, "Assigned Numbers" or
+ its successors.
+
+ In addition to those operating system and character set
+ names specified in "Assigned Numbers" there is one
+ special case operating system identifier - "OTHER".
+
+ Unless "OTHER" is specified as the operating system
+ type, the server is expected to return the "normal"
+ user identification of the owner of this connection.
+ "Normal" in this context may be taken to mean a string
+ of characters which uniquely identifies the connection
+ owner such as a user identifier assigned by the system
+ administrator and used by such user as a mail
+ identifier, or as the "user" part of a user/password
+ pair used to gain access to system resources. When an
+ operating system is specified (e.g., anything but
+ "OTHER"), the user identifier is expected to be in a
+ more or less immediately useful form - e.g., something
+ that could be used as an argument to "finger" or as a
+ mail address.
+
+ "OTHER" indicates the identifier is an unformatted
+ character string consisting of printable characters in
+ the specified character set. "OTHER" should be
+ specified if the user identifier does not meet the
+ constraints of the previous paragraph. Sending an
+ encrypted audit token, or returning other non-userid
+ information about a user (such as the real name and
+ phone number of a user from a UNIX passwd file) are
+
+
+
+St. Johns [Page 3]
+
+RFC 1413 Identification Protocol February 1993
+
+
+ both examples of when "OTHER" should be used.
+
+ Returned user identifiers are expected to be printable
+ in the character set indicated.
+
+ The identifier is an unformatted octet string - - all
+ octets are permissible EXCEPT octal 000 (NUL), 012 (LF)
+ and 015 (CR). N.B. - space characters (040) following the
+ colon separator ARE part of the identifier string and
+ may not be ignored. A response string is still
+ terminated normally by a CR/LF. N.B. A string may be
+ printable, but is not *necessarily* printable.
+
+ERROR
+
+ For some reason the port owner could not be determined, <add-info>
+ tells why. The following are the permitted values of <add-info> and
+ their meanings:
+
+ INVALID-PORT
+
+ Either the local or foreign port was improperly
+ specified. This should be returned if either or
+ both of the port ids were out of range (TCP port
+ numbers are from 1-65535), negative integers, reals or
+ in any fashion not recognized as a non-negative
+ integer.
+
+ NO-USER
+
+ The connection specified by the port pair is not
+ currently in use or currently not owned by an
+ identifiable entity.
+
+ HIDDEN-USER
+
+ The server was able to identify the user of this
+ port, but the information was not returned at the
+ request of the user.
+
+ UNKNOWN-ERROR
+
+ Can't determine connection owner; reason unknown.
+ Any error not covered above should return this
+ error code value. Optionally, this code MAY be
+ returned in lieu of any other specific error code
+ if, for example, the server desires to hide
+ information implied by the return of that error
+
+
+
+St. Johns [Page 4]
+
+RFC 1413 Identification Protocol February 1993
+
+
+ code, or for any other reason. If a server
+ implements such a feature, it MUST be configurable
+ and it MUST default to returning the proper error
+ message.
+
+ Other values may eventually be specified and defined in future
+ revisions to this document. If an implementer has a need to specify
+ a non-standard error code, that code must begin with "X".
+
+ In addition, the server is allowed to drop the query connection
+ without responding. Any premature close (i.e., one where the client
+ does not receive the EOL, whether graceful or an abort should be
+ considered to have the same meaning as "ERROR : UNKNOWN-ERROR".
+
+FORMAL SYNTAX
+
+ <request> ::= <port-pair> <EOL>
+
+ <port-pair> ::= <integer> "," <integer>
+
+ <reply> ::= <reply-text> <EOL>
+
+ <EOL> ::= "015 012" ; CR-LF End of Line Indicator
+
+ <reply-text> ::= <error-reply> | <ident-reply>
+
+ <error-reply> ::= <port-pair> ":" "ERROR" ":" <error-type>
+
+ <ident-reply> ::= <port-pair> ":" "USERID" ":" <opsys-field>
+ ":" <user-id>
+
+ <error-type> ::= "INVALID-PORT" | "NO-USER" | "UNKNOWN-ERROR"
+ | "HIDDEN-USER" | <error-token>
+
+ <opsys-field> ::= <opsys> [ "," <charset>]
+
+ <opsys> ::= "OTHER" | "UNIX" | <token> ...etc.
+ ; (See "Assigned Numbers")
+
+ <charset> ::= "US-ASCII" | ...etc.
+ ; (See "Assigned Numbers")
+
+ <user-id> ::= <octet-string>
+
+ <token> ::= 1*64<token-characters> ; 1-64 characters
+
+ <error-token> ::= "X"1*63<token-characters>
+ ; 2-64 chars beginning w/X
+
+
+
+St. Johns [Page 5]
+
+RFC 1413 Identification Protocol February 1993
+
+
+ <integer> ::= 1*5<digit> ; 1-5 digits.
+
+ <digit> ::= "0" | "1" ... "8" | "9" ; 0-9
+
+ <token-characters> ::=
+ <Any of these ASCII characters: a-z, A-Z,
+ - (dash), .!@#$%^&*()_=+.,<>/?"'~`{}[]; >
+ ; upper and lowercase a-z plus
+ ; printables minus the colon ":"
+ ; character.
+
+ <octet-string> ::= 1*512<octet-characters>
+
+ <octet-characters> ::=
+ <any octet from 00 to 377 (octal) except for
+ ASCII NUL (000), CR (015) and LF (012)>
+
+Notes on Syntax:
+
+ 1) To promote interoperability among variant
+ implementations, with respect to white space the above
+ syntax is understood to embody the "be conservative in
+ what you send and be liberal in what you accept"
+ philosophy. Clients and servers should not generate
+ unnecessary white space (space and tab characters) but
+ should accept white space anywhere except within a
+ token. In parsing responses, white space may occur
+ anywhere, except within a token. Specifically, any
+ amount of white space is permitted at the beginning or
+ end of a line both for queries and responses. This
+ does not apply for responses that contain a user ID
+ because everything after the colon after the operating
+ system type until the terminating CR/LF is taken as
+ part of the user ID. The terminating CR/LF is NOT
+ considered part of the user ID.
+
+ 2) The above notwithstanding, servers should restrict the
+ amount of inter-token white space they send to the
+ smallest amount reasonable or useful. Clients should
+ feel free to abort a connection if they receive 1000
+ characters without receiving an <EOL>.
+
+ 3) The 512 character limit on user IDs and the 64
+ character limit on tokens should be understood to mean
+ as follows: a) No new token (i.e., OPSYS or ERROR-TYPE)
+ token will be defined that has a length greater than 64
+ and b) a server SHOULD NOT send more than 512 octets of
+ user ID and a client MUST accept at least 512 octets of
+
+
+
+St. Johns [Page 6]
+
+RFC 1413 Identification Protocol February 1993
+
+
+ user ID. Because of this limitation, a server MUST
+ return the most significant portion of the user ID in
+ the first 512 octets.
+
+ 4) The character sets and character set identifiers should
+ map directly to those defined in or referenced by RFC 1340,
+ "Assigned Numbers" or its successors. Character set
+ identifiers only apply to the user identification field
+ - all other fields will be defined in and must be sent
+ as US-ASCII.
+
+ 5) Although <user-id> is defined as an <octet-string>
+ above, it must follow the format and character set
+ constraints implied by the <opsys-field>; see the
+ discussion above.
+
+ 6) The character set provides context for the client to
+ print or store the returned user identification string.
+ If the client does not recognize or implement the
+ returned character set, it should handle the returned
+ identification string as OCTET, but should in addition
+ store or report the character set. An OCTET string
+ should be printed, stored or handled in hex notation
+ (0-9a-f) in addition to any other representation the
+ client implements - this provides a standard
+ representation among differing implementations.
+
+6. Security Considerations
+
+ The information returned by this protocol is at most as trustworthy
+ as the host providing it OR the organization operating the host. For
+ example, a PC in an open lab has few if any controls on it to prevent
+ a user from having this protocol return any identifier the user
+ wants. Likewise, if the host has been compromised the information
+ returned may be completely erroneous and misleading.
+
+ The Identification Protocol is not intended as an authorization or
+ access control protocol. At best, it provides some additional
+ auditing information with respect to TCP connections. At worst, it
+ can provide misleading, incorrect, or maliciously incorrect
+ information.
+
+ The use of the information returned by this protocol for other than
+ auditing is strongly discouraged. Specifically, using Identification
+ Protocol information to make access control decisions - either as the
+ primary method (i.e., no other checks) or as an adjunct to other
+ methods may result in a weakening of normal host security.
+
+
+
+
+St. Johns [Page 7]
+
+RFC 1413 Identification Protocol February 1993
+
+
+ An Identification server may reveal information about users,
+ entities, objects or processes which might normally be considered
+ private. An Identification server provides service which is a rough
+ analog of the CallerID services provided by some phone companies and
+ many of the same privacy considerations and arguments that apply to
+ the CallerID service apply to Identification. If you wouldn't run a
+ "finger" server due to privacy considerations you may not want to run
+ this protocol.
+
+7. ACKNOWLEDGEMENTS
+
+ Acknowledgement is given to Dan Bernstein who is primarily
+ responsible for renewing interest in this protocol and for pointing
+ out some annoying errors in RFC 931.
+
+References
+
+ [1] St. Johns, M., "Authentication Server", RFC 931, TPSC, January
+ 1985.
+
+ [2] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC 1340,
+ USC/Information Sciences Institute, July 1992.
+
+Author's Address
+
+ Michael C. St. Johns
+ DARPA/CSTO
+ 3701 N. Fairfax Dr
+ Arlington, VA 22203
+
+ Phone: (703) 696-2271
+ EMail: stjohns@DARPA.MIL
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+St. Johns [Page 8]
+ \ No newline at end of file