Telnet Security BOF (telsec)
Monday, December 11 at 1930-2200
================================

CHAIR: Jeffrey Altman

DESCRIPTION:

The Telnet Security Working Group is a follow-up to the recent approval of the Telnet Authentication and Encryption options as Proposed Standards.

Background:

Work on the Telnet Authentication and Encryption options began in the early 90s. Unfortunately, due to various forces the effort to finalize these options and move them to the IETF Standards Track did not occur until this past year. In the meantime numerous implementations supporting these options with a wide variety of authentication protocols and encryption algorithms were developed and distributed. The most recent editors of the Authentication and Encryption Option RFCs believed it was necessary to plug holes in the protocols and move them to standards track before continuing their development.

While the Telnet Authentication option provides strong authentication in a secure manner, the Telnet Encryption option leaves much to be desired. While the encryption provides privacy to the telnet data stream, it does not provide integrity protection.

The TN3270 Working Group has been working on the Telnet START_TLS option, which does provide significant improvements in the strength of the ciphers used for encryption and provides integrity protection as well as privacy for the connection.

Work has also been done to provide for protection of X Window System data communication via the Telnet channel, incorporating strong authentication of the X Window sessions (Telnet FORWARD_X).

Microsoft Windows 2000 shipped this year with support for Kerberos 5 but not with support for the Krb5 API upon which Telnet AUTH KRB5 is based. Microsoft does implement GSSAPI-KRB5 via their Kerberos SSPI. It is therefore necessary for a GSSAPI-KRB5 Telnet AUTH method to be implemented for interoperability between Windows 2000 and other operating systems.
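The difference between "privacy only" (the ENCRYPT option as described above) and "privacy plus integrity" (what START_TLS brings to the connection) can be shown in a few lines. The following is an added illustration, not code from this announcement or from any Telnet implementation: a toy SHA-256 counter-mode keystream stands in for whatever cipher ENCRYPT negotiates, and an HMAC-SHA256 tag stands in for the record-level integrity check a TLS session supplies. Keys, nonce and the sample login line are constructed for the demonstration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256.

    Assumption: this stands in for the cipher the ENCRYPT option would
    negotiate; it is not one of that option's ciphers.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Privacy only: XOR the data with the keystream.

    Encryption and decryption are the same operation, and nothing here
    tells the receiver whether the bytes arrived unchanged.
    """
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Privacy plus integrity: encrypt, then append an HMAC-SHA256 tag
    computed over nonce || ciphertext (encrypt-then-MAC)."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes):
    """Check the tag (constant-time compare) before decrypting.
    Returns the plaintext, or None if the message was altered in transit."""
    if len(message) < TAG_LEN:
        return None
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(enc_key, nonce, ct)


def corrupt(data: bytes, offset: int) -> bytes:
    """Simulate one bit flipped on the wire. The receiver cannot distinguish
    line noise from deliberate modification, which is the point of a MAC."""
    flipped = bytearray(data)
    flipped[offset] ^= 0x01
    return bytes(flipped)


def demo():
    # Constructed keys, nonce and data for the demonstration only.
    enc_key = b"\x11" * 32
    mac_key = b"\x22" * 32
    nonce = b"\x00" * 8
    plaintext = b"login: alice\r\n"

    # 1. Encryption without integrity: the corrupted ciphertext decrypts
    #    without any error; one byte of the plaintext is simply different.
    ct = xor_stream(enc_key, nonce, plaintext)
    silently_altered = xor_stream(enc_key, nonce, corrupt(ct, 7))

    # 2. Encryption with integrity: the same corruption fails verification
    #    and the receiver never acts on the altered bytes.
    msg = seal(enc_key, mac_key, nonce, plaintext)
    rejected = open_(enc_key, mac_key, nonce, corrupt(msg, 7))

    return silently_altered, rejected


if __name__ == "__main__":
    altered, rejected = demo()
    print("privacy only   :", altered)   # decrypts, one character changed
    print("with integrity :", rejected)  # None: tampering detected
```

The first half is why the announcement says ENCRYPT "leaves much to be desired": a stream cipher without a MAC lets any change to the ciphertext pass straight through as a corresponding change to the plaintext. The second half is the property START_TLS inherits from TLS, where every record carries an integrity check that is verified before the data is handed to the application.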
There is also some outstanding work on integrating the three remaining features of the BSD R-protocols not supported by Telnet (TELNET RCMD):

  . STDERR redirection;
  . SIGNAL redirection;
  . Command execution without shell access.

Goals:

The Telnet Security Working Group has a very well defined set of goals which we intend to complete within one year:

  . Define the interoperability between the START_TLS and AUTH options. In particular, how AUTH can be negotiated after START_TLS to provide end user authentication, and mutual authentication of an anonymous TLS session.
  . Publish the Telnet START_TLS as Proposed Standard.
  . Revise the Telnet ENCRYPT option and publish it as Historic.
  . Revise the Telnet AUTH option and publish it as Draft Standard.
  . Revise the Telnet AUTH sub-options to reflect the support for START_TLS and publish them as Draft Standards.
  . Develop the Telnet AUTH GSSAPI-KRB5 authentication method and publish it as Proposed Standard.
  . Complete the work on the Telnet FORWARD_X option and publish it as Proposed Standard.
  . Complete the work on Telnet RCMD and publish it as Proposed Standard.

Documents:

TELNET AUTH
    ftp://ftp.isi.edu/in-notes/rfc2941.txt
    http://www.ietf.org/internet-drafts/draft-altman-rfc2941bis-00.txt

TELNET AUTH KRB5
    ftp://ftp.isi.edu/in-notes/rfc2942.txt
    http://www.ietf.org/internet-drafts/draft-altman-rfc2942bis-00.txt

TELNET AUTH DSA
    ftp://ftp.isi.edu/in-notes/rfc2943.txt

TELNET AUTH SRP
    ftp://ftp.isi.edu/in-notes/rfc2944.txt
    http://www.ietf.org/internet-drafts/draft-altman-rfc2944bis-00.txt

TELNET ENCRYPT
    ftp://ftp.isi.edu/in-notes/rfc2946.txt

TELNET AUTH KEA-SKIPJACK
    ftp://ftp.isi.edu/in-notes/rfc2951.txt

TELNET FORWARD-X
    http://search.ietf.org/internet-drafts/draft-altman-telnet-fwdx-02.txt

TELNET START_TLS
    http://search.ietf.org/internet-drafts/draft-ietf-tn3270e-telnet-tls-05.txt

TELNET RCMD
    Not yet written

TELNET AUTH GSSAPI-KRB5
    Not yet written

AGENDA: