| draft-josefsson-kerberos5-starttls-00.txt | draft-josefsson-kerberos5-starttls-01.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | ||||
| Expires: May 14, 2005 | Network Working Group S. Josefsson | |||
| Internet-Draft SJD | ||||
| Intended status: Standards Track October 4, 2006 | ||||
| Expires: April 7, 2007 | ||||
| Using Transport Layer Security (TLS) with Kerberos 5 | Using Kerberos V5 over the Transport Layer Security (TLS) protocol | |||
| draft-josefsson-kerberos5-starttls-00 | draft-josefsson-kerberos5-starttls-01 | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | By submitting this Internet-Draft, each author represents that any | |||
| of section 3 of RFC 3667. By submitting this Internet-Draft, each | applicable patent or other IPR claims of which he or she is aware | |||
| author represents that any applicable patent or other IPR claims of | have been or will be disclosed, and any of which he or she becomes | |||
| which he or she is aware have been or will be disclosed, and any of | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| which he or she become aware will be disclosed, in accordance with | ||||
| RFC 3668. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as | other groups may also distribute working documents as Internet- | |||
| Internet-Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on May 14, 2005. | This Internet-Draft will expire on April 7, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This document specify how the Transport Layer Security (TLS) protocol | This document specify how the Kerberos V5 protocol can be transported | |||
| is used in conjunction with the Kerberos 5 protocol. | over the Transport Layer Security (TLS) protocol, to provide | |||
| additional security features. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | |||
| 2. Extension Mechanism for TCP/IP transport . . . . . . . . . . . 4 | 2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | |||
| 3. Kerberos 5 STARTTLS Extension . . . . . . . . . . . . . . . . 4 | 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1 STARTTLS requested by client (extension 1) . . . . . . . . 4 | 4. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 7 | |||
| 3.2 STARTTLS request accepted by server (extension 2) . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.3 Proceeding after successful TLS negotiation . . . . . . . 5 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.4 Proceeding after failed TLS negotiation . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.5 STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . 5 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.6 Initial Authentication via TLS . . . . . . . . . . . . . . 5 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | Intellectual Property and Copyright Statements . . . . . . . . . . 12 | |||
| 5.1 Normative References . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 5.2 Informative References . . . . . . . . . . . . . . . . . . . 6 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . 8 | ||||
| 1. Introduction and Background | 1. Introduction and Background | |||
| This document describe how Shishi, a Kerberos 5 [1] implementation, | This document describe how a Kerberos V5 [2] implementation may | |||
| upgrade communication between clients and Key Distribution Centers | upgrade communication between clients and Key Distribution Centers | |||
| (KDCs) to use the Transport Layer Security (TLS) [2] protocol. | (KDCs) to use the Transport Layer Security (TLS) [4] protocol. | |||
| The TLS protocol offer integrity and privacy protected exchanges that | The TLS protocol offer integrity and privacy protected exchanges that | |||
| can be authentication using X.509 certificates, OpenPGP keys [6], and | can be authentication using X.509 certificates, OpenPGP keys [7], and | |||
| user name and passwords via SRP [5]. | user name and passwords via SRP [6]. | |||
| An inconclusive list of the motivation for using TLS with Kerberos 5 | ||||
| is given below. | ||||
| o Explicit server authentication of the KDC to the client. In | ||||
| traditional Kerberos 5, authentication of the KDC is proved as a | ||||
| side effect that the KDC knows your encryption key (i.e., your | ||||
| password). | ||||
| o Flexible authentication against KDC. Kerberos 5 assume the user | There are several reasons to use Kerberos V5 over TLS. | |||
| knows a key (usually in the form of a password). Sometimes | ||||
| external factors make this hard to fulfill. In some situations, | ||||
| users are equipped with smart cards with a RSA authentication key. | ||||
| In others, users have a OpenPGP client on their desktop, with a | ||||
| public OpenPGP key known to the server. In some situations, the | ||||
| policy may be that password authentication may only be done | ||||
| through SRP. | ||||
| o Kerberos exchanges are privacy protected. Part of many Kerberos | o Kerberos exchanges are privacy protected. Part of many Kerberos | |||
| packets are transfered without privacy protection (i.e., | packets are transfered without privacy protection (i.e., | |||
| encryption). That part contains information, such as the client | encryption). That part contains information, such as the client | |||
| principal name, the server principal name, the encryption types | principal name, the server principal name, the encryption types | |||
| supported by the client, the lifetime of tickets, etc. Revealing | supported by the client, the lifetime of tickets, etc. Revealing | |||
| such information is, in some threat models, considered a problem. | such information is, in some threat models, considered a problem. | |||
| o Prevents downgrade attacks affecting encryption types. The | o Prevents downgrade attacks affecting encryption types. The | |||
| encryption type of the ticket in KDC-REQ are sent in the clear in | encryption type of the ticket in KDC-REQ are sent in the clear in | |||
| Kerberos 5. This allows an attacker to replace the encryption | Kerberos 5. This allows an attacker to replace the encryption | |||
| type with a compromised mechanisms, e.g. 56-bit DES. Since | type with a compromised mechanisms, e.g., 56-bit DES. Since | |||
| clients in general cannot know the encryption types other servers | clients in general cannot know the encryption types other servers | |||
| support, it is difficult for the client to detect if there was a | support, it is difficult for the client to detect if there was a | |||
| man-in-the-middle or if the remote server simply did not support a | man-in-the-middle or if the remote server simply did not support a | |||
| stronger mechanism. Clients could chose to refuse 56-bit DES | stronger mechanism. Clients could chose to refuse, e.g., 56-bit | |||
| altogether, but in some environments this leads to operational | DES altogether, but in some environments this leads to operational | |||
| difficulties. | difficulties. | |||
| o Additional authentication against the KDC. In some situations, | ||||
| users are equipped with smart cards with a RSA authentication key. | ||||
| In others, users have a OpenPGP client on their desktop, with a | ||||
| public OpenPGP key known to the server. In some situations, the | ||||
| policy may be that password authentication may only be done | ||||
| through SRP. | ||||
| o The TLS protocol has been studied by many parties. In some threat | o The TLS protocol has been studied by many parties. In some threat | |||
| models, the designer prefer to reduce the number of protocols that | models, the designer prefer to reduce the number of protocols that | |||
| can hurt the overall system security if they are compromised. | can hurt the overall system security if they are compromised. | |||
| o Explicit server authentication of the KDC to the client. In | ||||
| traditional Kerberos 5, authentication of the KDC is proved as a | ||||
| side effect that the KDC knows your encryption key (i.e., your | ||||
| password). | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [4]. | document are to be interpreted as described in RFC 2119 [1]. | |||
| 2. Extension Mechanism for TCP/IP transport | 2. Kerberos V5 STARTTLS Extension | |||
| Kerberos 5 require Key Distribution Centers (KDCs) to accept requests | The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | |||
| over TCP. Each request and response is prefixed by 4 octets, | [3]. The extension uses bit #TBD in the extension bitmask. | |||
| encoding an integer in network byte order, that indicate the length | ||||
| of the packet. The high bit of the 4 octet length field was reserved | ||||
| for future expansion. Servers that do not understand how to | ||||
| interpret a set high bit are required to return a KRB-ERROR with the | ||||
| KRB_ERR_FIELD_TOOLONG error code, and to close the TCP stream. | ||||
| We will use the reserved bit to provide an extension mechanism. When | The protocol is as follows. After the server has sent the 4-octet | |||
| the reserved high bit is set, the remaining 31 bits of the 4 octets | value 0x00000000 to indicate support of this extension, the stream | |||
| are treated as an extensible typed hole, and thus form a 31 bit | will be controlled by the TLS protocol and its framing. The TLS | |||
| integer enumerating various extensions. Each of the values indicate | protocol is initiated by the client. | |||
| a specific extended operation mode, two of which are used and defined | ||||
| here, and the rest are left for others to use. | ||||
| If the KDC do not understand a requested extension, it MUST return a | Typically, the client initiate the TLS handshake protocol by sending | |||
| KRB-ERROR with a KRB_ERR_FIELD_TOOLONG value (prefixed by the 4 octet | a client hello, and the server responds, and the handshake continues | |||
| length integer, with the high bit clear, as usual) and close the TCP | until it either succeed or fails. | |||
| stream. | ||||
| The following table specify the meaning of the 31 lower bits in the 4 | If for any reason the handshake fails, the STARTTLS protocol will | |||
| octet field, when the high bit is set: | also fail, and the TLS error is used as the error indication. | |||
| 0 RESERVED. | If the handshake succeeds, the Kerberos V5 authentication protocol is | |||
| 1 STARTTLS requested by client. | performed within the protected TLS channel, like a normal TCP | |||
| 2 STARTTLS request accepted by server. | Kerberos V5 exchange. In particular, this means that every Kerberos | |||
| 3...2147483647 AVAILABLE for registration (via [email protected]). | V5 packet will be prefixed by a 4-octet length field, that indicate | |||
| 2147483648 RESERVED. | the length of the Kerberos V5 packet. | |||
| 3. Kerberos 5 STARTTLS Extension | 3. Examples | |||
| 3.1 STARTTLS requested by client (extension 1) | A complete packet flow for a successful AS-REQ/REP exchange protected | |||
| by this mechanism will be as follows. The "STARTTLS-bit" is a | ||||
| 4-octet value with only the bit allocated for this extension set. | ||||
| When this message is sent by the client, the client is requesting the | Client Server | |||
| server to start TLS negotiation on the TCP stream. The client MUST | ||||
| NOT start TLS negotiation immediately. Instead, the client wait for | ||||
| either a KRB-ERROR (sent normally, prefixed by a 4 octet length | ||||
| integer) indicating the server do not understand the set high bit, or | ||||
| 4 octets which is to be interpreted as an integer in network byte | ||||
| order, where the high bit is set and the remaining 31 bit are | ||||
| interpreted as an integer specifying ``STARTTLS request accepted by | ||||
| server'' (extension 2). In the first case, the client infer that the | ||||
| server do not understand (or wish to support) STARTTLS, and can | ||||
| re-try using normal TCP, if unprotected Kerberos 5 exchanges are | ||||
| acceptable to the client policy. In the latter case, it should | ||||
| invoke TLS negotiation on the stream. If any other data is received, | ||||
| the client MUST close the TCP stream. | ||||
| 3.2 STARTTLS request accepted by server (extension 2) | [ Kerberos V5 TCP extension mechanism negotiation starts ] | |||
| This message should be sent by the server when it has received the | [0x70000000 & STARTTLS-bit] --------> | |||
| extension 1 message. The message is an acknowledgment of the | [0x00000000] | |||
| client's request to initiate STARTTLS on the channel. The server | <-------- | |||
| MUST then invoke a TLS negotiation. | ||||
| 3.3 Proceeding after successful TLS negotiation | [ TLS negotiation starts ] | |||
| If the TLS negotiation ended successfully, possibly also considering | ClientHello --------> | |||
| client or server policies, the exchange within the TLS protected | ServerHello | |||
| stream is performed like normal UDP Kerberos 5 exchanges, i.e., there | Certificate* | |||
| is no TCP 4 octet length field before each packet. Instead each | ServerKeyExchange* | |||
| Kerberos packet MUST be sent within one TLS record, so the | CertificateRequest* | |||
| application can use the TLS record length as the Kerberos 5 packet | <-------- ServerHelloDone | |||
| length. | Certificate* | |||
| ClientKeyExchange | ||||
| CertificateVerify* | ||||
| [ChangeCipherSpec] | ||||
| Finished --------> | ||||
| [ChangeCipherSpec] | ||||
| <-------- Finished | ||||
| 3.4 Proceeding after failed TLS negotiation | [ Kerberos V5 negotiation starts ] | |||
| If the TLS negotiation fails, possibly due to client or server policy | Kerberos V5 AS-REQ --------> | |||
| (e.g., inadequate support of encryption types in TLS, or lack of | Kerberos V5 AS-REP | |||
| client or server authentication) the entity that detect the failure | <-------- | |||
| MUST disconnected the connection. It is expected that any error | ||||
| messages that explain the error condition is transfered by TLS. | ||||
| 3.5 STARTTLS aware KDC Discovery | * Indicates optional or situation-dependent messages that are not | |||
| always sent. | ||||
| 4. STARTTLS aware KDC Discovery | ||||
| Section 7.2.3 of Kerberos V5 [2] describe how Domain Name System | ||||
| (DNS) SRV records [5] can be used to find the address of an KDC. | ||||
| Using the terminology of Section 7.2.3 of RFC 4120, we define a new | ||||
| Proto of "tls" to indicate that the particular KDC is intended to | ||||
| support this STARTTLS extension. The Service, Realm, TTL, Class, | ||||
| SRV, Priority, Weight, Port and Target have the same meaning as in | ||||
| RFC 4120. | ||||
| Section 7.2.3 of Kerberos 5 [1] describe how Domain Name System (DNS) | ||||
| SRV records [3] can be used to find the address of an KDC. To locate | ||||
| a KDC that support the STARTTLS extension, we use the "_tls" domain. | ||||
| For example: | For example: | |||
| _kerberos._tls._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | |||
| _kerberos._tls._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | |||
| 3.6 Initial Authentication via TLS | 5. IANA Considerations | |||
| The server MAY consider the authentication performed by the TLS | The IANA is requested to allocate a bit in the "Kerberos TCP | |||
| exchange as sufficient to issue Kerberos 5 tickets to the client, | Extensions" registry for the extension described in this document, as | |||
| without requiring, e.g., pre-authentication. However, it is not an | per [3]. | |||
| error to require or use pre-authentication as well. | ||||
| The client may also indicate that it wishes to use TLS both for | 6. Security Considerations | |||
| authentication and data protection by using the NULL encryption type | ||||
| in its request. The server can decide from its local policy whether | ||||
| or not issuing tickets based solely on TLS authentication, and | ||||
| whether NULL encryption within TLS, is acceptable or not. | ||||
| 4. Security Considerations | The security considerations in Kerberos V5, TLS, and the extension | |||
| mechanism framework are inherited. | ||||
| Because the initial token is not protected, it is possible for an | To protect against the inherent downgrade attack in the extension | |||
| active attacker to make it appear to the client that the server do | framework, it is suggested that implementations offer a policy to | |||
| not support this extension. It is up to client configuration to | require that this extension is successfully negotiated. For | |||
| disallow non-TLS connections, if that vulnerability is deemed | interoperability with implementations that do not support this | |||
| unacceptable. For interoperability, we suggest the default behaviour | extension, it is suggested that the policy is disabled by default. | |||
| should be to allow automatic fall back to TCP or UDP. | ||||
| The security considerations of both TLS and Kerberos 5 are inherited. | 7. References | |||
| Using TLS for authentication and/or data protection together with | ||||
| Kerberos alter the authentication logic fundamentally. Thus, it may | ||||
| be that even if the TLS and Kerberos 5 protocols and implementations | ||||
| were secure, the combination of TLS and Kerberos 5 described here | ||||
| could be insecure. | ||||
| No channel bindings are provided in the Kerberos messages. It is an | 7.1. Normative References | |||
| open question whether, and how, this could be solved. One idea for | ||||
| solving this may be to specify a new encryption algorithm in Kerberos | ||||
| 5 that is similar to the NULL encryption algorithm, but also include | ||||
| the TLS session identifier. | ||||
| 5. References | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
| Levels", BCP 14, RFC 2119, March 1997. | ||||
| 5.1 Normative References | [2] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos | |||
| Network Authentication Service (V5)", RFC 4120, July 2005. | ||||
| [1] Neuman, C., "The Kerberos Network Authentication Service (V5)", | [3] Josefsson, S., "Extended Kerberos Version 5 Key Distribution | |||
| draft-ietf-krb-wg-kerberos-clarifications-07 (work in progress), | Center (KDC) Exchanges Over TCP", | |||
| September 2004. | draft-ietf-krb-wg-tcp-expansion-01 (work in progress), | |||
| September 2006. | ||||
| [2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC | [4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) | |||
| 2246, January 1999. | Protocol Version 1.1", RFC 4346, April 2006. | |||
| [3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for | [5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
| specifying the location of services (DNS SRV)", RFC 2782, | specifying the location of services (DNS SRV)", RFC 2782, | |||
| February 2000. | February 2000. | |||
| 5.2 Informative References | 7.2. Informative References | |||
| [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
| Levels", BCP 14, RFC 2119, March 1997. | ||||
| [5] Taylor, D., "Using SRP for TLS Authentication", | [6] Taylor, D., "Using SRP for TLS Authentication", | |||
| draft-ietf-tls-srp-08 (work in progress), August 2004. | draft-ietf-tls-srp-12 (work in progress), June 2006. | |||
| [6] Mavroyanopoulos, N., "Using OpenPGP keys for TLS | [7] Mavroyanopoulos, N., "Using OpenPGP keys for TLS | |||
| authentication", draft-ietf-tls-openpgp-keys-05 (work in | authentication", draft-ietf-tls-openpgp-keys-10 (work in | |||
| progress), April 2004. | progress), June 2006. | |||
| Author's Address | Author's Address | |||
| Simon Josefsson | Simon Josefsson | |||
| SJD | ||||
| EMail: [email protected] | Email: [email protected] | |||
| Intellectual Property Statement | Full Copyright Statement | |||
| Copyright (C) The Internet Society (2006). | ||||
| This document is subject to the rights, licenses and restrictions | ||||
| contained in BCP 78, and except as set forth therein, the authors | ||||
| retain all their rights. | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Intellectual Property | ||||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
| found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
| skipping to change at page 8, line 29 | skipping to change at page 12, line 45 | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
| [email protected]. | [email protected]. | |||
| Disclaimer of Validity | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Copyright Statement | ||||
| Copyright (C) The Internet Society (2004). This document is subject | ||||
| to the rights, licenses and restrictions contained in BCP 78, and | ||||
| except as set forth therein, the authors retain all their rights. | ||||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
| Internet Society. | Administrative Support Activity (IASA). | |||
| End of changes. 56 change blocks. | ||||
| 183 lines changed or deleted | 156 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||