The internet draft draft-ietf-svrloc-protocol-v2-09.txt
is now in WG last call.
The changes in the draft were the result of comments during
the last WG last call period.
The major change is to SLP security. We now identify all
security parameters in a SLP SPI string. This could be a
string identical with a scope, in which case the SLPv1
(and SLPv2 up to draft 8) 'protected scope' security policy
could be followed. This mechanism, however, allows other
security policies to be implemented later, such as one key
per site, one key per SA, names of trusted entities that
correspond to names retrievable using PKI, etc. The actual
impact on the protocol is minimal except that it adds a
field to requests specifying a SLP SPI (or no SLP SPI if
authentication is not desired). Otherwise, SLP SPIs simply
make security explicit (where it was implicit previously,
by the use of 'certain scopes.')
The change list is as follows:
A. Changes to security.
1. I removed all mention of protected scopes. There is no
longer any necessary connection between scopes and
authentication in the protocol. This does not *prevent*
an administration from configuring certain scopes to be
equal to SLP SPIs. In this case, the configuration and
requirements for keying are identical to the protected
scope requirements in SLPv1 and SLPv2 up to draft 8.
2. I added SLP SPI Strings to SrvRqst and AttrRqst. Requests
made specifying a SLP SPI will only match services
which can be returned with Authentication Blocks
which can be verified using the parameters associated
with the SLP SPI.
3. SAAdverts and DAAdverts list the supported SLP SPIs of
that agent. That is, for what SLP SPIs can that SA or
DA supply authentication blocks in conjunction with
SrvRply and AttrRply messages.
4. If a SrvReg includes Authentication Blocks which cannot
be verified by a DA, the DA returns an AUTHENTICATION_UNKNOWN
error. If a subsequent SrvReg includes a different SLP SPI
list than a prior one, the DA returns an AUTHENTICATION_ABSENT
error.
5. There is a SLP SPI String field in Authentication Blocks
instead of a protected scope string. This string is used
by any agent which receives the auth block to identify
what parameters to use to verify the signature.
6. Unicast SrvRqst, AttrRqst and SrvTypeRqsts which cannot
be responded to because they include a SLP SPI not supported
by the receiving SA or DA receive an AUTHENTICATION_UNKNOWN
error reply.
7. Configuration notes were changed to include SLP SPI for
DA discovery and for service discovery, as well as
configuration for SLP and DA Private Key configuration.
8. The security considerations were modified to include text
mentioning that SLPv2 doesn't mandate a policy, it provides
a mechanism flexible enough to implement different policies.
9. All authentication block formats, including data inputs for
authentication calculations were moved to a single section.
B. Other changes:
1. The length field of Option Offsets is now 3 bytes long, not
2 bytes long. This was an error in previous drafts. This
required the header to be rearranged so that the XID field,
etc. stayed in the same place. Now Language Tags are immediately
preceded by the length field consistent with all other strings
in SLPv2 (a good thing!)
2. DAAdverts can be solicited using unicast requests. An error
code was added. This is necessary so that UAs and SAs can
request DAAdverts directly after having been configured using
DHCP or a config file to know what the SLP SPIs & attributes
of a DA are.
3. Definitions of other security BSD types were removed.
4. Multicast TTL set at 255 not 32. Since the administrative
scoped address is used for multicasting there is no need to
limit the extent of the multicast range by a smaller TTL than
the max.
5. SAs MUST accept unicast requests - this was implied by not
explicit in subsequent drafts.
6. There were a couple slight inconsistencies in the grammars
with RFC 2234 (ABNF).
Please comment to the SRVLOC@SRVLOC.ORG list by Oct. 27.
Thanks,
Erik Guttman
SVRLOC WG Chair