draft-josefsson-kerberos5-starttls-00.txt | draft-josefsson-kerberos5-starttls-01.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | ||||
Expires: May 14, 2005 | Network Working Group S. Josefsson | |||
Internet-Draft SJD | ||||
Intended status: Standards Track October 4, 2006 | ||||
Expires: April 7, 2007 | ||||
Using Transport Layer Security (TLS) with Kerberos 5 | Using Kerberos V5 over the Transport Layer Security (TLS) protocol | |||
draft-josefsson-kerberos5-starttls-00 | draft-josefsson-kerberos5-starttls-01 | |||
Status of this Memo | Status of this Memo | |||
This document is an Internet-Draft and is subject to all provisions | By submitting this Internet-Draft, each author represents that any | |||
of section 3 of RFC 3667. By submitting this Internet-Draft, each | applicable patent or other IPR claims of which he or she is aware | |||
author represents that any applicable patent or other IPR claims of | have been or will be disclosed, and any of which he or she becomes | |||
which he or she is aware have been or will be disclosed, and any of | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
which he or she become aware will be disclosed, in accordance with | ||||
RFC 3668. | ||||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
other groups may also distribute working documents as | other groups may also distribute working documents as Internet- | |||
Internet-Drafts. | Drafts. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on May 14, 2005. | This Internet-Draft will expire on April 7, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
This document specify how the Transport Layer Security (TLS) protocol | This document specify how the Kerberos V5 protocol can be transported | |||
is used in conjunction with the Kerberos 5 protocol. | over the Transport Layer Security (TLS) protocol, to provide | |||
additional security features. | ||||
Table of Contents | Table of Contents | |||
1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | |||
2. Extension Mechanism for TCP/IP transport . . . . . . . . . . . 4 | 2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | |||
3. Kerberos 5 STARTTLS Extension . . . . . . . . . . . . . . . . 4 | 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
3.1 STARTTLS requested by client (extension 1) . . . . . . . . 4 | 4. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 7 | |||
3.2 STARTTLS request accepted by server (extension 2) . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
3.3 Proceeding after successful TLS negotiation . . . . . . . 5 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
3.4 Proceeding after failed TLS negotiation . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
3.5 STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . 5 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
3.6 Initial Authentication via TLS . . . . . . . . . . . . . . 5 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | Intellectual Property and Copyright Statements . . . . . . . . . . 12 | |||
5.1 Normative References . . . . . . . . . . . . . . . . . . . . 6 | ||||
5.2 Informative References . . . . . . . . . . . . . . . . . . . 6 | ||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
Intellectual Property and Copyright Statements . . . . . . . . 8 | ||||
1. Introduction and Background | 1. Introduction and Background | |||
This document describe how Shishi, a Kerberos 5 [1] implementation, | This document describe how a Kerberos V5 [2] implementation may | |||
upgrade communication between clients and Key Distribution Centers | upgrade communication between clients and Key Distribution Centers | |||
(KDCs) to use the Transport Layer Security (TLS) [2] protocol. | (KDCs) to use the Transport Layer Security (TLS) [4] protocol. | |||
The TLS protocol offer integrity and privacy protected exchanges that | The TLS protocol offer integrity and privacy protected exchanges that | |||
can be authentication using X.509 certificates, OpenPGP keys [6], and | can be authentication using X.509 certificates, OpenPGP keys [7], and | |||
user name and passwords via SRP [5]. | user name and passwords via SRP [6]. | |||
An inconclusive list of the motivation for using TLS with Kerberos 5 | ||||
is given below. | ||||
o Explicit server authentication of the KDC to the client. In | ||||
traditional Kerberos 5, authentication of the KDC is proved as a | ||||
side effect that the KDC knows your encryption key (i.e., your | ||||
password). | ||||
o Flexible authentication against KDC. Kerberos 5 assume the user | There are several reasons to use Kerberos V5 over TLS. | |||
knows a key (usually in the form of a password). Sometimes | ||||
external factors make this hard to fulfill. In some situations, | ||||
users are equipped with smart cards with a RSA authentication key. | ||||
In others, users have a OpenPGP client on their desktop, with a | ||||
public OpenPGP key known to the server. In some situations, the | ||||
policy may be that password authentication may only be done | ||||
through SRP. | ||||
o Kerberos exchanges are privacy protected. Part of many Kerberos | o Kerberos exchanges are privacy protected. Part of many Kerberos | |||
packets are transfered without privacy protection (i.e., | packets are transfered without privacy protection (i.e., | |||
encryption). That part contains information, such as the client | encryption). That part contains information, such as the client | |||
principal name, the server principal name, the encryption types | principal name, the server principal name, the encryption types | |||
supported by the client, the lifetime of tickets, etc. Revealing | supported by the client, the lifetime of tickets, etc. Revealing | |||
such information is, in some threat models, considered a problem. | such information is, in some threat models, considered a problem. | |||
o Prevents downgrade attacks affecting encryption types. The | o Prevents downgrade attacks affecting encryption types. The | |||
encryption type of the ticket in KDC-REQ are sent in the clear in | encryption type of the ticket in KDC-REQ are sent in the clear in | |||
Kerberos 5. This allows an attacker to replace the encryption | Kerberos 5. This allows an attacker to replace the encryption | |||
type with a compromised mechanisms, e.g. 56-bit DES. Since | type with a compromised mechanisms, e.g., 56-bit DES. Since | |||
clients in general cannot know the encryption types other servers | clients in general cannot know the encryption types other servers | |||
support, it is difficult for the client to detect if there was a | support, it is difficult for the client to detect if there was a | |||
man-in-the-middle or if the remote server simply did not support a | man-in-the-middle or if the remote server simply did not support a | |||
stronger mechanism. Clients could chose to refuse 56-bit DES | stronger mechanism. Clients could chose to refuse, e.g., 56-bit | |||
altogether, but in some environments this leads to operational | DES altogether, but in some environments this leads to operational | |||
difficulties. | difficulties. | |||
o Additional authentication against the KDC. In some situations, | ||||
users are equipped with smart cards with a RSA authentication key. | ||||
In others, users have a OpenPGP client on their desktop, with a | ||||
public OpenPGP key known to the server. In some situations, the | ||||
policy may be that password authentication may only be done | ||||
through SRP. | ||||
o The TLS protocol has been studied by many parties. In some threat | o The TLS protocol has been studied by many parties. In some threat | |||
models, the designer prefer to reduce the number of protocols that | models, the designer prefer to reduce the number of protocols that | |||
can hurt the overall system security if they are compromised. | can hurt the overall system security if they are compromised. | |||
o Explicit server authentication of the KDC to the client. In | ||||
traditional Kerberos 5, authentication of the KDC is proved as a | ||||
side effect that the KDC knows your encryption key (i.e., your | ||||
password). | ||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [4]. | document are to be interpreted as described in RFC 2119 [1]. | |||
2. Extension Mechanism for TCP/IP transport | 2. Kerberos V5 STARTTLS Extension | |||
Kerberos 5 require Key Distribution Centers (KDCs) to accept requests | The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | |||
over TCP. Each request and response is prefixed by 4 octets, | [3]. The extension uses bit #TBD in the extension bitmask. | |||
encoding an integer in network byte order, that indicate the length | ||||
of the packet. The high bit of the 4 octet length field was reserved | ||||
for future expansion. Servers that do not understand how to | ||||
interpret a set high bit are required to return a KRB-ERROR with the | ||||
KRB_ERR_FIELD_TOOLONG error code, and to close the TCP stream. | ||||
We will use the reserved bit to provide an extension mechanism. When | The protocol is as follows. After the server has sent the 4-octet | |||
the reserved high bit is set, the remaining 31 bits of the 4 octets | value 0x00000000 to indicate support of this extension, the stream | |||
are treated as an extensible typed hole, and thus form a 31 bit | will be controlled by the TLS protocol and its framing. The TLS | |||
integer enumerating various extensions. Each of the values indicate | protocol is initiated by the client. | |||
a specific extended operation mode, two of which are used and defined | ||||
here, and the rest are left for others to use. | ||||
If the KDC do not understand a requested extension, it MUST return a | Typically, the client initiate the TLS handshake protocol by sending | |||
KRB-ERROR with a KRB_ERR_FIELD_TOOLONG value (prefixed by the 4 octet | a client hello, and the server responds, and the handshake continues | |||
length integer, with the high bit clear, as usual) and close the TCP | until it either succeed or fails. | |||
stream. | ||||
The following table specify the meaning of the 31 lower bits in the 4 | If for any reason the handshake fails, the STARTTLS protocol will | |||
octet field, when the high bit is set: | also fail, and the TLS error is used as the error indication. | |||
0 RESERVED. | If the handshake succeeds, the Kerberos V5 authentication protocol is | |||
1 STARTTLS requested by client. | performed within the protected TLS channel, like a normal TCP | |||
2 STARTTLS request accepted by server. | Kerberos V5 exchange. In particular, this means that every Kerberos | |||
3...2147483647 AVAILABLE for registration (via bug-shishi@josefsson.org). | V5 packet will be prefixed by a 4-octet length field, that indicate | |||
2147483648 RESERVED. | the length of the Kerberos V5 packet. | |||
3. Kerberos 5 STARTTLS Extension | 3. Examples | |||
3.1 STARTTLS requested by client (extension 1) | A complete packet flow for a successful AS-REQ/REP exchange protected | |||
by this mechanism will be as follows. The "STARTTLS-bit" is a | ||||
4-octet value with only the bit allocated for this extension set. | ||||
When this message is sent by the client, the client is requesting the | Client Server | |||
server to start TLS negotiation on the TCP stream. The client MUST | ||||
NOT start TLS negotiation immediately. Instead, the client wait for | ||||
either a KRB-ERROR (sent normally, prefixed by a 4 octet length | ||||
integer) indicating the server do not understand the set high bit, or | ||||
4 octets which is to be interpreted as an integer in network byte | ||||
order, where the high bit is set and the remaining 31 bit are | ||||
interpreted as an integer specifying ``STARTTLS request accepted by | ||||
server'' (extension 2). In the first case, the client infer that the | ||||
server do not understand (or wish to support) STARTTLS, and can | ||||
re-try using normal TCP, if unprotected Kerberos 5 exchanges are | ||||
acceptable to the client policy. In the latter case, it should | ||||
invoke TLS negotiation on the stream. If any other data is received, | ||||
the client MUST close the TCP stream. | ||||
3.2 STARTTLS request accepted by server (extension 2) | [ Kerberos V5 TCP extension mechanism negotiation starts ] | |||
This message should be sent by the server when it has received the | [0x70000000 & STARTTLS-bit] --------> | |||
extension 1 message. The message is an acknowledgment of the | [0x00000000] | |||
client's request to initiate STARTTLS on the channel. The server | <-------- | |||
MUST then invoke a TLS negotiation. | ||||
3.3 Proceeding after successful TLS negotiation | [ TLS negotiation starts ] | |||
If the TLS negotiation ended successfully, possibly also considering | ClientHello --------> | |||
client or server policies, the exchange within the TLS protected | ServerHello | |||
stream is performed like normal UDP Kerberos 5 exchanges, i.e., there | Certificate* | |||
is no TCP 4 octet length field before each packet. Instead each | ServerKeyExchange* | |||
Kerberos packet MUST be sent within one TLS record, so the | CertificateRequest* | |||
application can use the TLS record length as the Kerberos 5 packet | <-------- ServerHelloDone | |||
length. | Certificate* | |||
ClientKeyExchange | ||||
CertificateVerify* | ||||
[ChangeCipherSpec] | ||||
Finished --------> | ||||
[ChangeCipherSpec] | ||||
<-------- Finished | ||||
3.4 Proceeding after failed TLS negotiation | [ Kerberos V5 negotiation starts ] | |||
If the TLS negotiation fails, possibly due to client or server policy | Kerberos V5 AS-REQ --------> | |||
(e.g., inadequate support of encryption types in TLS, or lack of | Kerberos V5 AS-REP | |||
client or server authentication) the entity that detect the failure | <-------- | |||
MUST disconnected the connection. It is expected that any error | ||||
messages that explain the error condition is transfered by TLS. | ||||
3.5 STARTTLS aware KDC Discovery | * Indicates optional or situation-dependent messages that are not | |||
always sent. | ||||
4. STARTTLS aware KDC Discovery | ||||
Section 7.2.3 of Kerberos V5 [2] describe how Domain Name System | ||||
(DNS) SRV records [5] can be used to find the address of an KDC. | ||||
Using the terminology of Section 7.2.3 of RFC 4120, we define a new | ||||
Proto of "tls" to indicate that the particular KDC is intended to | ||||
support this STARTTLS extension. The Service, Realm, TTL, Class, | ||||
SRV, Priority, Weight, Port and Target have the same meaning as in | ||||
RFC 4120. | ||||
Section 7.2.3 of Kerberos 5 [1] describe how Domain Name System (DNS) | ||||
SRV records [3] can be used to find the address of an KDC. To locate | ||||
a KDC that support the STARTTLS extension, we use the "_tls" domain. | ||||
For example: | For example: | |||
_kerberos._tls._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | |||
_kerberos._tls._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | |||
3.6 Initial Authentication via TLS | 5. IANA Considerations | |||
The server MAY consider the authentication performed by the TLS | The IANA is requested to allocate a bit in the "Kerberos TCP | |||
exchange as sufficient to issue Kerberos 5 tickets to the client, | Extensions" registry for the extension described in this document, as | |||
without requiring, e.g., pre-authentication. However, it is not an | per [3]. | |||
error to require or use pre-authentication as well. | ||||
The client may also indicate that it wishes to use TLS both for | 6. Security Considerations | |||
authentication and data protection by using the NULL encryption type | ||||
in its request. The server can decide from its local policy whether | ||||
or not issuing tickets based solely on TLS authentication, and | ||||
whether NULL encryption within TLS, is acceptable or not. | ||||
4. Security Considerations | The security considerations in Kerberos V5, TLS, and the extension | |||
mechanism framework are inherited. | ||||
Because the initial token is not protected, it is possible for an | To protect against the inherent downgrade attack in the extension | |||
active attacker to make it appear to the client that the server do | framework, it is suggested that implementations offer a policy to | |||
not support this extension. It is up to client configuration to | require that this extension is successfully negotiated. For | |||
disallow non-TLS connections, if that vulnerability is deemed | interoperability with implementations that do not support this | |||
unacceptable. For interoperability, we suggest the default behaviour | extension, it is suggested that the policy is disabled by default. | |||
should be to allow automatic fall back to TCP or UDP. | ||||
The security considerations of both TLS and Kerberos 5 are inherited. | 7. References | |||
Using TLS for authentication and/or data protection together with | ||||
Kerberos alter the authentication logic fundamentally. Thus, it may | ||||
be that even if the TLS and Kerberos 5 protocols and implementations | ||||
were secure, the combination of TLS and Kerberos 5 described here | ||||
could be insecure. | ||||
No channel bindings are provided in the Kerberos messages. It is an | 7.1. Normative References | |||
open question whether, and how, this could be solved. One idea for | ||||
solving this may be to specify a new encryption algorithm in Kerberos | ||||
5 that is similar to the NULL encryption algorithm, but also include | ||||
the TLS session identifier. | ||||
5. References | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
Levels", BCP 14, RFC 2119, March 1997. | ||||
5.1 Normative References | [2] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos | |||
Network Authentication Service (V5)", RFC 4120, July 2005. | ||||
[1] Neuman, C., "The Kerberos Network Authentication Service (V5)", | [3] Josefsson, S., "Extended Kerberos Version 5 Key Distribution | |||
draft-ietf-krb-wg-kerberos-clarifications-07 (work in progress), | Center (KDC) Exchanges Over TCP", | |||
September 2004. | draft-ietf-krb-wg-tcp-expansion-01 (work in progress), | |||
September 2006. | ||||
[2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC | [4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) | |||
2246, January 1999. | Protocol Version 1.1", RFC 4346, April 2006. | |||
[3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for | [5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
specifying the location of services (DNS SRV)", RFC 2782, | specifying the location of services (DNS SRV)", RFC 2782, | |||
February 2000. | February 2000. | |||
5.2 Informative References | 7.2. Informative References | |||
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement | ||||
Levels", BCP 14, RFC 2119, March 1997. | ||||
[5] Taylor, D., "Using SRP for TLS Authentication", | [6] Taylor, D., "Using SRP for TLS Authentication", | |||
draft-ietf-tls-srp-08 (work in progress), August 2004. | draft-ietf-tls-srp-12 (work in progress), June 2006. | |||
[6] Mavroyanopoulos, N., "Using OpenPGP keys for TLS | [7] Mavroyanopoulos, N., "Using OpenPGP keys for TLS | |||
authentication", draft-ietf-tls-openpgp-keys-05 (work in | authentication", draft-ietf-tls-openpgp-keys-10 (work in | |||
progress), April 2004. | progress), June 2006. | |||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
SJD | ||||
EMail: simon@josefsson.org | Email: simon@josefsson.org | |||
Intellectual Property Statement | Full Copyright Statement | |||
Copyright (C) The Internet Society (2006). | ||||
This document is subject to the rights, licenses and restrictions | ||||
contained in BCP 78, and except as set forth therein, the authors | ||||
retain all their rights. | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Intellectual Property | ||||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
skipping to change at page 8, line 29 | skipping to change at page 12, line 45 | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
Disclaimer of Validity | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Copyright Statement | ||||
Copyright (C) The Internet Society (2004). This document is subject | ||||
to the rights, licenses and restrictions contained in BCP 78, and | ||||
except as set forth therein, the authors retain all their rights. | ||||
Acknowledgment | Acknowledgment | |||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
Internet Society. | Administrative Support Activity (IASA). | |||
End of changes. 56 change blocks. | ||||
183 lines changed or deleted | 156 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |