mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
7055827b8f
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
767 lines
24 KiB
Plaintext
767 lines
24 KiB
Plaintext
Kerberos Working Group Karthik Jaganathan
|
|
Internet Draft Larry Zhu
|
|
Document: draft-ietf-krb-wg-kerberos-referrals-04.txt John Brezak
|
|
Category: Standards Track Microsoft
|
|
Mike Swift
|
|
University of Washington
|
|
Jonathan Trostle
|
|
Cisco Systems
|
|
Expires: January 2005
|
|
|
|
|
|
Generating KDC Referrals to locate Kerberos realms
|
|
|
|
|
|
Status of this Memo
|
|
|
|
|
|
This document is an Internet-Draft and is in full conformance with
|
|
all provisions of Section 10 of RFC-2026 [1].
|
|
|
|
|
|
Internet-Drafts are working documents of the Internet Engineering
|
|
Task Force (IETF), its areas, and its working groups. Note that other
|
|
groups may also distribute working documents as Internet-Drafts.
|
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|
and may be updated, replaced, or obsoleted by other documents at any
|
|
time. It is inappropriate to use Internet-Drafts as reference
|
|
material or to cite them other than as "work in progress."
|
|
|
|
|
|
The list of current Internet-Drafts can be accessed at
|
|
http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
|
|
Draft Shadow Directories can be accessed at
|
|
http://www.ietf.org/shadow.html.
|
|
|
|
|
|
Abstract
|
|
|
|
|
|
The draft documents a method for a Kerberos Key Distribution Center
|
|
(KDC) to respond to client requests for Kerberos tickets when the
|
|
client does not have detailed configuration information on the realms
|
|
of users or services. The KDC will handle requests for principals in
|
|
other realms by returning either a referral error or a cross-realm
|
|
TGT to another realm on the referral path. The clients will use this
|
|
referral information to reach the realm of the target principal and
|
|
then receive the ticket.
|
|
|
|
|
|
Conventions used in this document
|
|
|
|
|
|
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
|
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
|
document are to be interpreted as described in RFC-2119 [2].
|
|
|
|
|
|
1. Introduction
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 1]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
Current implementations of the Kerberos AS and TGS protocols, as
|
|
defined in [3], use principal names constructed from a known user or
|
|
service name and realm. A service name is typically constructed from
|
|
a name of the service and the DNS host name of the computer that is
|
|
providing the service. Many existing deployments of Kerberos use a
|
|
single Kerberos realm where all users and services would be using the
|
|
same realm. However in an environment where there are multiple
|
|
trusted Kerberos realms, the client needs to be able to determine
|
|
what realm a particular user or service is in before making an AS or
|
|
TGS request. Traditionally this requires client configuration to make
|
|
this possible.
|
|
|
|
|
|
When having to deal with multiple trusted realms, users are forced to
|
|
know what realm they are in before they can obtain a ticket granting
|
|
ticket (TGT) with an AS request. However, in many cases the user
|
|
would like to use a more familiar name that is not directly related
|
|
to the realm of their Kerberos principal name. A good example of this
|
|
is an RFC-821 style email name [4]. This document describes a
|
|
mechanism that would allow a user to specify a user principal name
|
|
that is an alias for the user's Kerberos principal name. In practice
|
|
this would be the name that the user specifies to obtain a TGT from a
|
|
Kerberos KDC. The user principal name no longer has a direct
|
|
relationship with the Kerberos principal or realm. Thus the
|
|
administrator is able to move the user's principal to other realms
|
|
without the user having to know that it happened.
|
|
|
|
|
|
Once a user has a TGT, they would like to be able to access services
|
|
in any trusted Kerberos realm. To do this requires that the client be
|
|
able to determine what realm the target service principal is in
|
|
before making the TGS request. Current implementations of Kerberos
|
|
typically have a table that maps DNS host names to corresponding
|
|
Kerberos realms. In order for this to work on the client, each
|
|
application canonicalizes the host name of the service, for example
|
|
by doing a DNS lookup followed by a reverse lookup using the returned
|
|
IP address. The returned primary host name is then used in the
|
|
construction of the principal name for the target service. In order
|
|
for the correct realm to be added for the target host, the mapping
|
|
table [domain_to_realm] is consulted for the realm corresponding to
|
|
the DNS host name. The corresponding realm is then used to complete
|
|
the target service principal name.
|
|
|
|
|
|
This traditional mechanism requires that each client have very
|
|
detailed configuration information about the hosts that are providing
|
|
services and their corresponding realms. Having client side
|
|
configuration information can be very costly from an administration
|
|
point of view - especially if there are many realms and computers in
|
|
the environment.
|
|
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 2]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
There are also cases where specific DNS aliases (local names) have
|
|
been setup in an organization to refer to a server in another
|
|
organization (remote server). The server has different DNS names in
|
|
each organization and each organization has a Kerberos realm that is
|
|
configured to service DNS names within that organization. Ideally
|
|
users are able to authenticate to the server in the other
|
|
organization using the local server name. This would mean that the
|
|
local realm be able to produce a ticket to the remote server under
|
|
its name. You could give that remote server an identity in the local
|
|
realm and then have that remote server maintain a separate secret for
|
|
each alias it is known as. Alternatively you could arrange to have
|
|
the local realm issue a referral to the remote realm and notify the
|
|
requesting client of the server's remote name that should be used in
|
|
order to request a ticket.
|
|
|
|
|
|
This draft proposes a solution for these problems and simplifies
|
|
administration by minimizing the configuration information needed on
|
|
each computer using Kerberos. Specifically it describes a mechanism
|
|
to allow the KDC to handle canonicalization of names, provide for
|
|
principal aliases for users and services and provide a mechanism for
|
|
the KDC to determine the trusted realm authentication path by being
|
|
able to generate referrals to other realms in order to locate
|
|
principals.
|
|
|
|
|
|
To rectify these problems, this draft introduces three new kinds of
|
|
KDC referrals:
|
|
|
|
|
|
1. AS ticket referrals, in which the client doesn't know which realm
|
|
contains a user account.
|
|
2. TGS ticket referrals, in which the client doesn't know which realm
|
|
contains a server account.
|
|
3. Cross realm shortcut referrals, in which the KDC chooses the next
|
|
path on a referral chain
|
|
|
|
|
|
2. Requesting a referral
|
|
|
|
|
|
In order to request referrals defined in section 5, 6, and 7, the
|
|
Kerberos client MUST explicitly request the canonicalize KDC option
|
|
(bit 15) [3] for the AS-REQ or TGS-REQ. This flag indicates to the
|
|
KDC that the client is prepared to receive a reply that contains a
|
|
principal name other than the one requested.
|
|
|
|
|
|
KDCOptions ::= KerberosFlags
|
|
-- canonicalize (15)
|
|
-- other KDCOptions values omitted
|
|
|
|
|
|
The client should expect, when sending names with the "canonicalize"
|
|
KDC option, that names in the KDC's reply MAY be different than the
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 3]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
name in the request. A referral ticket is a cross realm TGT that is
|
|
returned when the sname of the ticket is not the sname in the request
|
|
[3].
|
|
|
|
|
|
3. Realm Organization Model
|
|
|
|
|
|
This draft assumes that the world of principals is arranged on
|
|
multiple levels: the realm, the enterprise, and the world. A KDC may
|
|
issue tickets for any principal in its realm or cross-realm tickets
|
|
for realms with which it has a direct trust relationship. The KDC
|
|
also has access to a trusted name service that can resolve any name
|
|
from within its enterprise into a realm. This trusted name service
|
|
removes the need to use an un-trusted DNS lookup for name resolution.
|
|
|
|
|
|
For example, consider the following configuration, where lines
|
|
indicate trust relationships:
|
|
|
|
|
|
|
|
MS.COM
|
|
/ \
|
|
/ \
|
|
OFFICE.MS.COM NTDEV.MS.COM
|
|
|
|
|
|
|
|
In this configuration, all users in the MS.COM enterprise could have
|
|
a principal name such as alice@MS.COM, with the same realm portion.
|
|
In addition, servers at MS.COM should be able to have DNS host names
|
|
from any DNS domain independent of what Kerberos realm their
|
|
principals reside in.
|
|
|
|
|
|
4. Client Name Canonicalization
|
|
|
|
|
|
A client account may have multiple principal names. More useful,
|
|
though, is a globally unique name that allows unification of email
|
|
and security principal names. For example, all users at MS may have a
|
|
client principal name of the form "joe@MS.COM" even though the
|
|
principals are contained in multiple realms. This global name is
|
|
again an alias for the true client principal name, which indicates
|
|
what realm contains the principal. Thus, accounts "alice" in the
|
|
realm NTDEV.MS.COM and "bob" in OFFICE.MS.COM may logon as
|
|
"alice@MS.COM" and "bob@MS.COM".
|
|
|
|
|
|
This utilizes a new client principal name type, as the AS-REQ message
|
|
only contains a single realm field, and the realm portion of this
|
|
name doesn't correspond to any Kerberos realm. Thus, the entire name
|
|
"alice@MS.COM" is transmitted as a single component in the client
|
|
name field of the AS-REQ message, with a name type of NT-ENTERPRISE
|
|
[3]. The KDC will recognize this name type and then transform the
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 4]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
requested name into the true principal name. The true principal name
|
|
can be using a name type different from the requested name type.
|
|
Typically the true principal name will be a NT-PRINCIPAL [3].
|
|
|
|
|
|
If the "canonicalize" KDC option is set, then the KDC MAY change the
|
|
client principal name and type in the AS response and ticket returned
|
|
from the name type of the client name in the request. For example the
|
|
AS request may specify a client name of "bob@MS.COM" as an NT-
|
|
PRINCIPAL with the "canonicalize" KDC option set and the KDC will
|
|
return with a client name of "104567" as a NT-UID.
|
|
|
|
|
|
5. Client Referrals
|
|
|
|
|
|
The simplest form of ticket referral is for a user requesting a
|
|
ticket using an AS-REQ. In this case, the client machine will send
|
|
the AS-REQ to a convenient trusted realm, for example the realm of
|
|
the client machine. In the case of the name alice@MS.COM, the client
|
|
MAY optimistically choose to send the request to MS.COM. The realm in
|
|
the AS-REQ is always the name of the realm that the request is for as
|
|
specified in [3].
|
|
|
|
|
|
The KDC will try to lookup the name in its local account database. If
|
|
the account is present in the realm of the request, it SHOULD return
|
|
a KDC reply structure with the appropriate ticket.
|
|
|
|
|
|
If the account is not present in the realm specified in the request
|
|
and the "canonicalize" KDC option is set, the KDC will try to lookup
|
|
the entire name, alice@MS.COM, using a name service. If this lookup
|
|
is unsuccessful, it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN
|
|
[3]. If the lookup is successful, it MUST return an error
|
|
KDC_ERR_WRONG_REALM [3] and in the error message the crealm field
|
|
will contain either the true realm of the client or another realm
|
|
that MAY have better information about the client's true realm. The
|
|
client MUST NOT use a cname returned from a referral.
|
|
|
|
|
|
If the client receives a KDC_ERR_WRONG_REALM error, it will issue a
|
|
new AS request with the same client principal name used to generate
|
|
the first referral to the realm specified by the realm field of the
|
|
Kerberos error message from the first request. The client SHOULD
|
|
repeat these steps until it finds the true realm of the client. To
|
|
avoid infinite referral loops, an implementation should limit the
|
|
number of referrals. A suggested limit is 5 referrals before giving
|
|
up. In Microsoft's current implementation through the use of global
|
|
catalogs any domain in one forest is reachable from any other domain
|
|
in the same forest or another trusted forest with 3 or less
|
|
referrals.
|
|
|
|
|
|
6. Service Referrals
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 5]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
The primary problem in service referrals is that the KDC must return
|
|
a referral ticket rather than an error message as is done in AS
|
|
ticket referrals. There needs to be a place to include in the TGS-REP
|
|
information about what realm contains the service. This is done by
|
|
returning information about the service name in the pre-
|
|
authentication data field of the KDC reply [3].
|
|
|
|
|
|
If the KDC resolves the service principal name into a principal in
|
|
the realm specified by the service realm name, it will return a
|
|
normal ticket.
|
|
|
|
|
|
If the "canonicalize" flag in the KDC options is not set, the KDC
|
|
MUST only look up the name as a normal principal name in the
|
|
specified service realm. If the "canonicalize" flag in the KDC
|
|
options is set and the KDC doesn't find the principal locally, the
|
|
KDC MAY return a cross-realm ticket granting ticket to the next hop
|
|
on the trust path towards a realm that may be able to resolve the
|
|
principal name.
|
|
|
|
|
|
When a referral TGT is returned, the KDC MUST return the target realm
|
|
for the referral TGT as an KDC supplied pre-authentication data
|
|
element in the response. The pre-authentication data MUST be
|
|
encrypted using the sub-session key from the authenticator if present
|
|
or the session key from the ticket. The pre-authentication data
|
|
contains the referred realm, and if known, the real principal name.
|
|
|
|
|
|
PA-SERVER-REFERRAL 25
|
|
|
|
|
|
PA-SERVER-REFERRAL-DATA ::= EncryptedData
|
|
-- ServerReferalData --
|
|
|
|
|
|
ServerReferralData ::= SEQUENCE {
|
|
referred-realm [0] Realm,
|
|
-- target realm of the referral TGT
|
|
referred-name [1] PrincipalName OPTIONAL,
|
|
-- service principal name, MAY differ
|
|
-- from the server name in the request
|
|
...
|
|
}
|
|
|
|
|
|
Clients MUST NOT process referral tickets if the KDC response does
|
|
not contain the PA-SERVER-REFERRAL.
|
|
|
|
|
|
If applicable to the encryption type, the key usage value for the
|
|
encryption key used by PA-SERVER-REFERRAL is 26 if the session key
|
|
from the ticket is used or 27 if a sub-session key is used.
|
|
|
|
|
|
If the referred-name field is present, the client MUST use that name
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 6]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
in a subsequent TGS request to the service realm when following the
|
|
referral.
|
|
|
|
|
|
The client will use this information to request a chain of cross-
|
|
realm ticket granting tickets until it reaches the realm of the
|
|
service, and can then expect to receive a valid service ticket.
|
|
However an implementation should limit the number of referrals that
|
|
it processes to avoid infinite referral loops. A suggested limit is 5
|
|
referrals before giving up.
|
|
|
|
|
|
Here is an example of a client requesting a service ticket for a
|
|
service in realm NTDEV.MS.COM where the client is in OFFICE.MS.COM.
|
|
|
|
|
|
+NC = Canonicalize KDCOption set
|
|
+PA-REFERRAL = returned PA-SERVER-REFERRAL
|
|
C: TGS-REQ sname=server/foo.ntdev.ms.com +NC to OFFICE.MS.COM
|
|
S: TGS-REP sname=krbtgt/MS.COM@OFFICE.MS.COM +PA-REFERRAL
|
|
containing MS.COM as the referred realm with no referred name
|
|
C: TGS-REQ sname=server/foo.ntdev.ms.com +NC to MS.COM
|
|
S: TGS-REP sname=krbtgt/NTDEV.MS.COM@MS.COM +PA-REFERRAL
|
|
containing NTDEV.MS.COM as the referred realm with no referred
|
|
name
|
|
C: TGS-REQ sname=server/foo.ntdev.ms.com +NC to NTDEV.MS.COM
|
|
S: TGS-REP sname=server/foo.ntdev.ms.com@NTDEV.MS.COM
|
|
|
|
|
|
7. Cross Realm Routing
|
|
|
|
|
|
The current Kerberos protocol requires the client to explicitly
|
|
request a cross-realm TGT for each pair of realms on a referral
|
|
chain. As a result, the client need to be aware of the trust
|
|
hierarchy and of any short-cut trusts (those that aren't parent-
|
|
child trusts).
|
|
|
|
|
|
Instead, using this referral routing mechanism, The KDC will
|
|
determine the best path for the client and return a cross-realm TGT
|
|
as the referral TGT, and the target realm for this TGT in the PA-
|
|
SERVER-REFERRAL of the KDC reply.
|
|
|
|
|
|
If the "canonicalize" KDC option is not set, the KDC MUST NOT return
|
|
a referral ticket. Clients MUST NOT process referral tickets if the
|
|
KDC response does not contain the PA-SERVER-REFERRAL.
|
|
|
|
|
|
8. Compatibility with earlier implementations of name canonicalization
|
|
|
|
|
|
The Microsoft Windows 2000 and Windows 2003 releases included an
|
|
earlier form of name-canonicalization [5]. Here are the differences:
|
|
|
|
|
|
1) The TGS referral data is returned inside of the KDC message as
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 7]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
"encrypted pre-authentication data".
|
|
|
|
|
|
EncKDCRepPart ::= SEQUENCE {
|
|
key [0] EncryptionKey,
|
|
last-req [1] LastReq,
|
|
nonce [2] UInt32,
|
|
key-expiration [3] KerberosTime OPTIONAL,
|
|
flags [4] TicketFlags,
|
|
authtime [5] KerberosTime,
|
|
starttime [6] KerberosTime OPTIONAL,
|
|
endtime [7] KerberosTime,
|
|
renew-till [8] KerberosTime OPTIONAL,
|
|
srealm [9] Realm,
|
|
sname [10] PrincipalName,
|
|
caddr [11] HostAddresses OPTIONAL,
|
|
encrypted-pa-data [12] SEQUENCE OF PA-DATA OPTIONAL
|
|
}
|
|
|
|
|
|
2) The preauth data type definition in the encrypted preauth data is
|
|
as follows:
|
|
|
|
|
|
PA-SVR-REFERRAL-INFO 20
|
|
|
|
|
|
PA-SVR-REFERRAL-DATA ::= SEQUENCE {
|
|
referred-name [1] PrincipalName OPTIONAL,
|
|
referred-realm [0] Realm
|
|
}
|
|
|
|
|
|
9. Security Considerations
|
|
|
|
|
|
In the case of TGS requests the client may be vulnerable to a denial
|
|
of service attack by an attacker that replays replies from previous
|
|
requests. The client can verify that the request was one of its own
|
|
by checking the client-address field or authtime field, though, so
|
|
the damage is limited and detectable.
|
|
|
|
|
|
For the AS exchange case, it is important that the logon mechanism
|
|
not trust a name that has not been used to authenticate the user.
|
|
For example, the name that the user enters as part of a logon
|
|
exchange may not be the name that the user authenticates as, given
|
|
that the KDC_ERR_WRONG_REALM error may have been returned. The
|
|
relevant Kerberos naming information for logon (if any), is the
|
|
client name and client realm in the service ticket targeted at the
|
|
workstation that was obtained using the user's initial TGT.
|
|
|
|
|
|
How the client name and client realm is mapped into a local account
|
|
for logon is a local matter, but the client logon mechanism MUST use
|
|
additional information such as the client realm and/or authorization
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 8]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
attributes from the service ticket presented to the workstation by
|
|
the user, when mapping the logon credentials to a local account on
|
|
the workstation.
|
|
|
|
|
|
10. Acknowledgements
|
|
|
|
|
|
The authors wish to thank Ken Raeburn for his comments and
|
|
suggestions.
|
|
|
|
|
|
11. References
|
|
|
|
|
|
11.1 Normative References
|
|
|
|
|
|
[1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
|
|
9, RFC 2026, October 1996.
|
|
|
|
|
|
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
|
Levels", BCP 14, RFC 2119, March 1997.
|
|
|
|
|
|
[3] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
|
|
Network Authentication Service (V5)", draft-ietf-krb-wg-kerberos-
|
|
clarifications. Work in progress.
|
|
|
|
|
|
[4] Postel, J., "Simple Mail Transfer Protocol", RFC 821, August
|
|
1982.
|
|
|
|
|
|
11.2 Informative References
|
|
|
|
|
|
[5] Trostle, J., Kosinovsky, I., and Swift, M., "Implementation of
|
|
Crossrealm Referral Handling in the MIT Kerberos Client", In Network
|
|
and Distributed System Security Symposium, February 2001.
|
|
|
|
|
|
12. Author's Addresses
|
|
|
|
|
|
Karthik Jaganathan
|
|
Microsoft
|
|
One Microsoft Way
|
|
Redmond, Washington
|
|
Email: karthikj@Microsoft.com
|
|
|
|
|
|
Larry Zhu
|
|
Microsoft
|
|
One Microsoft Way
|
|
Redmond, Washington
|
|
Email: lzhu@Microsoft.com
|
|
|
|
|
|
Michael Swift
|
|
University of Washington
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 9]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
Seattle, Washington
|
|
Email: mikesw@cs.washington.edu
|
|
|
|
|
|
John Brezak
|
|
Microsoft
|
|
One Microsoft Way
|
|
Redmond, Washington
|
|
Email: jbrezak@Microsoft.com
|
|
|
|
|
|
Jonathan Trostle
|
|
Cisco Systems
|
|
170 W. Tasman Dr.
|
|
San Jose, CA 95134
|
|
Email: jtrostle@cisco.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 10]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KDC Referrals January 2005
|
|
|
|
|
|
|
|
Copyright Statement
|
|
|
|
|
|
Copyright (C) The Internet Society (2004). This document is subject
|
|
to the rights, licenses and restrictions contained in BCP 78, and
|
|
except as set forth therein, the authors retain all their rights.
|
|
|
|
|
|
This document and the information contained herein are provided on an
|
|
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
|
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
|
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
|
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
|
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
|
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
|
Intellectual Property
|
|
|
|
|
|
The IETF takes no position regarding the validity or scope of any
|
|
Intellectual Property Rights or other rights that might be claimed to
|
|
pertain to the implementation or use of the technology described in
|
|
this document or the extent to which any license under such rights
|
|
might or might not be available; nor does it represent that it has
|
|
made any independent effort to identify any such rights. Information
|
|
on the procedures with respect to rights in RFC documents can be
|
|
found in BCP 78 and BCP 79.
|
|
|
|
|
|
Copies of IPR disclosures made to the IETF Secretariat and any
|
|
assurances of licenses to be made available, or the result of an
|
|
attempt made to obtain a general license or permission for the use of
|
|
such proprietary rights by implementers or users of this
|
|
specification can be obtained from the IETF on-line IPR repository at
|
|
http://www.ietf.org/ipr.
|
|
|
|
|
|
The IETF invites any interested party to bring to its attention any
|
|
copyrights, patents or patent applications, or other proprietary
|
|
rights that may cover technology that may be required to implement
|
|
this standard. Please address the information to the IETF at ietf-
|
|
ipr@ietf.org.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Jaganathan [Page 11] |