Issue 2437: Security: SECIOP (sec-rev)
Nature: Uncategorized Issue

Summary:
Severity: Yes :)
Security 1.5:
Issue: Interoperability. SECIOP needs an internet address designation.

The current specification says that SECIOP goes under GIOP and over IIOP. This is misguided, as IIOP is really just a term for GIOP over TCP/IP.

SECIOP doesn't really have to be over TCP/IP, but it might be helpful to think of it that way. However, like SSL, we need a way to separate SECIOP over TCP/IP and GIOP over TCP/IP. If SECIOP cannot have its own profile, since now ONE profile can represent multiple protocols, then we need a way to specify a different internet address (different port), but also maybe a different interface card (multihomed hosts).

Resolution: Close issue 2437 "SECIOP needs an internet address designation"

Revised Text:

Section 15.10
Add the following after paragraph 1189 on page 15.24 (modeled after the SSLIOP).

The IIOP TAG identifying the SECIOP security transport is TAG_SECIOP_INET_SEC_TRANS. The tagged component data described below must be encapsulated using CDR encoding. The data structure associated with this tag is as follows:

    struct SECIOP_INET_SEC_TRANS {
        unsigned short port;
    };

The port field contains the port number to be used instead of the port defined in the accompanying IIOP profile body, if SECIOP is selected by the client. It contains the TCP/IP port number (at the specified host) where the target agent is listening for connection requests for the SECIOP protocol.
Appendix A.8, page 15-327
Add the following definitions to the module SECIOP:

    const IOP::ComponentId TAG_SECIOP_INET_SEC_TRANS = 123;
    struct SECIOP_INET_SEC_TRANS {
        unsigned short port;
    };

Actions taken:
February 4, 1999: received issue
June 18, 1999: closed issue

Discussion:

End of Annotations:=====

Date: Thu, 4 Feb 1999 10:32:20 -0500 (EST)
From: Polar Humenn
To: issues@omg.org
Subject: Security: SECIOP

Severity: Yes :)
Security 1.5:
Issue: Interoperability. SECIOP needs an internet address designation.

The current specification says that SECIOP goes under GIOP and over IIOP. This is misguided, as IIOP is really just a term for GIOP over TCP/IP.

SECIOP doesn't really have to be over TCP/IP, but it might be helpful to think of it that way. However, like SSL, we need a way to separate SECIOP over TCP/IP and GIOP over TCP/IP. If SECIOP cannot have its own profile, since now ONE profile can represent multiple protocols, then we need a way to specify a different internet address (different port), but also maybe a different interface card (multihomed hosts).

Discussion:

I suggest a new SECIOP_INET_SEC_TRANS component and require it to be added to the IIOP profile to indicate the availability of SECIOP. Also, require at least one of the SECIOP security components (SPKM_1, SPKM_2, KerberosV5, etc.) to exist in the profile with it, and require that no SECIOP security components can exist in the IIOP profile without the SECIOP_INET_SEC_TRANS component there as well.

    module SECIOP {
        const IOP::ProfileTag TAG_SECIOP_INET_SEC_TRANS = ??;
        struct SECIOP_INET_SEC_TRANS {
            sequence addresses;
            short port;
        };
    };

If the sequence of addresses is empty, then the host in the IIOP profile is used. If it is not, it labels possibly alternate different internet interface addresses that can be used for SECIOP. An address may be the same as the host specified in IIOP without consequence.
Note: The alternate addresses are needed because it may be the case that messages in the clear come in on one interface card, while secure ones come in on others. If the port number is the same as the IIOP profile, it is up to the ORB implementation whether it may accept SECIOP or GIOP messages over the same port, which is possible the way we designed the protocol.

Thanks,
-Polar
-------------------------------------------------------------------
Polar Humenn                  Adiron, LLC
President                     2-212 Center for Science & Technology
mailto:polar@adiron.com       CASE Center/Syracuse University
Phone: 315-443-3171           Syracuse, NY 13244-4100
Fax: 315-443-4745
http://www.adiron.com

Date: Thu, 04 Feb 1999 08:30:00 -0800
From: Jonathan Biggar
To: Polar Humenn
CC: issues@omg.org
Subject: Re: Security: SECIOP

Polar Humenn wrote:
>
> Severity: Yes :)
> Security 1.5:
> Issue: Interoperability. SECIOP needs an internet address
> designation.
>
> The current specification says that SECIOP goes under GIOP and over
> IIOP.
> This is misguided, as IIOP is really just a term for GIOP over
> TCP/IP.
>
> SECIOP doesn't really have to be over TCP/IP, but it might be
> helpful
> to think of it that way. However, like SSL, we need a way to separate
> SECIOP over TCP/IP and GIOP over TCP/IP. If SECIOP cannot have its
> own
> profile, since now ONE profile can represent multiple protocols,
> then we
> need a way to specify a different internet address (different port),
> but also
> maybe a different interface card (multihomed hosts).
>
> Discussion:
>
> I suggest a new SECIOP_INET_SEC_TRANS component and require it to be
> added
> to the IIOP profile to indicate the availability of SECIOP.

Just wondering, are you aware of the new TAG_ALTERNATE_IIOP_ADDRESS that was added to IIOP 1.2? It has similar features to what you are proposing, and I wonder if there is a way to consolidate the two.
--
Jon Biggar
Floorboard Software
jon@floorboard.com
jon@biggar.org

Date: Wed, 10 Mar 1999 10:33:16 -0500 (EST)
From: Polar Humenn
To: sec-rev@omg.org
Subject: Re: Open Issues

On 9 Mar 1999, Andre Srinivasan wrote:
> Issue 2437: I vote no on Polar's recommendation. We need to discuss
> this more.

So, please do. SSL has a tagged component with a port number designation; SECIOP really needs one as well. What is wrong/good about it?

-Polar
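The revised Section 15.10 text says the SECIOP_INET_SEC_TRANS component is CDR-encapsulated and that its port replaces the IIOP profile port only when the client selects SECIOP. The following is an added example, not code from the OMG specification or from any of the correspondents: it encodes and decodes that encapsulation (byte-order flag octet, one alignment pad, then the unsigned short) and applies the port-selection rule to a constructed IIOP profile. The tag value 123 is the one given in the resolution; treating a missing component as an error when SECIOP is selected follows Polar's proposal that the component signals SECIOP availability, and is an assumption here.

```python
import struct

# Tag value from the issue resolution (Appendix A.8 revised text).
TAG_SECIOP_INET_SEC_TRANS = 123


def encode_seciop_inet_sec_trans(port: int, little_endian: bool = False) -> bytes:
    """CDR encapsulation of struct SECIOP_INET_SEC_TRANS { unsigned short port; }.

    Octet 0 is the byte-order flag (0 = big-endian, 1 = little-endian).
    Alignment is relative to the start of the encapsulation, so the 2-octet
    unsigned short lands at offset 2 after a single padding octet.
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in an unsigned short")
    flag = 1 if little_endian else 0
    return bytes([flag, 0]) + struct.pack("<H" if little_endian else ">H", port)


def decode_seciop_inet_sec_trans(data: bytes) -> int:
    """Recover the port, honouring the sender's byte-order flag."""
    if len(data) != 4:
        raise ValueError("SECIOP_INET_SEC_TRANS encapsulation must be 4 octets")
    flag = data[0]
    if flag not in (0, 1):
        raise ValueError("invalid CDR byte-order flag")
    return struct.unpack("<H" if flag else ">H", data[2:4])[0]


def connect_port(profile_port: int, components, seciop_selected: bool) -> int:
    """Port a client should connect to, per the revised Section 15.10 text.

    `components` is a list of (tag, encapsulated_data) pairs from the IIOP
    profile. If SECIOP is not selected, the profile's own port is used.
    Assumption (from the proposal in the thread): selecting SECIOP when the
    profile carries no SECIOP_INET_SEC_TRANS component is an error.
    """
    if not seciop_selected:
        return profile_port
    for tag, data in components:
        if tag == TAG_SECIOP_INET_SEC_TRANS:
            return decode_seciop_inet_sec_trans(data)
    raise LookupError("SECIOP selected but profile advertises no SECIOP transport")


# Constructed sample: IIOP profile listening on 2809, SECIOP offered on 2810.
SAMPLE_PROFILE_PORT = 2809
SAMPLE_COMPONENTS = [(TAG_SECIOP_INET_SEC_TRANS, encode_seciop_inet_sec_trans(2810))]
```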