Internet Draft
INTERNET-DRAFT                                         Graydon Hoare
draft-hoare-nics-00.txt                          
expires July 15 1997                                     Jan 15 1997

                               NICS
           Network of Identifier and Credential Servers
                       (first public draft)

                       Status of this Memo
 
This document is an Internet-Draft. Internet-Drafts are working 
documents of the Internet Engineering Task Force (IETF), its areas, 
and its working groups. Note that other groups may also distribute 
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six 
months and may be updated, replaced, or obsoleted by other documents 
at any time. It is inappropriate to use Internet-Drafts as reference 
material or to cite them other than as "work in progress".

To learn the current status of any Internet-Draft, please check the 
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), 
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or 
ftp.isi.edu (US West Coast).


Abstract
   
NICS is a proposed system which meets the requirements of large-
scale, unique principal identification, for use in conjunction with 
an arbitrary set of security systems such as have been proposed by 
members of the IETF.
 
This proposal outlines the motivation for the development of NICS, 
and gives a general description of its internal workings and 
interfaces with higher-level protocols.

It should be emphasized up front that NICS is not a complete 
security system, nor does it aim to replace any existing components 
of the internet which already work. The design draws off the fact 
that many security systems already have flexible name schemes, and 
are therefore considered components which are used in conjunction 
with NICS to achieve an improved level of service, flexibility and 
reliability, while introducing many desirable features such as 
anonymous identifiers, self-optimization, and low-overhead 
operation.

For the purpose of initial evaluation, the remainder of this paper 
is short and to the point, and requires a little work on the 
reader's side to understand the reasoning. Additional discussion is 
welcome on the mailing list.



jan 15 1997            draft-nics-00.txt               graydon hoare


Rationale

The intent of the author is to produce a stable, self-maintaining 
distributed database capable of identifying (naming) an extremely 
large number of principals and providing their credentials to any 
principals who ask. Such an intent initially appears to overshadow 
pre-existing systems such as DNS, X.500, SDSI, etc. However this is 
not the case: all currently existing naming schemes allow for, or 
require at some point in their operation a unique, unchanging 
reference name for a given principal. Currently existing standards 
to refer to each other by default: SDSI imports global names out of 
the DNS, X.500 imports names out of the MX map of the DNS, DNSSEC 
imports names from X.500/509 names, or from IP numbers etc. None of 
these exported names are static, or even acceptably detached from 
real-world organizational structures. Most standards also allow for 
additional naming schemes. NICS is an attempt to define such a 
naming scheme on which all others may optionally be built, or on 
which low-overhead security services may directly operate. NICS does 
not guarantee anonymity in all cases, nor does it guarantee any sort 
of directory service. The design does not specify a security 
framework -- the issue is implementation specific. The only feature 
NICS adds to the internet is strong universal naming, for purposes 
of customization, accounting, authentication, authorization, and 
other ``security'' procedures. It is beyond the scope of this 
initial document to describe these procedures further; the reader is 
assumed to be familliar with modern security systems. 


Design

NICS is a system for serving the values of a single relating table 
to anyone connected to the global internet. The table consists of 
identifiers (which uniquely identify communicating principals) and 
their associated credentials. This is called the NICS Database. It 
is served by Identifier and Credential Servers (ICSs). The format 
for NICS IDentifiers (NIDs) is specific and fixed: they are all 16-
bytenetwork order unsigned integers. The numeric space afforded by 
16bytes is immense, as no NIDs go unused within NICS. In 
comprehensible terms, a 128-bit length would allow each of 6 billion 
people to allocate 1 billion new NIDs every milisecond of the day 
for 1.8 million millennia before the range is exhausted. It is 
therefore suggested that 16 bytes is sufficient even for the large 
task of unique identification. 

The format for credentials is variable, but each type of credential 
must conform to the following criteria:

* it must be possible to encode, transmit and store the credentials 
as a string of bytes (octets)



jan 15 1997            draft-nics-00.txt               graydon hoare


* the standard from which the credentials are derived must be 
recognized and numbered by IANA.

Every principal within NICS is represented solely by its NID. A 
principal uses its NID and its associated credentials to establish 
any further relationships, but the basic NICS record is just a NID -
> Credential mapping called a Principal Record (PR). 

An ICS will use credentials within its local database to evaluate 
and authenticate transactions with other principals, including other 
ICSs. It is therefore essential that at minimum an ICS maintains its 
own PR in a safe, local store.

The database is distributed amongst all known ICSs in a non-
hierarchical maner. It is devided amongst hosts by using Scopes. A 
scope is stored as a tuple of 1 low NID and 1 high NID, which 
together represent an inclusive numeric range. A scope is associated 
with the NIDs of one or more ICSs acting as replication-peers for 
that scope in a structure called a Service Record (SR). Every ICS in 
an SR's peer table is responsible for storing a copy of every 
allocated PR within the Scope. A change to a PR within a scope can 
be initiated by any SR-peer, and inter-peer synchronization is 
achieved through flooding of timestamped advisory locks and a simple 
commit/rollback scheme. Any peer in an SR is responsible for 
maintaining an accurate map of the SR, as well as an accurate map of 
the 2 SRs with ranges immediately ``above'' and ``below'' the SR. If 
a peer is a member of more than one SR (as will often be the case) 
it must maintain these records for each SR independently. For every 
change to a PR or SR, every peer in the SR-peer list needs to 
acknowledge the change. SR updates should additionally flood into 
the neighbouring SRs, although acknowledges from neighbours may be 
delayed or ignored.

Each SR has an implicit ``desired distribution'' which is calculated 
based on its breadth of scope, among other things. The desired 
distribution is the ideal number of hosts on which the scope should 
be replicated in order to be considered reliable and fast -- 
obviously the calculation will need to take into account a few 
factors. Every peer within an SR communicates the size of its 
remaining allocated local storage to every other peer. Expansion of 
an SR towards its desired distribution takes place using the 
standard ICS flooding transaction method. An ICS will introduce a 
new ICS into an SR that it is a member of, if and only if 

* the desired distribution for the SR has not yet been met

* the new ICS has more free space available than any other willing 
neighbours




jan 15 1997            draft-nics-00.txt               graydon hoare


The first ICS within an SR to reach its highwater mark in allocated 
storage (which should be well beneath its real limit, as extra space 
is needed in panic situations) signals its peers that it is running 
out of space, and it is time for a ``split'' transaction. The SR 
then splits at a NID specified by the initiating peer, and a new SR 
is created beginning at the split NID + 1. The new SR excludes the 
initiating peer. This split takes place on all peers in the SR. The 
appropriate ``above'' and ``below'' SRs are adjusted, and the newly 
split scope goes about its top priority which is always to reach the 
desired distribution.

A peer may, at any time, ``resign'' from an SR provided the SR has 
other active peers. In the unlikely event that all peers in an SR 
resign or are disconnected in rapid succession, the neighbours of 
the SR will be made aware of the fact, and are obliged to offer 
assistance in transferring the portion of the database off the 
crashing servers. 

Aggregation may take place using an as-of-yet undecided strategy. 
Since all peers within an SR are always aware of the NIDs of all 
neighbouring peers, it is not difficult to imagine a strategy of SR-
boundary re-alignment in order to aggregate SRs. It should be 
stressed however that stability through replication takes priority 
over optimizing aggregations.

Any query which enters an ICS is answered by taking the following 
steps (assuming principal authentication) 

* If the PR is stored locally, return the credentials of the query

* Otherwise, forward the query to a random member of the SR with the 
closest known range.

In these cases, forwarding can mean either returning the SR to the 
client or actually performing a recursive query, much like DNS. 
Usually a recursive query will yield better results. Anyone is 
allowed to cache SRs, so locating an appropriate server should not 
take too long. PRs are not intended to be cached unless they are 
flagged with a special loose-security bit, which enables cached PRs 
to use TTLs for cache-consistency. Any PR without the loose-security 
bit set may be cached, but must have at minimum its hash-value 
reloaded from an authoritative peer every time it is required by 
another layer of the system. It will be hard to enforce this rule, 
but adherance is recommended in order to close any possible windows 
for attackers. In order to remain reasonably efficient in spite of 
the heavy consistency requirements, the communication protocol must 
be lightweight, and the cache of SRs much be as large as possible in 
clients.




jan 15 1997            draft-nics-00.txt               graydon hoare


For update messages, the query is processed in a timestamped, 
flooded two-phase commit, in which a transaction only proceeds after 
a signed cookie is received from all peers in the SR. If an SR peer 
is ever ``unreachable'', it is flagged as down and all commits are 
assumed to be approved by it. If the peer ever comes back up, in 
order to clear its down flag it must take whatever measures 
necessary in requested transfers to provide to all members of the SR 
with a signed digest of the most recent version of the SR. In the 
interim, the SR may have abandonned the peer altogether and expanded 
to the desired distribution using other peers. In such a case the 
host is informed of its exclusion upon resuming contact with its old 
SR. A peer is expected to abide by such a decision.

There is no defined means (yet) for dealing with multiple sets of 
peers who consider one another mutually exclusive. One SR must yield 
control of the given range to the other. Otherwise a ``shadow NICS'' 
emerges, much like the ``alternative'' domain name servers, except 
that no integration is possible because there is supposedly only one 
NID range. Such activity would therefore only be destructive to both 
sets of peers, as they would no longer be able to distinguish which 
NID was which. While such activity could be used as a means of 
attack, sufficient CA data communicated out of band makes this 
easily defended against.

Finally, announcement of an ICS proceeds exactly as does 
announcement of any other principal: the principal sends a broadcast 
challenge for valid authentication over its local link. The 
challenge uses either its own previously-established PR or an out of 
band PR. Any valid response it receives has proven itself to be 
attached to the wider NICS, and it therefore added to the client's 
list of local ICSs. If no response is received, a larger broadcast 
may be necessary, or the use of some service-location protocol. If 
an out of band PR is chosen, the next request will probably be a 
query to set a new NID for the principal. Such a query is forwarded 
a random number of times to random peers within the NICS and 
eventually serviced (perhaps after a TTL expires) by assigning the 
next consecutive NID in a scope with free space. NIDs are assigned 
consecutively within scopes starting from a randomly chosen position 
and overflowing onto the low end of the scope if necessary (in order 
to better permit aggregation) but since scopes shift from one server 
to another the actual value of a NID does not reveal any practical 
information about the principal posessing it.

In fact, this is the primary motivation for NICS: principals may 
have as many unassociated and (to varying degrees) anonymous NIDs as 
they feel they need to maintain privacy. If a NID ever outlives its 
usefulness, its PR may be set to NULL at which point no further 
modifications are authorized to take place. It is ``dead''. It is 
the responsibility of the principal to keep joinable data out of 



jan 15 1997            draft-nics-00.txt               graydon hoare


their PR, and out of the hands of anyone they do not wish to trace 
them, but under NICS it actually is an option to have anonymous 
identities. 


Implementation

At this time, no implementation is available. The author has begun 
work on a portable ANSI C version of an ICS, but it will most likely 
need to be rewritten several times in order to conform to emerging 
GSSAPI & IPSEC standards. Most of the code required for such a 
server has already been written -- there are libraries to handle 
most authentication schemes, simple database management, caching, 
and network communication. It should be stressed that NICS is 
intended to be capable of operating in an extremely low-overhead 
system, such as a consumer electronics device or embedded 
controller. Several scenarios do not even include mutual 
authentication -- systems relying on smart-cards or even magnetic 
strip cards may benefit from a uniform identifier scheme.

In order to make NIDs easier to remember, certain transformations 
are suggested such as mapping 16-bit chunks into a dictionary of 
standard english words. A 2^16 entry dictionary was prepared as a 
demonstration. 

The random NIDs (in 2^16 decimal chunks)

* 56184.10819.11346.28658.8732.65087.5944.14558
* 38012.49371.6317.16111.20713.58321.55011.48691
* 6887.1175.33979.52356.53123.62765.14518.24799

map to

* sucks.claw.coefficient.incredible.capioma.yountsville.bmw.dedeaux
* misery.rillton.bootstraps.dome.flandry.tick.squeaky.renshaw
* breathes.aliquid.liveware.shackleton.sides.ways.declez.gulph

which, while not exactly easy to remember, are better than their 
decimal counterparts. Such identifiers can be stored within any 
other security system easily as extended name types, revealing as 
little as is desired (or knowable) about the principal. 



Further comments on NICS can be directed to the IPSEC mailing list 
or to the author at graydon@pobox.com.