From 5238fad90a6c030760314cfb25ec0e068f08b236 Mon Sep 17 00:00:00 2001 From: Peter Saint-Andre Date: Thu, 25 Jun 2009 21:00:30 +0000 Subject: [PATCH] 0.4rc4 by Philipp Hancke and Peter Saint-Andre git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@3283 4b5297f7-1745-476d-ba37-a9c6900126ab --- xep-0220.xml | 1083 +++++++++++++++----------------------------------- 1 file changed, 328 insertions(+), 755 deletions(-) diff --git a/xep-0220.xml b/xep-0220.xml index 53c27420..80b33078 100644 --- a/xep-0220.xml +++ b/xep-0220.xml @@ -7,10 +7,10 @@
Server Dialback - This specification defines the Server Dialback protocol, which is used between XMPP servers to provide identity verification. Server Dialback uses the Domain Name System (DNS) as the basis for verifying identity; the basic approach is that when a receiving server receives a server-to-server connection request from an originating server, it does not accept the request until it has verified a key with an authoritative server for the domain asserted by the originating server. Although Server Dialback does not provide strong authentication or trusted federation and although it is subject to DNS poisoning attacks, it has effectively prevented most instances of address spoofing on the XMPP network since its development in the year 2000. + This specification defines the Server Dialback protocol, which is used between XMPP servers to provide identity verification. Server Dialback uses the Domain Name System (DNS) as the basis for verifying identity; the basic approach is that when a receiving server accepts a server-to-server connection from an originating server, it does not process traffic over the connection until it has verified a key with an authoritative server for the domain asserted by the originating server. Although Server Dialback does not provide strong authentication or trusted federation and although it is subject to DNS poisoning attacks, it has effectively prevented most instances of address spoofing on the XMPP network since its development in the year 2000. &LEGALNOTICE; 0220 - Proposed + Experimental Standards Track Standards Council @@ -22,6 +22,28 @@ dialback &stpeter; &jer; + + Philipp + Hancke + fippo@psyced.org + + + 0.4rc4 + in progress, last updated 2009-06-25 + ph/psa + +
    +
  • Changed description and order of steps.
    • +
  • Made clear that dialback consists of two mostly independent subprotocols.
    • +
  • Further piggybacking clarifications.
    • +
  • Defined extended usage of dialback errors, obsoleting stream errors.
    • +
  • Specified extended error conditions.
    • +
  • Added stream feature details for new-style error behavior.
    • +
  • Added multiplexing notes.
    • +
  • Updated schemas.
    • +
+ + 0.3 2008-10-16 @@ -63,814 +85,361 @@
-

When Jabber technologies were first developed in 1998, they were conceived of as a client-server system similar to email, wherein a client would connect to a server in order to communicate with other clients. Similarly, servers would connect with peer servers to provide inter-domain communication (often called "federation"). In a system that allows federation, it is important for a server to be able to determine the identity of a peer server; accepting a connection from any peer without determining its identity would result in the use of merely asserted identities and a completely uncontrolled approach to federation, which on the open Internet would rapidly devolve into chaos. Clearly such a state of affairs would be unsustainable for a network protocol aiming for widespread deployment.

-

Unfortunately, that was the state of affairs on the Jabber network during the earliest releases of the original &jabberd; server codebase (up through the 1.0 release in May 2000). Therefore the open-source developer community designed a protocol ("Server Dialback") for weak identity verification based on the Domain Name System (DNS), built support for that protocol into the jabberd 1.2 server (released in October 2000), and mandated support for that protocol on the emerging Jabber server network.

-

When the core Jabber protocols were formalized by the XMPP Working Group of the &IETF; in 2002-2004, support for strong identity verification was added. That support takes the form of Transport Layer Security (TLS) for encryption of server-to-server XML streams and the Simple Authentication and Security Layer (SASL) for authentication of such streams, using digital certificates issued by trusted root certificate authorities (CAs). Documentation of TLS and SASL within XMPP is provided in &xmppcore;. However, the Server Dialback protocol is still in wide use, and probably will be for the foreseeable future given the difficulty (real or perceived) of obtaining digital certificates issued by common CAs. (The &XSF; has worked to make certificates easier to obtain by running the &XMPPICA;.)

-

Therefore it is important to maintain accurate documentation of the Server Dialback protocol. Such documentation was originally provided in &rfc3920;. Although that documentation was removed from &rfc3920bis;, it is still provided in this specification for the sake of interoperability.

- - - -

There are at least four levels of server-to-server federation in Jabber/XMPP networks:

-
    -

  1. Permissive Federation -- a server accepts a connection from any other peer on the network, even without verifiying the identity of the peer based on DNS lookups. The lack of peer verification or authentication means that domains can be spoofed.

    2. -

  2. Verified Federation -- a server accepts a connection from a peer only after the identity of the peer has been weakly verified based on information obtained via the Domain Name System (DNS). However, the connection is not encrypted or authenticated. The use of identity verification effectively prevents domain spoofing, but federation requires proper DNS setup and is still subject to DNS poisoning attacks.

    3. -

  3. Encrypted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) as defined for XMPP in RFC 3920 and the peer presents a digital certificate. However, the certificate can be self-signed, in which case mutual authentication is typically not possible. Therefore, after STARTTLS negotiation the parties proceed to weakly verify identity based on DNS information as under Verified Federation. This combination results in an encrypted connection with weak identity verification.

    4. -

  4. Trusted Federation -- a server accepts a connection from a peer only if the peer supports Transport Layer Security (TLS) and the peer presents a digital certificate issued by a trusted root certificate authority (CA). The list of trusted root CAs is determined by local service policy, as is the level of trust accorded to various types of certificates (e.g., Class 1, Class 2, or Class 3). The use of trusted domain certificates effectively prevents DNS poisoning attacks and results in mutual authentication.

    5. -
-

This specification documents the technology that enabled the Jabber server network to advance beyond Permissive Federation to Verified Federation. Combined with the use of TLS, Server Dialback can also result in Encrypted Federation. However, Trusted Federation is not possible with Server Dialback.

-

Note: For detailed examples showing the protocol flows and outcomes of dialback negotiation for a wide variety of federation scenarios, refer to &xep0238;.

+

Such potential chaos was the state of affairs on the Jabber network during the earliest releases of the original &jabberd; server codebase (up through the 1.0 release in May 2000). Therefore the Jabber developer community designed a protocol ("Server Dialback") for weak identity verification based on the Domain Name System (DNS), built support for that protocol into the jabberd 1.2 server (released in October 2000), and mandated support for that protocol on the emerging Jabber server network.

+

When the early Jabber protocols were formalized by the XMPP Working Group of the &IETF; in 2002-2004, support for strong identity verification was added. That support takes the form of Transport Layer Security (TLS) for encryption of server-to-server XML streams and the Simple Authentication and Security Layer (SASL) for authentication of such streams, using digital certificates issued by trusted root certificate authorities (CAs). However, the Server Dialback protocol is still in wide use, and probably will be for the foreseeable future given the perceived difficulty of obtaining digital certificates issued by common CAs (although this problem is mitigated by the &XMPPICA; run by the &XSF;). Therefore it is important to maintain accurate documentation of the Server Dialback protocol. Such documentation was originally provided in &rfc3920;. Although that documentation was removed from &rfc3920bis;, it is still provided in this specification for the sake of interoperability.

 -

Server Dialback is a method for weak identify verification. Such verification depends on the Domain Name System (DNS) and the use of keys based on a shared secret known to all XMPP servers within a given trust domain (e.g., the trust domain associated with a given second-level DNS domain such as "example.com" and all of its subdomains).

+

Server Dialback is a method for weak identify verification. Such verification depends on the Domain Name System (DNS) and the use of keys based on a shared secret known to all XMPP servers within a given trust domain.

Since October 2000, the use of Server Dialback has made it more difficult to spoof the hostnames of servers (and therefore the addresses of sent messages) on the XMPP network. However, Server Dialback does not provide authentication between servers and is not a security mechanism. Domains requiring high security are advised to use TLS and SASL with certificates issued by trusted roots.

Server Dialback is uni-directional, and results in weak identity verification for one XML stream in one direction. Because Server Dialback is not an authentication mechanism, mutual authentication is not possible via dialback. Therefore, Server Dialback must be completed in each direction in order to enable bi-directional communication between two domains.

+

Dialback does not verify that the IP address returned by a DNS lookup of the originating domain is the same as the source IP address of the incoming TCP connection. While this might often be true, not performing this check enables large deployments to separate incoming and outgoing message routing.

Server Dialback is typically used in two scenarios:

  1. When a peer service does not support XMPP 1.0 as defined in RFC 3920 or, more generally, does not offer negotiation of TLS.

    2. -

  2. When STARTTLS negotiation succeeds with a peer service but the peer's certificate is not strong enough to result in mutual authentication via SASL (e.g., because the certificate presented by the peer service during TLS negotiation is self-signed and local service policies stipulate that it is preferable to weakly identify the peer service via Server Dialback rather than depend on the self-signed certificate for identity verification).

    3. +

  3. When STARTTLS negotiation succeeds with a peer service but the peer's certificate cannot be be used to establish the peer's identity.

-

Both of these scenarios result in an untrusted connection (verified federation in the first scenario and encrypted federation in the second scenario). However, depending on local security policies, a server might accept such an untrusted connection if the use of Server Dialback results in weak identity verification.

-

Dialback is not used if SASL is used for server-to-server authentication, since SASL provides strong authentication using certificates, pre-established passwords, or other credentials.

-

A service cannot begin negotiation of Server Dialback unless its peer advertises support for the Server Dialback protocol. As described under Receiving Server Processes Initial Stream Header, a peer advertises support through inclusion of the Server Dialback namespace declaration in its response stream header and (for XMPP 1.0 servers) through inclusion of the Server Dialback stream feature.

+

Both of these scenarios result in an untrusted connection. However, depending on local security policies, a server might accept such an untrusted connection if the use of Server Dialback results in weak identity verification.

The basic idea behind Server Dialback is that a receiving server does not accept XMPP traffic from a sending server until it has "called back" the authoritative server for the domain asserted by the sending server, and verified that the sending server is truly authorized to generate XMPP traffic for that domain.

A helpful analogy might be the following telephone scenario:

    -
  1. A representative from your electric utility company knocks on your front door and says he needs to enter your house.
    2. +
  2. A worker from your electric utility company knocks on your front door and says he needs to enter your house to check your usage meter.
  3. Rather than letting him in, you ask for his employee ID number and politely close the door for a few moments.
  4. You open the phone book, find the authoritative phone number for the utility company's headquarters, and call them on the phone.
    5. -
  5. After being transferred to the customer service department, you ask if a rep with that particular ID number is authorized to be visiting your house.
    6. -
  6. The company tells you that the rep is authorized, so you thank them and hang up.
    7. -
  7. You then reopen the front door and allow the rep to enter your house.
    8. +
  8. After being transferred to the customer service department, you ask if a worker with that particular ID number is authorized to be visiting your house.
    9. +
  9. The company tells you that the worker is authorized, so you thank them and hang up.
    10. +
  10. You then reopen the front door and allow the worker to enter your house.
-

In Server Dialback, the equivalent of the utility company representative is the ORIGINATING SERVER, i.e., the machine that wants to send a message to an entity at a destination domain and thus is attempting to establish a connection between the two servers. The equivalent of the person at the house is the RECEIVING SERVER, i.e., the machine to which the originating server has opened a connection for the purpose of sending the message and thus is trying to authenticate that the Originating Server represents the domain which it claims to be. And the equivalent of the company headquarters is the AUTHORITATIVE SERVER, i.e., the machine that answers to a DNS lookup for the domain asserted by the originating server (which is not necessarily the machine associated with the originating server); for basic environments this will be the Originating Server, but it could be a separate machine in the Originating Server's network (where "network" is defined by knowledge of a shared secret for verification of dialback keys).

+

In Server Dialback, the equivalent of the utility company worker is the ORIGINATING SERVER, i.e., the machine that wants to send a message from an entity at the SENDER DOMAIN to an entity at the TARGET DOMAIN and thus is attempting to establish a connection between the two servers. The equivalent of the person at the house is the RECEIVING SERVER, i.e., the machine to which the Originating Server has opened a connection for the purpose of sending a message from the Sender Domain to the Target Domain (and thus the machine that is trying to verify that the Originating Server represents the Sender Domain). And the equivalent of the company headquarters is the AUTHORITATIVE SERVER, i.e., the machine that is discovered from a DNS lookup for the Sender Domain; for basic environments this will be the Originating Server, but it could be a separate machine in the Originating Server's network (where "network" is defined by knowledge of a shared secret for verification of dialback keys).

The basic flow of events in Server Dialback is as follows:

    -
  1. The Originating Server performs a DNS lookup on the hostname of the Receiving Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Receiving Server.
    2. -
  2. The Originating Server generates a dialback key and sends that value over its XML stream with the Receiving Server.
    3. -
  3. The Receiving Server does not immediately accept the connection but instead performs a DNS lookup on the hostname of the Authoritative Server, opens a TCP connection to the discovered IP address and port, and establishes an XML stream with the Authoritative Server.
    4. -
  4. The Receiving Server sends the same dialback key over its XML stream with the Authoritative Server for verification.
    5. -
  5. The Authoritative Server replies that the key is valid or invalid.
    6. +
  6. The Originating Server generates a dialback key and sends that value over its XML stream with the Receiving Server. (If the Originating Server does not yet have an XML stream to the Receiving Server, it will first need to perform a DNS lookup on the Target Domain and thus discover the Receiving Server, open a TCP connection to the discovered IP address and port, and establish an XML stream with the Receiving Server.)
    7. +
  7. Instead of immediately accepting XML stanzas on the connectiom from the Originating Server, the Receiving Server sends the same dialback key over its XML stream with the Authoritative Server for verification. (If the Receiving Server does not yet have an XML stream to the Authoritative Server, it will first need to perform a DNS lookup on the Sender Domain and thus discover the Authoritative Server, open a TCP connection to the discovered IP address and port, and establish an XML stream with the Authoritative Server.)
    8. +
  8. The Authoritative Server informs the Receiving Server whether the key is valid or invalid.
  9. The Receiving Server informs the Originating Server whether its identify has been verified or not.
+

After step 4, the Originating Server is authorized to send stanzas from the Sender Domain to the Target Domain as communicated in the 'to' and 'from' attributes of the dialback negotiation. In addition to a weak identity verification of the Sender Domain, this also ensures that the Receiving Server is accepting stanzas for the Target Domain.

We can represent this flow of events graphically as follows.

+ | - | | Authoritative - | send dialback key | Server - | ----------------------> | ------------- - | | | - | | perform DNS lookup, | - | | open TCP connection, | - | | and establish stream | - | | ----------------------> | - | | | - | | send verify request | - | | ----------------------> | - | | | - | | send verify response | - | | <---------------------- | - | | - | report dialback result | - | <---------------------- | - | | + | | + | [if necessary, | + | perform DNS lookup | + | on Target Domain, | + | open TCP connection, | + | and establish stream] | + | -----------------------> | + | | Authoritative + | send dialback key | Server + | -------(STEP 1)--------> | ------------- + | | | + | | [if necessary, | + | | perform DNS lookup, | + | | on Sender Domain, | + | | open TCP connection, | + | | and establish stream] | + | | -----------------------> | + | | | + | | send verify request | + | | -------(STEP 2)--------> | + | | | + | | send verify response | + | | <------(STEP 3)--------- | + | | + | report dialback result | + | <-------(STEP 4)-------- | + | | ]]> -

Note: In Steps 1 and 3, it is not always necessary to open a new TCP connection and establish a new stream; for details, see the section on Reuse of Negotiated Connections ("Piggybacking").

 - - -

This section describes the detailed protocol interaction between the Originating Server, the Receiving Server, and the Authoritative Server.

-

The examples in this section use the following domain names, IP addresses, stream IDs, and shared secret:

+

This section describes the protocol in detail.

+

Assumptions used in the examples:

    -
  • The Originating Server is "example.org" (there is no IP address associated with this domain since it is merely asserted by the Originating Server).
    • -
  • The Receiving Server is "xmpp.example.com" and the discovered IP address for the XMPP service at that domain is "192.0.2.1" or "192.0.2.2" (see below).
    • -
  • The Authoritative Server is "example.org" and the discovered IP address for the XMPP service at that domain is "192.0.2.23".
    • -
  • The stream ID of the stream from the Originating Server to the Receiving Server is "D60000229F".
    • -
  • The shared secret known by the Authoritative Server's network is "s3cr3tf0rd14lb4ck".
    • +
  • The Sender Domain is "sender.tld". A DNS lookup on this domain resolves to the machine "authority.sender.tld".
    • +
  • The Target Domain is "target.tld". A DNS lookup on this domain resolves to the machine "receiver.target.tld".
    • +
  • The stream ID of the stream from the Originating Server (some IP address) to the Receiving Server (receiver.target.tld) is "D60000229F".
    • +
  • The stream ID of the stream from the Receiving Server (receiver.target.tld) to the Authoritative Server (authority.sender.tld) is "417GAF25".
    • +
  • The shared secret of the Sender Domain (sender.tld) is "s3cr3tf0rd14lb4ck".
    • +
  • The shared secret of the Target Domain (target.tld) is "d14lb4ck43v3r".
-

To assist the reader, the following conventions are used to clarify the flow of packets:

-
    -
  • "O2R:" -- packets sent from the Originating Server to the Receiving Server.
    • -
  • "R2O:" -- packets sent from the Receiving Server to the Originating Server.
    • -
  • "R2A:" -- packets sent from the Receiving Server to the Authoritative Server.
    • -
  • "A2R:" -- packets sent from the Authoritative Server to the Receiving Server.
    • -
-

Note: Any error that occurs during dialback negotiation MUST be considered a stream error, resulting in termination of the stream and potentially of the underlying TCP connection. The possible error conditions are specified in the protocol description below.

-

The flow of events is as follows.

+

Note: All XML elements qualified by the Server Dialback namespace MUST be prefixed with the namespace prefix for the 'jabber:server:dialback' namespace as advertised on the stream header originally sent by the entity sending the element. RFC 3920 stipulated that "an implementation SHOULD generate only the 'db:' prefix for such elements and MAY accept only the 'db:' prefix." This restriction was included for the sake of backward compatibility with the jabberd 1.x codebase and is no longer necessary.

+

Section 2.1 describes the protocol from the point of view of an active, outgoing connection from the Originating Server. Section 2.2 describes the protocol from the point of view of an incoming connection on the Receiving Server. Note that both parts can be implemented, tested, and used separately.

- - - -

Before opening a TCP connection to the Receiving Server, the Originating Server first needs to determine the appropriate IP address and port at which to connect. This is done by resolving the Receiving Server's hostname ("xmpp.example.com") using the Domain Name System. As described in XMPP Core, the Originating Server will first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.com has the following records in its DNS configuration:

- -

These records show that server-to-server connections for the XMPP service "xmpp.example.com" are serviced by two machines: x1.example.com at port 5269 and x2.example.com at port 9625.

-

Based on the SRV record weights, the Originating Server would then attempt to resolve one of these machines further. Here the Originating Server resolves x2.example.com, for which a standard A lookup yields an IP address of "192.0.2.2".

-

Note: As described in XMPP Core, if the Receiving Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Receiving Server the Originating Server can fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.

- - - -

Once the Originating Server has resolved "xmpp.example.com" to an IP address of 192.0.2.2 and port of 9625, it opens a TCP connection to that IP and port.

-

Note: Instead of opening a new TCP connection to the Receiving Server, the Originating Server MAY reuse an existing TCP connnection; for details, see the Reuse of Negotiated Connections ("Piggybacking") section of this document.

- - - -

Once the Originating Server has opened a TCP connection to the resolved IP address and port of the Receiving Server, it sends an initial stream header to the Receiving Server as described in XMPP Core.

- - ]]> -

In addition to the core XMPP rules regarding initial stream headers, the following dialback-related rules apply to the initial stream header:

-
    -
  1. It MUST include a declaration for the Server Dialback namespace.
    2. -
  2. The Server Dialback namespace MUST be 'jabber:server:dialback'.
    3. -
  3. The prefix for the Server Dialback namespace SHOULD be 'db:'.
    4. -
-

Until the initial stream has been validated, the Originating Server MUST NOT send any further XML data to the Receiving Server over that stream.

-

Note: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.

- - - -

When the Receiving Server receives the initial stream header from the Originating Server, it MUST proceed as follows.

- -

If the Receiving Server can successfully process the initial stream header, it MUST return a response stream header to the Originating Server over the same TCP connection.

- - ]]> -

In addition to the core XMPP rules regarding response stream headers, the following dialback-related rules apply to the response stream header:

-
    -
  1. If the initial stream header included a Server Dialback namespace declaration and the Receiving Server supports the Server Dialback protocol, the response stream header also MUST include a declaration for the Server Dialback namespace.
    2. -
  2. If the initial stream header did not include a Server Dialback namespace declaration and the Receiving Server supports the Server Dialback protocol, the response stream header MAY include a Server Dialback namespace declaration.
    3. -
  3. If the response stream header includes a Server Dialback namespace declaration, the Server Dialback namespace MUST be 'jabber:server:dialback' and the prefix for the Server Dialback namespace SHOULD be 'db:'.
    4. -
-

After sending the response stream header, the Receiving Server also sends stream features to the Originating Server. The Receiving Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.

- - - - - - ]]> -

Note: Typically, Server Dialback negotiation is required for server-to-server communication unless SASL is used for strong authentication.

- - -

There are several reasons why the Receiving Server's processing of the initial stream header might fail:

-
    -
  1. The Server Dialback namespace name provided by the Originating Server is incorrect.
    2. -
  2. The Server Dialback namespace prefix provided by the Originating Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).
    3. -
  3. The value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server.
    4. -
  4. The Receiving Server does not accept communication with the hostname of the 'from' address provided by the Originating Server.
    5. -
-

These error cases are described more fully in the remainder of this section.

-

If the Server Dialback namespace name is incorrect, then the Receiving Server SHOULD generate an <invalid-namespace/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

If the Server Dialback namespace prefix is not supported by the Receiving Server, then the Receiving Server SHOULD generate a <bad-namespace-prefix/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

If the value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server, then the Receiving Server SHOULD generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

If the Receiving Server does not allow communication with the hostname of the 'from' address provided by the Originating Server, then the Receiving Server SHOULD generate a <not-authorized/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

Note Well: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).

- - - - - -

When the Originating Server receives the response stream header from the Receiving Server, it MUST proceed as follows.

- - -

If the response stream header can be successfully processed, the Originating Server MUST generate and send a dialback key as described under Generation and Exchange of Dialback Key.

- - - -

There are several reasons why the Originating Server's processing of the response stream header and stream features might fail:

-
    -
  1. The Server Dialback namespace name provided by the Receiving Server is incorrect.
    2. -
  2. The Server Dialback namespace prefix provided by the Receiving Server is not supported by the Originating Server (note: an implementation MAY accept only the 'db:' namespace prefix).
    3. -
  3. The value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Originating Server.
    4. -
  4. The Originating Server does not accept communication with the hostname of the 'from' address provided by the Receiving Server.
    5. -
  5. The Receiving Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature.
    6. -
-

These error cases are described more fully in the remainder of this section.

-

If the Server Dialback namespace name is incorrect, then the Originating Server SHOULD generate an <invalid-namespace/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -O2R: - ]]> -

If the Server Dialback namespace prefix is not supported by the Originating Server, then the Originating Server SHOULD generate a <bad-namespace-prefix/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -O2R: - ]]> -

If the value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Originating Server, then the Originating Server SHOULD generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -O2R: - ]]> -

If the Originating Server does not allow communication with the hostname of the 'from' address provided by the Receiving Server, then the Originating Server SHOULD generate a <not-authorized/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -O2R: - ]]> -

Note Well: The foregoing error flows specify that the Originating Server SHOULD return a stream error. However, depending on local security policies, the Originating Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).

-

If the Receiving Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Originating Server's attempt to negotiate Server Dialback also fails.

-

Note Well: In all of the foregoing error cases, the Originating Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &timeout; stanza error to the local entity that generated the stanza that triggered the Server Dialback negotiation attempt in the first place (if any).

- - - - - - - - - -

Once the Originating Server has established an XML stream with the Receiving Server, it MUST generate a dialback key for verification by the Authoritative Server.

-

The method for generating (and verifying) the keys used in Server Dialback MUST take into account the following pieces of information:

-
    -
  • the hostname of the Originating Server
    • -
  • the hostname of the Receiving Server
    • -
  • the Stream ID
    • -
  • a shared secret known by the Authoritative Server's network
    • -
-

The stream ID is security-critical in Server Dialback and therefore MUST be both unpredictable and non-repeating (see &rfc4086; for recommendations regarding randomness for security purposes).

-

It is RECOMMENDED for the dialback key to be the hexadecimal representation of a Keyed-Hash Message Authentication Code (see &nistfips198a;) generated using the SHA256 hashing algorithm (see &nistfips180-2;), as follows.

- -

The shared secret SHOULD either be set up in a configuration option for each host or process within the Authoritative Server's network or generated as a random string when starting each host or process. The secret's length SHOULD be at least 128 bits or 16 characters long.

-

Consider the following scenario:

-
    -
  • The Originating Server is "example.org"
    • -
  • The Receiving Server is "xmpp.example.com"
    • -
  • The Stream ID is "D60000229F"
    • -
  • The secret is "s3cr3tf0rd14lb4ck"
    • -
-

The resulting dialback key would be:

- - - - -

Once the Originating Server has processed the response stream header from the Receiving Server and has generated a dialback key for verification by the Receiving Server, it MUST then send that key to the Receiving Server. This is done by creating a <db:result/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Originating Server and MUST possess a 'to' attribute whose value is the hostname of the Receiving Server.

-

Note: All XML elements qualified by the Server Dialback namespace MUST be prefixed with the namespace prefix advertised on the stream header originally sent by the entity sending the element.

- + +

Dialback usually takes place after the TCP connection and the XML stream to the Receiving Server have been established, but the Originating Server has not yet provided identification. Apart from reusing connections this can also happen if the stream was first used to send a verification request to the Authoritative Server. This section describes the handling of an outgoing connection from the Sender Domain 'sender.tld' to the Target Domain 'target.tld'.

+ +

This subsection describes the interaction between the Originating Server and the Receiving Server, from the perspective of the Originating Server.

+

When the Originating Server has stanzas to send for the domain pair (Sender Domain/Target Domain), does not have a verified connection, or is currently attempting to get a verified connection for this domain pair, it sends a new dialback key to the Receiving Server.

+

This is done by creating a <db:result/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the Sender Domain and MUST possess a 'to' attribute whose value is the Target Domain.

+ 37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643 ]]> - - - -

When the Receiving Server receives the dialback key, it MUST proceed as follows.

- -

If the dialback key can be successfully processed, the Receiving Server MUST attempt to open a connection to the Authoritative Server and then ask the Authoritative Server to validate the key provided by the Originating Server, as described in under Stream Setup Between Receiving Server and Authoritative Server.

-

Note: The dialback key is not examined by the Receiving Server, since the key is validated by the Authoritative Server.

- - - -

There are several reasons why the Receiving Server's processing of the dialback key might fail:

-
    -
  1. The Server Dialback namespace prefix provided by the Originating Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).
    2. -
  2. The value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server.
    3. -
  3. The Receiving Server does not accept communication with the hostname of the 'from' address provided by the Originating Server.
    4. -
-

These error cases are described more fully in the remainder of this section.

-

If the Server Dialback namespace prefix is not supported by the Receiving Server, then the Receiving Server SHOULD generate a <bad-namespace-prefix/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

If the value of the 'to' address provided by the Originating Server does not match a hostname serviced by the Receiving Server, then the Receiving Server SHOULD generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: +

The key sent is generated as described in &xep0185;:

+ +key = HMAC-SHA256( + SHA256('s3cr3tf0rd14lb4ck'), + {'target.tld', ' ', 'sender.tld', ' ', 'D60000229F'} + ) + +

Note: the Receiving Server MAY use any method to determine the validity of the dialback key and the identity of the Originating Sever. The Originating Server MUST NOT make any assumptions about how the Receiving Server verifies the key. This includes the assumption that the key is ever verified by the Receiving Server.

+

After that, the Originating Server waits for the verification result. Any stanzas for this domain pair have to be queued. The Originating Server MUST NOT attempt to reverify this domain pair on this connection.

+

Note: While waiting for the verification result, the Originating Server SHOULD continue to send stanzas for any pair of domains that have been verified on that connection. It MAY send out additional dialback keys for different domain pairs and issue dialback verification requests as described in section 2.1.2. To avoid Denial-of-Service attacks, the Originating Server MAY impose a timeout on key verification.

+

If the stream or the underlying TCP connection is closed by the remote side while waiting for the verification result, this is to be handled similar to receiving a negative result as described below.

+

After the Receiving Server has verified the request, the Originating Server receives the verification result.

+ ]]> -

If the Receiving Server does not allow communication with the hostname of the 'from' address provided by the Originating Server, then the Receiving Server SHOULD generate a <not-authorized/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2O: - ]]> -

Note Well: In all of the foregoing error cases, the Originating Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &timeout; stanza error to the local entity that generated the stanza that triggered the Server Dialback negotiation attempt in the first place (if any).

- - - - - - - - - -

Before opening a TCP connection to the Authoritative Server, the Receiving Server first needs to determine the appropriate IP address and port at which to connect. This is done by resolving the Authoritative Server's hostname ("example.org") using the Domain Name System. As described in XMPP Core, the Receiving Server will first attempt to resolve a TCP service of _xmpp-server for that hostname using DNS SRV records. Here we assume that example.org has the following records in its DNS configuration:

- ]]> -

These records show that server-to-server connections for the XMPP service "example.org" are serviced by the physical machine foo.example.org at port 5269.

-

The Receiving Server would then resolve that machine to an IP address, in this case "192.0.2.23".

-

Note: As described in XMPP Core, if the Authoritative Server does not provide appropriate DNS SRV records then in order to resolve the hostname of the Authoritative Server the Receiving Server can fall back to normal IPv4/IPv6 address record resolution to determine the IP address and assume a port of 5269 as registered with the IANA.

- - - -

Once the Receiving Server has resolved "example.org" to an IP address of 192.0.2.23 and port of 5269, it opens a TCP connection to that IP and port.

-

Note: Instead of opening a new TCP connection to the Authoritative Server, the Receiving Server MAY reuse an existing TCP connnection; for details, see the Reuse of Negotiated Connections ("Piggybacking") section of this document.

- - - -

Once the Receiving Server has opened a TCP connection to the resolved IP address and port of the Authoritative Server, it sends an initial stream header to the Authoritative Server as described in XMPP Core.

- +

If the value of the 'type' attribute is "valid", then the connection between the domain pair is considered verified and the Originating Server can send any queued stanzas. If the value of the 'type' attribute is "invalid", this means that the Originating Server's identity (as valid for the Sender Domain) could not be verified by the Receiving Server. Queued stanzas MUST be bounced back to the respective senders with a <internal-server-error> stanza error and the underlying stream MAY be closed unless it is being used by other domain pairs.

+ +

If the value of the 'type' attribute is "error", this indicates a problem which is not related to the validity of the dialback key provided. The error conditions are explained in detail in section 2.4. Such an error is to be considered non-fatal for the XML stream, but queued stanzas MUST be bounced to the respective senders with a &timeout; stanza error.

+ + + + + ]]> -

In addition to the core XMPP rules regarding initial stream headers, the following dialback-related rules apply to the initial stream header:

-
    -
  1. It MUST include a declaration for the Server Dialback namespace.
    2. -
  2. The Server Dialback namespace MUST be 'jabber:server:dialback'.
    3. -
  3. The prefix for the Server Dialback namespace SHOULD be 'db:'.
    4. -
-

Note: An implementation MAY accept only the 'db:' namespace prefix.

 - -

When the Authoritative Server receives the initial stream header from the Receiving Server, it MUST proceed as follows.

- -

If the Authoritative Server can successfully process the initial stream header, it MUST return a response stream header to the Receiving Server over the same TCP connection.

- - ]]> -

In addition to the core XMPP rules regarding response stream headers, the following dialback-related rules apply to the response stream header:

-
    -
  1. If the initial stream header included a Server Dialback namespace declaration and the Authoritative Server supports the Server Dialback protocol, the response stream header also MUST include a declaration for the Server Dialback namespace.
    2. -
  2. If the initial stream header did not include a Server Dialback namespace declaration and the Authoritative Server supports the Server Dialback protocol, the response stream header MAY include a Server Dialback namespace declaration.
    3. -
  3. If the response stream header includes a Server Dialback namespace declaration, the Server Dialback namespace MUST be 'jabber:server:dialback' and the prefix for the Server Dialback namespace SHOULD be 'db:'.
    4. -
-

After sending the response stream header, the Authoritative Server also sends stream features to the Receiving Server. The Authoritative Server SHOULD include the dialback feature in its initial stream features advertisement, including an indication of whether Server Dialback negotiation is optional or required.

- - - - - - ]]> - - -

There are several reasons why the Authoritative Server's processing of the initial stream header might fail:

-
    -
  1. The Server Dialback namespace name provided by the Receiving Server is incorrect.
    2. -
  2. The Server Dialback namespace prefix provided by the Receiving Server is not supported by the Authoritative Server (note: an implementation MAY accept only the 'db:' namespace prefix).
    3. -
  3. The value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server.
    4. -
  4. The Authoritative Server does not accept communication with the hostname of the 'from' address provided by the Receiving Server.
    5. -
-

These error cases are described more fully in the remainder of this section.

-

Note Well: If

- - -

If the Server Dialback namespace name is incorrect, then the Authoritative Server SHOULD generate an <invalid-namespace/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

If the Server Dialback namespace prefix is not supported by the Authoritative Server, then the Authoritative Server SHOULD generate a <bad-namespace-prefix/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

If the value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server, then the Authoritative Server SHOULD generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

If the Authoritative Server does not allow communication with the hostname of the 'from' address provided by the Receiving Server, then the Authoritative Server SHOULD generate a <not-authorized/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

Note Well: The foregoing error flows specify that the Authoritative Server SHOULD return a stream error. However, depending on local security policies, the Authoritative Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).

- - - - - -

When the Receiving Server receives the response stream header from the Authoritative Server, it MUST proceed as follows.

- - -

If the response stream header can be successfully processed, the Receiving Server MUST send the dialback key it received from the Originating Server as described under Exchange of Verification Request between Receiving Server and Authoritative Server.

- - - -

There are several reasons why the Receiving Server's processing of the response stream header and stream features might fail:

-
    -
  1. The Server Dialback namespace name provided by the Authoritative Server is incorrect.
    2. -
  2. The Server Dialback namespace prefix provided by the Authoritative Server is not supported by the Receiving Server (note: an implementation MAY accept only the 'db:' namespace prefix).
    3. -
  3. The value of the 'to' address provided by the Authoritative Server does not match a hostname serviced by the Receiving Server.
    4. -
  4. The Receiving Server does not accept communication with the hostname of the 'from' address provided by the Authoritative Server.
    5. -
  5. The Authoritative Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature.
    6. -
-

These error cases are described more fully in the remainder of this section.

-

If the Server Dialback namespace name is incorrect, then the Receiving Server SHOULD generate an <invalid-namespace/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

If the Server Dialback namespace prefix is not supported by the Receiving Server, then the Receiving Server SHOULD generate a <bad-namespace-prefix/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

If the value of the 'to' address provided by the Authoritative Server does not match a hostname serviced by the Receiving Server, then the Receiving Server SHOULD generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

If the Receiving Server does not allow communication with the hostname of the 'from' address provided by the Authoritative Server, then the Receiving Server SHOULD generate a <not-authorized/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

Note Well: The foregoing error flows specify that the Receiving Server SHOULD return a stream error. However, depending on local security policies, the Receiving Server MAY silently terminate the XML stream and underlying TCP connection instead of returning a stream error (e.g., to prevent certain denial of service attacks).

-

If the Authoritative Server does not advertise support for Server Dialback via a Server Dialback namespace declaration or stream feature, then the Receiving Server's attempt to request verification of the Originating Server's dialback key also fails.

-

Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.

- - - - -R2O: - ]]> - - - - - - - - -

Once the Receiving Server has established an XML stream with the Authoritative Server, it MUST send to the Authoritative Server the dialback key it received from the Originating Server. This is done by creating a <db:verify/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Receiving Server, MUST possess a 'to' attribute whose value is the hostname of the Originating Server, and MUST possess an 'id' attribute whose value is the stream identifier from the Receiving Server's response stream header to the Originating Server.

-

Note: All XML elements qualified by the Server Dialback namespace MUST be prefixed with the namespace prefix advertised on the stream header originally sent by the entity sending the element.

- - 37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643 + +

This subsection describes the interaction between the Receiving Server and the Authoritative Server, from the perspective of the Receiving Server.

+

To determine the validity of a dialback key, the Receiving Server needs to establish communications with the Authoritative Server. To do so, either it can reuse an existing XML stream or it needs to establish a new connection. To establish a new connection, the Receiving Server performs a DNS lookup on the Sender Domain, thus finding the IP address and port for server-to-server communication at an authoritative machine for the Sender Domain (here the machine is authority.sender.tld).

+

After the XML stream is established from the Receiving Server to the Authoritative Server, the Receiving Server sends a verification request for the domain pair. This is done by creating a <db:verify/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the Target Domain, MUST possess a 'to' attribute whose value is the Sender Domain as provided in the 'from' attribute of step 1, and MUST possess an 'id' attribute whose value is the stream identifier from the Receiving Server's response stream header to the Originating Server. The combination of 'from', 'to', and 'id' attributes makes it possible for the Receiving Server to uniquely identify the TCP connection on which it received the original request in step 1.

+

Note: An implementation can open a separate connection to the Authoritative Server for the sole purpose of doing key verification.

+ + 38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869 ]]> - - - - - -

If the verification request can be successfully processed, the Authoritative Server MUST validate the dialback key it received from the Receiving Server as described under Validation of Dialback Key by Authoritative Server.

- - - -

There are several reasons why the Authoritative Server's processing of the verification request might fail:

-
    -
  1. The value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server's network.
    2. -
  2. The value of the 'from' address provided by the Receiving Server does not match the hostname sent by the Receiving Server in the 'from' address of the initial stream header it sent to the Authoritative Server.
    3. -
-

These error cases are described more fully in the remainder of this section.

-

If the value of the 'to' address provided by the Receiving Server does not match a hostname serviced by the Authoritative Server's network, then the Authoritative Server MUST generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

If the value of the 'from' address provided by the Receiving Server does not match the hostname sent by the Receiving Server in the 'from' address of the initial stream header it sent to the Authoritative Server, then the Authoritative Server MUST generate an <invalid-from/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -A2R: - ]]> -

Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.

- - - - -R2O: - ]]> - - - - - - - - - -

If the Authoritative Server can successfully process the verification request, it MUST determine whether the key is valid or invalid.

-

The key shall be considered valid if the Authoritative Server determines that the key matches the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.

-

The key shall be considered invalid if the Authoritative Server determines that the key does not match the output it would have produced using its key generation algorithm with the inputs specified in the XML attributes of the verification request along with its shared secret.

- - - -

Once the Authoritative Server determines whether the key is valid or invalid, it MUST inform the Receiving Server of its determination. This is done by creating a <db:verify/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Originating Server, MUST possess a 'to' attribute whose value is the hostname of the Receiving Server, MUST possess an 'id' attribute whose value is the stream identifier from the Receiving Server's response stream header to the Originating Server as communicated in the verification request, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

- - 37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643 +

After that, the Receiving Server waits for the verification result. While doing so, it can still use the connection to send any valid stanzas or dialback packets.

+ ]]>

Or:

- - 37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643 + ]]> +

In addition to the values "valid" and "invalid", the 'type' attribute can also have a value of "error"; see section 2.4 for a detailed explanation.

+ + + + + + + ]]> +

Note: if the underlying TCP connection is closed by the remote side while there are pending verification requests, those requests SHOULD be considered failed and therefore be treated like an error response.

+

After receiving the validation result from the Authoritative Server, the Receiving Server determines the incoming connection that the dialback key was originally received on. This connection is uniquely identified by the combination of the 'from', 'to', and 'id' attributes. If no incoming connection is found that matches this combination, the verification result can be dropped silently. If an incoming connection is found, the Receiving Server uses it to communicate the verification result to the Originating Server. A positive result indicates the willingness of the Receiving Server to accept stanzas from the Originating Server for this domain pair.

 - - - - -

If the validation result can be successfully processed, the Receiving Server MUST inform the Originating Server of the Server Dialback results described under Communication of Result from Receiving Server to Originating Server. The Receiving Server then SHOULD also terminate the XML stream and the underlying TCP connection between the Receiving Server and the Authoritative Server.

- - - -

There are several reasons why the Receiving Server's processing of the validation result might fail:

-
    -
  1. The value of the 'id' attribute does not match that provided by the Receiving Server in the verification request.
    2. -
  2. The value of the 'from' address does not match the hostname represented by the Originating Server in the 'from' address of the initial stream header it sent to the Receiving Server.
    3. -
  3. The value of the 'to' address does not match a hostname serviced by the Receiving Server.
    4. -
-

These error cases are described more fully in the remainder of this section.

-

If the value of the 'id' attribute does not match that provided by the Receiving Server in the verification request, then the Receiving Server MUST generate an <invalid-id/> stream error condition and terminate both the XML stream and the underlying TCP connection between it and the Authoritative Server.

- - - - -R2A: - ]]> -

The value of the 'from' address does not match the hostname represented by the Originating Server in the 'from' address of the initial stream header it sent to the Receiving Server, then the Receiving Server MUST generate an <invalid-from/> stream error condition and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

If the value of the 'to' address does not match a hostname serviced by the Receiving Server, then the Receiving Server MUST generate a <host-unknown/> or <host-gone/> stream error condition (as appropriate) and terminate both the XML stream and the underlying TCP connection.

- - - - -R2A: - ]]> -

Note: In all of the foregoing error cases, the Receiving Server SHOULD consider the Server Dialback negotiation attempt to have failed in an unrecoverable fashion and therefore it SHOULD return a &remoteconnection; stream error to the Originating Server.

- - - - -R2O: - ]]> - - - - - - - -

Once the Receiving Server successfully processes the validation result it received from the Authoritative Server, it informs the Originating Server of the result. This is done by creating a <db:result/> element whose XML character data is the dialback key; the element MUST possess a 'from' attribute whose value is the hostname of the Receiving Server, MUST possess a 'to' attribute whose value is the hostname of the Originating Server, MUST possess an 'id' attribute whose value is the stream identifier from the Receiving Server's response stream header to the Originating Server, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

- + +

This section describes the handling of an incoming connection from the Sender Domain 'sender.tld' to the Target Domain 'target.tld'.

+ +

This subsection describes the interaction between the Originating Server and the Receiving Server, from the perspective of the Receiving Server.

+ 37c69b1cf07a3f67c04a5ef5902fa5114f2c76fe4a2686482ba5b89323075643 ]]> +

This key MUST be verified before the Sender Domain ('sender.tld') is authorized to send stanzas. The verification process might fail prematurely, for example, if the Receiving Server's policy states that connections from the Sender Domain are not allowed.

+

The usual method for verifying that the Originating Server is authorized to send stanzas for the Sender Domain is to "dial back" the Authoritative Server for the Sender Domain and asking it to validate the dialback key which is contained in the XML character data of the request. Other methods can be used for verifying the identity of the Originating Server, but are out of scope for this document.

+

Note: the Receiving Server MUST continue to accept and process stanzas for already verified domain pairs, and MUST continue to process both <db:result/> and <db:verify/> elements.

+

If the Target Domain as given in the 'to' attribute of the element is not a configured domain of the Receiving Server, this results in a dialback error. This error, which is explained further in section 2.4, is not a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which might already be used for sending XML stanzas for other domain pairs.

+ + + + + + ]]> +

After the validity of the key has been established (for example, by the Authoritative Server), the domain pair is to be considered as verified and the Receiving Server MUST accept stanzas from the Originating Server.

+

In addition, the Originating Server is notified of the result. This is done by creating a <db:result/> element which MUST possess a 'from' attribute whose value is the Target Domain, MUST possess a 'to' attribute whose value is the Sender Domain, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

+ + ]]> +

Or:

+ + ]]> +

If the type is 'invalid', the Originating Server is attempting to spoof the Sender Domain. The Receiving Server MUST terminate the XML stream and the underlying TCP connection and SHOULD log the attempt.

 - - - -

If the Authoritative Server reported the dialback key as invalid, then the Receiving Server MUST terminate both the XML stream and the underlying TCP connection between itself and the Originating Server.

- - - -

If the Authoritative Server reported the dialback key as valid, the Receiving Server has verified the identity of the Originating Server. As a result, the Receiving Server can now accept XML stanzas from the Originating Server over the validated connection (i.e., over the "initial stream" from the Originating Server to the Receiving Server). However, in accordance with XMPP Core, the Receiving Server MUST follow the rules specified therein regarding inclusion and checking of 'from' and 'to' attributes on all XML stanzas it receives from the Originating Server. These checks help to prevent address spoofing.

-

Note Well: If the Receiving Server receives any XML stanzas from the Originating Server before the initial stream has been validated, the Receiving Server MUST silently drop those stanzas.

-

As mentioned, Server Dialback results in weak identity verification in one direction only (in the foregoing text, verification of the Originating Server by the Receiving Server). In order to proceed with bi-directional communication so that the Receiving Server can send XML stanzas to the Originating Server, the Receiving Server MUST now also initiate a dialback negotiation with the Originating Server (i.e., assume the role of an originating server in a new dialback negotiation).

- - + +

This subsection describes the interaction between the Receiving Server and the Authoritative Server, from the perspective of the Authoritative Server.

+ + 38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869 + + ]]> +

If the Target Domain as given in the 'to' attribute of the element does not match a configured local domain, this results in a dialback error. This error, which is explained further in section 2.4, is not a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which might already be used for sending XML stanzas for other domain pairs.

+ + + + + + ]]> +

Upon receiving this <db:verify/> element, the Authoritative Server determines the validity of the dialback key provided in the XML character data of the element. This can be achieved for example by comparing the character data with the output of applying the same key generation mechanism that was (presumably) used for the generation of the key, using as input the values of the 'from', 'to', and 'id' attributes contained in the verification request and the secret known only to the Sender Domain:

+ +key = HMAC-SHA256( + SHA256('d14lb4ck43v3r'), + { 'sender.tld', ' ', 'target.tld', ' ', '417GAF25'} + ) + = 38b501ec606752318f72ad53de17ac6d15f86257485b0d8f5d54e1f619e6b869 + +

The Authoritative Server then notifies the Receiving Server whether the key is valid. This is done by creating a <db:verify/> element which MUST possess 'from' and 'to' attributes whose values are swapped from the request, MUST possess an 'id' attribute whose value is copied from the 'id' value of the request, and MUST possess a 'type' attribute whose value is either "valid" or "invalid".

+ + ]]> +

Or:

+ + ]]> - - + +

Support for the server dialback protocol can be indicated in two ways:

+
    +
  • By inclusion of the server dialback feature in a given set of stream features.
    • +
  • By inclusion of the dialback namespace declaration in the stream header.
    • +
+

The former method is preferred, but the latter method is also specified herein for the purpose of backward-compatibility with older "XMPP 0.9" deployments.

+

The server dialback stream feature is advertised by including in any given set of stream features a <dialback/> element qualified by the 'urn:xmpp:features:dialback' namespace; the element MAY also include an empty <errors/> element, indicating that the entity sending the stream features supports graceful handling of dialback errors as described in section 2.4.

+ + + + + + + ]]> +

As mentioned, support for the server dialback protocol can also be advertised by including the dialback namespace declaration in a stream header.

+ + ]]> + + + +

RFC 3920 introduced stream errors for any errors related to dialback. However, this turned out to be overly aggressive, particulary if the XML stream was used to multiplex stanzas from more than one originating or receiving domain. Therefore this specification introduces a third value for the 'type' attribute, with the value "error"./

+

This usage of the 'error' value for the 'type' attribute is not backward compatible with RFC 3920. However, the server that generates the error SHOULD still attempt to send the dialback error instead of terminating the stream, as the worst thing that can happen is that the remote server terminates the stream if it does not understand the error. Those dialback errors are to be considered non-fatal for the XML stream, but queued stanzas MUST be bounced to the respective senders with a &timeout; stanza error. If the error is encountered in step 3, the Receiving Server must send an authoritative-host-unknown error to the Originating Server.

+

When the <db:verify/> or <db:result/> element is of type "error", the element MUST contain an <error/> element qualified by the 'jabber:server' namespace, i.e., a "stanza error" as specified in &xmppcore;. This specification re-uses the following stanza error conditions.

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
ConditionDescriptionWhen Occurs
¬found;The domain given in the 'to' attribute of the request is not hosted on the Receiving Server. The domain is used in the 'from' attribute nonetheless with the purpose of identifying the original request.Step 3 or 4
&remoteconnection;The Receiving Server was unable to establish a connection to the Authoritative Server and therefore could not validate the identity of the Originating Server.Step 4
&remoteserver;The Receiving Server encountered an ¬found; error condition or a 'host-unknown' stream error when attempting to contact the Authoritative Server.Step 4
&timeout;The Receiving Server encountered a problem with the connection to the Authoritative Server, for example if the Authoritative Server unexpectedly closed the stream without verifying the dialback key.Step 4
+ - -

After the Receiving Server has validated a connection from the Originating Server, the Originating Server might wish to reuse that connection for validation of additional domains. This feature is called PIGGYBACKING. Support for piggybacking is OPTIONAL.

-

One common motivation for such reuse is the existence of additional services associated with the Originating Server but hosted at subdomains of the Originating Server (the use of subdomains helps to ensure proper routing of XML stanzas to the hosted services). For example, the "example.org" XMPP server might host a groupchat service at "chat.example.org". In order to accept XML stanzas from rooms at "chat.example.org" intended for addresses at "xmpp.example.com", the "xmpp.example.com" domain will need to validate the "chat.example.org" domain (just as it already did for the "example.org" domain). Thus the "example.org" server would now initiate a dialback negotiation with "xmpp.example.com" but specify the Originating Server as "chat.example.org".

-

However, because the "example.org" server already has a validated connection open to the Receiving Server ("xmpp.example.com"), it MAY send a <db:result/> element with the key to be validated for the new Originating Server ("chat.example.org") over the XML stream that has already been negotiated, rather than opening a new TCP connection and XML stream.

- - 88a96894060d5f4258c37cd51b772e5a483430d8203f71d3782cac72a0866458 - - ]]> -

The Receiving Server SHOULD accept this <db:result/> element (as it did for the first <db:result/> element) and process it according to the rules already specified. If that process is successful, it would eventually result in sending of a <db:result/> element from the Receiving Server to the Originating Server.

- - 88a96894060d5f4258c37cd51b772e5a483430d8203f71d3782cac72a0866458 - - ]]> -

However, if the Receiving Server does not allow reuse of the existing connection, it MUST return an error of the following form to the Originating Server.

- - 88a96894060d5f4258c37cd51b772e5a483430d8203f71d3782cac72a0866458 - - ]]> -

Note: a <db:result/> element of type "error" MUST NOT be considered a stream error and therefore MUST NOT result in termination of the stream and the underlying TCP connection, which presumably is being used for sending XML stanzas from the Originating Server to the Receiving Server.

-

Note Well: Use of the "error" value was unspecified in RFC3920.

+ +

A single XML stream between Originating and Receiving Server can be used to multiplex stanzas for more than one domain pair. This usage is for historical reasons called "piggybacking". There are two variants of this:

+
    +
  • Origin Piggybacking, which employs different originating domains.
    • +
  • Destination Piggybacking, which employs different receiving domains.
    • +
+

The Originating Server SHOULD NOT use Destination Piggybacking unless the Receiving Server has signalled support for dialback error handling via <stream:features/>. The Originating Server MAY then attempt to multiplex a domain 'B' on the stream to the Receiving Server that is already used for domain 'A' if the hostname and port resolution results in the same IP address and port combination.

+

The Originating Server MAY use Origin Piggybacking even if the Receiving Server has not signalled support for graceful dialback error handling.

+ @@ -890,8 +459,13 @@ R2O: + +

Thanks to Dave Cridland, Joe Hildebrand, Justin Karneges, Nina Kirchner, Carlo von Loesch, Ralph Meijer, Rob Norris, Matthew Wild, and Matthias Wimmer for their comments.

+ + +

Note Well: the 'error' value for the 'type' attribute was added since RFC 3920.

@@ -931,6 +505,7 @@ R2O: + @@ -944,7 +519,7 @@ R2O: ]]> - + @@ -954,19 +529,17 @@ R2O: - + - - - - + + + + + + + - - - - - - + ]]>