Abstract: | This document proposes improvements to the XML stream features definition for inclusion in the specification that supersedes RFC 3920. |
Author: | Peter Saint-Andre |
Copyright: | © 1999 - 2011 XMPP Standards Foundation. SEE LEGAL NOTICES. |
Status: | Deprecated |
Type: | Standards Track |
Version: | 1.1 |
Last Updated: | 2011-05-11 |
WARNING: This document has been Deprecated by the XMPP Standards Foundation. Implementation of the protocol described herein is not recommended. Developers desiring similar functionality are advised to implement the protocol that supersedes this one (if any).
1. Introduction
2. Required Flag
3. Dialback Stream Feature
4. Security Considerations
5. IANA Considerations
6. XMPP Registrar Considerations
6.1. Stream Features
7. XML Schema
7.1. SASL Stream Feature
7.2. Resource Binding Stream Feature
7.3. Server Dialback Stream Feature
8. Acknowledgements
Appendices
A: Document Information
B: Author Information
C: Legal Notices
D: Relation to XMPP
E: Discussion Venue
F: Requirements Conformance
G: Notes
H: Revision History
RFC 3920 introduced the concept of stream features. Implementation experience has revealed several shortcomings in the current definition and usage of stream features:
Those shortcomings are addressed in this document, and the recommendations described herein have been incorporated into RFC 6120 [1].
The XMPP stream feature for Transport Layer Security (TLS) includes a <required/> child element that can be used to indicate that negotiation of TLS must be completed before proceeding with the rest of the stream negotiation. However, as defined in RFC 3920 the remaining stream features do not include the ability to flag that negotiation of the feature is required in order to (1) proceed with the negotiation or (2) begin sending XML stanzas. Because the non-TLS features lack a required flag, it is not possible for the initiating entity to know definitively how to proceed at any given stage in the stream negotiation, and the only way for the initiating entity to know whether it may begin sending XML stanzas is to attempt to send them (the receiving entity will return a <not-authorized/> stream error if not all required features have been negotiated). This state of affairs is suboptimal. Therefore, every stream feature must include the ability to flag the feature as required or not required. When the initiating entity receives a stream features element with no features containing a <required/> element, it knows thatt the receiving party will accept XML stanzas over the stream.
The following examples show a possible flow of stream negotiation between a client and a server, using the required flag for all but one of the features and following the order specified in Recommended Order of Stream Feature Negotiation [2]. (This example is more verbose than a typical stream negotiation flow, but is provided here for the sake of completeness.)
C: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_123' from='example.com' version='1.0'> S: <stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'> <required/> </starttls> </stream:features> C: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> S: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> [TLS negotiation] C: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='example.com' id='c2s_234' version='1.0'> S: <stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>EXTERNAL</mechanism> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> <required/> </mechanisms> </stream:features> C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg== </challenge> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo YXJzZXQ9dXRmLTgK </response> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo= </challenge> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> C: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_345' from='example.com' version='1.0'> S: <stream:features> <compression xmlns='http://jabber.org/features/compress'> <method>zlib</method> <required/> </compression> </stream:features> C: <compress xmlns='http://jabber.org/protocol/compress'> <method>zlib</method> </compress> S: <compressed xmlns='http://jabber.org/protocol/compress'/> C: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_456' from='example.com' version='1.0'> S: <stream:features> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <required/> </bind> </stream:features> C: <iq type='set' id='bind_1'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <resource>someresource</resource> </bind> </iq> S: <iq type='result' id='bind_1'> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'> <jid>somenode@example.com/someresource</jid> </bind> </iq>
As specified in RFC 3920, support for the server dialback protocol is currently adverised through inclusion of a dialback namespace prefix in the stream header:
<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='s2s_123'>
However, it is not clear if inclusion of the dialback namespace indicates that a server supports the server dialback protocol or that it requires negotiation of server dialback. To make this clear, we define a stream feature for server dialback:
<stream:features> <dialback xmlns='urn:xmpp:features:dialback'> <required/> </dialback> </stream:features>
Consider the following scenario, in which Server1 provides a self-signed certificate. According to Server2's local service policy, it does not consider self-signed certificates to be trustworthy and therefore requires negotiation of server dialback in this case.
S1: <stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S2: <stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' id='s2s_123' from='example.com' version='1.0'> S2: <stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'> <required/> </starttls> </stream:features> S2: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> [TLS negotiation with self-signed certificate] S1: <stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'> S2: <stream:stream xmlns='jabber:server' xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' from='example.com' id='c2s_234' version='1.0'> S2: <stream:features> <dialback xmlns='urn:xmpp:features:dialback'> <required/> </dialback> </stream:features> [Dialback negotiation]
The improvements described herein do not introduce any new security concerns above and beyond those defined in RFC 3920.
No interaction with the Internet Assigned Numbers Authority (IANA) [3] is required as a result of this document.
As specified in Server Dialback [4], the XMPP Registrar [5] includes a dialback stream feature of 'urn:xmpp:features:dialback' in its registry of stream features (see <http://xmpp.org/registrar/stream-features.html>).
Note: The following provisional schema is intended to replace the existing schema for the SASL stream feature.
<?xml version='1.0' encoding='UTF-8'?> <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:ietf:params:xml:ns:xmpp-sasl' xmlns='urn:ietf:params:xml:ns:xmpp-sasl' elementFormDefault='qualified'> <xs:element name='mechanisms'> <xs:complexType> <xs:sequence> <xs:element name='mechanism' maxOccurs='unbounded' type='xs:string'/> <xs:element name='required' minOccurs='0' maxOccurs='1' type='empty'/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name='auth'> <xs:complexType> <xs:simpleContent> <xs:extension base='xs:string'> <xs:attribute name='mechanism' type='xs:string' use='optional'/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name='challenge' type='xs:string'/> <xs:element name='response' type='xs:string'/> <xs:element name='abort' type='empty'/> <xs:element name='success' type='empty'/> <xs:element name='failure'> <xs:complexType> <xs:choice minOccurs='0'> <xs:element name='aborted' type='empty'/> <xs:element name='incorrect-encoding' type='empty'/> <xs:element name='invalid-authzid' type='empty'/> <xs:element name='invalid-mechanism' type='empty'/> <xs:element name='mechanism-too-weak' type='empty'/> <xs:element name='not-authorized' type='empty'/> <xs:element name='temporary-auth-failure' type='empty'/> </xs:choice> </xs:complexType> </xs:element> <xs:simpleType name='empty'> <xs:restriction base='xs:string'> <xs:enumeration value=''/> </xs:restriction> </xs:simpleType> </xs:schema>
Note: The following provisional schema is intended to replace the existing schema for the Resource Binding stream feature.
<?xml version='1.0' encoding='UTF-8'?> <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:ietf:params:xml:ns:xmpp-bind' xmlns='urn:ietf:params:xml:ns:xmpp-bind' elementFormDefault='qualified'> <xs:element name='bind'> <xs:complexType> <xs:sequence> <xs:choice minOccurs='0' maxOccurs='1'> <xs:element name='resource' type='resourceType'/> <xs:element name='jid' type='fullJIDType'/> </xs:choice> <xs:element name='required' minOccurs='0' maxOccurs='1' type='empty'/> </xs:choice> </xs:sequence> </xs:complexType> </xs:element> <xs:simpleType name='resourceType'> <xs:restriction base='xs:string'> <xs:minLength value='1'/> <xs:maxLength value='1023'/> </xs:restriction> </xs:simpleType> <xs:simpleType name='fullJIDType'> <xs:restriction base='xs:string'> <xs:minLength value='8'/> <xs:maxLength value='3071'/> </xs:restriction> </xs:simpleType> </xs:schema>
Note: The following defines a schema for the proposed Server Dialback stream feature.
<?xml version='1.0' encoding='UTF-8'?> <xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:xmpp:features:dialback' xmlns='urn:xmpp:features:dialback' elementFormDefault='qualified'> <xs:element name='dialback'> <xs:complexType> <xs:sequence> <xs:element name='required' minOccurs='0' maxOccurs='1' type='empty'/> </xs:sequence> </xs:complexType> <xs:simpleType name='empty'> <xs:restriction base='xs:string'> <xs:enumeration value=''/> </xs:restriction> </xs:simpleType> </xs:schema>
Thanks to Ralph Meijer and Joe Hildebrand for their comments.
Series: XEP
Number: 0192
Publisher: XMPP Standards Foundation
Status:
Deprecated
Type:
Standards Track
Version: 1.1
Last Updated: 2011-05-11
Approving Body: XMPP Council
Dependencies: XMPP Core
Supersedes: None
Superseded By: None
Short Name: N/A
Source Control:
HTML
This document in other formats:
XML
PDF
Email:
stpeter@jabber.org
JabberID:
stpeter@jabber.org
URI:
https://stpeter.im/
The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 3920) and XMPP IM (RFC 3921) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.
The primary venue for discussion of XMPP Extension Protocols is the <standards@xmpp.org> discussion list.
Discussion on other xmpp.org discussion lists might also be appropriate; see <http://xmpp.org/about/discuss.shtml> for a complete list.
Errata can be sent to <editor@xmpp.org>.
The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".
1. RFC 6120: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/rfc6120>.
2. XEP-0170: Recommended Order of Stream Feature Negotiation <http://xmpp.org/extensions/xep-0170.html>.
3. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.
4. XEP-0220: Server Dialback <http://xmpp.org/extensions/xep-0220.html>.
5. The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <http://xmpp.org/registrar/>.
Note: Older versions of this specification might be available at http://xmpp.org/extensions/attic/
Per a vote of the XMPP Council, changed specification to Deprecated because the recommendations described in this document were not incorporated into RFC 6120.
(psa)Per a vote of the XMPP Council, advanced specification to Draft; XMPP Registrar assigned urn:xmpp:features:dialback as namespace for dialback stream feature.
(psa)Removed session establishment examples and text; specified that namespace for dialback stream feature shall be issued by the XMPP Registrar.
(psa)Initial version.
(psa)First draft.
(psa)END