draft-ietf-nntpext-base-08.txt / draft-ietf-nntpext-base-09.txt

INTERNET DRAFT                                         S. Barber
Expires: February 10, 2000 (draft-08) / May 14, 2000 (draft-09)
                                     Academ Consulting Services
August 1999 (draft-08) / November 1999 (draft-09)

Network News Transport Protocol
draft-ietf-nntpext-base-08.txt / draft-ietf-nntpext-base-09.txt

Side-by-side comparison of the two drafts. Text the drafts share is shown once; where they differ, the text is labeled (draft-08) or (draft-09). Unchanged stretches between the compared regions are omitted and marked "skipping to change at ...".
1. Status of this Document

This document is an Internet-Draft and is in full conformance with Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft shadow directories can be accessed at http://www.ietf.org/shadow.html.

This section will be updated with the appropriate verbiage from RFC 2223 should this document be found ready for publication as an RFC.

This document is a product of the NNTP Working Group, chaired by Ned Freed and Stan Barber.
2. Abstract
skipping to change at page 6, line 11 (both drafts)
appropriate.
5. The WILDMAT format

The WILDMAT format[5] described here is based on the version first developed by Rich Salz which was derived from the format used in the UNIX "find" command to articulate file names. It was developed to provide a uniform mechanism for matching patterns in the same manner that the UNIX shell matches filenames. Patterns are implicitly anchored at the beginning and end of each string when testing for a match. There are five pattern-matching operations other than a strict one-to-one match between the pattern and the source to be checked for a match. The first is an asterisk (*) to match any sequence of zero or more UTF-8 characters. The second is a question mark (?) to match any single UTF-8 character. The third specifies a specific set of characters. The set is specified as a list of characters, or as a range of characters where the beginning and end of the range are separated by a minus (or dash) character, or as any combination of lists and ranges. The dash can also be included in the set as a character if it is the beginning or end of the set. This set is enclosed in square brackets. The close square bracket (]) may be used in a set if it is the first character in the set. The fourth operation is the same as the logical not of the third operation and is specified the same way as the third with the addition of a caret character (^) at the beginning of the test string just inside the open square bracket. The final operation uses the backslash character to invalidate the special meaning of the open square bracket ([), the asterisk, backslash, or the question mark. The meaning of the backslash operator cannot be negated by the exclamation point. Two backslashes in sequence will result in the evaluation of the backslash as a character with no special meaning.

(draft-08 differs in two places: it counts six pattern-matching operations, the fifth being "the exclamation mark (!) preceding any valid expression built using any of the operators discussed prior to this sentence", and its backslash operation covers "the open square bracket ([), the asterisk, backslash, exclamation mark or the question mark". draft-09 moves negation into Section 5.1.)
5.1 Negating the expression

(draft-09 only; in draft-08 the examples below are Section 5.1)

The exclamation point can be used at the beginning of a wildmat to negate it. If it appears as any character other than the first one, it has no special meaning.

5.2 Examples
a) [^]-] -- matches any single character other than a close square bracket or a minus sign/dash.
b) *bdc -- matches any string that ends with the string "bdc" including the string "bdc" (without quotes).
c) [0-9a-zA-Z] -- matches any single printable alphanumeric ASCII character.
d) a??d -- matches any four character string which begins with a and ends with d.
e) !bc*d -- matches any string that does not start with "bc" and end with "d" (without quotes). (draft-09 only)
6. Format for Keyword Descriptions

On the following pages are descriptions of each keyword recognized by the NNTP server and the responses that will be returned by those commands. These keywords are grouped by the functional step in which they are used.

Each keyword is shown in upper case for clarity, although the NNTP server ignores case in the interpretation of commands. Any parameters are shown in lower case. A parameter shown in [square brackets] is optional. For example, [GMT] indicates that the triglyph GMT may be present or omitted. A parameter that may be repeated is followed by an ellipsis. Mutually exclusive parameters are separated by a vertical bar (|) character. For example, ggg|<message-id> indicates that a group name or a <message-id> may be specified, but not both. Some parameters may be case or language specific. See RFC 1036[6] for these details.
skipping to change at page 37, line 26 (draft-08) / page 37, line 33 (draft-09)
<first> is the number of the first article currently in the news group, and <status> indicates the current status of the group on this server. Typically, the <status> will consist of the US-ASCII character `y' where posting is permitted, `n' where posting is not permitted and `m' where postings will be forwarded to the news group moderator by the news server. Other status strings may exist. The definition of these other values is covered in other specifications.

The <first> and <last> fields will always be numeric. They may have leading zeros. (draft-09) The <first> field corresponds to the "reported low water mark" and the <last> field corresponds to the "reported high water mark" described in the GROUP command (see Section 9.1.1.1). (draft-08 instead) If the <last> field evaluates to less than the <first> field, there are no articles currently on file in the news group.

Note that posting may still be prohibited to a client although the LIST command indicates that posting is permitted to a particular news group. See the POST command for an explanation of client prohibitions. The posting flag exists for each news group because some news groups are moderated or are digests, and therefore cannot be posted to; that is, articles posted to them must be mailed to a moderator who will post them for the original poster. This is independent of the posting permission granted to a client by the NNTP server.
skipping to change at page 43, line 43 (draft-08) / page 43, line 52 (draft-09)
article numbers in a particular news group.

The optional parameter ggg is the name of the news group to be selected (e.g. "news.software.b"). A list of valid news groups may be obtained from the LIST command. If no group is specified, the current group is used as the default argument.

The successful selection response will be a list of the article numbers in the group followed by a period on a line by itself. (draft-09 adds) The list starts on the next line following the 211 response code.

When a valid group is selected by means of this command, the internally maintained "current article pointer" MUST be set to the first article in the group. If an invalid group is specified, the previously selected group and article remain selected. If an empty news group is selected, the "current article pointer" may be in an indeterminate state and should not be used.

The group name MUST match a news group obtained from the
skipping to change at page 46, line 10 (draft-08) / page 46, line 17 (draft-09)
The OVER command is part of the OVER extension, which includes the LIST OVERVIEW.FMT command. The OVER extension is optional. If it is not implemented, the response to the LIST EXTENSIONS command must not include the OVER label.

9.4.8.1 Responses

224 Overview information follows
412 No news group currently selected
420 No article(s) selected
502 no permission (draft-08) / 502 Service Unavailable (draft-09)

9.4.8.2 Examples

Example of a successful retrieval of overview information for an article (using no article number)

[S] 200 NNTP Service Ready
[C] GROUP misc.test
[S] 211 1234 3000234 3002322 misc.test
skipping to change at page 47, line 21 (draft-08) / page 47, line 30 (draft-09)
[C] GROUP example.empty.newsgroup
[S] 211 0 0 0 example.empty.newsgroup
[C] OVER
[S] 420 No current article selected
9.4.9 PAT

PAT header range|<message-id> [wildmat [wildmat...]]

(draft-08 wrote the synopsis as PAT header range|<message-id> [pat [pat...]].)

The PAT command is used to retrieve specific headers from specific articles, based on pattern matching on the contents of the header.

The required header parameter is the name of a header line (e.g. "subject") in a news group article. See RFC-1036 for a list of valid header lines. The required range argument may be any of the following:

. an article number
. an article number followed by a dash to indicate all following
. an article number followed by a dash followed by another article number.

The required message-id argument indicates a specific article. The range and message-id arguments are mutually exclusive. An additional argument consisting of one wildmat or two or more wildmats separated by a space may be specified. If there is no additional argument, a wildmat "*" is the default. (draft-08 instead: If there are additional arguments, they are joined together separated by a single space to form one complete pattern. If there are no additional arguments, a wildmat "*" is the default.) Successful responses start with a 221 response followed by the article number, a US-ASCII space, and the header from that message in which the argument pattern matches the contents of the specified header line. A valid response includes an empty list (indicating that there were no matches). Once the output is complete, a period is sent on a line by itself. If the optional argument is a message-id and no such article exists, a 430 error response shall be returned. A 502 response shall be returned if the client only has permission to transfer articles.

The PAT command is optional. If it is not implemented, the response to the LIST EXTENSIONS command must not include the PAT label.

9.4.9.1 Responses

221 Header follows
412 no newsgroup selected
430 no such article
502 no permission (draft-08) / 502 Service Unavailable (draft-09)
9.4.9.2 Examples

Example of a successful retrieval of subject lines from a range of articles

[S] 200 NNTP Service Ready
[C] GROUP misc.test
[S] 211 1234 3000234 3002322 misc.test
skipping to change at page 48, line 34 (draft-08) / page 48, line 41 (draft-09)
[S] 221 Header Follows
3000234 I am just a test article
3000237 Re: I am just a test article
3000238 Ditto
.

(draft-09 only) Example of a successful retrieval of subject lines from a range of articles with header pattern matching

[S] 200 NNTP Service Ready
[C] GROUP misc.test
[S] 211 1234 3000234 3002322 misc.test
[C] PAT Subject 3000234-300238 j* ? *est
[S] 221 Header Follows
3000234 I am just a test article
3000237 Re: I am just a test article
.

Example of a successful retrieval of header from an article by message-id

[S] 200 NNTP Service Ready
[C] PAT subject <i.am.a.test.article@nowhere.to>
[S] 221 Header information follows
3000345 I am just a test article
.

Example of an unsuccessful retrieval of a header from an article by message-id

[S] 200 NNTP Service Ready
[C] PAT subject <i.am.not.there@nowhere.to>
[S] 430 No Such Article Found

Example of an unsuccessful retrieval of headers from articles by number because no news group was selected first

[S] 200 NNTP Service Ready
[C] PAT subject 300256-
[S] 412 No news group selected

Example of retrieving header information when the current group selected is empty

[S] 200 NNTP Service Ready
[C] GROUP example.empty.newsgroup
[S] 211 0 0 0 example.empty.newsgroup
[C] PAT subject 0-
[S] 221 Headers follow
.

(In the four examples above, draft-08 wrote the client command in lower case as "pat", and as "path" in the empty-group example; draft-09 uses "PAT".)

Example of a failure due to restrictions configured into the server

[S] 200 NNTP Service Ready
skipping to change at page 49, line 31 (draft-08) / page 50, line 4 (draft-09)
[S] 221 Headers follow
.

Example of a failure due to restrictions configured into the server

[S] 200 NNTP Service Ready
[C] GROUP news.group
[S] 211 1234 3000234 3002322 misc.test
[C] PAT Subject 3000234-300238
[S] 502 access denied (draft-08) / [S] 502 Service Unavailable (draft-09)
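The following is an added example, not code from either draft: a client-side helper that forms the PAT command line described in 9.4.9 and parses the 221/412/430/502 replies shown in the examples above, treating a 221 reply cut off before its terminating period as an error rather than as an empty match list. The regular expressions for the range and <message-id> forms are simplifications assumed here, and the sample replies are constructed from the examples.

```python
"""Client side of the PAT exchange of Section 9.4.9 (added example, not
from the draft).  build_pat() forms the command line; parse_pat_response()
reads the reply.
"""
import re

# Article range forms listed in 9.4.9: n, n-, n-m.
_RANGE = re.compile(r"^[0-9]+(?:-[0-9]*)?$")
# Simplified <message-id> shape; an assumption, not the full RFC 822 grammar.
_MSGID = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")
# Space, ASCII controls (including CR and LF) and DEL are never part of a token.
_CTL = re.compile(r"[\x00-\x20\x7f]")


def build_pat(header, target, wildmats=()):
    """Return the CRLF-terminated PAT command line.

    Every token must be free of whitespace and control characters: the
    command is a single line, so a CR or LF copied in from untrusted input
    would otherwise be transmitted as a second, unintended command.
    """
    tokens = [header, target, *wildmats]
    for tok in tokens:
        if not tok or _CTL.search(tok):
            raise ValueError("illegal characters in token %r" % tok)
    if not (_RANGE.match(target) or _MSGID.match(target)):
        raise ValueError("target must be an article range or <message-id>")
    return "PAT " + " ".join(tokens) + "\r\n"


def parse_pat_response(lines):
    """Parse the server's reply to PAT from an iterable of CRLF-stripped lines.

    Returns (code, [(article_number, header_text), ...]).  Only a 221 reply
    carries data lines; 412, 430 and 502 are single-line replies.  A 221
    reply that ends before its terminating '.' raises, so a truncated
    connection is never mistaken for a successful empty result.
    """
    it = iter(lines)
    status = next(it, None)
    if status is None or len(status) < 3 or not status[:3].isdigit():
        raise ValueError("missing or malformed status line: %r" % (status,))
    code = int(status[:3])
    if code != 221:
        return code, []
    results = []
    for line in it:
        if line == ".":
            return code, results
        num, _, text = line.partition(" ")
        if not num.isdigit():
            raise ValueError("malformed data line: %r" % line)
        results.append((int(num), text))
    raise ValueError("reply ended without the terminating '.' line")


# Constructed sample replies, modelled on the examples in 9.4.9.2.
SAMPLE_221 = [
    "221 Header Follows",
    "3000234 I am just a test article",
    "3000237 Re: I am just a test article",
    "3000238 Ditto",
    ".",
]
SAMPLE_430 = ["430 No Such Article Found"]
SAMPLE_EMPTY = ["221 Headers follow", "."]
```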
10. The CONCLUSION Step

10.1 QUIT

QUIT

The server process MUST acknowledge the QUIT command and then close the connection to the client. This is the preferred method for a client to indicate that it has finished all its
skipping to change at page 56, line 4 (draft-08) / page 56, line 29 (draft-09)
head-command /
help-command /
ihave-command /
last-command /
list-active-times-command /
list-distrib-pats-command /
list-distributions-command /
list-extensions-command /
list-newsgroups-command /
list-overview-fmt-command /
list-subscriptions-command /   ; draft-09 only
list-command /
listgroup-command /
mode-reader-command /
newgroups-command /
newnews-command /
next-command /
over-command /
pat-command /
post-command /
quit-command /
skipping to change at page 56, line 44 (draft-08) / page 57, line 14 (draft-09)
list-distrib-pats-command = "LIST" 1*WSP "DISTRIB.PATS" *WSP CRLF
list-distributions-command = "LIST" 1*WSP "DISTRIBUTIONS" *WSP CRLF
list-extensions-command = "LIST" 1*WSP "EXTENSIONS" *WSP CRLF
list-newsgroups-command = "LIST" 1*WSP "NEWSGROUPS" [1*WSP wildmat] *WSP CRLF
list-overview-fmt-command = "LIST" 1*WSP "OVERVIEW.FMT" *WSP CRLF
list-subscriptions-command = "LIST" 1*WSP "SUBSCRIPTIONS" *WSP CRLF   ; draft-09 only
listgroup-command = "LISTGROUP" [1*WSP newsgroup] *WSP CRLF
mode-reader-command = "MODE" 1*WSP "READER" *WSP CRLF
msg-id = <defined in RFC822>
newgroups-command = "NEWGROUPS" 1*WSP date 1*WSP time [1*WSP "GMT"/"UTC"] *WSP CRLF
newnews-command = "NEWNEWS" 1*WSP newsgroup *("," newsgroup) 1*WSP date 1*WSP time [1*WSP "GMT"/"UTC"] *WSP CRLF
newsgroup = parameter
next-command = "NEXT" *WSP CRLF
skipping to change at page 57, line 20 (draft-08) / page 57, line 42 (draft-09)
stat-command = "STAT" [1*WSP (msg-id / article-number)] *WSP CRLF
time = 6DIGIT
UTF-8-non-ascii = UTF8-2 / UTF8-3 / UTF8-4 / UTF8-5 / UTF8-6
UTF8-1 = %x80-BF
UTF8-2 = %xC0-DF UTF8-1
UTF8-3 = %xE0-EF 2UTF8-1
UTF8-4 = %xF0-F7 3UTF8-1
UTF8-5 = %xF8-FB 4UTF8-1
UTF8-6 = %xFC-FD 5UTF8-1
wildmat = ["!"] 1*("*" / "?" / wildmat-exact / wildmat-set /
          "\" (%x22-7F / UTF-8-non-ascii))
          ; draft-08: wildmat = 1*("!" / "*" / "?" / wildmat-exact /
          ;   wildmat-set / "\" (%x22-7F / UTF-8-non-ascii))
wildmat-exact = %x22-29 / %x2B-3E / %x40-5A / %x5D-7F / UTF-8-non-ascii
                ; exclude space ! * ? [ \
wildmat-non-hyphen = %x21-2C / %x2E-7F / UTF-8-non-ascii ; exclude space -
wildmat-set = "[" ["^"] ["]" / "-"] *(wildmat-non-hyphen ["-" wildmat-non-hyphen]) ["-"]
              ; draft-09 prints the repetition as *(wildmat-non-hyphen"["-"
              ;   wildmat-non-hyphen]) ["-"], without the space before "["
WSP = SP / HT
14. Security Considerations

(draft-08 text of this section, replaced in full by draft-09)

There is a serious need for good text to put in this section. Here is an attempt:

The nature of network news over its history has been the sharing of information, seemingly without restriction. While this was reasonable when NNTP was first specified, the lack of a mechanism for restricting access to network news may no longer be appropriate. This specification has some provisions in it which make it possible to add authentication and identification mechanisms, but none are included in this specification. It is expected that those mechanisms will be defined as specific extensions using the extension mechanism specified in this document.

(draft-09 text)

This section is meant to inform application developers, information providers, and users of the security limitations in NNTP as described by this document. The discussion does not include definitive solutions to the problems revealed, though it does make some suggestions for reducing security risks.

14.1 Personal and Proprietary Information

NNTP, because it was created to distribute network news articles, will forward whatever information is stored in those articles. Specification of that information is outside the scope of this document, but it is likely that some personal and/or proprietary information is available in some of those articles. It is very important that designers and implementors provide informative warnings to users so personal and/or proprietary information is not disclosed inadvertently. Additionally, effective and easily understood mechanisms to manage the distribution of news articles must be provided to NNTP server administrators, so that they are able to report with confidence what information is and is not being forwarded in news articles passing through their servers.

14.2 Abuse of Server Log Information

A server is in the position to save session data about a user's requests which might identify their reading patterns or subjects of interest. This information is clearly confidential in nature and its handling can be constrained by law in certain countries. People using the NNTP protocol to provide data are responsible for ensuring that such material is not distributed without the permission of any individuals that are identifiable by the published results.

14.3 DNS Spoofing

Clients and servers using NNTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the deliberate mis-association of IP addresses and DNS names. Clients and servers need to be cautious in assuming the continuing validity of an IP number/DNS name association.

In particular, NNTP clients and servers SHOULD rely on their name resolver for confirmation of an IP number/DNS name association, rather than caching the result of previous host name lookups. Many platforms already can cache host name lookups locally when appropriate, and they SHOULD be configured to do so. It is proper for these lookups to be cached, however, only when the TTL (Time To Live) information reported by the name server makes it likely that the cached information will remain useful.

If NNTP clients or servers cache the results of host name lookups in order to achieve a performance improvement, they MUST observe the TTL information reported by DNS.

If NNTP clients or servers do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As network renumbering is expected to become increasingly common, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability.

This requirement also improves the load-balancing behavior of clients for replicated servers using the same DNS name and reduces the likelihood of a user's experiencing failure in accessing sites which use that strategy.
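An added example, not from either draft, of the MUST in 14.3: a host lookup cache that reuses an answer only until the TTL the name server reported has run out, so a renumbered server is picked up at the next lookup instead of the stale address being reused indefinitely. The resolver and clock interfaces, the name news.example.net and the 192.0.2.x addresses are constructed for the example.

```python
"""TTL-observing host lookup cache illustrating Section 14.3 (added example).

Assumed interfaces: resolver(name) returns (address, ttl_seconds) exactly as
the name server reported them; clock() returns the current time in seconds.
"""
import time


class TtlHostCache:
    def __init__(self, resolver, clock=time.monotonic):
        self._resolver = resolver
        self._clock = clock
        self._entries = {}       # name -> (address, expires_at)
        self.resolver_calls = 0  # how often the real resolver was consulted

    def resolve(self, name):
        """Return the address for name, re-querying once its TTL has elapsed."""
        now = self._clock()
        entry = self._entries.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]                  # still within the reported TTL
        address, ttl = self._resolver(name)
        self.resolver_calls += 1
        if ttl > 0:
            self._entries[name] = (address, now + ttl)
        else:
            self._entries.pop(name, None)    # TTL 0: the answer must not be reused
        return address


def simulate_renumbering():
    """Constructed scenario: the news server is renumbered after 30 s.

    Returns [(t, address, resolver_calls)] for lookups at t = 0, 30 and 61.
    Within the 60 s TTL the cached address is served; after it expires the
    resolver is consulted again and the new address is used.
    """
    zone = {"news.example.net": ("192.0.2.10", 60)}   # constructed zone data
    clock = {"t": 0}
    cache = TtlHostCache(lambda name: zone[name], clock=lambda: clock["t"])
    trace = []
    for t in (0, 30, 61):
        clock["t"] = t
        if t == 30:
            zone["news.example.net"] = ("192.0.2.20", 60)   # renumbered
        trace.append((t, cache.resolve("news.example.net"), cache.resolver_calls))
    return trace
```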
14.4 Weak Authentication and Access Control

There is no user-based or token-based authentication in the basic NNTP specification. Access is normally controlled by server configuration files. Those files specify access by using domain names or IP addresses. However, this specification does permit the creation of extensions to the NNTP protocol itself for such purposes. While including such mechanisms is optional, doing so is strongly encouraged. Other mechanisms are also available. For example, a proxy server could be put in place that requires authentication before connecting via the proxy to the NNTP server.
15. Notes

UNIX is a registered trademark of the X/Open Consortium.
16. References

(draft-09 only; draft-08 has no reference list here and numbers its Acknowledgments as Section 16.)

[1] Kantor, B. and P. Lapsley, "Network News Transfer Protocol", RFC 977, U.C. San Diego and U.C. Berkeley.
[2] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2278, Alis Technologies.
[3] Coded Character Set - 7-bit American Standard Code for Information Interchange, ANSI X3.4-1986.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University.
[5] Salz, R., Manual Page for wildmat(3) from the INN 1.4 distribution, UUNET Technologies, Revision 1.10, April 1992.
[6] Horton, M.R. and R. Adams, "Standard for interchange of USENET messages", RFC 1036, AT&T Bell Laboratories and Center for Seismic Studies, December 1987.
[7] Robertson, R., "FAQ: Overview database / NOV General Information", ftp://ftp.uu.net/networking/news/nntp/inn/faq-nov.Z, January 1995.
[8] Mills, D.L., "Network Time Protocol (Version 3), Specification, Implementation and Analysis", RFC 1305, University of Delaware, March 1992.
[9] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, Internet Mail Consortium and Demon Internet, Ltd.

17. Acknowledgments
The author acknowledges the original authors of NNTP as The author acknowledges the original authors of NNTP as
documented in RFC 977: Brian Kantor and Phil Lapsey. documented in RFC 977: Brian Kantor and Phil Lapsey.
The author gratefully acknowledges the work of the NNTP The author gratefully acknowledges the work of the NNTP
committee chaired by Eliot Lear. The organization of this committee chaired by Eliot Lear. The organization of this
document was influenced by the last available draft from this document was influenced by the last available draft from this
working group. A special thanks to Eliot for generously working group. A special thanks to Eliot for generously
providing the original machine readable sources for that providing the original machine readable sources for that
document. document.
The author gratefully acknowledges the work of the Marshall The author gratefully acknowledges the work of the Marshall
Rose & John G. Meyers in RFC 1939 and the work of the DRUMS Rose & John G. Meyers in RFC 1939 and the work of the DRUMS
working group, specifically RFC 1869, which is the basis of working group, specifically RFC 1869, which is the basis of
the NNTP extensions mechanism detailed in this document. the NNTP extensions mechanism detailed in this document.
The author gratefully acknowledges the authors of RFC 2616 for
providing specific and relevant examples of security issues
that should be considered for HTTP. Since many of the same
considerations exist for NNTP, those examples that are
relevant have been included here with some minor rewrites.
The author gratefully acknowledges the comments and additional The author gratefully acknowledges the comments and additional
information provided by the following individuals in preparing information provided by the following individuals in preparing
one of the progenitors of this document: one of the progenitors of this document:
. Wayne Davison <davison@armory.com> . Wayne Davison <davison@armory.com>
. Clive D.W. Feather <clive@demon.net> . Clive D.W. Feather <clive@demon.net>
. Chris Lewis <clewis@bnr.ca> . Chris Lewis <clewis@bnr.ca>
. Tom Limoncelli <tal@mars.superlink.net> . Tom Limoncelli <tal@mars.superlink.net>
. Eric Schnoebelen <eric@egsner.cirr.com> . Eric Schnoebelen <eric@egsner.cirr.com>
. Rich Salz <rsalz@osf.org> . Rich Salz <rsalz@osf.org>
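Review bot: the new acknowledgement paragraph (right column, "The author gratefully acknowledges the authors of RFC 2616 ...") states that security-considerations examples from RFC 2616 were incorporated with minor rewrites, yet the new section 16 reference list (entries 1 through 9) has no entry for RFC 2616; add one so the borrowed text is traceable to its source. In the same region, the security text above ("While including such mechanisms is optional, doing so is strongly encouraged") uses informal emphasis where reference 4 (RFC 2119) is cited for requirement keywords; consider "SHOULD" if that is the intended strength. Minor: "ip addresses" should read "IP addresses", and "Phil Lapsey" in the acknowledgement differs from "P. Lapsley" in reference 1.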
skipping to change at page 58, line 41 skipping to change at page 60, line 56
newsreaders that are part of Bnews. newsreaders that are part of Bnews.
. Geoff Collyer -- Original author of the OVERVIEW database . Geoff Collyer -- Original author of the OVERVIEW database
proposal and one of the original authors of CNEWS proposal and one of the original authors of CNEWS
. Dan Curry -- Original author of the xvnews newsreader . Dan Curry -- Original author of the xvnews newsreader
. Wayne Davision -- Author of the first threading extensions to . Wayne Davision -- Author of the first threading extensions to
the the
RN newsreader (commonly called TRN). RN newsreader (commonly called TRN).
. Geoff Huston -- Original author of ANU NEWS . Geoff Huston -- Original author of ANU NEWS
. Phil Lapsey -- Original author of the UNIX reference . Phil Lapsey -- Original author of the UNIX reference
implementation implementation
. Ian Lea -- Maintainer of the TIN newsreader . Ian Lea -- Long time maintainer of the TIN newsreader
. Chris Lewis -- First known implementor of the AUTHINFO GENERIC . Chris Lewis -- First known implementor of the AUTHINFO GENERIC
extension extension
. Rich Salz -- Original author of INN . Rich Salz -- Original author of INN
. Henry Spencer -- One of the original authors of CNEWS . Henry Spencer -- One of the original authors of CNEWS
. Kim Storm -- Original author of the NN newsreader . Kim Storm -- Original author of the NN newsreader
18. References
[1] Kantor, B and P. Lapsley, "Network News Transfer Protocol",
RFC-977, U.C. San Diego and U.C. Berkeley.
[2] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
RFC 2278, Alis Technologies.
[3] Coded Character Set-7-bit American Standard Code for
Information Interchange, ANSI x3.4-1986.
[4] Bradner, Scott, "Key words for use in RFCs to Indicate
Requirement Levels", RFC-2119, Harvard University.
[5] Salz, Rich, Manual Page for wildmat(3) from the INN 1.4
distribution, UUNET Technologies, Revision 1.10, April, 1992.
[6] Horton, M.R. and R. Adams, "Standard for interchange of
USENET messages", RFC-1036, AT&T Bell Laboratories and Center
for Seismic Studies, December, 1987.
[7] Robertson, Rob, "FAQ: Overview database / NOV General 18. Author's Address
Information", ftp://ftp.uu.net/networking/news/nntp/inn/faq-
nov.Z, January, 1995.
[8] Mills, David L., "Network Time Protocol (Version 3),
Specification, Implementation and Analysis", RFC-1305,
University of Delaware, March 1992.
[9] Crocker, D. and Overell, P., "Augmented BNF for Syntax
Specifications: ABNF", RFC-2234, Internet Mail Consortium and
Demon Internet, Ltd.
19. Author's Address
Stan Barber Stan Barber
P.O. Box 300481 P.O. Box 300481
Houston, Texas 77230 Houston, Texas 77230
Email: <sob@academ.com> Email: <sob@academ.com>
This document expires Feburary 10, 2000. This document expires May 15, 2000.
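Review bot: contributor names are spelled inconsistently across the two lists in this region: "Wayne Davision" in the implementors list versus "Wayne Davison" in the earlier list of commenters, and "Phil Lapsey" here versus "P. Lapsley" in reference 1; settle on one spelling per person. The left column's expiry line still carries the typo "Feburary", which the new version corrects; "Long time maintainer" (right column) would normally be hyphenated as "Long-time maintainer".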
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/