3.3.1 Abstract Data Model

  • Article

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

Netlogon serves as a security provider for its own RPC connections. As such, it provides the following service: Confidentiality.

For protocol features, once a session key has been established through the session key negotiation, Netlogon relies upon the RPC runtime to invoke the per-message functions. The following define the services provided by the Netlogon security support provider (SSP).

Note The following defined variables are logical, abstract parameters that an implementation is required to maintain and expose to provide the proper level of service. How these variables are maintained and exposed is determined by the implementation.

Confidentiality: A Boolean setting that indicates that the caller is requiring encryption of messages so that they cannot be read while in transit. Requesting this service results in Netlogon encrypting the message. For more information, see sections 3.1.4.2 and 3.1.4.3.

As per [MS-RPCE] section 2.2.2.11, the auth_level field of the sec_trailer structure determines the authentication level used. Netlogon only supports RPC_C_AUTHN_LEVEL_PKT_INTEGRITY and RPC_C_AUTHN_LEVEL_PKT_PRIVACY. A value of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY implies that Integrity is provided by the Netlogon SSP, and a value of RPC_C_AUTHN_LEVEL_PKT_PRIVACY implies that Confidentiality is provided by the Netlogon SSP. Sequence detection is always provided.

The Netlogon SSP maintains the following set of data for each session:

ClientSequenceNumber: A 64-bit integer value used for detecting out-of-order messages on the client side.

ServerSequenceNumber: A 64-bit integer value used for detecting out-of-order messages on the server side.

Session-Key: See section 3.1.4.3 for Session-Key computation details.

NegotiateFlags: See section 3.1.1 for NegotiateFlags details.

MessageBlockSize: An integer that indicates the minimum size of messages for encryption. This value MUST be 1.