[abfab] An oops: we stomped on reserved RFC 4121 token types

Sam Hartman <hartmans@painless-security.com> Mon, 18 November 2013 13:47 UTC

From: Sam Hartman <hartmans@painless-security.com>
To: abfab@ietf.org
Date: Mon, 18 Nov 2013 08:46:51 -0500
Message-ID: <tsltxf9ddpw.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kitten@ietf.org
Subject: [abfab] An oops: we stomped on reserved RFC 4121 token types

We use token types 06 01 and 06 02 for initial context tokens.

However, RFC 4121 section 4.4 reserves token ID 06 01 through 06 ff in
order that you can unambiguously distinguish ASN.1 wrapped framing from
other framing.

Luke, was this an oops or was something more clever going on?


In the specific case of draft-ietf-abfab-gss-eap, section 5 requires all
our context tokens have the ASN.1 framing.  So, testing the first octet
for 06 to determine if ASN.1 framing is present is still a fine test so
long as you don't do it recursively.


I think we have a couple of options:

1) Change the token types we use.  I don't know if this is a viable
option: I need to contact the moonshot community and figure out if
people are willing to invalidate all existing deployments.  My suspicion
is there would be moderate to infinite pushback on this.

2) Register 06 01 and 06 02, reserve 06 00 and 06 03 through 06 ff.

I think option 2 is acceptable because our mechanism always happens to
use ASN.1 framing.