IETF Logo Mail Archive

Re: draft-karppinen-imap-conman-00.txt

"RL 'Bob' Morgan" <rlmorgan@cac.washington.edu> Fri, 08 October 1999 22:10 UTC

Received: (from majordomo@localhost) by mail.imc.org (8.9.3/8.9.3) id PAA19709 for ietf-imapext-bks; Fri, 8 Oct 1999 15:10:43 -0700 (PDT)
Received: from perq.cac.washington.edu (perq.cac.washington.edu [140.142.110.198]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id PAA19705 for <ietf-imapext@imc.org>; Fri, 8 Oct 1999 15:10:42 -0700 (PDT)
Received: from localhost (rlmorgan@localhost) by perq.cac.washington.edu (8.8.7/8.8.7) with ESMTP id PAA08122 for <ietf-imapext@imc.org>; Fri, 8 Oct 1999 15:12:17 -0700
X-Authentication-Warning: perq.cac.washington.edu: rlmorgan owned process doing -bs
Date: Fri, 08 Oct 1999 15:12:17 -0700
From: RL 'Bob' Morgan <rlmorgan@cac.washington.edu>
Reply-To: RL 'Bob' Morgan <rlmorgan@cac.washington.edu>
To: ietf-imapext@imc.org
Subject: Re: draft-karppinen-imap-conman-00.txt
In-Reply-To: <37FDF46A.954858E7@att.com>
Message-ID: <Pine.LNX.4.19.99.9910081045410.8032-100000@perq.cac.washington.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ietf-imapext@imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-imapext/mail-archive/>
List-ID: <ietf-imapext.imc.org>
List-Unsubscribe: <mailto:ietf-imapext-request@imc.org?body=unsubscribe>

A few points about all this.

LDAP, which otherwise uses SASL in a very similar manner to IMAP (since it
was following the example set by IMAP), has an Unbind operation (see RFC
2251 section 4.3) which is more or less identical to the proposed IMAP
USERLOGOUT command.  I believe this was part of the DAP command set that
was just carried over into LDAP.  But certainly as the LDAP authentication
details were being worked on (in draft-ietf-ldapext-ldapv3-tls-05.txt and
draft-ietf-ldapext-authmeth-04.txt) implementors made it known that being
able to de- and re-authenticate the connection was important to them, I
think for more or less the same reasons as the pro-USERLOGOUT folks give
here.  I have no idea how much this is used in practice.

The connection-reuse strategy proposed by the USERLOGOUT proponents is
similar to the "connection pooling" technique that is universally used, in
my experience, in 3-tier database-oriented apps these days, especially
those with a web front end (ie, all new ones).  A set of database
connections is created by the app-server at system startup time, and
connections are grabbed and released by app-server threads as needed.  
The authentication story is somewhat different than it would be with IMAP,
though, since generally the app-server authenticates to the database
service as itself at connection start time, and app-level authentication
identity is one of the parameters in each database op; so there isn't a
USERLOGOUT equivalent in this case.

So, there's certainly adequate precedent in other areas for the approach
proposed in this draft; I think the question at hand is whether this is
worth adding to a protocol that doesn't have it already.  I think what the
anti-USERLOGOUT implementors are saying is that if you came to them and
said that the performance cost of simply making a TCP connection is a
substantial fraction of the total cost of starting an authenticated
session, as is claimed in the draft:

   Initial profiling suggests
   that persistent IMAP4 connections can lead to a performance increase
   of an order of magnitude when compared to separate IMAP4 connections
   per mailbox action.

that they would scurry off and make it not be so, and that this is doable,
and should be done, without requiring any protocol changes.

So, this is a performance hack.  The only way to decide whether it's
justified is with numbers.  I think it's up to the proponents to post real
observed numbers; and then for the anti- implementors to refute them or do
the implementation mods to prove that the remediation can be done without
protocol mods.

As someone mentioned, adding this capability in the context of TLS makes
things even trickier.  Let me philosophize on this point.  TLS basically
has its own set of security states that can change more or less
independently of the application protocol (SASL) states; the job of the
profile is to tie these together appropriately.  We dealt with some of
this in the ldapv3-tls spec, see specifically section 7.2 which says that
ending a TLS connection undoes any authentication state in the LDAP
connection; but that the LDAP connection itself can continue after TLS is
stopped.  (RFC 2595 doesn't address this issue, which is an omission.)  
See

 http://www.stanford.edu/~hodges/doc/StartTLSStateDiagram-8-May-1998.html

for an excellent state diagram of this behavior.  This is necessary to
specify the relevant behavior if you want TLS to be STOPpable as well as
STARTable.

Another look at RFC 2246 on TLS shows that at any time during a TLS
connection the handshake protocol can happen again, which can result in a
new set of security conditions and in particular a new client cert.  I
don't think any of the current app profiles for TLS take this into
account, even to the extent of saying "prohibited".  But if you wanted 
USERLOGOUT to work in the TLS+client_cert case (and surely this is an
increasingly important case) you'd probably say that *if* TLS is in use
and the client was authenticated via a cert, *then* USERLOGOUT would also
cause the server to issue a handshake protocol hello to renegotiate the
TLS authentication; or you might say that the TLS connection had to close,
but that's going to knock holes in the performance argument.

I find it hard to believe that performance gains (that aren't achievable
any other way) are enough to motivate USERLOGOUT as a standard facility,
given the non-trivial complexity of fully specifying (not to mention
implementing) the behavior it implies.

 - RL "Bob"

v2.23.0 | Report a Bug | By Email