IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 18:56 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63758C15270B for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 10:56:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Q_i1HXYJvZZ for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 10:56:05 -0800 (PST)
Received: from crocodile.elm.relay.mailchannels.net (crocodile.elm.relay.mailchannels.net [23.83.212.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 444E3C1595FE for <kitten@ietf.org>; Wed, 22 Feb 2023 10:56:05 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D3ED8101E40; Wed, 22 Feb 2023 18:56:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 5E541101BAA; Wed, 22 Feb 2023 18:56:03 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677092163; a=rsa-sha256; cv=none; b=Jquc/yyG2ItbWEEMKHtmzgzqVDJ4XaXthA/e6reKaSnsGSdlCSj1K8dXcdBM4WDJQ8UAHf qmru1GOyHuT9okA8J4REylyuJrZJxerB4Y/2AEg5irc+b2mfEgN2RpQyvX/7Gdh2uqR4il EUQ18wuyCYgS/jahBAL7WdhHhiRLcPozXUixzPZwVSuVojPQRkPw3hCS738TjfO3ECff7b /j3eNSbd5DV/znJHPoY3MtqA6cLFYjsCbwCPn4+7KO27CYVrRX5OfcfG09AGIDwnWdFiRD efdBLGhMzCNRXhPKWqBA95slet09uTVE4lE/2DXw7MGxrJZikp4ZosPxPIl6Fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677092163; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ELSYwDOjsDqEzfIuqIuvZa2BWVdBkNYjHYm1rOYDkMU=; b=cwwI8xnRhORekLkpmQj8FGxyUHhaUUCn0w4J98BzK5NxpPnGR3N/nwtqBPP2r5WuskHjrf NOJ7as6j4IqKmuX5nBv5fv4mr8SXcrVXIjwB3tqHspZFOf3gzXS2d5O5HAkKJZpK679k0l qj7pt2fVLKBZ9sDwUSe7KwXuF7wUxyyWqJkwym3EQwTmhlhE0GFmQA8eRoUaTv25bgJATf Yb1i7Yu2qv1uDvx41OCl6YpdqgUr4WyD8xrGK3mw+lJADyg9u0QTC6BwUzztc+4BOhtdkz qTelOwsE+kNnHMSS0xG14UqCt9M2oDXF/xXIYN1alENtgYt7h1EmH50CNvL0Hg==
ARC-Authentication-Results: i=1; rspamd-5db48964c-9shrn; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Lyrical-Harmony: 7ff0bf1461aec2f9_1677092163665_1738017878
X-MC-Loop-Signature: 1677092163665:4256201593
X-MC-Ingress-Time: 1677092163665
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.120.227.140 (trex/6.7.1); Wed, 22 Feb 2023 18:56:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PMQNL3SPXzK6; Wed, 22 Feb 2023 10:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677092163; bh=ELSYwDOjsDqEzfIuqIuvZa2BWVdBkNYjHYm1rOYDkMU=; h=Date:From:To:Cc:Subject:Content-Type; b=r2kGUU8yyDukT0mLWb81SbP5Up1A3OX1MqTinab2nbeItGfCsbgQuGy4FmlvWtZDr 9qUxMQwewoEnSJggV+OYzppYjA3txXndHoUQk6nKZoyl4/XEYsh8ZyyQmur3t0Lmec 8EJ0/qXWZASTmijnJBEy4+fadDtXeL5kaZUvphtP5bEDBxFc5ZoCdQsGcmgpyiWhJ8 XP/0VGXloQ7PWq93rQyYBHdgOHmY7Iq9mT+e4UkkY28C87R1FFZR0TvNpbBy3syXxu hiS7DanhOkUXTPY3fmRWWLHIitWJuQBIYNjaK+L+Ao04yhUyydeVwUNo6FXIMYuLQT VwMBHCOG0TSvQ==
Date: Wed, 22 Feb 2023 12:55:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/ZlP9gD0eyZP90T@gmail.com>
References: <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/WWjumkyhEjMvda@gmail.com> <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-QAOGi2zx2H_EehFxavAiUChRZ4>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 18:56:09 -0000

On Wed, Feb 22, 2023 at 05:36:40PM +0000, Steve Syfuhs (AP) wrote:
> You should implement forest trusts. We automated key rotation in 2000. :)

What RFC is that?  :)

Do we need an LDAP client in order to implement that?

Seriously, if you have key history, then you can rotate x-realm krbtgt
keys w/o trouble.  For non-x-realm krbtgt principals it's useful to have
the "new service key delay" feature so that the new keys can replicate
before they get used.

> That said, I'm a bit surprised you've seen any issues with key
> rotation. We generally return ap-err-modified in such bad key cases
> which should just trigger a client renew/reauth of the ticket. What do
> non-Windows clients do in that case? Do they just drop the request? 

If you're janedoe@A asking for a ticket for some service@B and you
already have a krbtgt/B@A ticket cached, you're going to use that
ticket, and then you might get an error from the KDC if either the
ticket is encrypted in the new key but the B KDC you hit doesn't have it
yet, or if the ticket is encrypted in the old key but the B KDC you hit
no longer has or accepts that key.  I believe MIT and Heimdal stop there
(though I'd have to check).

> I'll have to dig through the client/server logic for how gMSAs are
> handled. I don't quite remember the exact behavior, but caveat a few
> bugs we introduced ourselves I can't recall any major reports of
> timing issues, which I would attribute back to the badkey-retry-getkey
> behavior our clients have. Also said, I'm not aware of any non-Windows
> servers that implement gMSA support, especially given Andrew's comment
> about SAMBA only now investigating adding them. That sorta makes any
> third party behavior a bit moot.

Ok, I'll have to look into whether we have to special case certain
errors in TGS-REQ exchanges and retry in those cases.  This could be
complicated since we might have to purge ccache entries and then retry
from the top rather than retry the current TGS-REQ.

Complicating client-side logic is a problem, and complicated clients is
one of the problems with Kerberos.  For example, I've seen interop
issues with proprietary mobile apps not implementing kerberos referrals
chasing correctly, and getting those issues fixed can be nigh
impossible, and workarounds can be equally impossible.

In this case better key rotation functionality on the KDC can save the
client implementors a great deal of complexity.  Complexity is a big
source of bugs, too.

Nico
--

v2.23.0 | Report a Bug | By Email