Re: [kitten] draft-ietf-kitten-iakerb-02
Nico Williams <nico@cryptonector.com> Mon, 27 October 2014 17:28 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1E1C1A016B for <kitten@ietfa.amsl.com>; Mon, 27 Oct 2014 10:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c5NxUoP96pC for <kitten@ietfa.amsl.com>; Mon, 27 Oct 2014 10:28:18 -0700 (PDT)
Received: from homiemail-a85.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 7B9F51A1A25 for <kitten@ietf.org>; Mon, 27 Oct 2014 10:28:14 -0700 (PDT)
Received: from homiemail-a85.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a85.g.dreamhost.com (Postfix) with ESMTP id 9D4C4BBA13F for <kitten@ietf.org>; Mon, 27 Oct 2014 10:28:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=5JUqLEqgSGut5kRAxmEu ronnPpQ=; b=IZ08YjMqNcXzX+mMDaDf+WG8GBTTbSW3pEupRhAsIzS0XpXDVHg8 g3veMSJbLPShk/LeoDnlmv4I9NOpCrMqGB3bHUI2sR9FuzRlnXDoDkXEp//scCsv tKRNWQRbrCjidvc/K4VInlsyw7POXL9GMLxg1mChcw94+PKBLSLfTQA=
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a85.g.dreamhost.com (Postfix) with ESMTPSA id 86B74BBA0BC for <kitten@ietf.org>; Mon, 27 Oct 2014 09:30:16 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id z12so3598776wgg.9 for <kitten@ietf.org>; Mon, 27 Oct 2014 09:30:15 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.240.68 with SMTP id vy4mr24076060wjc.36.1414427415263; Mon, 27 Oct 2014 09:30:15 -0700 (PDT)
Received: by 10.216.32.135 with HTTP; Mon, 27 Oct 2014 09:30:15 -0700 (PDT)
In-Reply-To: <544E63DA.2030102@mit.edu>
References: <alpine.GSO.1.10.1410141053220.27826@multics.mit.edu> <54402CAC.3010209@mit.edu> <alpine.GSO.1.10.1410241543520.27826@multics.mit.edu> <544E63DA.2030102@mit.edu>
Date: Mon, 27 Oct 2014 11:30:15 -0500
Message-ID: <CAK3OfOgQSDP2H+kMCqbrE2xN+1BEBgvGF-v0Spw07S3DZbj6HQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/4BsWLdK52hG3iWjocMbqsyXJbak
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] draft-ietf-kitten-iakerb-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 17:28:19 -0000
On Mon, Oct 27, 2014 at 10:25 AM, Greg Hudson <ghudson@mit.edu> wrote: > On 10/24/2014 06:08 PM, Benjamin Kaduk wrote: >> Well, it has at least one realm that it knows exists. (I guess it need The only methods of determining an acceptor's realm, available to an IAKERB initiator, are: - referrals, starting with either or all of (in sequence) the client principal's realm, or any other realm that the initiator might have knowledge of - a resolver-style "search" of domain-style realms for a given hostname (presumably with FAST for each TGS exchange to protect the integrity of KRB-ERRORs) Note that the KRB_AP_ERR_IAKERB_KDC_NOT_FOUND and KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE errors cannot be protected. If this error results during a resolver-style search, the initiator should stop searching. Question: presumably KRB_AP_ERR_IAKERB_* do not terminate the security context exchange, and GSS_Accept_sec_context() returns GSS_S_CONTINUE_NEEDED in those cases? Although there should probably be a maximum number of context tokens that the acceptor is willing to exchange, past which it will need to return GSS_S_FAILURE, and then how is _that_ communicated to the initiator?? (It might have been nice to have DNS TXT/whatever RRs for determining target host principals' realms, and to proxy DNS[SEC] lookups in IAKERB. However, that seems like a lot of work.) >> not strictly speaking know where the KDCs for that realm are...) This >> case where the client needs to resolve an enterprise name but doesn't have >> a local realm may not be terribly common, so it might be okay to just fail >> the GSS negotiation at this point. Alternately, the acceptor could pick >> an arbitrary realm it can accept tickets from. The latter seems to allow >> things to work in more cases than the former, and I don't think it would >> make any cases worse than the former, so I'll probably go with the latter. I agree: the latter. > As an implementor, I would generally want to just call > krb5_get_default_realm() and return an error if that fails. But the RFC > should say what error to return. Hmmm. Is there a standard notion of "default realm"? We've seen a number of cases where there's no configured default realm, where an acceptor might have keys for principals in multiple realms, and so on. I'd rather say that the initiator can use a zero-length realm to indicate "I don't know where to send this" and the acceptor should substitute a realm of its choice. If the acceptor has many realms... then the above question once more arises as to how we know when a KRB-ERROR denotes that GSS_Accept_sec_context() returns GSS_S_CONTINUE_NEEDED versus when it returns GSS_S_FAILURE. > (I don't think MIT krb5 currently implements this part of IAKERB, since > it wasn't present in the earlier draft that we used.) Sure, but we're designing a protocol as much as documenting reality :) >> So, "including the generic token framing of the InnerContextToken type >> from [RFC 2743]", then? > > I think that's right. *sigh* Sure. Nico --
- [kitten] draft-ietf-kitten-iakerb-02 Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-iakerb-02 Greg Hudson
- Re: [kitten] draft-ietf-kitten-iakerb-02 Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-iakerb-02 Greg Hudson
- Re: [kitten] draft-ietf-kitten-iakerb-02 Nico Williams
- Re: [kitten] draft-ietf-kitten-iakerb-02 Nico Williams
- Re: [kitten] draft-ietf-kitten-iakerb-02 Greg Hudson