Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
"Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com> Mon, 20 February 2023 17:07 UTC
From: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
To: Nico Williams <nico@cryptonector.com>
CC: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Date: Mon, 20 Feb 2023 17:06:39 +0000
Message-ID: <MW4PR21MB197022BC59E5A7CE0C6378A19CA49@MW4PR21MB1970.namprd21.prod.outlook.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/Lo+U/P9aerUgCW@gmail.com>
In-Reply-To: <Y/Lo+U/P9aerUgCW@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/4gJaQzFgCvNKgdS9u6ahe48T43M>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
I've been tempted to rip out negative caching in Windows once or twice, or more reasonably reduce the lifetime and scope of the cache. I would consider a negative cache an anti-pattern these days until performance shows it's necessary. If you're getting lots of requests for things that don't exist, that's an indicator something is wonky, not that it should be ignored.

________________________________
From: Nico Williams <nico@cryptonector.com>
Sent: Sunday, February 19, 2023 7:28:57 PM
To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>; kitten@ietf.org <kitten@ietf.org>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Another fix for MIT rt #8021 would be to have NACK entries in the cache for service principal unknown. Then GSS_Init_sec_context() for Kerberos would fail and create the NACK entry, then it would fail immediately for IAKERB so SPNEGO wouldn't try it.

Negative cache entries would be very nice to have, but they can also be very expensive and bloaty if you're stuck with the venerable FILE cred cache.

Nico
--
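The fail-fast flow Nico describes (a negative entry for "service principal unknown" makes both the Kerberos and the IAKERB attempt fail before SPNEGO moves on) combined with Steve's caveat about lifetime and scope, as an added Python sketch that is not code from MIT Kerberos, Windows or anyone on the thread; the mech order, the 30-second TTL, the entry bound and the hit counter that surfaces repeatedly requested unknown principals are all assumptions made here.

```python
import time
from collections import Counter

KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # RFC 4120 error code: server not found in Kerberos database


class NegativeCache:
    """Bounded, short-lived record of service principals a KDC reported as unknown."""

    def __init__(self, ttl_seconds=30, max_entries=256, clock=time.monotonic):
        self.ttl, self.max_entries, self.clock = ttl_seconds, max_entries, clock
        self._entries = {}     # (realm, spn) -> expiry time
        self.hits = Counter()  # (realm, spn) -> lookups answered from the negative cache

    def record_unknown(self, realm, spn):
        if len(self._entries) >= self.max_entries:
            # Evict the entry closest to expiry so the cache cannot grow without bound.
            del self._entries[min(self._entries, key=self._entries.get)]
        self._entries[(realm, spn)] = self.clock() + self.ttl

    def is_known_unknown(self, realm, spn):
        expiry = self._entries.get((realm, spn))
        if expiry is None:
            return False
        if self.clock() >= expiry:  # TTL elapsed: forget the entry and ask the KDC again
            del self._entries[(realm, spn)]
            return False
        self.hits[(realm, spn)] += 1
        return True

    def noisy_principals(self, threshold):
        """Principals requested repeatedly although the KDC does not know them (assumed signal)."""
        return sorted(k for k, n in self.hits.items() if n >= threshold)


def negotiate(realm, spn, kdc_lookup, cache, mechs=("krb5", "iakerb", "ntlm")):
    """Toy SPNEGO mech selection. krb5 and IAKERB both need a ticket for spn, so one
    negative entry fails both at once and only the remaining mechs are attempted."""
    trace = []
    for mech in mechs:
        if mech in ("krb5", "iakerb"):
            if cache.is_known_unknown(realm, spn):
                trace.append((mech, "skipped (negative cache)"))
                continue
            if kdc_lookup(realm, spn) == KDC_ERR_S_PRINCIPAL_UNKNOWN:
                cache.record_unknown(realm, spn)
                trace.append((mech, "failed (KDC_ERR_S_PRINCIPAL_UNKNOWN)"))
                continue
        trace.append((mech, "ok"))
        return mech, trace
    return None, trace
```

`kdc_lookup` stands in for the real ticket request; the trace shows which mechs were tried and why, and `noisy_principals` is the defender-side counter for the "something is wonky" case.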