Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

"Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com> Mon, 20 February 2023 17:07 UTC

From: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
To: Nico Williams <nico@cryptonector.com>
CC: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Date: Mon, 20 Feb 2023 17:06:39 +0000
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Message-ID: <MW4PR21MB197022BC59E5A7CE0C6378A19CA49@MW4PR21MB1970.namprd21.prod.outlook.com>
In-Reply-To: <Y/Lo+U/P9aerUgCW@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/Lo+U/P9aerUgCW@gmail.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/4gJaQzFgCvNKgdS9u6ahe48T43M>

I've been tempted to rip out negative caching in Windows once or twice, or more reasonably reduce the lifetime and scope of the cache. I would consider a negative cache an anti-pattern these days until performance shows it's necessary. If you're getting lots of requests for things that don't exist, that's an indicator something is wonky, not that it should be ignored.
________________________________
From: Nico Williams <nico@cryptonector.com>
Sent: Sunday, February 19, 2023 7:28:57 PM
To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>; kitten@ietf.org <kitten@ietf.org>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Another fix for MIT rt #8021 would be to have NACK entries in the cache
for service principal unknown.  Then GSS_Init_sec_context() for Kerberos
would fail and create the NACK entry, then it would fail immediately for
IAKERB so SPNEGO wouldn't try it.

Negative cache entries would be very nice to have, but they can also be
very expensive and bloaty if you're stuck with the venerable FILE cred
cache.

Nico
--
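The two messages above describe the same mechanism from opposite sides: a NACK entry recorded when the KDC reports the service principal unknown, so that a later mechanism in the SPNEGO list (IAKERB after Kerberos) fails immediately instead of repeating the lookup, versus the worry that such entries live too long or grow unbounded and end up hiding a real problem. The following Python is an added illustration written for this page, not code from MIT krb5, Windows, or either author. It models a negative cache with a short, per-(realm, principal) lifetime and a hit counter, and a toy mechanism negotiation that consults it; the mechanism names, the 60-second TTL, the principal names and the "known principals" set standing in for the KDC are all constructed assumptions.

```python
"""Bounded negative cache for 'server principal unknown' results (illustrative example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # cache scope: (realm, service principal)


class ManualClock:
    """Constructed test clock so expiry can be exercised without sleeping."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class NegativeCache:
    """Remembers principals a KDC reported unknown, for a short, scoped lifetime."""

    ttl: float = 60.0  # assumed short TTL; a long one hides principals created later
    clock: Callable[[], float] = time.monotonic
    _expiry: Dict[Key, float] = field(default_factory=dict)
    nack_hits: int = 0  # how often a cached NACK short-circuited a request

    def record_unknown(self, realm: str, principal: str) -> None:
        """Store a NACK entry for exactly this realm/principal pair."""
        self._expiry[(realm, principal)] = self.clock() + self.ttl

    def is_known_unknown(self, realm: str, principal: str) -> bool:
        """True if an unexpired NACK entry exists; expired entries are dropped on sight."""
        key = (realm, principal)
        expires_at = self._expiry.get(key)
        if expires_at is None:
            return False
        if self.clock() >= expires_at:
            del self._expiry[key]  # aged out: the principal may exist by now, retry the KDC
            return False
        self.nack_hits += 1
        return True

    def live_entries(self) -> int:
        """Number of unexpired entries, useful as a size metric for the cache."""
        now = self.clock()
        return sum(1 for exp in self._expiry.values() if exp > now)


def negotiate(
    mechs: List[str],
    realm: str,
    target: str,
    kdc_known_principals: Set[str],
    cache: NegativeCache,
) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Try each mechanism in order, the way a negotiation loop would.

    Both toy mechanisms resolve the same service principal at the same
    (simulated) KDC, so one NACK entry covers both.  Returns the winning
    mechanism (or None) and a per-mechanism record of what happened.
    """
    attempts: List[Tuple[str, str]] = []
    for mech in mechs:
        if cache.is_known_unknown(realm, target):
            attempts.append((mech, "skipped: negative cache"))  # fails immediately
            continue
        if target in kdc_known_principals:  # stands in for a successful TGS exchange
            attempts.append((mech, "ok"))
            return mech, attempts
        cache.record_unknown(realm, target)  # KDC said: server principal unknown
        attempts.append((mech, "KDC: server principal unknown"))
    return None, attempts


def demo() -> Tuple[Optional[str], Optional[str], int]:
    """Walk through the scenario from the thread with a manual clock."""
    clock = ManualClock()
    cache = NegativeCache(ttl=60.0, clock=clock)
    realm, target = "EXAMPLE.COM", "host/newbox.example.com"  # constructed names
    kdc: Set[str] = {"host/oldbox.example.com"}

    first, _ = negotiate(["krb5", "iakerb"], realm, target, kdc, cache)  # krb5 fails, iakerb skipped
    kdc.add(target)                                                        # admin registers the principal
    clock.advance(30)
    still_nacked, _ = negotiate(["krb5", "iakerb"], realm, target, kdc, cache)  # TTL not yet over
    clock.advance(31)
    after_expiry, _ = negotiate(["krb5", "iakerb"], realm, target, kdc, cache)  # entry aged out
    return first, after_expiry, cache.nack_hits


if __name__ == "__main__":
    print(demo())
```

The `nack_hits` counter is the operational hook: exporting it as a metric lets an operator notice the "lots of requests for things that don't exist" condition rather than having the cache silently absorb it, and the short TTL bounds both the memory held per realm/principal pair and how long a freshly created principal stays invisible.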