IETF Logo Mail Archive

Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt

Greg Hudson <ghudson@mit.edu> Tue, 22 September 2015 14:58 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E85BE1A9008 for <kitten@ietfa.amsl.com>; Tue, 22 Sep 2015 07:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMyfIIk5EkEI for <kitten@ietfa.amsl.com>; Tue, 22 Sep 2015 07:58:22 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4E601A870C for <kitten@ietf.org>; Tue, 22 Sep 2015 07:58:21 -0700 (PDT)
X-AuditID: 12074423-f793f6d000007fc1-97-56016c8cbb9d
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 28.0C.32705.C8C61065; Tue, 22 Sep 2015 10:58:20 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t8MEwJi4028533; Tue, 22 Sep 2015 10:58:20 -0400
Received: from [18.101.8.79] (vpn-18-101-8-79.mit.edu [18.101.8.79]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t8MEwGod030636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 22 Sep 2015 10:58:18 -0400
To: Rick van Rein <rick@openfortress.nl>, kitten@ietf.org
References: <20150915143628.21162.89108.idtracker@ietfa.amsl.com> <55F82DA5.10504@openfortress.nl> <alpine.GSO.1.10.1509172254390.26829@multics.mit.edu> <55FBF0C8.6090904@openfortress.nl> <20150918140247.GB13294@localhost> <20150918153219.GP21942@mournblade.imrryr.org> <55FC4A37.9020305@openfortress.nl> <55FD5F8B.8050807@openfortress.nl> <55FD8806.5070909@mit.edu> <560136F2.3010509@openfortress.nl>
From: Greg Hudson <ghudson@mit.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <56016C88.6060708@mit.edu>
Date: Tue, 22 Sep 2015 10:58:16 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <560136F2.3010509@openfortress.nl>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixCmqrNuTwxhmsO6ZuMXRzatYLJ6+usfm wOSxZMlPJo8N/5rYApiiuGxSUnMyy1KL9O0SuDLmbpjAWLBaqOLUhp9sDYwv+LoYOTkkBEwk tk8+yAZhi0lcuLceyObiEBJYzCSx6sF3JghnI6PE1OevGSGcg0wS03tWsIK0CAtESZxadY4Z xBYRsJQ4ePA9O0TRXGaJDb++gSXYBJQl1u/fygKxQ06it3sSmM0roCaxdvNqoBUcHCwCqhIH NpmAhEUFIiROnX3LBlEiKHFy5hOwck4BfYlnL26A2cwCehI7rv9ihbDlJZq3zmaewCg4C0nL LCRls5CULWBkXsUom5JbpZubmJlTnJqsW5ycmJeXWqRrppebWaKXmlK6iREUwuwuyjsY/xxU OsQowMGoxMPr0ccQJsSaWFZcmXuIUZKDSUmUtzuVMUyILyk/pTIjsTgjvqg0J7X4EKMEB7OS CO86RaAcb0piZVVqUT5MSpqDRUmcd9MPvhAhgfTEktTs1NSC1CKYrAwHh5IEr2M2UKNgUWp6 akVaZk4JQpqJgxNkOA/QcFuQGt7igsTc4sx0iPwpRkUpcV4+kIQASCKjNA+uF5xiUjn8XzGK A70izDsDpIoHmJ7gul8BDWYCGnw/8l8o0OCSRISUVANjRPVuWZkJK94dzW29vUzVZOqLZqN7 dfpM8dNTONj+/bm6y0TW4ZPlv9cqCrmcC3pP3DLat/zcEqen09ytpP3EXpn5nVrxp371jNu6 MwQ2TWF49nyZzgvG9tyIybHt6rUPn59oXDuvkq9w6fsf1a//3Y6ob56k+HZ3vPwCyaw9QZFF BflaC1trlViKMxINtZiLihMBJdtynwwDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/ALYnHR9t4Dmm_cdtAYgcl-YGOtg>
Subject: Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 14:58:24 -0000

On 09/22/2015 07:09 AM, Rick van Rein wrote:
>> 2. The client does determine the service realm name with confidence, but
>> with the wrong case.  In this case its asks its KDC for
>> krbtgt/wrong-case-realm@LOCALREALM, and RFC 6806 does not apply.
> Ah.  My reasoning was that it would ask directly for
> imap/imap.example.com@WRONG-CASE-REALM
> and that RFC 6806 would then be applied.  I've seen such guessing,
> presumably under the hoping that the KDC will know how to link the client
> to the requested service; I've seen this behaviour on Mac OS X, which
> uses Heimdal.

Can you elaborate on the request behavior you have seen?  Specifically,
these fields:

1. The realm of the KDC-REQ-BODY
2. The sname of the Ticket inside the PA-TGS-REQ

In my experience with the Kerberos protocol, when (2) is krbtgt/X, X
always matches (1).  The MIT krb5 KDC implementation requires this, and
will reject the request with a KRB_AP_ERR_NOT_US error if they don't match.

In summary, a client never asks realm X for a service ticket in realm Y.
 If it knows it wants a service ticket in realm Y, it asks realm X for a
krbtgt/Y ticket and then asks realm Y for the service ticket.

>> RFC 4120 section 9 allows the local realm KDC to issue a
>> krbtgt/right-case-realm@LOCALREALM ticket as a "closer TGT", but a
>> current client will not take that as a case correction; instead, it will
>> stubbornly ask right-case-realm for a krbtgt/wrong-case-realm Ticket.
> You mean because it sees wrong-case-realm as different from right-case-realm
> and thinks it hasn't reached its destination, right?

Yes.

> Do you agree that the conceptual model and inefficient theoretic implementation
> is in line with what RFC 4120 prescribes, and that the case-correction is
> merely a more efficient manner of getting to the right answer?  (That would
> need some explaining in the I-D of course.)

I do not agree.  RFC 4120 says, "Before sending a request to the
ticket-granting service, the client MUST determine in which realm the
application server is believed to be registered."  It doesn't talk about
determining a set of possible realms--certainly not a combinatoric set
of 2^N possible realms where N is the number of case-varying characters.
 What you are talking about is unquestionably an extension to RFC 4120.

v2.23.0 | Report a Bug | By Email