IETF Logo Mail Archive

Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00

Greg Hudson <ghudson@mit.edu> Mon, 03 April 2017 16:33 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91C39129481 for <kitten@ietfa.amsl.com>; Mon, 3 Apr 2017 09:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sk6Z0i0YumK3 for <kitten@ietfa.amsl.com>; Mon, 3 Apr 2017 09:33:01 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CF6212947F for <kitten@ietf.org>; Mon, 3 Apr 2017 09:33:00 -0700 (PDT)
X-AuditID: 12074422-eefff70000003b20-ff-58e2793a96bc
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 63.24.15136.A3972E85; Mon, 3 Apr 2017 12:32:59 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v33GWvQl028036; Mon, 3 Apr 2017 12:32:58 -0400
Received: from [18.101.8.131] (vpn-18-101-8-131.mit.edu [18.101.8.131]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v33GWtFL029539 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 3 Apr 2017 12:32:56 -0400
To: Matt Rogers <mrogers@redhat.com>
References: <x7dzige39sj.fsf@equal-rites.mit.edu> <CAAeFVfwexk8THERJZ5Qm+sTB+FVMWsRSOXninGFmMWehzwiz-A@mail.gmail.com>
Cc: kitten@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <2ccb915d-4a10-1ced-d8c8-298e1aec6373@mit.edu>
Date: Mon, 03 Apr 2017 12:32:55 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CAAeFVfwexk8THERJZ5Qm+sTB+FVMWsRSOXninGFmMWehzwiz-A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrKIsWRmVeSWpSXmKPExsUixCmqrGtd+SjCYO4Ofoujm1exWNyfGOfA 5LFkyU8mj/f7rrIFMEVx2aSk5mSWpRbp2yVwZWyb+ZC94JZaRWPTYZYGxs9yXYycHBICJhKT fsxl7mLk4hASaGOSuDx7IiOEs4FRYum7qUwQzhEmiXePNzKCtAgLeEk8nrKUpYuRg0NEQEVi 7g5RkLCQQIXE8uZlzCA2s4CwxPI1Z9lAbDYBZYn1+7eClfMKWEm8u1IOEmYB6jz5ZjE7SFhU IEKi4XA6SJhXQFDi5MwnLCA2p0CgxIJZD1ghJqpL/Jl3CWq6vMT2t3OYJzAKzELSMgtJ2Swk ZQsYmVcxyqbkVunmJmbmFKcm6xYnJ+blpRbpmurlZpbopaaUbmIEhSi7i9IOxon/vA4xCnAw KvHwejg8ihBiTSwrrsw9xCjJwaQkyvtBASjEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhJcjHijH m5JYWZValA+TkuZgURLnFddojBASSE8sSc1OTS1ILYLJynBwKEnwVpYDNQoWpaanVqRl5pQg pJk4OEGG8wANfw5Sw1tckJhbnJkOkT/FqMsxZ/buN0xCLHn5ealS4rwNIEUCIEUZpXlwc8Cp JZWj+RWjONBbwrzVIFU8wLQEN+kV0BImoCVP7jwEWVKSiJCSamBcwsTP7a+55uDr/y9OOXz5 fXxfxdvW7013eoRcY5l9r/0MV9g3w/xhlZO22tW56zk6fnLc1tz2Il0k+yijNF+Ks3rXwRtK D6Z8juW458P93eaG48ZGhq4L8274elR3PvFQnCmlE8bUUVr6Ys3+gt+Hlq7Z6PNl7y+LqZ+f Slen+7kxzE9UXpynxFKckWioxVxUnAgA32XzpwgDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/BxeuoVfXzD0UjgDTidkrood7ZFg>
Subject: Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 16:33:03 -0000

On 03/30/2017 02:51 PM, Matt Rogers wrote:
>> * RFC 7553 is informational and this document is standards track, which
>>   is a down reference (see RFC 3967).  Also, RFC 7553 contains ambiguous
>>   guidance about URI records labels which some readers have interpreted
>>   as being incompatible with our use of labels.  I think at one point we
>>   received advice to reference the IANA registration of the URI record
>>   type instead of RFC; unfortunately I do not know the mechanics of that
>>   kind of reference.

> The IANA registration entry refers to RFC 7553:
> https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
> Perhaps it should just be an informative reference instead.

There is also a "completed template" in the IANA assignment:

https://www.iana.org/assignments/dns-parameters/URI/uri-completed-template

I hadn't read this before.  It says (in section E):

  The URI RR has service information encoded in its ownername.  In
  order to encode the service for a specific owner name one uses
  service parameters.  Valid service parameters used are either
  Enumservice Registrations registered by IANA, or prefixes used
  for the SRV resource record.

which seems like a slightly more restrictive statement than the one in
RFC 7553.  We may need some guidance from the chairs or ADs on the
mechanics of moving forward here.  Simply making the reference
informative doesn't seem sufficient, as the URI RR type is fundamental
to this standard.

(To be clear, I think what we're doing ought to be fine, and that it's
generally pointless to include a transport label in a URI record owner
name like one would in a SRV owner name.  The question is one of
conformance with the pre-existing standard, not practicality.)

>> * Similarly, MS-KKDCP is in the normative references section, and is not
>>   a standards-track IETF document.  It is only used as the reference in
>>   the initial contents of the transport registry, so perhaps it can just
>>   be an informative reference.
>>
> I'll make this an informative reference.

The MS-KKDCP reference is obvious controlling when using the kkdcp
transport.  Since this is just an initial transport registration, it may
be okay to use an informative reference.

>> * "REALM indicates the translation of the Kerberos realm to a DNS
>>    domain" seems to invoke some kind of translation procedure without a
>>    reference.  RFC 4120 doesn't really define any such translation
>>    procedure; it just says in section 6.1 that a realm might be in
>>    domain style with some specifics on what that means, and in section
>>    7.2.3.2 that "The realm MUST be a domain-style realm name".
>>
>>    (Section 6 has this same wording again.)
> 
> How about "..client MUST query the following URI DNS record, where
> REALM is a domain-style realm name."

I'm okay with that.

>> * The wording here seems too general.  I think we want to specifically
>>   say that URI records should be preferred over SRV records.

> How about: "Clients that support service discovery through both URI
> and SRV records SHOULD perform the URI discovery first. If no URI
> record is found, the client MAY then attempt SRV discovery."

Sure.

There is an argument for a MUST here.  DNS administrators will commonly
want to set up both URI and SRV records for a realm, and the behavior of
trying URI first may be important (e.g. if the URI record includes a
kkdcp entry).

>> * The reference here is "TBD".  Is there a plan?  Is the reference
>>   supposed to be to this RFC once a number is assigned?
>>
> 
> It should be changed to the assigned number, yes. It was suggested
> that instead of TBD we use [This Document], which I think is the
> convention for this kind of reference.

That seems okay.  There might also need to be an RFC editor guidance
section pointing out the need for a substitution there.  For instance,
in https://tools.ietf.org/html/draft-ietf-krb-wg-crypto-07 see the
"Notes to RFC Editor" section at the end.

> "The security implication of using DNS URI records is identical to
> that of using DNS for any Kerberos service or host mapping; without
> secure DNS the results can be forged.  The same precautions regarding
> the use of insecure DNS with Kerberos outlined in RFC 4120 should be
> followed."

RFC 4120 primarily talks about DNS in the context of prohibiting the use
of insecure DNS to map between service names, which is irrelevant to
this standard.

Since RFC 4120 assumes a hostile network environment (and so does RFC
3244), it is usually uninteresting whether an attacker subverts
communication via a DNS attack or a network attack.  However, we should
note in security considerations that the added security benefits of
MS-KKDCP (such as confidentiality of client and server principal names)
are eroded when using insecure DNS to discover the server URL.

v2.23.0 | Report a Bug | By Email