Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
Nathaniel McCallum <npmccallum@redhat.com> Thu, 19 May 2016 16:28 UTC
Message-ID: <1463675293.31173.25.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>, Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Thu, 19 May 2016 12:28:13 -0400
In-Reply-To: <20160519161004.GA19530@localhost>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com> <20160519161004.GA19530@localhost>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/F5ZptjaBgOpmdLa9i87-m1UCgSs>
Cc: kitten@ietf.org
On Thu, 2016-05-19 at 11:10 -0500, Nico Williams wrote:
> On Tue, May 17, 2016 at 12:25:10PM -0400, Jeffrey Altman wrote:
> > On 5/17/2016 11:49 AM, Nathaniel McCallum wrote:
> > > https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-02
> > >
> > > I'd like to propose adoption of this draft:
> > >
> > > 1. It is in the scope of the WG. This is an extension to the discovery
> > > methods already defined in RFC 4120.
> > >
> > > 2. It is beneficial. It provides both speed improvements and additional
> > > functionality (discovery of MS-KKDCP proxies).
> > >
> > > 3. It is small. It avoids defining new: DNS names, DNS semantics, URIs,
> > > or transport semantics. It simply combines the existing tools in a
> > > fairly obvious way.
> > >
> > > Thoughts?
> >
> > Having read the draft I am totally unclear how it is implemented.
> >
> > _kerberos.REALM
> >
> > is not a valid DNS URI record name. To translate the URI
>
> RFC7553 is Informational. Clearly it's the most authoritative when
> describing the URI RR type's RDATA and their semantics. But as for the
> RRset names, I think it's mistaken, and anyways, it's Informational
> (though it once aimed for Proposed Standard; we might want to find out
> why it ended up being Informational).

I have already inquired. I was informed that the change was made simply
for the reason that all DNS RR type definitions are informational. To
avoid a downreference, I was advised to reference IANA instead of the
RFC: http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml

> > https://host[:port][path]
> >
> > to an URI record requires
> >
> > _kerberos._https.host
> >
> > [...]
>
> Problems with this:
>
> a) if we're going to be pedantic, _https is not the sort of protocol
>    intended to go there (protocols running over IP are, so _tcp, _udp,
>    _sctp, ...);
>
> b) plus we have *two* HTTP-based protocols, so how would we indicate
>    which protocol to use?
>
> c) every additional transport for the KDC exchanges adds a (serial, as
>    implemented) DNS lookup for the clients -- this is a performance
>    disaster.
>
> (c) is fatal. We really need _kerberos.<REALM's domainname>. as the
> QName and, therefore, the RRset name. One question, one answer set.
>
> And if we're going to use URI, then we'll need a 'krbtgt' URI scheme by
> which to express the four protocols we have (raw over TCP, raw over UDP,
> HTTP MSFT-style, and HTTP Heimdal-style:
>
>   krbtgt:<host>[:<port>]#proto=tcp
>   krbtgt:<host>[:<port>]#proto=udp
>   krbtgt:http[s]://<host>[:port][/path]#style=POST
>   krbtgt:http[s]://<host>[:port][/path]#style=GET
>
> Or any variant of that that you might like, such as:
>
>   krbtgttcp:<host>[:<port>]
>   krbtgtudp:<host>[:<port>]
>   krbtgtpost:http[s]://<host>[:port][/path]
>   krbtgtget:http[s]://<host>[:port][/path]

One reason to avoid "krbtgt" is that we are actually defining transport
mechanisms for multiple protocols: kerberos and kpasswd, at a minimum. I
suspect implementors will extract this to additional protocols. But in
general, I don't care what the actual URIs look like.

As you may have hinted, it may be worth considering implementing a URI
for Heimdal's proxy. I left it off the current draft since there is no
protocol definition; just some code.
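The point Nico makes in (c), and the "one question, one answer set" alternative, can be seen in code: a single URI RRset at _kerberos.<realm> carries every transport the realm offers, so the client issues one DNS query and then ranks the answers locally instead of doing one serial SRV lookup per transport. The following is an added example written for this page, not code from the draft, from MIT krb5 or Heimdal, or from any message in the thread. The RDATA layout (16-bit priority, 16-bit weight, the rest of the RDATA as the target) is the one RFC 7553 defines; the krbtgt:... URI forms are the sketch from Nico's message above and are not a registered scheme. The sample RRset is constructed, the default port 88 comes from RFC 4120, and the fixed priority-then-weight ordering is a simplification of the weighted random selection a real client would do within a priority level.

```python
"""Client-side handling of a URI RRset at _kerberos.<REALM>.

Added example for this discussion; not the draft's or any
implementation's code.  RDATA layout per RFC 7553 section 4; the
krbtgt: URI forms are Nico Williams' sketch, assumed here, not a
registered scheme.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

KRB_DEFAULT_PORT = 88  # RFC 4120 default for raw TCP/UDP KDC traffic


@dataclass(frozen=True)
class UriRR:
    priority: int
    weight: int
    target: str


def parse_uri_rdata(rdata: bytes) -> UriRR:
    """Decode one URI RR's RDATA: priority (u16), weight (u16), target (rest)."""
    if len(rdata) < 5:  # 4 octets of priority/weight plus a non-empty target
        raise ValueError("URI RDATA too short")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return UriRR(priority, weight, rdata[4:].decode("utf-8"))


def encode_uri_rdata(priority: int, weight: int, target: str) -> bytes:
    """Inverse of parse_uri_rdata; used here only to build the sample answer."""
    return struct.pack("!HH", priority, weight) + target.encode("utf-8")


@dataclass(frozen=True)
class KdcEndpoint:
    transport: str  # "tcp", "udp", "https-post", "https-get", "http-post", "http-get"
    host: str
    port: int
    path: Optional[str] = None


def parse_krbtgt_uri(uri: str) -> KdcEndpoint:
    """Parse the sketched krbtgt:<target>#<params> form into an endpoint."""
    scheme, _, rest = uri.partition(":")
    if scheme != "krbtgt":
        raise ValueError(f"unsupported scheme {scheme!r}")
    body, _, fragment = rest.partition("#")
    params = dict(kv.split("=", 1) for kv in fragment.split("&") if kv)
    if body.startswith(("http://", "https://")):
        parts = urlsplit(body)
        style = params.get("style")
        if style not in ("POST", "GET") or not parts.hostname:
            raise ValueError("HTTP transport needs a host and style=POST or style=GET")
        default_port = 443 if parts.scheme == "https" else 80
        return KdcEndpoint(f"{parts.scheme}-{style.lower()}", parts.hostname,
                           parts.port or default_port, parts.path or "/")
    proto = params.get("proto")
    if proto not in ("tcp", "udp"):
        raise ValueError("raw transport needs proto=tcp or proto=udp")
    host, _, port = body.rpartition(":") if ":" in body else (body, "", "")
    if not host:
        raise ValueError("missing host")
    return KdcEndpoint(proto, host, int(port) if port else KRB_DEFAULT_PORT)


def select_endpoints(rrset: List[bytes]) -> List[KdcEndpoint]:
    """One query name, one answer set: decode every URI RR in the RRset and
    return usable endpoints, lowest priority first, then highest weight.
    A record whose target the client does not understand is skipped, so an
    unknown scheme added later does not break older clients."""
    ranked = []
    for rdata in rrset:
        rr = parse_uri_rdata(rdata)
        try:
            ep = parse_krbtgt_uri(rr.target)
        except ValueError:
            continue
        ranked.append((rr.priority, -rr.weight, ep))
    ranked.sort(key=lambda t: (t[0], t[1]))
    return [ep for _, _, ep in ranked]


# Constructed sample answer for _kerberos.EXAMPLE.COM (not real DNS data).
SAMPLE_RRSET = [
    encode_uri_rdata(10, 50, "krbtgt:kdc1.example.com:88#proto=udp"),
    encode_uri_rdata(10, 100, "krbtgt:kdc1.example.com#proto=tcp"),
    encode_uri_rdata(20, 10, "krbtgt:https://kdc-proxy.example.com/KdcProxy#style=POST"),
    encode_uri_rdata(30, 10, "krbtgt:https://kdc-proxy.example.com:8443/kkdcp#style=GET"),
    encode_uri_rdata(40, 10, "unknown:whatever"),  # skipped by an older client
]

if __name__ == "__main__":
    for ep in select_endpoints(SAMPLE_RRSET):
        print(ep)
```

Nothing here needs a second query: the raw TCP and UDP endpoints, the MS-KKDCP-style POST proxy and the GET-style proxy all come out of the one RRset, which is exactly what the _kerberos._https.host layout would split into separate lookups.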