Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Wed, 22 February 2023 19:16 UTC

Date: Wed, 22 Feb 2023 13:15:34 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/Zp1qBNOUU6M02C@gmail.com>
References: <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/WWjumkyhEjMvda@gmail.com> <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/ZlP9gD0eyZP90T@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Y/ZlP9gD0eyZP90T@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/JEOpP2Sdrciki6wyy_0ecdTzWVI>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

On Wed, Feb 22, 2023 at 12:55:59PM -0600, Nico Williams wrote:
> Ok, I'll have to look into whether we have to special case certain
> errors in TGS-REQ exchanges and retry in those cases.  This could be
> complicated since we might have to purge ccache entries and then retry
> from the top rather than retry the current TGS-REQ.

KRB-AP-ERR-BADKEYVER is special-cased in neither MIT's nor Heimdal's
TGS client, and I expect this to be one of the errors that would have to
be.

The other one that would have to be special cased would be
KRB-AP-ERR-BAD-INTEGRITY, but this one aliases other error conditions
too, so it doesn't seem great to special-case it in the TGS client...
But I guess we'll have to.  

Note that if the realm's KDCs don't do key history and there's
replication latency then one can retry and fail anyways because there
has to be a limit on retries and one can keep getting unlucky.

Nico
--
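As an added illustration of the retry policy discussed in this message (constructed example code, not MIT, Heimdal or Windows code, and not part of the original post): a simulated Kerberos client that special-cases KRB-AP-ERR-BADKEYVER and KRB-AP-ERR-BAD-INTEGRITY by purging the cached ticket and retrying from the top with a bounded retry count. The two scenarios show why key history on the accepting side makes the stale-replica case harmless, while without key history a client can exhaust its retries if it keeps hitting a replica that has not yet received the new key. The KDC pool, the `AppServer`/`Replica`/`Client` classes, the deterministic replica-selection schedule and the `authenticate` and `scenario` functions are assumptions of this example; the two error-code values are the ones assigned in RFC 4120 section 7.5.9.

```python
"""Simulated TGS retry policy around key rollover (constructed example).

A client obtains service tickets from a pool of KDC replicas. Some replicas
lag behind replication and still hold the previous service key (kvno), so a
ticket they mint is encrypted under the old key and the peer rejects it. The
client treats that rejection as retryable: it drops the cached ticket and
starts over, but only up to a fixed limit.
"""
from dataclasses import dataclass, field

# Kerberos error codes from RFC 4120 section 7.5.9.
KRB_AP_ERR_BAD_INTEGRITY = 31
KRB_AP_ERR_BADKEYVER = 44

# Errors after which the client purges the ccache entry and retries.
# BAD-INTEGRITY also covers unrelated failures (corruption, wrong key for
# other reasons), which is exactly why the retry count must be bounded.
RETRYABLE_AFTER_PURGE = {KRB_AP_ERR_BADKEYVER, KRB_AP_ERR_BAD_INTEGRITY}


@dataclass
class Ticket:
    service: str
    kvno: int  # key version the ticket is encrypted under


@dataclass
class Replica:
    """One KDC replica with its current view of each service's kvno."""
    name: str
    service_kvno: dict


@dataclass
class AppServer:
    """The accepting side: current key plus optional key history."""
    current_kvno: int
    key_history: set = field(default_factory=set)

    def accept(self, ticket):
        """Return None on success or a Kerberos error code."""
        if ticket.kvno == self.current_kvno or ticket.kvno in self.key_history:
            return None
        return KRB_AP_ERR_BADKEYVER


@dataclass
class Client:
    replicas: list
    schedule: list            # constructed order of replica indices to contact
    ccache: dict = field(default_factory=dict)
    _next: int = 0

    def tgs_req(self, service):
        """Return a cached ticket, or fetch one from the next scheduled KDC."""
        if service in self.ccache:
            return self.ccache[service]
        kdc = self.replicas[self.schedule[self._next]]
        self._next += 1
        ticket = Ticket(service, kdc.service_kvno[service])
        self.ccache[service] = ticket
        return ticket


def authenticate(client, server, service, max_retries):
    """Try to authenticate; return (ok, attempts, last_error).

    On a retryable error the cached ticket is purged so the next attempt goes
    back to the KDC pool rather than re-presenting the same stale ticket.
    """
    attempts = 0
    err = None
    while attempts <= max_retries:
        attempts += 1
        ticket = client.tgs_req(service)
        err = server.accept(ticket)
        if err is None:
            return True, attempts, None
        if err not in RETRYABLE_AFTER_PURGE:
            break
        client.ccache.pop(service, None)
    return False, attempts, err


def scenario(key_history, schedule, max_retries=2):
    """kdc1 has the new key (kvno 5); kdc2 is a lagging replica (kvno 4)."""
    replicas = [Replica("kdc1", {"host/app": 5}), Replica("kdc2", {"host/app": 4})]
    server = AppServer(current_kvno=5, key_history={4} if key_history else set())
    client = Client(replicas, schedule=list(schedule))
    return authenticate(client, server, "host/app", max_retries)


if __name__ == "__main__":
    print("key history, stale replica:     ", scenario(True, [1, 1, 1]))
    print("no history, one stale then good:", scenario(False, [1, 0]))
    print("no history, always unlucky:     ", scenario(False, [1, 1, 1, 1]))
```

With key history the stale ticket is simply accepted and no retry happens; without it the client recovers only when a later attempt lands on an up-to-date replica, and a run of unlucky picks exhausts the retry budget and surfaces KRB-AP-ERR-BADKEYVER to the caller.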