IETF Logo Mail Archive

Re: [kitten] draft-ietf-kitten-rfc5653bis-02 review

Thomas Maslen <Thomas.Maslen@software.dell.com> Wed, 11 February 2015 19:34 UTC

Return-Path: <Thomas.Maslen@software.dell.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BC7F1A8ABF for <kitten@ietfa.amsl.com>; Wed, 11 Feb 2015 11:34:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YFS-NCwe0x1v for <kitten@ietfa.amsl.com>; Wed, 11 Feb 2015 11:34:08 -0800 (PST)
Received: from amersmtp2.software.dell.com (amersmtp2.software.dell.com [12.106.87.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0764D1A1A13 for <kitten@ietf.org>; Wed, 11 Feb 2015 11:34:07 -0800 (PST)
Received: from amersmtp2.software.dell.com (127.0.0.1) id hrenb00171s3 for <kitten@ietf.org>; Wed, 11 Feb 2015 11:34:07 -0800 (envelope-from <Thomas.Maslen@software.dell.com>)
Received: from ALVHTXW02.prod.quest.corp ([10.1.135.18]) by amersmtp2.software.dell.com (SonicWALL 8.0.7.2831) with ESMTPS (version=TLSv1 cipher=AES128-SHA bits=128/128) id 201502111934070239357; Wed, 11 Feb 2015 11:34:07 -0800
Received: from ALVMBXW02.prod.quest.corp ([fe80::b862:2ecd:1237:d875]) by ALVHTXW02.prod.quest.corp ([::1]) with mapi id 14.03.0224.002; Wed, 11 Feb 2015 11:34:06 -0800
From: Thomas Maslen <Thomas.Maslen@software.dell.com>
To: Greg Hudson <ghudson@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] draft-ietf-kitten-rfc5653bis-02 review
Thread-Index: AQHQRZiqtINAbwvb/kCw227JtWH+lJzsK9KA//+g7yU=
Date: Wed, 11 Feb 2015 19:34:06 +0000
Message-ID: <D5847DD823005F4E9DB94FE77DCEDF68319E5F90@ALVMBXW02.prod.quest.corp>
References: <D5847DD823005F4E9DB94FE77DCEDF68319E4B4C@ALVMBXW02.prod.quest.corp>, <54DB8453.4060607@mit.edu>
In-Reply-To: <54DB8453.4060607@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.104.156]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mlf-Version: 8.0.7.2831
X-Mlf-UniqueId: o201502111934070239357
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/JIEYJGV9cCK4AoY6g2rIArqpD3E>
Subject: Re: [kitten] draft-ietf-kitten-rfc5653bis-02 review
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 19:34:11 -0000

On 11 Feb 2015 11:33:23 -0500, Greg Hudson wrote:
> [...]
> I am having trouble reconciling these statements.
> 
> The issue with token framing is not just an issue with the wording in
> the RFC; it calls into question the whole mode of operation.  An
> implementation of init/accept_sec_context cannot know how much data to
> read from the input stream in order to read a token, since GSS tokens do
> not necessarily have self-describing lengths.  The only way this can
> really work is if the application cooperates by creating a single-use
> input stream which ends at the end of the token.

Yes but no:

I agree that the application must create a single-use input stream which ends at the end of the token.

But you can do that without having to read and buffer the token.

It's easy enough to write a new subclass (I may as well call it BoundedInputStream) that takes an underlying InputStream and a length count, and produces an InputStream which lets you read that number of octets but no more (unless you go around it and get to the underlying InputStream).

This is a pretty normal sort of thing to do in Java, and it's normal enough that even JDK 1.0 had a convenience class -- http://docs.oracle.com/javase/7/docs/api/java/io/FilterInputStream.html -- that acts as a helpful base class for this sort of thing.  (The standard subclasses of FilterInputStream are mostly designed to munge the sequence of octets in the stream, not to virtualize end-of-stream, but the general approach is similar).


> Similarly, output tokens must be externally framed by the protocol.  An
> application cannot simply provide its outgoing network buffer to
> init/accept_sec_context; it must package up the data written to the
> output stream and frame it.  In effect, the output stream must be
> transformed into a byte array.

I agree that the argument is weaker for output tokens, because the majority of application protocols that convey GSS tokens probably use simple framing where the token is preceded by a length count for the entire token -- so yeah, in that case you're pretty much stuck with buffering the token in order to determine its length, so you may as well have used the byte array instead.  Hypothetically an application protocol could use a chunked encoding, e.g. ASN.1 indefinite-length or HTTP/1.1 chunking, and then you could write a subclass of java.io.FilterOutputStream that only had to buffer up to some chunk size, not the whole token...  but likely all non-hypothetical protocols that use GSS tokens just use the simple whole-token length count?

v2.23.0 | Report a Bug | By Email