IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Luke Howard Bentata <lukeh@padl.com> Sat, 18 February 2023 03:18 UTC

Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F476C15C533 for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 19:18:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=padl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTxotHrLMlpK for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 19:18:44 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCE7AC1516F8 for <kitten@ietf.org>; Fri, 17 Feb 2023 19:18:44 -0800 (PST)
Received: from auth (localhost [127.0.0.1]) by us.padl.com (8.14.7/8.14.7) with ESMTP id 31I3IXGH023276 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 18 Feb 2023 03:18:38 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 us.padl.com 31I3IXGH023276
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=padl.com; s=default; t=1676690320; bh=rjNOcAT0VJivdhmetmdhCIiE375Jv8DYcZjm6iavkcw=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=wDL1UoBX3VMdTCGrwKXxg7/K2vVLWlqYqyHYFNdlcbVtpp6k9l0A+m1LCC9hBZh0w jZmIxZcjQHPTP/AJGuMMThGMUW9lK9pEtOgQarfaUwnaaBrXEyjrE3gla69ePUAPNi YH7vpHm1Ap48j+daUo7Yvf3v78w6C8JVYOjMh6hS5rdZjy+UuEnR1jCKGaLSAgpVJW EdGpi3/NGScKf7n8vG4P2QZTVVYpaqyDvoBV7jwu1oB8AKPA6ILNr4NFmd7LrOZ5xb C85KdJBQ34cRRIz6yI3EVPd14Us+UQmVkQnqVW2JZjSWad2GqqK6ZGZ5T/PBkZ0rtr tE667p8Dgd5Gg==
From: Luke Howard Bentata <lukeh@padl.com>
Message-Id: <E1A16BAA-9B3D-4D63-96F5-6DD150DB0D6F@padl.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_80022811-EC1C-4BC3-AB95-F8C299AEFF26"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Sat, 18 Feb 2023 14:18:33 +1100
In-Reply-To: <Y/A4eirujnDjO+46@gmail.com>
Cc: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>, "kitten@ietf.org" <kitten@ietf.org>
To: Nicolas Williams <nico@cryptonector.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/AamL5pPJW1sYrv@gmail.com> <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/A4eirujnDjO+46@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/LaBnsTcGSDAvwDTDWak3Tz4WTzg>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2023 03:18:49 -0000


> On 18 Feb 2023, at 1:31 pm, Nico Williams <nico@cryptonector.com> wrote:
> 
> On Sat, Feb 18, 2023 at 12:50:57AM +0000, Steve Syfuhs (AP) wrote:
>> The rest is a mix of null target name, SPN unknown, local accounts,
>> and IP targets. Harcoding is honestly the most painful one.
> 
> Oof.
> 
> For the first two one might imagine having an extension where the
> initiator asks the acceptor what its name is, but, ugh, that would just
> paper over an important problem so best not to.  You might just have to
> break those apps in order to get rid of NTLM.

Microsoft’s SPNEGO used to do this, in the case where the acceptor sent the first message (or the initiator sent an empty message).

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-spng/8e71cf53-e867-4b79-b5b5-38c92be3d472 <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-spng/8e71cf53-e867-4b79-b5b5-38c92be3d472>

> =The fix I'm proposing now (as opposed to then[*]) is that SPNEGO could
> assume that if krb5 failed with service principal unknown, then don't
> bother trying IAKERB.  This is a purely local fix to the SPNEGO
> initiator; no protocol changes -not even a sentinel OID- are needed.

You could probably avoid a special case in SPNEGO with a context option that contained the mechanisms that had been tried and their status codes, calling GSS_Set_sec_context_option() before the first call to GSS_Init_sec_context() for the fallback mechanism (and ignoring the error if it’s GSS_S_UNAVAILABLE).

Or, you know, just a special case in SPNEGO. We already have one for the 16-bit Kerberos OID.

>> That doesn't cover the single-shot protocols. At this stage of our
>> adventure our answer is to block them from using IAKerb by target name
>> and service class. If admins really care, they can change the
>> opt-in/opt-out rules.
> 
> What's a "single-shot protocol”?

I suspect half / single round trip.

— Luke

v2.23.0 | Report a Bug | By Email