Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Tue, 21 February 2023 00:31 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC788C169509 for <kitten@ietfa.amsl.com>; Mon, 20 Feb 2023 16:31:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYDpbZe9db4c for <kitten@ietfa.amsl.com>; Mon, 20 Feb 2023 16:31:12 -0800 (PST)
Received: from antelope.elm.relay.mailchannels.net (antelope.elm.relay.mailchannels.net [23.83.212.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0865C15155E for <kitten@ietf.org>; Mon, 20 Feb 2023 16:31:12 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id DD9F05415DC; Tue, 21 Feb 2023 00:31:11 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 3AC02540980; Tue, 21 Feb 2023 00:31:11 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1676939471; a=rsa-sha256; cv=none; b=TO5kYPe02wVk4lehro16rn4/gMJckL6zT7Ij5GyXoVRamVGeG9Q8ps9j+iYeVNKJBqABds s0BHW2J+SGbQzD4j+AWUM2N5n+0lJZAAF9dyex8T3xGJ2KkrkEE1epBoNHwjg+S3JVson/ iqV5Cd92Fr/+CyzTSiMPkw/8aAtVDhDw1wNaV7rmE62N1baO7v4cwPctSQGVKFh7jBDnlN YIPAUM27PKXigbT262raqdm1sVfbBvt96B7dR8OBMPyraK6/y9c1Oi96lRL28kZ6rpinZm qHw1rkSo6YgiudMMXl8SAXXpuGU/+GS8UOkHDyzugzKyOxvC9fS8RtnXW44VJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1676939471; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=G7FY7h8NhiMTbUNWQE3ELqVgaSfChX5iiL35z8Igh/M=; b=X1ExACqFl+uyps81qH4JJjyGfaTNUVim3Rgw+QcE1th77mSkVDAyrtDORaCuGwqXYdGNx2 cIASfIiS7vsLfGQnALpisjtDkWzkp+8PLEYdQAQZ37L2E4+bgPbQRc5pBcfYrUGOtS9Mwq +CJYvEwzk1k/77A9h0Ug1RY4cCoOr9r5h7Pk4Rf43DG+fyJHKFCMGp5z5LNTgqMaFvHQ5F KVTH2VFzFnm/0Sy+RNG8ALx6DLGmmuyT/XWp4LNsanspcnbukzWOF9/1IWiuqoSETvxA7z 4zex9U2XmxR30p5ZDsjTnnMfODuS+SAuMT/bYP1kQF+Yt5DGg3zYEsWbd9LPdA==
ARC-Authentication-Results: i=1; rspamd-5db48964c-747s9; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Robust-Whistle: 2075328016297bac_1676939471506_2979689380
X-MC-Loop-Signature: 1676939471506:1791402460
X-MC-Ingress-Time: 1676939471506
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.126.30.49 (trex/6.7.1); Tue, 21 Feb 2023 00:31:11 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PLKvy2hZVz3S; Mon, 20 Feb 2023 16:31:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1676939470; bh=G7FY7h8NhiMTbUNWQE3ELqVgaSfChX5iiL35z8Igh/M=; h=Date:From:To:Cc:Subject:Content-Type; b=VMKGwajYtc664wYC08d/QRZAXpLe8MTCG+syiDb7uidBW+uJrnmtgAdTzZir2pfYu XhB73+xeKJfZIjC7+3F456X5y2MGiAhjM8Fcy3VSHcu7ite8uG34PawF05CRvEYrbP bmdW8uB8TDz5bI+ayK50oE7HweHDoJbWs8XIjIZcOKC/wZcLXQvN4+iq15BwMqT4XE glsGiLLKHj754vnI5vrkbnXFhy4TiPR7Xl/GQpFWPQF8pdU4Let2kJGq1MRHH+oYqL RRhqJQsp1a0c4z37kLOidnr40OJMOaU0C9FTqehP1bhzE+hTZ+2/KUMueSpdhcRAF3 XodQUAE1+83hw==
Date: Mon, 20 Feb 2023 18:31:07 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/QQywr17yf167Tf@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/Lo+U/P9aerUgCW@gmail.com> <MW4PR21MB197022BC59E5A7CE0C6378A19CA49@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB197022BC59E5A7CE0C6378A19CA49@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/TMP1CgmcnMyb0j8cfaT7yDdtJro>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2023 00:31:17 -0000

On Mon, Feb 20, 2023 at 05:06:39PM +0000, Steve Syfuhs (AP) wrote:
> I've been tempted to rip out negative caching in Windows once or
> twice, or more reasonably reduce the lifetime and scope of the cache.
> I would consider a negative cache an anti-pattern these days until
> performance shows it's necessary. If you're getting lots of requests
> for things that don't exist, that's an indicator something is wonky,
> not that it should be ignored.

Even just a 30s NACK here would generally prevent the bug we're talking
about from biting.

You're right that a lot of requests for principals that don't exist is
indicative of something wacky, and I've had occasion to deal with such
things from load spikes on KDCs rather than from user/dev complaints on
the client side.  NACK caching would have made the load spikes much more
tolerable, but then, the load spikes helped us find a very broken
application so we could get it fixed.

So I'm very mixed on NACK caching, but even just an in-process or
thread-local NACK cache would make the particular IAKERB problem easy
to fix.

Nico
--
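The message above argues that a short-lived (about 30s), in-process or thread-local negative cache would be enough to blunt a client that keeps re-requesting a principal the KDC has just said does not exist, without the wider drawbacks of a long-lived global negative cache. The following is an added illustration of that pattern, not code from this thread, from Windows or from any Kerberos implementation. The `NegativeCache` class, the `simulate` scenario, the principal names, the realm `EXAMPLE.COM` and the fake backend are all constructed for the example; a real implementation would sit in front of the KDC lookup path and would key on whatever the lookup is keyed on.

```python
import threading
import time
from typing import Callable, Dict, Optional

# Hypothetical thread-local "NACK" cache with a short TTL (added example).
class NegativeCache:
    """Remember principals a lookup has recently reported as non-existent.

    A tight retry loop is answered from the cache instead of hitting the KDC,
    but entries expire after `ttl` seconds, so a principal created later is
    found again. The table is thread-local, which bounds the blast radius of
    a stale "does not exist" answer to the thread that observed it.
    """

    def __init__(self, ttl: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl
        self._clock = clock          # injectable for deterministic testing
        self._local = threading.local()
        self.suppressed = 0          # lookups answered from the NACK cache
        self.lookups = 0             # lookups that went to the backend

    def _table(self) -> Dict[str, float]:
        if not hasattr(self._local, "nack"):
            self._local.nack = {}    # principal -> expiry time
        return self._local.nack

    def is_nacked(self, principal: str) -> bool:
        table = self._table()
        expires = table.get(principal)
        if expires is None:
            return False
        if expires <= self._clock():  # expired: drop it and ask again
            del table[principal]
            return False
        return True

    def record_miss(self, principal: str) -> None:
        self._table()[principal] = self._clock() + self._ttl

    def lookup(self, principal: str,
               backend: Callable[[str], Optional[str]]) -> Optional[str]:
        """Resolve via `backend`, short-circuiting recent negative answers."""
        if self.is_nacked(principal):
            self.suppressed += 1
            return None
        self.lookups += 1
        result = backend(principal)
        if result is None:
            self.record_miss(principal)
        return result


def simulate(ttl: float = 30.0) -> dict:
    """Constructed scenario: a misbehaving client retries a lookup for a
    principal that does not exist ten times within one second, the principal
    is then created, and the client tries again before and after the TTL."""
    now = [1000.0]                               # fake monotonic clock
    clock = lambda: now[0]
    known = {"host/app1.example.com@EXAMPLE.COM"}  # constructed sample data
    backend_calls = []

    def backend(name: str) -> Optional[str]:     # stand-in for the KDC query
        backend_calls.append(name)
        return "ticket-for-" + name if name in known else None

    cache = NegativeCache(ttl=ttl, clock=clock)
    missing = "host/app2.example.com@EXAMPLE.COM"
    for _ in range(10):
        cache.lookup(missing, backend)
        now[0] += 0.1
    calls_during_burst = len(backend_calls)       # only the first one hits

    known.add(missing)                            # operator creates it
    stale_answer = cache.lookup(missing, backend)  # still inside the TTL
    now[0] += ttl                                 # TTL elapses
    fresh_answer = cache.lookup(missing, backend)  # NACK expired, found
    return {
        "backend_calls_during_burst": calls_during_burst,
        "suppressed": cache.suppressed,
        "stale_answer": stale_answer,
        "fresh_answer": fresh_answer,
    }


def nack_visible_in_other_thread(cache: NegativeCache, principal: str) -> bool:
    """Report whether a NACK recorded in this thread is seen by another thread.
    With a thread-local table it is not, which is the scoping the cache relies on."""
    seen = []
    t = threading.Thread(target=lambda: seen.append(cache.is_nacked(principal)))
    t.start()
    t.join()
    return seen[0]


if __name__ == "__main__":
    print(simulate())
```

The trade-off discussed in the thread shows up directly in `simulate`: during the burst the backend is queried once instead of ten times, but for the remainder of the TTL the cache also keeps reporting "does not exist" for a principal that now exists, which is why the TTL has to stay short and the scope narrow.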