Re: [kitten] Fwd: New Version Notification for draft-vanrein-dnstxt-krb1-05.txt

Greg Hudson <ghudson@mit.edu> Sat, 19 September 2015 16:06 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/TrMnJ7drLX1pLN4ZeAr3I_kRkik>

On 09/19/2015 09:13 AM, Rick van Rein wrote:
>    RFC 4120 permits a KDC to return a closer referral ticket when a
>    cross-realm TGT is requested.  This specification extends this
>    behavior when the canonicalize flag is set.  When this flag is set, a
>    KDC MAY return a TGT for a realm closer to the service for any
>    service as discussed in the previous section.  When a client follows
>    such a referral, it includes the realm of the referred-to realm in
>    the generated request.
>    [Section 9 of RFC6806]
> 
> This can be used to change a request with a different case that is
> considered an alias to one that has the case that we want.  Clients
> would need to treat this as a change to another realm, due to their
> case-insensitive treatment of realm names.  Effectively, the case would
> be changed to the case as known to the KDC.

This reasoning isn't correct.  There are two scenarios:

1. The client can't determine the service realm name with confidence (it
doesn't implement PTR lookups, or can't do secure DNS resolution because
of a restrictive network element, or whatever).  In this case, it asks
its local KDC for a service ticket (making a TGS query to
serviceprinc@LOCALREALM) with no conception of what the target realm
should be.  The KDC can issue an RFC 6806 referral to whatever realm it
wants.  Case correction doesn't even enter the picture from the Kerberos
protocol perspective, since the client has no realm name to correct.

2. The client does determine the service realm name with confidence, but
with the wrong case.  In this case it asks its KDC for
krbtgt/wrong-case-realm@LOCALREALM, and RFC 6806 does not apply.  RFC
4120 section 9 allows the local realm KDC to issue a
krbtgt/right-case-realm@LOCALREALM ticket as a "closer TGT", but a
current client will not take that as a case correction; instead, it will
stubbornly ask right-case-realm for a krbtgt/wrong-case-realm ticket.

We can certainly require that clients which implement PTR realm lookup
also treat krbtgt/case-variant-realm replies as case corrections rather
than referrals.  But that needs to be treated as a protocol extension
and an update to RFC 4120.  In MIT krb5 there are some API and caching
considerations for this new client behavior, though they may be manageable.
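A small simulation of the two client behaviours compared in scenario 2, added here as an illustration; it is a constructed model, not MIT krb5 code or text from the draft, and the KDC table, realm names and the hop limit are assumptions.

```python
# Constructed KDC table (assumption): realm -> realms it holds a cross-realm
# krbtgt key for.  A real KDC would consult its principal database.
KDCS = {
    "LOCALREALM": {"EXAMPLE.COM"},
    "EXAMPLE.COM": set(),
}

def split_princ(princ):
    """Split 'krbtgt/INSTANCE@REALM' into (instance, realm)."""
    name, realm = princ.split("@", 1)
    service, instance = name.split("/", 1)
    assert service == "krbtgt"
    return instance, realm

def kdc_tgs(kdc_realm, requested):
    """Simulated TGS exchange.  The KDC matches the requested realm name
    case-insensitively (the alias treatment quoted above) and replies with
    a krbtgt ticket naming the realm in the case it knows, or None if it
    knows no such realm."""
    instance, _ = split_princ(requested)
    for known in {kdc_realm} | KDCS[kdc_realm]:
        if known.lower() == instance.lower():
            return "krbtgt/%s@%s" % (known, kdc_realm)
    return None

def walk(client_realm, target_realm, case_correct, max_hops=5):
    """Client side: follow closer-TGT replies from client_realm toward
    target_realm.  Returns (realm of the TGT finally obtained, list of
    replies seen); the realm is None when the client gives up.
    case_correct=False is a current client (a reply naming a realm that
    differs from target_realm is always a referral); case_correct=True is
    the proposed extension (a case-variant reply is a case correction)."""
    ask_realm, visited, hops = client_realm, set(), []
    for _ in range(max_hops):
        visited.add(ask_realm)
        reply = kdc_tgs(ask_realm, "krbtgt/%s@%s" % (target_realm, ask_realm))
        hops.append(reply)
        if reply is None:
            return None, hops
        instance, _ = split_princ(reply)
        if instance == target_realm:
            return instance, hops      # exact TGT for the target: done
        if case_correct and instance.lower() == target_realm.lower():
            return instance, hops      # adopt the KDC's case: done
        if instance in visited:
            return None, hops          # referral loop: give up
        ask_realm = instance           # treat the reply as a referral
    return None, hops
```

With a wrong-case target, the current client is referred to EXAMPLE.COM, asks it again for krbtgt/example.com, gets the same answer and detects the loop; the extended client accepts the first reply as a corrected realm name.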