IETF Logo Mail Archive

Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Nathaniel McCallum <npmccallum@redhat.com> Tue, 17 May 2016 20:43 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A9712DDDA for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 13:43:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level:
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-YTWCYlgxmA for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 13:43:23 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB49C12DDDD for <kitten@ietf.org>; Tue, 17 May 2016 13:43:22 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 44F717F6B0; Tue, 17 May 2016 20:43:22 +0000 (UTC)
Received: from vpn-55-135.rdu2.redhat.com (vpn-55-135.rdu2.redhat.com [10.10.55.135]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u4HKhL3i026952 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 17 May 2016 16:43:21 -0400
Message-ID: <1463517801.2432.24.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, kitten@ietf.org
Date: Tue, 17 May 2016 16:43:21 -0400
In-Reply-To: <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Tue, 17 May 2016 20:43:22 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Wdq9WdeAUKR65wMi9QcJ846Qhho>
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2016 20:43:24 -0000

On Tue, 2016-05-17 at 12:25 -0400, Jeffrey Altman wrote:
> On 5/17/2016 11:49 AM, Nathaniel McCallum wrote:
> > https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-disco
> > very
> > -02
> > 
> > I'd like to propose adoption of this draft:
> > 
> > 1. It is in the scope of the WG. This is an extension to the
> > discovery
> > methods already defined in RFC 4120.
> > 
> > 2. It is beneficial. It provides both speed improvments and
> > additional
> > functionality (discovery of MS-KKDCP proxies).
> > 
> > 3. It is small. It avoids defining new: DNS names, DNS semantics,
> > URIs,
> > or transport semantics. It simply combines the existing tools in a
> > fairly obvious way.
> > 
> > Thoughts?
> > 
> 
> Having read the draft I am totally unclear how it is implemented.
> 
>   _kerberos.REALM
> 
> is not a valid DNS URI record name.  To translate the URI
> 
>   https://host[:port][path]
> 
> to an URI record requires
> 
>  _kerberos._https.host
> 
> not
> 
>  _kerberos.host

It doesn't actually require this. It just gives examples.

> DNS URI records according to RFC 7553 work just like DNS SRV records
> in
> that they require both a service name and a protocol name.  Switching
> to
> URI records does not solve the problem of multiple DNS queries.
> 
> To find a KDC that supports https, use the DNS SRV record
> 
>   _kerberos._https.REALM

_https isn't a thing. You'd have to do something like: _http._tls._tcp.

> registering additional service types such as "kpasswd" can be done
> but
> the fact is implementations such as Heimdal already perform SRV
> lookups for
> 
>  _kpasswd,_tcp.REALM and _kpasswd._udp.REALM

At the cost of one DNS query per transport. Further, administrators
have no control over the weights or priorties between transports. My
draft provides this.

> Can you make a case for something that DNS URI records provides that
> DNS
> SRV records do not?

Yes. MS-KKDCP requires a path. SRV records cannot provide a path.

> The introduction of DNS URI records will only mean that in practice
> that
> Kerberos client libraries will need to issue the DNS URI queries in
> addition to the existing DNS SRV records.

We will need to add at least one more DNS query to support MS-KKDCP
(two if we have to treat http and https as separate queries). This is
unavoidable. While it is true that this will result in a 50% increase
in DNS queries, using my URI scheme means that a simple administrator
configuration can turn this 50% increase into a 50% decrease in queries
over the existing implementations. This is a win.

v2.23.0 | Report a Bug | By Email