IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Sat, 18 February 2023 02:31 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F9EFC15DD44 for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 18:31:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-WFo5LdEMiz for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 18:31:28 -0800 (PST)
Received: from fossa.birch.relay.mailchannels.net (fossa.birch.relay.mailchannels.net [23.83.209.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7AE3C15C533 for <kitten@ietf.org>; Fri, 17 Feb 2023 18:31:27 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 20E0541100; Sat, 18 Feb 2023 02:31:27 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 77D9C413BD; Sat, 18 Feb 2023 02:31:26 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1676687486; a=rsa-sha256; cv=none; b=axsSz761MNxIRJiII5ce9J1R65aI/JvJDPdQpw8PWs/+IJdn1qSMFARXNqgHUptmGXee3J e7Dxfols3QM2tGyHjN9KTOkbtrC9gnlb2D/8qmEvKs5+RE9iI0/F5IzYH/+MxWL6EaTUbp ZcqXtHypSNw8iz4pjJ3ecZSUX5lXYjkPmCJr8PB3ai5T8Lk+M17BAu3lDqMGKvxRATXVUX zuyd3HmLq+MInN1UYJgMsvZaAQhbUPb+kLTar6ShEbJWn/PV2gjQ+CTBnrjcNl35DmBM1v JoP9G0FKcg9rBg5homdfT2hmHpFnCAvOTBHq4+Zhgw+xXQkN7kG5Jp1T7mGt3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1676687486; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=nP2bObqeYxyki1lMq4YncqHiopdD5PEvjS44GBRZi54=; b=boDQmzU3p55D1Ko3TnC0LnVgA4IZUWTKQ+gcfaA13Y8IZJ0z8b/cTUWhGO/CY0NjAsqXe1 OOIqiYkyyGspVq50Y158PrDGv7UY6+VfwcVgyTuay6Z8OirWah0LtnrTKPL//UXzqfyMER SY8e2yI1OLFOXonNgukKXecnPz0zFfv6YUV9nXyy0GWKq/b6ZeCqMO120aleyWWZkB4yqc WIjyfMEcKLdsix3ryuOcfUWu6agIDRCiOX2InA4Vkr071SCO9zFXlBQOgFFHaZvh4hUB1X fFvkGU4B2ZpwJFdfr6tVUlmJEdIqZQFOuPIPrfp33Xln+m80gwe/Vi+ryt4Xbw==
ARC-Authentication-Results: i=1; rspamd-9788b98bc-ww4zp; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Callous-Whistle: 4a40a2953f5d7929_1676687486753_3318425467
X-MC-Loop-Signature: 1676687486753:83767279
X-MC-Ingress-Time: 1676687486752
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.97.48.87 (trex/6.7.1); Sat, 18 Feb 2023 02:31:26 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PJXk50VSQzFM; Fri, 17 Feb 2023 18:31:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1676687485; bh=nP2bObqeYxyki1lMq4YncqHiopdD5PEvjS44GBRZi54=; h=Date:From:To:Cc:Subject:Content-Type; b=eYhrLZyjqxRwQipAG6PI66h5dA9r0K/pTzLgTgfV5lZvT4mJfbWl6cptZ0sOPhFqf NEc7El3DfIg5eVLg3p3raAzc7hvZCvlboEceUE2xUzVY8W3/SjdUtz9Xj+rO90QnWW 1rqqR9LpidSX9n6MWJutXiRzJTqXVrKZF8DcOvAQDf8Nf9KhCnGiQntCPXwnhBkNKe p1Zd6lOYKPYqU0CJeuF5huH7KCjxkH1WZVqJ7QTl3tCAC7OOwtt3PKl4AXldYYZCHG Nt2w7++0fXdAOt5OAD3Y7VjOfLqqNhxFblamYUfbW+sOfkstIe7fo/j2SrtHFuYsao iSja1h3Kd2agw==
Date: Fri, 17 Feb 2023 20:31:22 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/A4eirujnDjO+46@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/AamL5pPJW1sYrv@gmail.com> <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/YvSlfNtC5yo9__TC3fTD90TkeFs>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2023 02:31:33 -0000

On Sat, Feb 18, 2023 at 12:50:57AM +0000, Steve Syfuhs (AP) wrote:
> The rest is a mix of null target name, SPN unknown, local accounts,
> and IP targets. Harcoding is honestly the most painful one.

Oof.

For the first two one might imagine having an extension where the
initiator asks the acceptor what its name is, but, ugh, that would just
paper over an important problem so best not to.  You might just have to
break those apps in order to get rid of NTLM.

> Our plan for dealing with the failure scenario you mention below is
> through a mechanism we're referring to as 'late fallback' where we
> stuff a sentry OID in the mech list. If both initiator and acceptor
> SPNego libraries understand what that OID is, it'll treat it as a
> signal that both parties know that failures at any stage of the
> exchange can trigger a move to the next mech. [...]

The failure in question is an early failure, before the NegTokenInit is
sent.  A sentinel OID couldn't help.  It goes like this:

 - The SPNEGO initiator looks over the mechanisms the app wants (or all
   of them) in a local order of preference, then it picks the first one
   for which GSS_Init_sec_context() succeeds.

 - Typically krb5 is first in the list, and if krb5's initSecContext()
   fails, then the SPNEGO initiator goes on to the next item.

 - Now if krb5 fails with service principal unknown (so we have line of
   sight) then SPNEGO ends up trying IAKERB, well, IAKERB's
   initSecContext() will return CONTINUE_NEEDED the first time, then
   later will fail because... the service principal is still unknown.

 - So now instead of failing immediately with a useful error that users
   are accustomed to we fail after at least one round trip and possibly
   with a more obscure error.

The fix I'm proposing now (as opposed to then[*]) is that SPNEGO could
assume that if krb5 failed with service principal unknown, then don't
bother trying IAKERB.  This is a purely local fix to the SPNEGO
initiator; no protocol changes -not even a sentinel OID- are needed.

> That doesn't cover the single-shot protocols. At this stage of our
> adventure our answer is to block them from using IAKerb by target name
> and service class. If admins really care, they can change the
> opt-in/opt-out rules.

What's a "single-shot protocol"?

Nico
--

v2.23.0 | Report a Bug | By Email