domain-based service names redux
Peter Saint-Andre <stpeter@jabber.org> Mon, 11 June 2007 22:40 UTC
Return-path: <kitten-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HxsZ0-0005hu-Ob; Mon, 11 Jun 2007 18:40:42 -0400
Received: from kitten by megatron.ietf.org with local (Exim 4.43) id 1HxsYz-0005dc-Ok for kitten-confirm+ok@megatron.ietf.org; Mon, 11 Jun 2007 18:40:41 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HxsYz-0005cP-EO for kitten@ietf.org; Mon, 11 Jun 2007 18:40:41 -0400
Received: from dencfw1.jabber.com ([207.182.164.5] helo=roundabout.local) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HxsYv-0002SW-Rx; Mon, 11 Jun 2007 18:40:41 -0400
Received: from roundabout.local (localhost [127.0.0.1]) by roundabout.local (Postfix) with ESMTP id 43A7761DC3E; Mon, 11 Jun 2007 16:42:03 -0600 (MDT)
Message-ID: <466DCFBA.9020001@jabber.org>
Date: Mon, 11 Jun 2007 16:42:02 -0600
From: Peter Saint-Andre <stpeter@jabber.org>
Organization: XMPP Standards Foundation
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: kitten@ietf.org
Jabber-ID: stpeter@jabber.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: f60fbf3dbcaca652b6d10036f0630412
Cc: jhildebrand@jabber.com, linuxwolf@outer-planes.net, sasl@ietf.org
Subject: domain-based service names redux
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1596761288=="
Errors-To: kitten-bounces@lists.ietf.org
Warning: I am far from a Kerberos or SASL expert, and this email mostly channels feedback from several XMPP developers (cc'd on this message, also cc'ing sasl@ietf.org). My apologies for any inaccuracies. That said... I'm working to understand if draft-ietf-kitten-gssapi-domain-based-names and draft-ietf-kitten-krb5-gssapi-domain-based-names solve a problem we're having in the XMPP community. As you may know, XMPP (RFC 3920) essentially streams XML over a long-lived TCP connection. Large XMPP deployments tend to require tens of thousands of TCP connections (or more) from clients to a server, with the result that they are often architected with multiple connection managers (perhaps one CM per 10k clients) hooked into a core router. Client connections to the connection managers are often managed through a front-end load balancer. We can visualize as follows (where "CM" is a connection manager and "C" is a client): XMPP ROUTER / | \ CM CM CM \ | / LOAD BALANCER / | \ C C C (Such a solution *could* be managed via SRV, but in practice that is not feasible for some large XMPP deployments.) The problem is that a client doesn't know which CM it has connected to (e.g., cm6.example.com), since that information is hidden by the load balancer in the middle (all clients appear to be connected to the IP address of the load balancer). For non-Kerberos deployments that doesn't matter, but it does matter for Kerberos deployments since a client needs to know the address of its service. My understanding of draft-ietf-kitten-gssapi-domain-based-names is that it should be possible to name a CM in such a deployment as a GSS_C_NT_DOMAINBASED_SERVICE name like so: xmpp@example.com@cm6.example.com Where the form is "service@domain@hostname". In the context of the Kerberos 5 GSS-API mechanism, that would result in a principal name of: xmpp/cm6.example.com/example.com Based on my reading of RFC 4752, I assume that in a SASL exchange using the GSSAPI mechanism, the client can replace GSS_C_NT_HOSTBASED_SERVICE with GSS_C_NT_DOMAINBASED_SERVICE in the following operation (Section 3.1 of RFC 4752): The client calls GSS_Init_sec_context, passing in input_context_handle of 0 (initially), mech_type of the Kerberos V5 GSS-API mechanism [KRB5GSS], chan_binding of NULL, and targ_name equal to output_name from GSS_Import_Name called with input_name_type of GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of "service@hostname" where "service" is the service name specified in the protocol's profile, and "hostname" is the fully qualified host name of the server. Where the asterisk refers to the following note: (*) Clients MAY use name types other than GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but only when they have a priori knowledge that the servers support alternate name types. Otherwise clients MUST use GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names. It is less clear to me how this service name should be communicated to the XMPP client. Currently in some XMPP implementations the Service Principal Name of the connection manager is returned to the client from the CM after the TCP connection is made (typically after TLS has been negotiated): http://mail.jabber.org/pipermail/xmppwg/2006-April/002379.html This is a mere assertion, but no one in the XMPP community has yet figured out a better method for communicating the CM's name to the client (at least in a way that is deployable in existing organizational environments). Would the use of the GSS_C_NT_DOMAINBASED_SERVICE name provide information that is stronger than a mere assertion by the CM? My reading of draft-ietf-kitten-gssapi-domain-based-names indicates that the "hostname" portion of the GSS_C_NT_DOMAINBASED_SERVICE name may be obtained via insecure service discovery mechanisms (DNS SRV is mentioned) as long as the service and domain are obtained in a secure fashion. Would communication of the GSS_C_NT_DOMAINBASED_SERVICE name after TLS negotiation with the service is complete qualify as obtaining the service and domain in a secure fashion? It seems to me that before TLS is negotiated, communication of the GSS_C_NT_DOMAINBASED_SERVICE name from the CM to the client would indeed be a mere assertion, but that after TLS is negotiated between the XMPP client and server, the client has securely verified the identity of the XMPP server (e.g., the combination of service name "xmpp" and domain name "example.com") and therefore can accept the hostname asserted by the connection manager. (Naturally, that hostname might also be discoverable via SRV through resolution of "_xmpp-client._tcp.example.com.".) If that is right, then the CM could legitimately communicate something like the following to the client after they complete the TLS negotiation (line breaks included for readability only): <stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism GSS_C_NT_DOMAINBASED_SERVICE='xmpp@example.com@cm6.example.com'> GSSAPI </mechanism> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> </mechanisms> </stream:features> I freely admit that I may be mistaken, so suggestions from folks in the KITTEN and SASL WGs would be most welcome. Thanks! Peter -- Peter Saint-Andre XMPP Standards Foundation http://www.xmpp.org/xsf/people/stpeter.shtml
_______________________________________________ Kitten mailing list Kitten@lists.ietf.org https://www1.ietf.org/mailman/listinfo/kitten
- domain-based service names redux Peter Saint-Andre
- Re: domain-based service names redux Jeffrey Hutzelman
- Re: domain-based service names redux Martin Rex
- Re: domain-based service names redux Peter Saint-Andre
- Re: domain-based service names redux Jeffrey Hutzelman
- Re: domain-based service names redux Jeffrey Hutzelman
- Re: domain-based service names redux Joe Hildebrand
- Re: domain-based service names redux Peter Saint-Andre
- Re: domain-based service names redux Nicolas Williams
- Hostbased service names (Re: domain-based serviceā¦ Nicolas Williams
- Re: domain-based service names redux Michael B Allen
- Re: domain-based service names redux Nicolas Williams
- Re: domain-based service names redux Nicolas Williams
- Re: domain-based service names redux Martin Rex