Re: [kitten] Kerberos Service Discovery using DNS

Greg Hudson <ghudson@mit.edu> Fri, 06 March 2015 21:43 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/fUFz-O8eSjbY6jtXNfQNVZof8VQ>

On 03/05/2015 12:57 PM, Nathaniel McCallum wrote:
> http://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-discovery/

I'm on board with this in general.  Some specific issues to be hashed out:

1. URL formats for basic RFC 4120 over UDP/TCP

The draft uses udp://hostname[:port] and tcp://hostname[:port] for
these.  The IANA registry notes some application-specific precedent for
the use of a "udp" scheme but there is no formal spec for it, and there
is no registration for "tcp" at all.  Obviously these URI schemes are
very context-dependent; a generic application such as a web browser
would have no idea what to do with a TCP or UDP URL.  On the other hand,
we are also proposing a very context-specific use of HTTP for MS-KKDCP,
and there is a ton of precedent for that (basically any kind of RPC over
HTTP).

2. UDP/TCP preference

Some implementation guidance may be necessary on this.  Implementations
are currently used to having their own preference of UDP versus TCP,
perhaps based on the packet size.

The current draft does allow the URI records to express no preference of
UDP versus TCP; one can simply give them the same priority and not use
weights.  But if the URI records express a preference, should a client
always honor that preference, or can it ignore it--say, if the packet is
large?

3. Precedence of URI versus SRV

Discussion elsewhere suggested that the URI records, if present, should
have precedence over SRV records; if a client finds URI records, it
shouldn't do SRV lookups.  The draft should probably say that explicitly.

4. Security considerations

MS-KKDCP can offer security benefits for Kerberos traffic because it
uses TLS.  These added protections are mostly lost if unsecured URI
records are used to discover the proxy URL.  This is not a deal-breaker
as there are other reasons to use a proxy, but we should explicitly
state this in the security considerations.
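As an added example (not part of this message or the draft), the following Python sketches how a client might act on points 2 through 4: URI records are ordered by priority and weight using the RFC 2782 selection algorithm carried over from SRV, URI results take precedence over SRV lookups, and an MS-KKDCP URL learned from DNS that was not authenticated is flagged. The record names, hosts and the `Candidate`/`UriRecord` types are constructed for illustration.

```python
import random
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class UriRecord:  # one DNS URI record: RFC 7553 priority/weight plus the target string
    priority: int
    weight: int
    target: str  # "udp://host[:port]", "tcp://host[:port]" or an https MS-KKDCP URL

@dataclass(frozen=True)
class Candidate:
    transport: str  # "udp", "tcp" or "kkdcp"
    host: str
    port: int
    insecure_kkdcp: bool  # KKDCP URL learned over unauthenticated DNS (point 4)

def parse_target(target: str, dns_authenticated: bool) -> Candidate:
    """Map one URI target onto a transport; schemes the draft does not use are rejected."""
    u = urlsplit(target)
    if u.scheme in ("udp", "tcp"):
        return Candidate(u.scheme, u.hostname, u.port or 88, False)  # 88: RFC 4120 KDC port
    if u.scheme == "https":  # MS-KKDCP: TLS protects little if the URL itself was spoofable
        return Candidate("kkdcp", u.hostname, u.port or 443, not dns_authenticated)
    raise ValueError(f"unsupported URI scheme: {u.scheme!r}")

def rfc2782_order(records, rand=random.randint):
    """Lowest priority first; within one priority, RFC 2782 weighted random selection."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first so they are chosen only when the draw is 0
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            pick, running = rand(0, sum(r.weight for r in group)), 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def discover(uri_records, srv_candidates, dns_authenticated=False, rand=random.randint):
    """URI records, when present, take precedence and SRV results are not consulted (point 3)."""
    if uri_records:
        return [parse_target(r.target, dns_authenticated) for r in rfc2782_order(uri_records, rand)]
    return list(srv_candidates)

# Constructed sample records (not from a real zone); equal priority for udp:// and tcp:// on kdc1 = point 2
SAMPLE = [UriRecord(20, 0, "https://kdcproxy.example.com/KdcProxy"),
          UriRecord(10, 50, "udp://kdc1.example.com"), UriRecord(10, 50, "tcp://kdc1.example.com"),
          UriRecord(10, 100, "tcp://kdc2.example.com:8088")]
```

Passing a fixed `rand` makes the weighted draw deterministic, which is how the selection can be unit-tested.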