Re: [kitten] Kerberos Service Discovery using DNS
Greg Hudson <ghudson@mit.edu> Fri, 06 March 2015 21:43 UTC
Message-ID: <54FA1F7D.2050703@mit.edu>
Date: Fri, 06 Mar 2015 16:43:25 -0500
From: Greg Hudson <ghudson@mit.edu>
To: Nathaniel McCallum <npmccallum@redhat.com>, kitten@ietf.org
References: <1425578271.2715.5.camel@redhat.com>
In-Reply-To: <1425578271.2715.5.camel@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/fUFz-O8eSjbY6jtXNfQNVZof8VQ>
Subject: Re: [kitten] Kerberos Service Discovery using DNS
On 03/05/2015 12:57 PM, Nathaniel McCallum wrote:
> http://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-discovery/

I'm on board with this in general. Some specific issues to be hashed out:

1. URL formats for basic RFC 4120 over UDP/TCP

The draft uses udp://hostname[:port] and tcp://hostname[:port] for these. The IANA registry notes some application-specific precedent for the use of a "udp" scheme, but there is no formal spec for it, and there is no registration for "tcp" at all. Obviously these URI schemes are very context-dependent; a generic application such as a web browser would have no idea what to do with a TCP or UDP URL. On the other hand, we are also proposing a very context-specific use of HTTP for MS-KKDCP, and there is a ton of precedent for that (basically any kind of RPC over HTTP).

2. UDP/TCP preference

Some implementation guidance may be necessary on this. Implementations are currently used to having their own preference of UDP versus TCP, perhaps based on the packet size. The current draft does allow the URI records to express no preference of UDP versus TCP; one can simply give them the same priority and not use weights. But if the URI records express a preference, should a client always honor that preference, or can it ignore it--say, if the packet is large?

3. Precedence of URI versus SRV

Discussion elsewhere suggested that the URI records, if present, should have precedence over SRV records; if a client finds URI records, it shouldn't do SRV lookups. The draft should probably say that explicitly.

4. Security considerations

MS-KKDCP can offer security benefits for Kerberos traffic because it uses TLS. These added protections are mostly lost if unsecured URI records are used to discover the proxy URL. This is not a deal-breaker as there are other reasons to use a proxy, but we should explicitly state this in the security considerations.
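The four points above are easier to see in code. The following is an added example written for this archive page; it is not the draft's text nor MIT krb5's or any other implementation's code. It assumes URI records live under the owner name `_kerberos.<REALM>` (the SRV names `_kerberos._udp.<REALM>` and `_kerberos._tcp.<REALM>` are the RFC 4120 ones), accepts the `udp://` and `tcp://` targets from the draft plus `http(s)://` for an MS-KKDCP proxy, and uses an assumed 1400-byte threshold (`MAX_UDP_REQUEST`) for point 2; the zone data is constructed. The `dns_authenticated` flag in `discovery_warnings` stands in for whatever the client knows about the integrity of the DNS answer (e.g. DNSSEC validation), which the message calls "unsecured URI records".

```python
"""Constructed example: choosing Kerberos endpoints from DNS URI records,
falling back to SRV.  Not the draft's or any implementation's code; the
URI owner name, scheme set and UDP threshold are assumptions."""
import random
from dataclasses import dataclass
from urllib.parse import urlsplit

URI_OWNER = "_kerberos.{realm}"                 # assumed owner name for URI records
SRV_OWNER = "_kerberos._{transport}.{realm}"    # RFC 4120 SRV owner names
# Accepted target schemes (udp/tcp from the draft, http/https for MS-KKDCP)
# and their default ports when the target omits one.
DEFAULT_PORTS = {"udp": 88, "tcp": 88, "http": 80, "https": 443}
MAX_UDP_REQUEST = 1400  # assumed byte limit above which UDP is demoted (point 2)


@dataclass(frozen=True)
class UriRecord:
    priority: int
    weight: int
    target: str  # e.g. "udp://kdc1.example.com:88"


@dataclass(frozen=True)
class Endpoint:
    scheme: str
    host: str
    port: int
    priority: int
    weight: int
    url: str


def parse_uri_target(rec: UriRecord) -> Endpoint:
    """Point 1: accept only the context-specific schemes and fill in the default port."""
    parts = urlsplit(rec.target)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URI target: {rec.target}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return Endpoint(scheme, parts.hostname, port, rec.priority, rec.weight, rec.target)


def order_endpoints(endpoints, rng):
    """Lowest priority first; within one priority, RFC 2782 weighted random
    selection (weight-0 entries are drawn only after all weighted ones)."""
    by_priority = {}
    for ep in endpoints:
        by_priority.setdefault(ep.priority, []).append(ep)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(e.weight for e in pool)
            if total == 0:
                choice = rng.choice(pool)  # equal priority, no weights: no preference
            else:
                r, acc = rng.randrange(total), 0
                for e in pool:
                    acc += e.weight
                    if r < acc:
                        choice = e
                        break
            ordered.append(choice)
            pool.remove(choice)
    return ordered


def discover(realm, lookup_uri, lookup_srv, rng=None):
    """Point 3: URI records, when present, take precedence and SRV is not
    consulted at all.  Returns (record type used, ordered endpoints)."""
    rng = rng or random.Random()
    uri_records = lookup_uri(URI_OWNER.format(realm=realm))
    if uri_records:
        return "URI", order_endpoints([parse_uri_target(r) for r in uri_records], rng)
    endpoints = []
    for transport in ("udp", "tcp"):
        for prio, weight, host, port in lookup_srv(SRV_OWNER.format(transport=transport, realm=realm)):
            endpoints.append(Endpoint(transport, host, port, prio, weight, f"{transport}://{host}:{port}"))
    return "SRV", order_endpoints(endpoints, rng)


def transports_for_request(ordered, request_len):
    """Point 2: keep the DNS preference, but a request too large for UDP moves
    UDP endpoints behind the TCP/proxy ones rather than dropping them."""
    if request_len <= MAX_UDP_REQUEST:
        return list(ordered)
    return [e for e in ordered if e.scheme != "udp"] + [e for e in ordered if e.scheme == "udp"]


def discovery_warnings(source, ordered, dns_authenticated):
    """Point 4: a proxy URL learned from unauthenticated DNS still gets TLS on
    the wire, but whoever controls the DNS answer chose the proxy."""
    if source != "URI" or dns_authenticated:
        return []
    return [f"proxy {e.url} was discovered from unauthenticated DNS"
            for e in ordered if e.scheme in ("http", "https")]


# Constructed zone data standing in for real DNS answers.
SAMPLE_URI = {"_kerberos.EXAMPLE.COM": [
    UriRecord(10, 0, "udp://kdc1.example.com:88"),
    UriRecord(10, 100, "tcp://kdc1.example.com"),            # port omitted -> 88
    UriRecord(20, 0, "https://proxy.example.com/KdcProxy"),  # MS-KKDCP proxy
]}
SAMPLE_SRV = {
    "_kerberos._udp.LEGACY.EXAMPLE": [(0, 0, "kdc.legacy.example", 88)],
    "_kerberos._tcp.LEGACY.EXAMPLE": [(0, 0, "kdc.legacy.example", 88)],
}


def lookup_uri(name):
    return SAMPLE_URI.get(name, [])


def lookup_srv(name):
    return SAMPLE_SRV.get(name, [])


if __name__ == "__main__":
    source, eps = discover("EXAMPLE.COM", lookup_uri, lookup_srv, random.Random(1))
    print(source, [e.url for e in eps])
    print([e.scheme for e in transports_for_request(eps, 5000)])
    print(discovery_warnings(source, eps, dns_authenticated=False))
    print(discover("LEGACY.EXAMPLE", lookup_uri, lookup_srv)[0])
```

With the sample zone, the weighted TCP record is always drawn before the weight-0 UDP record at the same priority, so the client's DNS-expressed order is tcp, udp, https; a 5000-byte request reorders that to tcp, https, udp, and the proxy entry produces a warning unless the DNS answer was authenticated. The LEGACY.EXAMPLE realm has no URI records and so falls back to the two SRV names.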