IETF Logo Mail Archive

Re: [kitten] New URI Discovery Draft

Matt Rogers <mrogers@redhat.com> Mon, 26 September 2016 15:55 UTC

Return-Path: <mrogers@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C51F12B2F0 for <kitten@ietfa.amsl.com>; Mon, 26 Sep 2016 08:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.218
X-Spam-Level:
X-Spam-Status: No, score=-9.218 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.316, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWqG_-UNnvnQ for <kitten@ietfa.amsl.com>; Mon, 26 Sep 2016 08:55:20 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3257012B2D4 for <kitten@ietf.org>; Mon, 26 Sep 2016 08:55:20 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E6C446370D for <kitten@ietf.org>; Mon, 26 Sep 2016 15:55:19 +0000 (UTC)
Received: from unused (unused [10.10.52.232] (may be forged)) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u8QFtJTL010189; Mon, 26 Sep 2016 11:55:19 -0400
Message-ID: <1474905318.15526.31.camel@redhat.com>
From: Matt Rogers <mrogers@redhat.com>
To: Petr Spacek <pspacek@redhat.com>, Nathaniel McCallum <npmccallum@redhat.com>, kitten@ietf.org
Date: Mon, 26 Sep 2016 11:55:18 -0400
In-Reply-To: <c2e61e27-8a6c-1d38-140e-0c019b0a13a2@redhat.com>
References: <1474669521.30344.15.camel@redhat.com> <c2e61e27-8a6c-1d38-140e-0c019b0a13a2@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Mon, 26 Sep 2016 15:55:19 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/gKikFyzaU1PzdYEVtcZqZ2uB-JQ>
Cc: Simo Sorce <simo@redhat.com>
Subject: Re: [kitten] New URI Discovery Draft
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 15:55:22 -0000

On Sat, 2016-09-24 at 18:29 +0200, Petr Spacek wrote:
> On 24.9.2016 00:25, Nathaniel McCallum wrote:
> > 
> > https://datatracker.ietf.org/doc/draft-mccallum-kitten-krb-service-
> > disc
> > overy/
> > 
> > I've submitted a new version of the draft. This version matches the
> > code that is now merged into MIT Kerberos.
> > 
> > We need to move forward. If that is as an individual submission,
> > then
> > so be it. But we really can't wait any longer. So unless I hear
> > some
> > noise to the contrary ASAP, I plan to go this route.
> 
> Hello,
> 
> in general it makes sense. The new URI format opened an encoding-
> Pandora-box
> so it needs more work to make it fully specified. Here are nits I
> found in the
> 03 version of the draft:
> 

Hi Petr, thanks for reviewing! 

> 1]
> > 
> > 4.  Required URI Format
> >    krb5srv:[flags]:transport:residual
> Nitpick: I do not really like naming "transport:residual". Something
> like
> "transport-type:transport-options" would be more descriptive.
> 

"transport-options" may make it seem that it's an optional field or
carries something other than a hostname or URI for the client to
contact. How about "transport-type:transport-target"?

> 
> 2] Is this a good idea?
> > 
> >    Flags are not considered critical, therefore flags that are not
> > used
> >    or unknown to the implementation SHOULD be ignored.
> Just wondering out loud, not insisting on it:
> If we say there is no criticality, it will be impossible to add later
> on.
> 
> What about using capitalization to indicate criticality of a flag?
> Records
> with critical but unsupported flags should be skipped as if there
> were not
> present in DNS. Records with non-critical unsupported flags should be
> used as
> usual.
> 
> Or maybe we can limit valid flags to lowercase ASCII letters for now
> so there
> is a room for extension in future?

I think avoiding having case-sensitive fields is the most appropriate
thing to do for DNS data, our exception here being the path part of a
KKDCP URL, which we can leave as defined by MS-KKDCP (see below)

If we want to later add criticality to a flag then it could be a flag
prepended by a '!' or some such character rather than using the case.

> 
> 
> 3] In any case, there is disagreement between
> > 
> > 4.2.  Flags
> >    This field contains a sequence of zero or more case-insensitive
> vs.
> > 
> > 9.1.  Kerberos Server Discovery Flags
> > 9.1.1.  Registration Template
> >    Value:  A single unique ASCII character that identifies the
> > entry,
> 
> "A single unique ASCII character" is case-sensitive by definition.
> This
> conflicts with case-insensitivity defined in 4.2.
> 
> 
> 3] The draft is not clear on whether transport field is case-
> sensitive or not.
> > 
> > 4.3.  Transport
> > 9.2.  Kerberos Server Discovery Transport Types
> 

I'll clear this up.

> 
> 4] Residual formats are not sufficiently specified:
> > 
> > 4.4.  Residual
> > 9.2.  Kerberos Server Discovery Transport Types
> > 9.2.2.  Initial Registry Contents
> > 
> >    o Value: "udp"
> >    o Description: User Datagram Protocol
> >    o Residual Format: "host[:port]"
> >    o Case Sensitive: None
> >    o Default KDC Port: 88
> >    o Default Admin Service Port: 749
> >    o Default Password Service Port: 464
> >    o Reference: [RFC0768]
> 
> There is no definition of "host" and there is none in RFC 768.
> Can it be IP(v?) address?
> Can it be DNS name?
> How this field should be encoded into the URI?
> 
> > 
> >    o Value: "tcp"
> >    o Description: Transport Control Protocol
> >    o Residual Format: "host[:port]"
> >    o Case Sensitive: None
> >    o Default KDC Port: 88
> >    o Default Admin Service Port: 749
> >    o Default Password Service Port: 464
> >    o Reference: [RFC0793]
> 
> Again there is no definition of "host".
> Can it be IP(v?) address?
> Can it be DNS name?
> How this field should be encoded into the URI?

Good point, I'll clear this up as well.

> 
> > 
> >    o Value: "kkdcp"
> >    o Description: Kerberos Key Distribution Center Proxy Protocol
> >    o Residual Format: https://host[:port][/path]
> 
> This is technically URI inside URI, am I right?
> How is it encoded? Should usual %-encoding be used here?
> > 
> > 10.1.  URI Format Examples
> suggest that %-encoding is not used. I would like to see this clearly
> specified and explained why not.
> 
> At this point I would rather say "use URL as specified by [MS-KKDCP]" 
> instead
> of specifying "https://host[:port][/path]".

I agree with this, especially since MS-KKDCP defines the URI with
RFC3986 encoding rules. I think then the registration template can also
leave out the case-sensitivity definition as the path is defined as
case-sensitive with RFC3986.

> 
> Also, to make this bullet-proof, I would mention that "/KdcProxy"
> must be
> explicitly specified in the URI record and is not implicitly assumed
> by clients.
> 

Sure, that makes sense. 

Thanks again,
Matt

v2.23.0 | Report a Bug | By Email