IETF Logo Mail Archive

Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00

Matt Rogers <mrogers@redhat.com> Thu, 30 March 2017 18:52 UTC

Return-Path: <mrogers@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431DE127698 for <kitten@ietfa.amsl.com>; Thu, 30 Mar 2017 11:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VmPzmsXvvH0 for <kitten@ietfa.amsl.com>; Thu, 30 Mar 2017 11:52:09 -0700 (PDT)
Received: from mail-qt0-f181.google.com (mail-qt0-f181.google.com [209.85.216.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA8D129A20 for <kitten@ietf.org>; Thu, 30 Mar 2017 11:52:08 -0700 (PDT)
Received: by mail-qt0-f181.google.com with SMTP id n21so47565955qta.1 for <kitten@ietf.org>; Thu, 30 Mar 2017 11:52:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DvOb4DF+ZaQoSVtnPjDA2NlBXnV9ObEzsKYXD9SwBXM=; b=F5KiSDUEEuNXTPrnislbf0NNTqSjas5TPDPidMthiSxloL7uyvIXMehrCu51c8mEJg rVbJ8MyQ/XEquOh+mIiIKIoTb5+KGltf1QPdtdwcFAN50KNWAPLCNvzuDzjGe018ojHV yht9Ne0hx5/dKbsg78E1+T1P0ImvL06GLrF1ocw68sAdx57NZHUJtgjVdj+qBxfwFeon ruhtCdu9m0mLYeHwhUzwcWaA6LqHbnfuVmCHeQBCHMHqVFchJPwdkFxTYIVsueEI7L3a H4xD8bPQIPuz6zRs1z9h2BzHJiKofcX0WdkjYv7SWZpAfYS0QR9CWWWHd8bDFg5EpLO9 Ho/w==
X-Gm-Message-State: AFeK/H2RT4wx+lfgbDI2xQgZpzT7k2MvhGPCv0rbJmhxwft7cWu/VWUabwfsf+FNQpqi2QcFIcIIWnopA8kuUqli
X-Received: by 10.200.39.97 with SMTP id h30mr1317325qth.18.1490899927077; Thu, 30 Mar 2017 11:52:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.181 with HTTP; Thu, 30 Mar 2017 11:51:36 -0700 (PDT)
In-Reply-To: <x7dzige39sj.fsf@equal-rites.mit.edu>
References: <x7dzige39sj.fsf@equal-rites.mit.edu>
From: Matt Rogers <mrogers@redhat.com>
Date: Thu, 30 Mar 2017 14:51:36 -0400
Message-ID: <CAAeFVfwexk8THERJZ5Qm+sTB+FVMWsRSOXninGFmMWehzwiz-A@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ghNm080mE5DP_r11igluDu2Hc1Q>
Subject: Re: [kitten] Review of draft-ietf-kitten-krb-service-discovery-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 18:52:12 -0000

On Tue, Mar 21, 2017 at 11:54 AM, Greg Hudson <ghudson@mit.edu> wrote:
> In general:
>
> * RFC 7553 is informational and this document is standards track, which
>   is a down reference (see RFC 3967).  Also, RFC 7553 contains ambiguous
>   guidance about URI records labels which some readers have interpreted
>   as being incompatible with our use of labels.  I think at one point we
>   received advice to reference the IANA registration of the URI record
>   type instead of RFC; unfortunately I do not know the mechanics of that
>   kind of reference.
>
The IANA registration entry refers to RFC 7553:
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
Perhaps it should just be an informative reference instead.

> * Similarly, MS-KKDCP is in the normative references section, and is not
>   a standards-track IETF document.  It is only used as the reference in
>   the initial contents of the transport registry, so perhaps it can just
>   be an informative reference.
>
I'll make this an informative reference.

> Abstract:
>
> * I would rephrase or omit the fourth goal ("define a discovery
>   procedure for Kerberos password services").  There is an
>   interoperable, well-documented[1] de facto standard for discovering
>   kpasswd services; it just isn't specified in an RFC.  It's debatable
>   whether this is a serious enough deficit to mention in the abstract as
>   a problem that we're solving; if it is, I would say "formally specify"
>   rather than "define" to make it clear that the problem being remedied
>   is the lack of a formal specification.

I think "formally specify" would be better.

>
> * Section 4.2.1 (Master Flag) is too focused on password changes, I
>   think.  I suggest:
>
>   The client SHOULD consider this server as one that might possess more
>   up-to-date long-term key material, and use it as a fallback for errors
>   that might result from out-of-date keys.
>
Works for me.

> Section 4.4 (Residual):
>
> * I suggest "where such are defined" -> "as defined"
>

This will be removed with the Residual section (based on past comments
to redefine the fields as
"krb5srv:[flags]:transport-type:transport-info")

> Section 5 (Kerberos V5 KDC Service Discovery):
>
> * "REALM indicates the translation of the Kerberos realm to a DNS
>    domain" seems to invoke some kind of translation procedure without a
>    reference.  RFC 4120 doesn't really define any such translation
>    procedure; it just says in section 6.1 that a realm might be in
>    domain style with some specifics on what that means, and in section
>    7.2.3.2 that "The realm MUST be a domain-style realm name".
>
>    (Section 6 has this same wording again.)

How about "..client MUST query the following URI DNS record, where
REALM is a domain-style realm name."

>
> Section 7 (Kerberos Admin Service Discovery):
>
> * There is no standard admin protocol, even a de facto one (well,
>   Heimdal has some interoperability with MIT krb5).  It doesn't make a
>   lot of sense to specify a standard discovery protocol when there is no
>   standard for what is being discovered.  I think we want to leave this
>   as an implementation-specific aside.
>
>   This change would have an impact on section 9.2.1 (removing the
>   default admin service port) and 9.2.2.
>
I'm OK with removing this part.

> Section 8 (Relationship to Existing Mechanism):
>
> * The wording here seems too general.  I think we want to specifically
>   say that URI records should be preferred over SRV records.
>

How about: "Clients that support service discovery through both URI
and SRV records SHOULD perform the URI discovery first. If no URI
record is found, the client MAY then attempt SRV discovery."

> Section 9.1.2 (Initial Registry Contents, for flags registry):
>
> * The reference here is "TBD".  Is there a plan?  Is the reference
>   supposed to be to this RFC once a number is assigned?
>

It should be changed to the assigned number, yes. It was suggested
that instead of TBD we use [This Document], which I think is the
convention for this kind of reference.

I'd also like to get some thoughts on this text for a Security
Considerations section:
"The security implication of using DNS URI records is identical to
that of using DNS for any Kerberos service or host mapping; without
secure DNS the results can be forged.  The same precautions regarding
the use of insecure DNS with Kerberos outlined in RFC 4120 should be
followed."

Thanks,
Matt

v2.23.0 | Report a Bug | By Email