IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Sat, 18 February 2023 00:13 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAE3BC14F72D for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 16:13:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1.999] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVp_Cau6wmcv for <kitten@ietfa.amsl.com>; Fri, 17 Feb 2023 16:13:16 -0800 (PST)
Received: from caracal.birch.relay.mailchannels.net (caracal.birch.relay.mailchannels.net [23.83.209.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD1CCC1595FD for <kitten@ietf.org>; Fri, 17 Feb 2023 16:13:15 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id BCABF7E0BC5; Sat, 18 Feb 2023 00:13:13 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 392877E0B7F; Sat, 18 Feb 2023 00:13:13 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1676679193; a=rsa-sha256; cv=none; b=okMUqsbuiUWqf/upwX3ihgzOLHtsoPUoQof8oSHK/qgxFW81xpuAec2QHuC/9TwXxMrOHZ C2p4tAcqLXYdzlvdM4Cz+xc/pCM6zzDKcIT4V6ttbE79OerhGvkV+IeLkox8tMi0ECwJol jZ2KGILIxKhoLCOuXh8Q4yD9ZC/anAii4NB2wCZSHkWAYyVvXwAJDaaNeFhXxbG4PVe8Rp xHJmEmUnl89cZgM841p97D6Bjbua715ceDd7FXf8QH6MS+7Vgy51aVB1P8n5cA45e99MZj CBeX14Ll0da/eQgBEzoxRZq3mklz6rPsbH+7+H7YTRzuQTqN5RuFwgTqEX11eg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1676679193; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=8tiW8Naw8uqECVF/f+Zo5JG70GONeTwhsepCzVi0png=; b=vWqPDjlLUMrHtW++wwu/4ioffDNzLN0M7quNAEUYS7jYyG4LV7BhoCfNGUZHxporSYXWpF CjanKs3rey51jzW8PSp1ag5bH+WkaF1Bz1JeiE0H8sxnlesN1wWBlJrzQ10Jt0fLSlCIA/ NRDUQKhSXit3ag3uFNXs/RU1TWmyl8X4/skbFamUuxdD9G1Z1PRqPrCShQMgofnvV9Oe1q 6VN0b/C1UsW66n0+AtiaRjvmnw/updhbmXRUxcy8hqf9IEfbYRl/N8mjjo1l7xyGo1jOfA RaUxC+25fOjzMI6rWFfaD2glatj3TmwOK2fyvGOwseOoj49QlP1MTPbYsOS38g==
ARC-Authentication-Results: i=1; rspamd-9788b98bc-hzrxs; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Supply-Little: 39e50c6626e972a5_1676679193503_4222426490
X-MC-Loop-Signature: 1676679193503:2728720214
X-MC-Ingress-Time: 1676679193503
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.123.200.110 (trex/6.7.1); Sat, 18 Feb 2023 00:13:13 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PJTfc2Xwwzvk; Fri, 17 Feb 2023 16:13:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1676679192; bh=8tiW8Naw8uqECVF/f+Zo5JG70GONeTwhsepCzVi0png=; h=Date:From:To:Cc:Subject:Content-Type; b=ufpAOAWLXH77g5DkBxZSShmPTVkXuwRQ82nOb4L4GaVEXSCZTBgWH/wH/g4of6vgY FBPl+bWGdDGyi/c7S+GijG6aef5KZErkQ77QIRI3kHf31xVCwWbbNTtLjO3/7xg6zf /MDzeikc8xof4Ix9T+G1fkbkOHTsfTfRuwq+k5kKvBOmIgvsR3sGcz4DYIoZFmHqfW gaz2T6HNgSG9Wv/gAjgegeARzLZYnvCPBIB2A1MRiksno2qf/LJKMw+H34JJkVtQ5c 41mYMi1GRVSZxO0Qwo0DCqnYducdTpzo8qseqyvKMk5xhd2a0BlB0EAhccP7Fx+lqY MHKWz367kCFFA==
Date: Fri, 17 Feb 2023 18:13:09 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>
Cc: Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/AYFbD6wCrszskG@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/jZ9WAKBjpVgNiZzONVRj5WFfb3k>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2023 00:13:19 -0000

On Fri, Feb 17, 2023 at 07:04:02PM +0000, Steve Syfuhs (AP) wrote:
> As for why we care - Luke is spot on. NTLM deprecation. Despite the
> good intentions of our corporate overlords over the last few years,
> Kerberos ain't going away anytime soon, and with that NTLM certainly
> isn't going away without us giving it a good shove. So...

I'd like for something to be able to replace Kerberos, but we shouldn't
have that discussion in this thread, so I'll shut up about that :)

> 52% of NTLM usage is because of hardcoding the package in GSS or SSPI.
> We know why this happens some of the time - lack of visibility into
> outer negotiation processes like HTTP - and sometimes just lack of
> knowledge on the implementers part. Internally, we're working with the
> top offenders to move them to SPNego. Once that happens we predict it
> will increase line of sight issues a fair bit, though relative to the
> rest of the fallback reasons.

So you could lie to the app and say "you got NTLM" but actually do
IAKERB?  Seems reasonable to me; NTLM must die.

> 100% - 52% - 7% != 0%, so obviously there would have to be some other
> things going on to kill NTLM. We have a plan, but aren't ready to talk
> about it yet. Suffice to say IAKerb is an integral part of it.

Any idea what the remaining 41% are about?

The one thing I'll say is that when MIT enabled IAKERB by default in
SPNEGO that broke things for users.  See
https://krbdev.mit.edu/rt/Ticket/History.html?id=8021 whose description
says:

| We implemented IAKERB in 1.9. SPNEGO automatically tries all
| mechanisms except for SPNEGO itself, so it tries IAKERB after regular
| krb5. In practice, this is rarely useful and often serves to
| complicate scenarios which would otherwise be simple. For instance, if
| the user has credentials but we cannot get a service ticket for the
| target host, we try IAKERB instead of failing locally; most of the
| time this is unnecessary work and obscures the resulting error
| message.

That captures the issues I saw exactly.  But let me rephrase.  In some
cases it took longer to fail and then the resulting error was different
from what users understood already, while in other cases -IIRC- we saw
failures where the _app_ could not do more than one round-trip and then
the error definitely had to be very different from "service principal
unknown".

In order to fallback to pick IAKERB in SPNEGO because krb5 failed,
SPNEGO has to know that the failure was due to line of sight issues and
not that the server principal is unknown.

The fix in #8021 was to make SPNEGO never try IAKERB by default.  It can
still be negotiated IIRC, but the app has to opt-into it.

Thinking about it now, a better fix would be to allow SPNEGO to try
falling back to IAKERB IFF initSecContext() w/ krb5 failed with a KDC
unreachable error.  That requires hard-coding -in the SPNEGO initiator
implementation- knowledge of the special relationship between IAKERB and
krb5 -- this might be unpleasant to us implementors givne that we've
striven to keep SPNEGO implementations totally generic, but so what.

Assuming you already have a TGT for the user, then having SPNEGO know
when to fall back on IAKERB and when not to should suffice.

Otherwise you might run into an API design issue with how to defer
initial credential acquisition to initSecContext() time in a backwards-
compatible way.  But I assume that if you want to do initial credential
acquisition using IAKERB then you probably only need to do that when
connecting to a remote access gateway, in which case backwards-compat in
APIs is probably not a concern.

Nico
--

v2.23.0 | Report a Bug | By Email