Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

"Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com> Sat, 18 February 2023 05:10 UTC

From: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
To: Luke Howard Bentata <lukeh@padl.com>
CC: Nicolas Williams <nico@cryptonector.com>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Date: Sat, 18 Feb 2023 05:10:28 +0000
Message-ID: <MW4PR21MB1970AB4E0333CB19A43CEB779CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/AamL5pPJW1sYrv@gmail.com> <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/A4eirujnDjO+46@gmail.com> <E1A16BAA-9B3D-4D63-96F5-6DD150DB0D6F@padl.com> <MW4PR21MB19709BF16824B097019F5EC19CA69@MW4PR21MB1970.namprd21.prod.outlook.com> <8EC4ADDC-C3DC-48BA-A67F-8BD261F8FAB8@padl.com>
In-Reply-To: <8EC4ADDC-C3DC-48BA-A67F-8BD261F8FAB8@padl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/kceIFskPyTxcwyCCY20aSs47RgU>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>

Excellent.

>Heimdal did add support for it a couple of years back (3a6229f6) but I don’t believe MIT supports it.

That's good to know. It's a bit of an edge case anyway. Mostly only affects callers in the kernel for us (they like their rented pools), and that's a relatively small number.
________________________________
From: Luke Howard Bentata <lukeh@padl.com>
Sent: Friday, February 17, 2023 9:08:25 PM
To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
Cc: Nicolas Williams <nico@cryptonector.com>; kitten@ietf.org <kitten@ietf.org>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

On 18 Feb 2023, at 3:56 pm, Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com<mailto:Steve.Syfuhs@microsoft.com>> wrote:

Ah, I think I follow the failure case now Nico. I'll have to think about this in the generic case. In Windows our implementation is an extension within the core kerb stack, where kerberos exposes a list of mech OIDs it'll let nego try. This is incidentally how we expose u2u as a mech (NTLM, digest, etc. expose their own set of one; NegoEx is its own beast). Since kerb is still first, it'll try as usual and succeed, fail with no KDC, or fail with SPN not found. We keep a small bit of state such that when nego then tries the iakerb OID the kerb stack knows what the original failure was, and either starts the flow if KDC not found or triggers an error to move to the next mech. This doesn't help with non-Windows clients though.

It’s probably not a big deal in practice. All the non-Windows implementations I can think of build SPNEGO and Kerberos from the same source tree (indeed they’re almost always colocated in the same DLL). Adding some Kerberos-specific state to SPNEGO wouldn’t be the end of the world.

— Luke