Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Luke Howard Bentata <lukeh@padl.com> Sat, 18 February 2023 05:08 UTC

From: Luke Howard Bentata <lukeh@padl.com>
Message-Id: <8EC4ADDC-C3DC-48BA-A67F-8BD261F8FAB8@padl.com>
Date: Sat, 18 Feb 2023 16:08:25 +1100
In-Reply-To: <MW4PR21MB19709BF16824B097019F5EC19CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
Cc: Nicolas Williams <nico@cryptonector.com>, "kitten@ietf.org" <kitten@ietf.org>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/AYFbD6wCrszskG@gmail.com> <Y/AamL5pPJW1sYrv@gmail.com> <MW4PR21MB1970AEAB4ABD68C0059A2AB99CA69@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/A4eirujnDjO+46@gmail.com> <E1A16BAA-9B3D-4D63-96F5-6DD150DB0D6F@padl.com> <MW4PR21MB19709BF16824B097019F5EC19CA69@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/o7skbmddt4NqVRe9YqYJ1oLDCGU>


> On 18 Feb 2023, at 3:56 pm, Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com> wrote:
> 
> Ah, I think I follow the failure case now Nico. I'll have to think about this in the generic case. In Windows our implementation is an extension within the core kerb stack, where kerberos exposes a list of mech OIDs it'll let nego try. This is incidentally how we expose u2u as a mech (NTLM, digest, etc. expose their own set of one; NegoEx is its own beast). Since kerb is still first, it'll try as usual and succeed, fail with no KDC, or fail with SPN not found. We keep a small bit of state such that when nego then tries the iakerb OID the kerb stack knows what the original failure was, and either starts the flow if KDC not found or triggers an error to move to the next mech. This doesn't help with non-Windows clients though.

It’s probably not a big deal in practice. All the non-Windows implementations I can think of build SPNEGO and Kerberos from the same source tree (indeed they’re almost always colocated in the same DLL). Adding some Kerberos-specific state to SPNEGO wouldn’t be the end of the world.

— Luke
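The mech-selection behaviour Steve describes above (Kerberos tried first; the Kerberos stack remembers whether it failed because no KDC was reachable or because the SPN was unknown; when SPNEGO later offers the IAKerb OID, that saved state decides whether to start the IAKerb flow or to bail out so negotiation moves on to the next mech) is modelled below as an added example. This is not code from the thread, from Windows, or from any SPNEGO implementation; it is a toy simulation written for this page. The Kerberos, IAKerb and NTLM mech OIDs are the standard values; the `KerbStack`/`NtlmStack` classes, the `negotiate` loop, the status strings and the `"IAKERB-PROXY"` token placeholder are all assumptions of the model and do not correspond to real SSPI return codes or token formats.

```python
"""Toy model of a SPNEGO initiator whose Kerberos SSP also owns the IAKerb
mech OID and keeps a small bit of state about why plain Kerberos failed.
Added example for this page; not Windows or MIT/Heimdal code."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto

# Standard mech OIDs (RFC 4121 Kerberos, draft-ietf-kitten-iakerb IAKerb, NTLMSSP).
KRB5_OID = "1.2.840.113554.1.2.2"
IAKERB_OID = "1.3.6.1.5.2.5"
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"


class KrbFailure(Enum):
    """Why the most recent plain-Kerberos attempt failed (model state)."""
    NONE = auto()
    KDC_UNREACHABLE = auto()   # no KDC reachable: IAKerb can proxy via the acceptor
    SPN_NOT_FOUND = auto()     # KDC reachable but no such principal: IAKerb cannot help


@dataclass
class KerbStack:
    """Stand-in for the Kerberos SSP that exposes both the krb5 and IAKerb OIDs."""
    kdc_reachable: bool
    known_spns: set[str]
    last_failure: KrbFailure = KrbFailure.NONE  # the "small bit of state"

    def init_sec_context(self, mech: str, target: str) -> tuple[str, str]:
        if mech == KRB5_OID:
            if not self.kdc_reachable:
                self.last_failure = KrbFailure.KDC_UNREACHABLE
                return "fail", "KDC_UNREACHABLE"
            if target not in self.known_spns:
                self.last_failure = KrbFailure.SPN_NOT_FOUND
                return "fail", "SPN_NOT_FOUND"
            self.last_failure = KrbFailure.NONE
            return "ok", "KRB5-AP-REQ"          # placeholder token, not a real AP-REQ
        if mech == IAKERB_OID:
            # Consult the state left behind by the earlier krb5 attempt.
            if self.last_failure is KrbFailure.KDC_UNREACHABLE:
                return "ok", "IAKERB-PROXY"      # placeholder for the first IAKerb token
            # KDC was reachable (or krb5 was never tried): proxying the exchange
            # through the acceptor would not change the answer, so fail so that
            # SPNEGO moves on to the next mech in the list.
            return "fail", "IAKERB_NOT_APPLICABLE"
        raise ValueError(f"KerbStack does not own mech {mech}")


class NtlmStack:
    """Stand-in for an SSP that exposes exactly one mech OID."""
    def init_sec_context(self, mech: str, target: str) -> tuple[str, str]:
        assert mech == NTLM_OID
        return "ok", "NTLM-NEGOTIATE"           # placeholder token


def negotiate(mech_list: list[str], target: str, kerb: KerbStack, ntlm: NtlmStack):
    """SPNEGO initiator loop: try each mech in order, stop at the first that starts.
    Returns (chosen_mech_or_None, token_or_None, [(mech, status), ...])."""
    attempts: list[tuple[str, str]] = []
    for mech in mech_list:
        ssp = kerb if mech in (KRB5_OID, IAKERB_OID) else ntlm
        status, token = ssp.init_sec_context(mech, target)
        attempts.append((mech, status))
        if status == "ok":
            return mech, token, attempts
    return None, None, attempts


def scenario(kdc_reachable: bool, spn_known: bool) -> tuple[str | None, list[str]]:
    """Run one negotiation against a constructed environment and report the
    chosen mech plus the per-mech status sequence."""
    target = "host/server.example.com"          # constructed SPN
    kerb = KerbStack(kdc_reachable, {target} if spn_known else set())
    chosen, _token, attempts = negotiate([KRB5_OID, IAKERB_OID, NTLM_OID], target, kerb, NtlmStack())
    return chosen, [status for _mech, status in attempts]


if __name__ == "__main__":
    for kdc, spn in ((True, True), (False, True), (True, False)):
        print(f"kdc_reachable={kdc} spn_known={spn} ->", scenario(kdc, spn))
```

The point of the model is the second branch in the IAKerb arm: without the saved failure reason, a generic SPNEGO layer would happily start IAKerb after an "SPN not found" failure and only discover the same error again after a round trip through the acceptor. That is the Kerberos-specific state Luke suggests a non-Windows SPNEGO could just as well hold itself, since it is built from the same source tree.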