IETF Logo Mail Archive

Re: [kitten] Kerberos Service Discovery using DNS

Rick van Rein <rick@openfortress.nl> Wed, 11 March 2015 09:25 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B38B51A905C for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 02:25:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1dc-X05w7hh for <kitten@ietfa.amsl.com>; Wed, 11 Mar 2015 02:25:52 -0700 (PDT)
Received: from lb1-smtp-cloud2.xs4all.net (lb1-smtp-cloud2.xs4all.net [194.109.24.21]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B831A710D for <kitten@ietf.org>; Wed, 11 Mar 2015 02:25:51 -0700 (PDT)
Received: from [10.0.1.225] ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id 29Rn1q00H10HQrX019RpPZ; Wed, 11 Mar 2015 10:25:49 +0100
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: text/plain; charset="utf-8"
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <1426025143.16339.10.camel@redhat.com>
Date: Wed, 11 Mar 2015 10:25:47 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C8C3D9F0-5D74-493C-A75A-60AD5B765662@openfortress.nl>
References: <1425578271.2715.5.camel@redhat.com> <2CB0CE49-2109-4666-9FFA-33538244E84E@openfortress.nl> <1426025143.16339.10.camel@redhat.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/puloEhOD_jhhZrXaSEf-4zqH89c>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos Service Discovery using DNS
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 09:25:54 -0000

Hi Nathaniel,

>> Please consider deprecating the SRV-based procedure; without 
>> deprecation, implementatations are pretty much convicted to 
>> implementing both mechanisms forevermore, which is silly from both 
>> KISS and security viewpoints.
> 
> Is there specific IETF language I need to use for this?

I don’t know of any, but the word “deprecated” seems to me to make a
big difference.  Formally, it’s still true of course that clients choose
whether to adopt any new standard into their code, but practically it
means that clients could get away with only implementing the new
approach.  For DNS admins, it would mean that they had to create
both descriptors because old clients won’t upgrade, but that hardly
sounds like a problem to me — except from the design ideal that
all knowledge should be concentrated in one place.

>> Please specify the implications for naming in certificates, such as 
>> for PKINIT.
> 
> I'm not sure how this relates.

I’m not sure if there is a problem, but it seems to be worthwhile to
consider.

SRV records point to a hostname, not an IP address.  This hostname
is then acceptable for certificates in many protocols — but I’m not
sure if that applies to the KDC’s certificates for PKINIT as well.
Note that an alternative is also possible, that is to require the domain
name to be used as a certificate name.  The fact that you define a
URI means that new habits / choices may follow, and especially if
the URI contains IP addresses instead of host names.

> Are you 
> suggesting that we need to document the security considerations of 
> using MS-KKDCP?

No.

>> Please do not overlool SCTP; it has the reliability and size-
>> scalability of TCP but the speed and ordering advantages of UDP.  
>> Even when Kerberos does not currently use SCTP, it may need to in 
>> future updates, possibly to handle large key sizes during PKINIT.
> 
> Since there is not currently an SCTP protocol defined, we cannot write 
> a method for discovering it. Feel free to work on one. :)

Hmm, yes this chicken-and-egg problem is everywhere where new
protocols are introduced, and it is generally considered valid reasoning.
I won’t press this hard, but think it leads to an impasse, which is why
I mentioned it; you are very specific about UDP and TCP and so you
are explicitly passing by SCTP.

-Rick

v2.23.0 | Report a Bug | By Email