IETF Logo Mail Archive

Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?

Nathaniel McCallum <npmccallum@redhat.com> Tue, 17 May 2016 20:53 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D738112D5D2 for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 13:53:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level:
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbfZnApchAae for <kitten@ietfa.amsl.com>; Tue, 17 May 2016 13:53:24 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E999312DA16 for <kitten@ietf.org>; Tue, 17 May 2016 13:53:23 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6094663305; Tue, 17 May 2016 20:53:23 +0000 (UTC)
Received: from vpn-55-135.rdu2.redhat.com (vpn-55-135.rdu2.redhat.com [10.10.55.135]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u4HKrJIU001137 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 17 May 2016 16:53:22 -0400
Message-ID: <1463518399.2432.33.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Rick van Rein <rick@openfortress.nl>, Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Tue, 17 May 2016 16:53:19 -0400
In-Reply-To: <573B7E6E.1010900@openfortress.nl>
References: <1463500163.2432.9.camel@redhat.com> <54c900f2-399c-0ff0-c292-91baba495a21@secure-endpoints.com> <573B7E6E.1010900@openfortress.nl>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 17 May 2016 20:53:23 +0000 (UTC)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/sxiRlQcrCllIRJyxjnMy-ASAgVQ>
Cc: kitten@ietf.org
Subject: Re: [kitten] Adoption of draft-mccallum-kitten-krb-service-discovery?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2016 20:53:30 -0000

On Tue, 2016-05-17 at 22:26 +0200, Rick van Rein wrote:
> Hi,
> 
> I agree mostly with Jeffrey, but have some additional remarks /
> thoughts.
> 
> > _kerberos.REALM
> > 
> > is not a valid DNS URI record name. To translate the URI
> > 
> Yes, the RFC wants it to be of the form _server._transport, however
> 
> > https://host[:port][path]
> > 
> > to an URI record requires
> > 
> > _kerberos._https.host
> 
> where is _https defined as a transport?  RFC 7553 gives examples with
> _http._tcp -- I've always wondered to deal with _https and especially
> how to add semantics on top of it, so I certainly like the scheme,
> but
> is this format defined anywhere?  For SRV, I though transports were
> limited to TCP, UDP, SCTP -- so not even TLS, let alone HTTPS?
> 
> Nathaniel, I think what you are actually trying to do is to describe
> HTTPS as a tunneling technique, right?  Since this type of tunnel is
> designed to participate in the rope-pulling contest between
> application
> desires and (perhaps misguided) firewall configurations, it might be
> expected that new tunnels would be topped on as time passes.

Yes, this is possible: new tunnels may appear over time.

> Clients
> would need to keep up, but keep the older solutions working as
> well.  So
> instead, I would rather have some sort of a redirection to a somewhat
> general tunnel descriptor as a general discovery outcome when looking
> for a "direct" service description.  This would service many
> applications in the same manner.

How does the "general tunnel descriptor" help in the case of Kerberos
tunnelling where the tunnel protocols are Kerberos-specific?

The desire for abstraction here just adds complexity without any
benefit of reusability. OTOH, new Kerberos tunnelling protocols can
just get new URIs. In fact, this is already explicitly allowable in the
existing draft. So the system, as defined is perfectly flexible to new
situations in the future.

One advantage to the URI approach is that weights and priorities can be
used to appropriately transition between transports; something that is
not currently possible.

v2.23.0 | Report a Bug | By Email