Re: [Ietf-krb-wg] RFC 4537 question
Larry Zhu <lzhu@windows.microsoft.com> Tue, 30 December 2008 05:57 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B5B3928C274 for <ietfarch-krb-wg-archive@core3.amsl.com>; Mon, 29 Dec 2008 21:57:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.932
X-Spam-Level:
X-Spam-Status: No, score=-103.932 tagged_above=-999 required=5 tests=[AWL=-1.333, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yefFLbK9qLoo for <ietfarch-krb-wg-archive@core3.amsl.com>; Mon, 29 Dec 2008 21:57:40 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 68AB928C271 for <krb-wg-archive@lists.ietf.org>; Mon, 29 Dec 2008 21:57:40 -0800 (PST)
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 2149730; Mon, 29 Dec 2008 23:57:30 -0600 (CST)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 2C46618; Mon, 29 Dec 2008 23:57:23 -0600 (CST)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id EF6B480DDF; Mon, 29 Dec 2008 23:57:22 -0600 (CST)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id F356B80D9E for <ietf-krb-wg@lists.anl.gov>; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Received: by mailhost.anl.gov (Postfix) id E258DD; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id BAEA818 for <ietf-krb-wg@anl.gov>; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id A5285D for <ietf-krb-wg@anl.gov>; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 70CF77CC080; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20566-02; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id 3BB117CC079 for <ietf-krb-wg@anl.gov>; Mon, 29 Dec 2008 23:57:20 -0600 (CST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aj0AAHxHWUmDa3PWkWdsb2JhbACTdAEBAQEJCwoHEQaoW0cRkDKGRIQv
X-IronPort-AV: E=Sophos;i="4.36,299,1228111200"; d="scan'208";a="22740580"
Received: from mail3.microsoft.com (HELO smtp.microsoft.com) ([131.107.115.214]) by mailgateway.anl.gov with ESMTP; 29 Dec 2008 23:57:19 -0600
Received: from tk5-exhub-c103.redmond.corp.microsoft.com (157.54.88.96) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.1.291.1; Mon, 29 Dec 2008 21:57:19 -0800
Received: from tk5-exmlt-w602.wingroup.windeploy.ntdev.microsoft.com (157.54.18.33) by tk5-exhub-c103.redmond.corp.microsoft.com (157.54.88.96) with Microsoft SMTP Server id 8.1.291.1; Mon, 29 Dec 2008 21:57:18 -0800
Received: from NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com ([fe80::8de9:51a2:cd62:f122]) by tk5-exmlt-w602.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.33]) with mapi; Mon, 29 Dec 2008 21:57:18 -0800
From: Larry Zhu <lzhu@windows.microsoft.com>
To: Ken Raeburn <raeburn@MIT.EDU>, Luke Howard <lukeh@padl.com>
Date: Mon, 29 Dec 2008 21:57:15 -0800
Thread-Topic: [Ietf-krb-wg] RFC 4537 question
Thread-Index: AclqJaq24Jl2nAsyRA+x+A00oESAPAAHDhRQ
Message-ID: <AB1E5627D2489D45BD01B84BD5B900461499B69ECD@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <52A05C71-A84F-46C5-AE02-65C759E27586@padl.com> <AB1E5627D2489D45BD01B84BD5B900461499B69DC0@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <57E3D46C-270A-4227-9AEC-9249E02320BD@padl.com> <8CCC225A-F023-4528-8D7F-C5DC7E67F5BB@mit.edu>
In-Reply-To: <8CCC225A-F023-4528-8D7F-C5DC7E67F5BB@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Subject: Re: [Ietf-krb-wg] RFC 4537 question
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
The client has to deal with servers that do not support RFC4537, thus I tend to believe it is acceptable to ignore the etype list from the client. This is option #2 from the list Ken provided. -----Original Message----- From: Ken Raeburn [mailto:raeburn@MIT.EDU] Sent: Monday, December 29, 2008 6:19 PM To: Luke Howard Cc: Larry Zhu; ietf-krb-wg@anl.gov Subject: Re: [Ietf-krb-wg] RFC 4537 question On Dec 29, 2008, at 09:46, Luke Howard wrote: > Consider the case where the ticket session key enctype is absent > from EtypeList but the server prefers that enctype over any proposed > by the client. Presumably the server is free to ignore the EtypeList > and use that enctype (even though that may mean using the ticket > session key rather than a server subkey). As far as the client is > concerned this is identical behaviour to a server that doesn't > implement RFC 4537. Yes, the spec is kind of unclear here, and I think this was an area I complained about when it was in draft status, though I didn't see the scope of it then. If the server prefers the session key or client- subkey enctype over all of those in the proposed list, it MUST NOT "negotiate" that type, but it also is not required to pick one of the others unless in prefers that other. So I see three options, none of them all that great: * Pick an enctype from the list anyways, despite it not being preferred; this seems counter-indicated by the "...and the server prefers an enctype from the client's enctype list" bit. * Don't "negotiate", and instead fall back to pre-4537 behavior, namely, using the same enctype or one known a priori to be supported (though the client might then choose not to continue talking to the server). Which essentially negates the "MUST NOT be negotiated" part, and hinges on how you define "negotiate" in this context. * Treat it as an error, and refuse to finish the authentication exchange, which seems kind of silly given that a pre-4537 implementation would succeed in authenticating (though the client might then choose not to continue talking to it). And perhaps some error code should be recommended. Of course, option #1 assumes that at least one of the indicated enctypes is known and supported by the server implementation. We should also get the spec fixed. While it's an important technical point without (IMO) a clear and obvious single solution, in terms of document changes it might be just one or two new sentences. Procedurally, I don't know if it would qualify as an erratum or if we need to republish. So, when might this come up? The only example I can come up with off the top of my head is a telnet client sending an authenticator with an AES session key, but sending a list of DES enctypes (I'm assuming here that server-supplied subkey would be used under that protocol spec) because that's all it supports for telnet encryption. The server might be configured to prefer DES over AES for this one application, but if its telnet implementation has an update to support AES, or it hasn't been updated to know about RFC 4537 (but the Kerberos library has, and enables it by default, with AES preferred over DES by default), then, maybe not. I guess the only approach that would work in this case (in the sense of letting the two parties talk) is #1 -- select an enctype from the list even if you like the session key type better. If none of the enctypes are acceptable at all (e.g., you disabled DES, or the enctypes are not recognized by the server implementation)... well, I think #2 might let the client give a better error message, and gives a more secure indication that the server can't fulfill the request than an unprotected KRB-ERROR (which I assume would be the result of #3), but that doesn't mean that's what the spec says.... Ken _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] RFC 4537 question Luke Howard
- Re: [Ietf-krb-wg] RFC 4537 question Larry Zhu
- Re: [Ietf-krb-wg] RFC 4537 question Luke Howard
- Re: [Ietf-krb-wg] RFC 4537 question Ken Raeburn
- Re: [Ietf-krb-wg] RFC 4537 question Larry Zhu
- Re: [Ietf-krb-wg] RFC 4537 question Luke Howard
- Re: [Ietf-krb-wg] RFC 4537 question Jeffrey Hutzelman