From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: [Simon Josefsson] Re: RFC4120
Date: Thu, 22 Jun 2006 09:35:01 -0400
Return-Path: <owner-ietf-krb-wg-outgoing@anl.gov>
Received: from solipsist-nation ([unix socket])
by solipsist-nation (Cyrus v2.1.16-IPv6-Debian-2.1.16-10) with LMTP;
Thu, 22 Jun 2006 09:25:33 -0400
X-Sieve: CMU Sieve 2.2
Return-Path: <owner-ietf-krb-wg-outgoing@anl.gov>
Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU
[18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by suchdamage.org (Postfix) with ESMTP id 094B41324F
for <hartmans@suchdamage.org>; Thu, 22 Jun 2006 09:25:32 -0400 (EDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by south-station-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
k5MDPV62019127
for <hartmans@suchdamage.org>; Thu, 22 Jun 2006 09:25:31 -0400 (EDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
k5MDPNt3004706; Thu, 22 Jun 2006 09:25:23 -0400 (EDT)
Received: by mailhost.anl.gov (Postfix)
id 2B3B21C3; Thu, 22 Jun 2006 08:25:21 -0500 (CDT)
Delivered-To: ietf-krb-wg-outgoing@anl.gov
Received: from mailhost.anl.gov (localhost [127.0.0.1])
by localhost.ctd.anl.gov (Postfix) with ESMTP id F23E219C
for <ietf-krb-wg-outgoing@anl.gov>;
Thu, 22 Jun 2006 08:25:20 -0500 (CDT)
Received: by mailhost.anl.gov (Postfix, from userid 10733)
id E0B421C3; Thu, 22 Jun 2006 08:25:20 -0500 (CDT)
X-Original-To: ietf-krb-wg@anl.gov
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (localhost [127.0.0.1])
by localhost.ctd.anl.gov (Postfix) with ESMTP id 5DD761BF
for <ietf-krb-wg@anl.gov>; Thu, 22 Jun 2006 08:25:20 -0500 (CDT)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22])
by mailhost.anl.gov (Postfix) with ESMTP id 3408619C
for <ietf-krb-wg@anl.gov>; Thu, 22 Jun 2006 08:25:16 -0500 (CDT)
Received: from mailrelay.anl.gov (localhost [127.0.0.1])
by localhost.ctd.anl.gov (Postfix) with ESMTP id 502C65F0CE4;
Thu, 22 Jun 2006 08:25:14 -0500 (CDT)
Received-SPF: none (frigga.ctd.anl.gov: domain of jas@extundo.com does not
designate permitted sender hosts)
Received: from yxa.extundo.com (178.230.13.217.in-addr.dgcsystems.net
[217.13.230.178])
by mailrelay.anl.gov (Postfix) with ESMTP id 8EDFD5F0CB1
for <ietf-krb-wg@anl.gov>; Thu, 22 Jun 2006 08:25:07 -0500 (CDT)
Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178])
(authenticated bits=0)
by yxa.extundo.com (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id
k5MDP2Ph017527
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Thu, 22 Jun 2006 15:25:03 +0200
From: Simon Josefsson <jas@extundo.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: "Shawn M. Emery" <Shawn.Emery@Sun.COM>, martin.rex@sap.com,
Durbin_Ron@emc.com, ietf-krb-wg@anl.gov
Subject: Re: RFC4120
References: <200606192125.XAA18319@uw1048.wdf.sap.corp>
<tsl1wtijtd8.fsf@cz.mit.edu> <44998FB3.5050203@sun.com>
<87bqsl1pqy.fsf@latte.josefsson.org> <tslwtb9fjyu.fsf@cz.mit.edu>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:060622:durbin_ron@emc.com::xkLicOQeOTWLip8G:1g35
X-Hashcash: 1:22:060622:shawn.emery@sun.com::zfymAT2SVYQ/unlR:B/Tt
X-Hashcash: 1:22:060622:martin.rex@sap.com::Y6vS2jF3rbDteJPM:ITrq
X-Hashcash: 1:22:060622:ietf-krb-wg@anl.gov::iTlp680teXocag44:QSy6
X-Hashcash: 1:22:060622:hartmans-ietf@mit.edu::vUwlk7es9PMXDwV8:GFcm
Date: Thu, 22 Jun 2006 15:25:03 +0200
In-Reply-To: <tslwtb9fjyu.fsf@cz.mit.edu> (Sam Hartman's message of "Thu, 22
Jun 2006 08:33:45 -0400")
Message-ID: <873bdxz5jk.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)
X-Virus-Scanned: ClamAV version 0.88.2,
clamav-milter version 0.88.2 on yxa.extundo.com
X-Virus-Status: Clean
Sender: owner-ietf-krb-wg@mailhost.anl.gov
Precedence: bulk
X-Scanned-By: MIMEDefang 2.42
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
solipsist-nation.suchdamage.org
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO
autolearn=ham version=3.0.2
MIME-Version: 1.0
Sam Hartman <hartmans-ietf@mit.edu> writes:
>>>>> "Simon" == Simon Josefsson <jas@extundo.com> writes:
> Simon> "Shawn M. Emery" <Shawn.Emery@Sun.COM> writes:
> >>> Notable differences include support for AES which is mandated
> >>> by RFC 4120, but which will not be hugely common until Windows
> >>> Vista ships. MIT, Heimdal, Solaris and Apple have had AES for
> >>> a while now, though.
> >>>
> >> There are a number of implementations that don't enforce
> >> requirements made by RFC 4120. For example:
> >>
> >> Implementations of Kerberos and protocols based on Kerberos
> >> MUST NOT use insecure DNS queries to canonicalize the hostname
> >> components of the service principal names (i.e., they MUST NOT
> >> use insecure DNS queries to map one name to another to
> >> determine the host part of the principal name with which one is
> >> to communicate).
> Simon> There are several other examples:
> Simon> 1) Nobody else's implementation that I've tested seems to
> Simon> behave according to RFC 4120 wrt to the high bit set on TCP
> Simon> connections.
>
> Really?
> MIT certainly intended to behave correctly.
> Do you have a simple test case? If you could describe the problem within the next day or so, we could probably get a fix into 1.5.
The details were posted in:
http://article.gmane.org/gmane.ietf.krb-wg/4342
I confirmed this again with Debian's krb5-kdc version 1.4.3-7.
To test this, just send a message with all bits set:
jas@latte:~$ printf "\xff\xff\xff\xff" | nc localhost 88
The KDC closes the connection and logs:
Jun 22 15:19:01 localhost krb5kdc[5081]: TCP client 127.0.0.1.44841 wants 4294967295 bytes, cap is 1048572
It would be useful to have one implementation that behaves according
to RFC 4120 to test with, when Shishi tries to use the extension
mechanism against a server that doesn't support it.
/Simon
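The framing rule Simon's probe exercises, as an added model that is not MIT krb5's code and not part of the thread: a KDC reads the 4-octet length prefix, and a set high bit is an extension it does not understand, which RFC 4120 section 7.2.2 says must be answered with a KRB-ERROR carrying KRB_ERR_FIELD_TOOLONG (code 61) before the stream is closed. The realm and timestamp are constructed sample values, the cap is the 1048572 from the log line above, and the block also decodes the framed reply so a bare close and a proper KRB-ERROR can be told apart.

```python
"""Added model of RFC 4120 7.2.2 TCP framing (not MIT krb5's own code)."""
import struct

KRB_ERR_FIELD_TOOLONG = 61   # error code a conformant KDC returns (RFC 4120)
MIT_TCP_CAP = 1048572        # cap quoted in the krb5kdc log line above

def tlv(tag, content):
    """Minimal DER TLV; short-form length only (contents under 128 octets)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def krb_error(code, realm=b"EXAMPLE.ORG", stime=b"20060622131901Z"):  # sample values
    """Minimal KRB-ERROR (RFC 4120 5.9.1): [APPLICATION 30] SEQUENCE of pvno [0],
    msg-type [1], stime [4], susec [5], error-code [6], realm [9], sname [10]."""
    ctx = lambda n, inner: tlv(0xA0 | n, inner)       # context-specific tag [n]
    int1 = lambda v: tlv(0x02, bytes([v]))             # one-octet DER INTEGER (v < 128)
    sname = tlv(0x30, ctx(0, int1(2)) + ctx(1, tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, realm))))
    body = (ctx(0, int1(5)) + ctx(1, int1(30)) + ctx(4, tlv(0x18, stime)) + ctx(5, int1(0))
            + ctx(6, int1(code)) + ctx(9, tlv(0x1B, realm)) + ctx(10, sname))
    return tlv(0x7E, tlv(0x30, body))

def kdc_handle_prefix(prefix, cap=MIT_TCP_CAP):
    """A set high bit in the 4-octet prefix is an extension the KDC does not
    understand: 7.2.2 requires a framed KRB-ERROR(KRB_ERR_FIELD_TOOLONG) and a
    close, not the length-vs-cap check the 1.4.3 log line above shows."""
    value = struct.unpack(">I", prefix)[0]
    if value & 0x80000000:
        err = krb_error(KRB_ERR_FIELD_TOOLONG)
        return "krb-error", struct.pack(">I", len(err)) + err
    if value > cap:
        return "close", "wants %d bytes, cap is %d" % (value, cap)
    return "read", value

def der_walk(buf):
    """Yield (tag, content) for each short-form TLV in buf."""
    pos = 0
    while pos < len(buf):
        yield buf[pos], buf[pos + 2:pos + 2 + buf[pos + 1]]
        pos += 2 + buf[pos + 1]

def kdc_error_code(reply):
    """None if the KDC just closed the stream, else the KRB-ERROR's error-code."""
    if not reply:
        return None
    n = struct.unpack(">I", reply[:4])[0]
    (tag, app), = der_walk(reply[4:4 + n])
    if tag != 0x7E:
        raise ValueError("reply is not a KRB-ERROR")
    codes = [c for t, c in der_walk(next(der_walk(app))[1]) if t == 0xA6]
    return int.from_bytes(next(der_walk(codes[0]))[1], "big")   # error-code [6]
```

With the all-ones prefix from the probe, kdc_handle_prefix takes the KRB-ERROR path; the log line above shows the 1.4.3 KDC instead taking the length-vs-cap path and closing without a reply.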