directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@apache.org>
Subject Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)
Date Thu, 07 Jun 2007 22:52:09 GMT
Enrique Rodriguez wrote:

> On 6/7/07, Alex Karasulu <akarasulu@apache.org> wrote:
>
>> Just changed the name so we can discuss the other services separately from
>> the vote thread.
>>
>> Note that I think we might want to leave NTP since it is complete from my
>> understanding but Enrique would know best.  Also NTP might be needed for
>> time synch for Kerberos which needs time synchronization to function.  DNS
>> is not needed but is somewhat complete?
>
>
> DHCP:  DHCP stands out as being unable to respond to an initial
> request.  Every other protocol will respond when probed with basic
> tools.  For that reason, I consciously left DHCP config doco out of
> the latest round of big updates and I did not wire it into the startup
> config.  I am fine with sandboxing it.

Ok.

>
> If you'll recall, DHCP needs to listen for and respond to an initial
> broadcast (before the client has an IP address).  I was hoping we'd
> see a minimal patch to at least "get it live" but in lieu of that
> sandboxing is fine.  I guess what I'm trying to say is that it could
> be easy to get it live, in which case it should be left in trunk,
> doco'd, and added to the server.

We can wait. The idea is to sandbox it until we have time to resuscitate 
it.

>
> DNS:  Modern Kerberos clients are defaulted to look for KDC's and
> Change Password servers from DNS, using SRV records.  I would classify
> DNS as somewhat complete, certainly rough around the edges, but I
> think "not needed" is too strong - it is a welcome addition to an
> environment that wants to run Kerberos.  DNS SRV can also be used to
> locate LDAP servers.

I have seen users of this service. I'm not favoring its sandboxing right 
now. If the doco is rough, then we have to work on it.

>
> NTP works.  Time synchronization is important to Kerberos and Mitosis.
> In defense of NTP I'd also like to point out time synchronization
> is important in the newer "Identity 2.0" world, in mechanisms that use
> SAML tokens, for example CardSpace.  SAML tokens have a validity
> period, similar to Kerberos ticket lifetimes.

We also need NTP for Mitosis. Doco seems to be pretty ok too.
Emmanuel
