directory-dev mailing list archives

From "Enrique Rodriguez" <>
Subject Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)
Date Thu, 07 Jun 2007 17:49:06 GMT
On 6/7/07, Alex Karasulu <> wrote:
> Just changed the name so we can discuss the other services separately from
> the vote thread.
> Note that I think we might want to leave NTP since it is complete from my
> understanding but Enrique would know best.  Also NTP might be needed for
> time synch for Kerberos which needs time synchronization to function.  DNS
> is not needed but is somewhat complete?

DHCP:  DHCP stands out as being unable to respond to an initial
request.  Every other protocol will respond when probed with basic
tools.  For that reason, I consciously left DHCP config doco out of
the latest round of big updates and I did not wire it into the startup
config.  I am fine with sandboxing it.

If you'll recall, DHCP needs to listen for and respond to an initial
broadcast (before the client has an IP address).  I was hoping we'd
see a minimal patch to at least "get it live" but in lieu of that
sandboxing is fine.  I guess what I'm trying to say is that it could
be easy to get it live, in which case it should be left in trunk,
doco'd, and added to the server.

DNS:  Modern Kerberos clients are defaulted to look for KDCs and
Change Password servers from DNS, using SRV records.  I would classify
DNS as somewhat complete, certainly rough around the edges, but I
think "not needed" is too strong - it is a welcome addition to an
environment that wants to run Kerberos.  DNS SRV can also be used to
locate LDAP servers.

NTP works.  Time synchronization is important to Kerberos and Mitosis.
In defense of NTP I'd also like to point out that time synchronization
is important in the newer "Identity 2.0" world, in mechanisms that use
SAML tokens, for example CardSpace.  SAML tokens have a validity
period, similar to Kerberos ticket lifetimes.
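Added example (editor's note, not ApacheDS code nor anything Enrique posted): the SRV-based discovery the DNS paragraph refers to, carried out in Python against a constructed zone fragment so it runs offline. Clients query _kerberos._udp.<realm> / _kerberos._tcp.<realm> for KDCs and _kpasswd._udp.<realm> for the change-password service (RFC 4120 section 7.2.3.3), and _ldap._tcp.<domain> for LDAP; the realm EXAMPLE.COM, the hostnames and the priorities/weights are hypothetical. The ordering follows RFC 2782 (ascending priority, then weighted random selection within a priority, weight-0 records placed first so they are rarely chosen); the `pick` callback exists only so the draw can be made deterministic.

```python
"""Kerberos/LDAP service discovery through DNS SRV records (RFC 2782).

Added example, not ApacheDS code. Zone data is constructed inline; realm,
hostnames, ports, priorities and weights are hypothetical.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone fragment for the hypothetical realm EXAMPLE.COM.
ZONE = """
_kerberos._udp.example.com.  3600 IN SRV  0 100  88 kdc1.example.com.
_kerberos._udp.example.com.  3600 IN SRV  0  50  88 kdc2.example.com.
_kerberos._udp.example.com.  3600 IN SRV 10   0  88 kdc-backup.example.com.
_kpasswd._udp.example.com.   3600 IN SRV  0   0 464 kdc1.example.com.
_ldap._tcp.example.com.      3600 IN SRV  0   0 389 ldap1.example.com.
_ldap._tcp.example.com.      3600 IN SRV  0   0 389 ldap2.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_name(service: str, proto: str, realm: str) -> str:
    """Owner name a client queries, e.g. _kerberos._udp.example.com.
    DNS names are case-insensitive, so the realm is lowercased."""
    return f"_{service}._{proto}.{realm.lower().rstrip('.')}."


def parse_srv_zone(text: str) -> Dict[str, List[SrvRecord]]:
    """Parse 'owner TTL IN SRV prio weight port target' lines into a map
    from owner name to its SRV records; anything else is skipped."""
    records: Dict[str, List[SrvRecord]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        prio, weight, port = (int(x) for x in fields[4:7])
        records.setdefault(fields[0].lower(), []).append(
            SrvRecord(prio, weight, port, fields[7].lower()))
    return records


def order_targets(records: List[SrvRecord],
                  pick: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: ascending priority; within a
    priority, weighted random selection without replacement. Weight-0
    entries go first so they are selected only when the draw is 0."""
    if pick is None:
        pick = lambda total: random.randint(0, total)  # draw in [0, total]
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # stable: weight-0 first
        while pool:
            total = sum(r.weight for r in pool)
            draw = pick(total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:  # first record whose running sum covers the draw
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def discover(service: str, proto: str, realm: str, zone: str = ZONE,
             pick: Optional[Callable[[int], int]] = None) -> List[Tuple[str, int]]:
    """Return (host, port) pairs in the order a client should try them."""
    recs = parse_srv_zone(zone).get(srv_name(service, proto, realm), [])
    return [(r.target, r.port) for r in order_targets(recs, pick)]


if __name__ == "__main__":
    print("KDCs:   ", discover("kerberos", "udp", "EXAMPLE.COM"))
    print("kpasswd:", discover("kpasswd", "udp", "EXAMPLE.COM"))
    print("LDAP:   ", discover("ldap", "tcp", "example.com"))
```

A client that ignores priority and just takes the first answer it gets will happily talk to kdc-backup when both primaries are up; the check here is that the priority-10 record is always last and that the two weight-bearing primaries share load roughly 2:1.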


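Second added example (again editor's note, not ApacheDS or CardSpace code): the validity-period check behind the NTP paragraph. A SAML 2.0 Conditions element carries NotBefore (inclusive) and NotOnOrAfter (exclusive); the relying party compares them with its own clock plus whatever skew it tolerates, exactly as a Kerberos server does with a ticket's start and end times. The assertion fragment, the two-minute skew allowance and the clock offsets are constructed for the example. It shows that a token which is perfectly fresh on a synchronized host is rejected as expired or not-yet-valid on a host whose clock is ten minutes off.

```python
"""Time-bounded token check against a possibly skewed local clock.

Added example, not ApacheDS code. The SAML fragment, skew allowance and
clock offsets are hypothetical; only the SAML namespace is real.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment: valid for five minutes from 12:00:00Z.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2007-06-07T12:00:00Z"
                   NotOnOrAfter="2007-06-07T12:05:00Z"/>
</saml:Assertion>"""

# Hypothetical allowance. MIT Kerberos defaults clockskew to 300 s; a SAML
# relying party picks its own value, and a tighter one is used here.
DEFAULT_SKEW_SECONDS = 120


def parse_utc(stamp: str) -> datetime:
    """Parse the xs:dateTime form SAML uses (UTC, trailing Z) to an aware datetime."""
    if not stamp.endswith("Z"):
        raise ValueError("expected a UTC timestamp with trailing Z")
    return datetime.fromisoformat(stamp[:-1]).replace(tzinfo=timezone.utc)


def read_conditions(xml_text: str):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a bounded Conditions element")
    return parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))


def check_window(local_now: datetime, not_before: datetime,
                 not_on_or_after: datetime, skew: timedelta) -> str:
    """Accept when local_now lies in [NotBefore - skew, NotOnOrAfter + skew).
    NotBefore is inclusive, NotOnOrAfter exclusive (SAML 2.0 core, 2.5.1)."""
    if local_now < not_before - skew:
        return "not yet valid"
    if local_now >= not_on_or_after + skew:
        return "expired"
    return "ok"


def evaluate(xml_text: str, true_now: str, clock_error_seconds: int = 0,
             skew_seconds: int = DEFAULT_SKEW_SECONDS) -> str:
    """Evaluate the assertion as a host would whose clock reads
    true_now + clock_error_seconds. true_now is a UTC 'Z' timestamp."""
    not_before, not_on_or_after = read_conditions(xml_text)
    local_now = parse_utc(true_now) + timedelta(seconds=clock_error_seconds)
    return check_window(local_now, not_before, not_on_or_after,
                        timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    fresh = "2007-06-07T12:01:00Z"  # one minute into the token's life
    for err in (0, 600, -600):
        print(f"clock error {err:+5d}s ->", evaluate(ASSERTION, fresh, err))
```

The practical reading: the skew allowance is the only slack a relying party has, so a host drifting past it starts failing authentication with nothing in the token itself to explain why. Keeping NTP in the server removes that failure mode for the Kerberos and SAML cases alike.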