[Ietf-krb-wg] RFC 4121 - Context Deletion Tokens

Douglas E. Engert deengert at anl.gov
Fri May 7 10:58:44 EDT 2010

Srinivas Cheruku wrote:
>>  -----Original Message-----
>>  From: Martin Rex [mailto:mrex at sap.com]
>>  Srinivas Cheruku wrote:
>>  >
>>  > So, in GSSAPi v2, the delete_sec_context() should be called by peers
>>  > independently
>>  >
>>  > - Maybe this is the reason why RFC 4121 states the same.
>>  >
>>  > Does this mean that the application should have its own way of
>>  ending a
>>  > session and no GSS is involved in doing so?
>>  Personally, I think so.
>>  IIRC, FTP with GSS-API extension is using an empty protected message
>>  to "securely" convey the end of the data transfer.
> [Srinivas Cheruku] So, sending empty protected message is not a standard
> according GSSAPI V2 and is still supported by some apps. How does SAP
> software e.g. SAPGui and SAP Sever deal with context deletion tokens e.g.
> how will SAP signal ending the session - using GSS-API token or its own way?
>>  I argued for deprecating the context deletion token in GSS-API v2,
>>  because in a lot of layered software architectures it is somewhat
>>  difficult to indicate both, a fatal error and the need to transport
>>  a token to the peer.  Most software, when encountering a fatal error,
>>  will just close the network connection.
>>  In layered software, it is much easier to deal with app-level
>>  concious termination "handshake" of a communication that is
>>  error-free at the transport (protection) layer.
>>  It is also very app-specific how to cope with a communication
>>  failure (e.g. lost network connectivity) at some point in the
>>  middle of a communication, and which stuff to commit/save and
>>  which stuff to roll-back.
> [Srinivas Cheruku] Sorry, but I still didn't understand the logic behind
> deprecating context deletion token in GSS-API v2. Yes, I understand that
> most of the software when encountering fatal error will just close the
> network connection. But still I think that it would be good to support
> context deletion token so that when all goes well, the peer can signal
> context deletion when required. 
> Maybe I am not looking at the big picture?

Could be. In most cases GSSAPI is used to protect existing protocols,
that already have a way to signal termination.

>>  >
>>  > So, why MIT code is still generating context deletion token
>>  > with TOK_ID 0x0405?
>>  Backwards interop, I assume.  That token is likely ignored (and
>>  hopefully
>>  passed to gss_release_buffer()) by the calling application.
> [Srinivas Cheruku] GSS-API v1 TOK_ID for context deletion token is 0x0102. 
> Maybe there are no interoperable applications that are using MIT GSS-API
> code and sending the delete context token to peer to signal end of the
> session.

There might be, but it only signals the the peer's GSSAPI that it can close
the GSSAPI context not necessarily the applications session. The application
could continue to run without using wrap/unwrap or even establish a new GSSAPI
context on both ends and go back to using wrap/unwrap.

> Thanks,
> Srini
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list