Posted to dev@directory.apache.org by Alex Karasulu <ak...@apache.org> on 2007/06/07 17:12:12 UTC

Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Just changed the name so we can discuss the other services separately from
the vote thread.

Note that I think we might want to leave NTP since it is complete from my
understanding but Enrique would know best.  Also NTP might be needed for
time synch for Kerberos which needs time synchronization to function.  DNS
is not needed but is somewhat complete?

Alex

On 6/7/07, Alex Karasulu <ak...@apache.org> wrote:
>
>
> On 6/7/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> >
> > Hi,
> >
> > as I'm reviewing the configuration, and the documentation, I don't find
> > anything about DHCP protocol provider. A page on confluence gives some
> > information about it, but we have nothing about how to launch it, how to
> > configure it, and how to manage it.
>
>
> Hmmm yeah you're right: it might not even be packaged with the server.
> There
> are no deps on it.  Early I liked the idea of having it in there but we
> cannot leave
> ourselves exposed without having the supporting documentation nor the
> ability to engage users as a community.  Does the same situation exist
> for NTP and DNS?
>
> > I suggest that we sandbox this protocol provider until we get some
> > documentation and some configuration for it.
> >
> > [X] +1 : Let's sandbox it
> > [ ] +/-0 : I don't know
> > [ ] -1 : Keep DHCP in the core server
>
>
> Alex
>
>
>

Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Alex Karasulu <ak...@apache.org>.
On 6/7/07, Emmanuel Lecharny <el...@gmail.com> wrote:
>
> I think that we might also use NTP for Mitosis.


Ahhhh yes yes we might need it there if we do not use timing offsets in the
change sequence number vector.

> So keeping it, as it is already documented (the configuration has been
> completed by Christine), should be ok
>
> On 6/7/07, Stefan Zoerner <st...@labeo.de> wrote:
> >
> > Alex Karasulu wrote:
> > > Just changed the name so we can discuss the other services separately
> > from
> > > the vote thread.
> > >
> > > Note that I think we might want to leave NTP since it is complete from
> > my
> > > understanding but Enrique would know best.  Also NTP might be needed
> > for
> > > time synch for Kerberos which needs time synchronization to
> > function.  DNS
> > > is not needed but is somewhat complete?
> >
> > NTP is quite simple, so it should be quite easy to provide user
> > documentation. There is already something available
> >
> > http://directory.apache.org/apacheds/1.5/ntp-protocol-provider.html
> >
> > I volunteer for a simple "Getting started" article about how to enable
> > the protocol in the configuration and check with a client -- step by
> > step.
> >
> > Greetings,
> >      Stefan
> >
> >
> >
> >
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Emmanuel Lecharny <el...@gmail.com>.
I think that we might also use NTP for Mitosis.

So keeping it, as it is already documented (the configuration has been
completed by Christine), should be ok

On 6/7/07, Stefan Zoerner <st...@labeo.de> wrote:
>
> Alex Karasulu wrote:
> > Just changed the name so we can discuss the other services separately
> from
> > the vote thread.
> >
> > Note that I think we might want to leave NTP since it is complete from
> my
> > understanding but Enrique would know best.  Also NTP might be needed for
> > time synch for Kerberos which needs time synchronization to
> function.  DNS
> > is not needed but is somewhat complete?
>
> NTP is quite simple, so it should be quite easy to provide user
> documentation. There is already something available
>
> http://directory.apache.org/apacheds/1.5/ntp-protocol-provider.html
>
> I volunteer for a simple "Getting started" article about how to enable
> the protocol in the configuration and check with a client -- step by step.
>
> Greetings,
>      Stefan
>
>
>
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Alex Karasulu <ak...@apache.org>.
On 6/7/07, Stefan Zoerner <st...@labeo.de> wrote:
>
> Alex Karasulu wrote:
> > Just changed the name so we can discuss the other services separately
> from
> > the vote thread.
> >
> > Note that I think we might want to leave NTP since it is complete from
> my
> > understanding but Enrique would know best.  Also NTP might be needed for
> > time synch for Kerberos which needs time synchronization to
> function.  DNS
> > is not needed but is somewhat complete?
>
> NTP is quite simple, so it should be quite easy to provide user
> documentation. There is already something available
>
> http://directory.apache.org/apacheds/1.5/ntp-protocol-provider.html
>
> I volunteer for a simple "Getting started" article about how to enable
> the protocol in the configuration and check with a client -- step by step.


Cool thanks Stefan.

Perhaps Enrique could you setup an integration test to make sure NTP
works when enabled in the server?

Alex

Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Stefan Zoerner <st...@labeo.de>.
Alex Karasulu wrote:
> Just changed the name so we can discuss the other services separately from
> the vote thread.
> 
> Note that I think we might want to leave NTP since it is complete from my
> understanding but Enrique would know best.  Also NTP might be needed for
> time synch for Kerberos which needs time synchronization to function.  DNS
> is not needed but is somewhat complete?

NTP is quite simple, so it should be quite easy to provide user 
documentation. There is already something available

http://directory.apache.org/apacheds/1.5/ntp-protocol-provider.html

I volunteer for a simple "Getting started" article about how to enable 
the protocol in the configuration and check with a client -- step by step.

Greetings,
     Stefan




Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Emmanuel Lecharny <el...@apache.org>.
Enrique Rodriguez wrote:

> On 6/7/07, Alex Karasulu <ak...@apache.org> wrote:
>
>> Just changed the name so we can discuss the other services separately 
>> from
>> the vote thread.
>>
>> Note that I think we might want to leave NTP since it is complete 
>> from my
>> understanding but Enrique would know best.  Also NTP might be needed for
>> time synch for Kerberos which needs time synchronization to 
>> function.  DNS
>> is not needed but is somewhat complete?
>
>
> DHCP:  DHCP stands out as being unable to respond to an initial
> request.  Every other protocol will respond when probed with basic
> tools.  For that reason, I consciously left DHCP config doco out of
> the latest round of big updates and I did not wire it into the startup
> config.  I am fine with sandboxing it.

Ok.

>
> If you'll recall, DHCP needs to listen for and respond to an initial
> broadcast (before the client has an IP address).  I was hoping we'd
> see a minimal patch to at least "get it live" but in lieu of that
> sandboxing is fine.  I guess what I'm trying to say is that it could
> be easy to get it live, in which case it should be left in trunk,
> doco'd, and added to the server.

We can wait. The idea is to sandbox it until we have time to resuscitate 
it.

>
> DNS:  Modern Kerberos clients are defaulted to look for KDC's and
> Change Password servers from DNS, using SRV records.  I would classify
> DNS as somewhat complete, certainly rough around the edges, but I
> think "not needed" is too strong - it is a welcome addition to an
> environment that wants to run Kerberos.  DNS SRV can also be used to
> locate LDAP servers.

I have seen users of this service. I'm not favoring its sandboxing right 
now. If the doco is rough, then we have to work on it.

>
> NTP works.  Time synchronization is important to Kerberos and Mitosis.
> In defense of NTP I'd also like to point out time synchronization
> is important in the newer "Identity 2.0" world, in mechanisms that use
> SAML tokens, for example CardSpace.  SAML tokens have a validity
> period, similar to Kerberos ticket lifetimes.

We also need NTP for Mitosis. Doco seems to be pretty ok too.
Emmanuel
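The time-synchronization point made above (Kerberos rejects authenticators outside its clock-skew window, and SAML tokens carry a validity period) as an added illustration; this is not code from the thread or from ApacheDS. It assumes the 300-second skew limit that MIT krb5 uses as its default, and the timestamps and client clock offsets are constructed:

```python
"""Why an unsynchronized server clock breaks Kerberos and SAML validation.
Added example, not ApacheDS code; timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

# Assumption: 300 s is the MIT krb5 "clockskew" default, not an ApacheDS setting.
KRB_MAX_SKEW_S = 300


def parse_utc(ts):
    """Parse an xsd:dateTime / RFC 3339 UTC stamp such as 2007-06-07T17:12:12Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def krb_authenticator_ok(client_time, server_time, max_skew_s=KRB_MAX_SKEW_S):
    """RFC 4120 section 3.2.3: the application server rejects an authenticator
    whose ctime differs from its own clock by more than the allowed skew."""
    return abs(server_time - client_time) <= timedelta(seconds=max_skew_s)


def saml_conditions_ok(not_before, not_on_or_after, now, tolerance_s=0):
    """SAML 2.0 Core section 2.5.1: NotBefore is inclusive, NotOnOrAfter is
    exclusive. A small tolerance absorbs residual skew between IdP and SP."""
    nb = parse_utc(not_before) - timedelta(seconds=tolerance_s)
    noa = parse_utc(not_on_or_after) + timedelta(seconds=tolerance_s)
    return nb <= now < noa


def acceptance_rate(server_drift_s, client_times, true_now, max_skew_s=KRB_MAX_SKEW_S):
    """Fraction of authenticators from well-synchronized clients that a server
    accepts when its own clock is off by server_drift_s seconds."""
    server_now = true_now + timedelta(seconds=server_drift_s)
    accepted = sum(krb_authenticator_ok(t, server_now, max_skew_s) for t in client_times)
    return accepted / len(client_times)


# Constructed sample: five clients whose clocks are within a minute of true time.
TRUE_NOW = parse_utc("2007-06-07T17:12:12Z")
CLIENT_TIMES = [TRUE_NOW + timedelta(seconds=d) for d in (-20, -3, 0, 4, 45)]

if __name__ == "__main__":
    for drift in (0, 300, 420):
        rate = acceptance_rate(drift, CLIENT_TIMES, TRUE_NOW)
        print(f"server clock off by {drift:4d}s -> {rate:.0%} of logins accepted")
```

Running the script shows the failure mode the thread is worried about: a server clock seven minutes off rejects every otherwise valid Kerberos login, which is why the NTP provider matters to both the KDC and Mitosis.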

Re: Sandboxing undocumented protocols (was: Re: [Vote] Sandboxing DHCP protocol)

Posted by Enrique Rodriguez <en...@gmail.com>.
On 6/7/07, Alex Karasulu <ak...@apache.org> wrote:
> Just changed the name so we can discuss the other services separately from
> the vote thread.
>
> Note that I think we might want to leave NTP since it is complete from my
> understanding but Enrique would know best.  Also NTP might be needed for
> time synch for Kerberos which needs time synchronization to function.  DNS
> is not needed but is somewhat complete?

DHCP:  DHCP stands out as being unable to respond to an initial
request.  Every other protocol will respond when probed with basic
tools.  For that reason, I consciously left DHCP config doco out of
the latest round of big updates and I did not wire it into the startup
config.  I am fine with sandboxing it.

If you'll recall, DHCP needs to listen for and respond to an initial
broadcast (before the client has an IP address).  I was hoping we'd
see a minimal patch to at least "get it live" but in lieu of that
sandboxing is fine.  I guess what I'm trying to say is that it could
be easy to get it live, in which case it should be left in trunk,
doco'd, and added to the server.

DNS:  Modern Kerberos clients are defaulted to look for KDC's and
Change Password servers from DNS, using SRV records.  I would classify
DNS as somewhat complete, certainly rough around the edges, but I
think "not needed" is too strong - it is a welcome addition to an
environment that wants to run Kerberos.  DNS SRV can also be used to
locate LDAP servers.

NTP works.  Time synchronization is important to Kerberos and Mitosis.
In defense of NTP I'd also like to point out time synchronization
is important in the newer "Identity 2.0" world, in mechanisms that use
SAML tokens, for example CardSpace.  SAML tokens have a validity
period, similar to Kerberos ticket lifetimes.

Enrique
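The SRV-based lookup Enrique refers to (Kerberos clients finding KDCs and Change Password servers, LDAP clients finding directory servers) as an added example; this is not code from the thread or from ApacheDS. It implements the RFC 2782 ordering rules (priority first, then weighted random selection, with a "." target meaning the service is explicitly absent) over a constructed set of records for a hypothetical example.com zone:

```python
"""RFC 2782 SRV-based service discovery for Kerberos, kpasswd and LDAP.
Added example, not ApacheDS code; the zone data below is constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. "_kerberos._udp.example.com."
    priority: int  # lower values are tried first
    weight: int    # share of load among records with equal priority
    port: int
    target: str    # server host name; "." means the service is decidedly absent


# Constructed sample zone for a hypothetical realm EXAMPLE.COM.
SAMPLE_RECORDS = [
    SrvRecord("_kerberos._udp.example.com.", 10, 60, 88, "kdc1.example.com."),
    SrvRecord("_kerberos._udp.example.com.", 10, 40, 88, "kdc2.example.com."),
    SrvRecord("_kerberos._udp.example.com.", 20, 0, 88, "kdc-backup.example.com."),
    SrvRecord("_kpasswd._udp.example.com.", 0, 0, 464, "kdc1.example.com."),
    SrvRecord("_ldap._tcp.example.com.", 0, 100, 389, "ldap1.example.com."),
    SrvRecord("_ldap._tcp.example.com.", 0, 100, 389, "ldap2.example.com."),
    # Sub-domain that explicitly advertises "no Kerberos here" (target ".").
    SrvRecord("_kerberos._udp.nokrb.example.com.", 0, 0, 88, "."),
]


def srv_name(service, proto, domain):
    """Build the case-folded SRV owner name _<service>._<proto>.<domain>."""
    return f"_{service}._{proto}.{domain.strip('.').lower()}."


def order_targets(records, seed=None):
    """Order records per RFC 2782 usage rules: ascending priority, then within
    each priority a weighted random pick with weight-0 entries placed first."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        rng.shuffle(pool)                        # random base order
        pool.sort(key=lambda r: r.weight != 0)   # stable: weight-0 first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)         # inclusive range 0..total
            running = 0
            for chosen in pool:
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def discover(records, service, proto, domain, seed=None):
    """Return (host, port) pairs in the order a client should try them; empty
    when no record exists or a "." target says the service is not offered."""
    wanted = srv_name(service, proto, domain)
    matches = [r for r in records if r.name.lower() == wanted]
    if any(r.target == "." for r in matches):
        return []
    return [(r.target.rstrip("."), r.port) for r in order_targets(matches, seed)]


def find_kdcs(records, realm, seed=None):
    """Kerberos KDC lookup via _kerberos._udp.<realm>, as RFC 4120 describes."""
    return discover(records, "kerberos", "udp", realm, seed)


def find_kpasswd(records, realm, seed=None):
    """Change Password server lookup via _kpasswd._udp.<realm>."""
    return discover(records, "kpasswd", "udp", realm, seed)


if __name__ == "__main__":
    for host, port in find_kdcs(SAMPLE_RECORDS, "EXAMPLE.COM", seed=1):
        print(f"KDC candidate {host}:{port}")
    print("LDAP:", discover(SAMPLE_RECORDS, "ldap", "tcp", "example.com", seed=1))
```

The realm name is folded to lower case before matching because DNS owner names are case-insensitive while Kerberos realm names are conventionally upper case; the weight-0 rule keeps backup servers out of the rotation until the weighted ones are exhausted.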