ietf-nntp AUTHINFO SASL protocol choices
Jeffrey M. Vinocur
jeff at litech.org
Sat Mar 30 19:08:42 PST 2002
On Sat, 30 Mar 2002, Charles Lindsey wrote:
> In <ylhen0bh4x.fsf at windlord.stanford.edu> Russ Allbery <rra at stanford.edu> writes:
>
> >If some SASL mechanisms seriously require 85K of data, then I'm definitely
> >opposed to putting the negotiation all on one line with the command.
>
> Absolutely so. I had no idea such long parameters were needed. I could
> believe in a command line extended to 2048 octets, 8192 maybe, but things
> of 85K sort of length go as multi-line stuff with dot stuffing, and all
> that.
Definitely agreed.
Some further issues:
1. Do we want to instruct/permit servers to limit the amount of data
sent in this fashion? (Chris is concerned with denial of service,
as the clients are completely unauthenticated at this point; we
certainly can't expect servers to buffer an arbitrary amount of
data from anybody who opens a connection. If we don't address
the issue here, we'll have to expect programmers to hardcode some
limit and just close the connection, I think.)
It sounds like the SASL spec will put a hard limit on this, which
is great. Then for AUTHINFO SASL we just have to decide what the
appropriate action is when that limit (with base64 expansion) is
reached.
But what is it we should do in this case? I don't see how we
have any option except to close the connection, actually.
2. We define (in the base spec) the existence of single- and multi-
line server responses. Should we do something similar for the
client commands? The TAKETHIS extension uses this method (in
which the client sends a command and then a multi-line chunk
of data, without waiting for a go-ahead from the server) as
well.
3. Do we want to continue with any line-length changes, as part of the
base spec, even if there is no pressing need for them? Personally,
I'd like to see at minimum:
- A statement about how servers are to handle lines which are too
long.
- A note that the 512 limit may be changed by an extension, even
if no details at all about this are agreed on now.
--
Jeffrey M. Vinocur
jeff at litech.org
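The three points above (capping how much an unauthenticated client can make the server buffer, a dot-stuffed multi-line client block, and an explicit rule for over-long lines) fit together in a small piece of server-side reading code. The following is an added illustration, not code from the thread, from INN or from any NNTP implementation: the limits, the `CloseConnection` exception and the function names are assumptions chosen for the example, and the client-side encoder is included only so the round trip can be run offline.

```python
import base64
import binascii

# Hypothetical limits for illustration; the thread mentions 512, 2048 and
# 8192-octet line lengths and SASL payloads on the order of 85K.
MAX_LINE_OCTETS = 8192
MAX_BLOCK_OCTETS = 85 * 1024


class CloseConnection(Exception):
    """A client exceeded a limit before authenticating; the server drops the connection."""


def read_dot_stuffed_block(lines, max_line_octets=MAX_LINE_OCTETS,
                           max_block_octets=MAX_BLOCK_OCTETS):
    """Server side: consume CRLF-terminated byte lines up to the lone '.' terminator.

    Each line is checked against max_line_octets and the running total against
    max_block_octets before it is buffered, so an unauthenticated client cannot
    make the server hold an unbounded amount of data. Returns the un-stuffed
    lines (without CRLF) as a list of bytes.
    """
    buffered = []
    total = 0
    for raw in lines:
        if not raw.endswith(b"\r\n"):
            raise CloseConnection("line not CRLF-terminated")
        line = raw[:-2]
        if len(line) > max_line_octets:
            raise CloseConnection("line exceeds %d octets" % max_line_octets)
        if line == b".":
            return buffered
        if line.startswith(b"."):
            line = line[1:]  # undo dot stuffing
        total += len(line)
        if total > max_block_octets:
            raise CloseConnection("multi-line block exceeds %d octets" % max_block_octets)
        buffered.append(line)
    raise CloseConnection("client closed before sending the terminator")


def decode_sasl_response(lines, max_decoded_octets):
    """Turn the un-stuffed lines of a SASL exchange into the raw mechanism data.

    The decoded-size limit is applied twice: first as a cheap bound on the
    base64 text (4 octets of base64 per 3 octets of data), then on the actual
    decoded length, so base64 expansion cannot be used to slip past the cap.
    """
    encoded = b"".join(lines)
    max_encoded = 4 * ((max_decoded_octets + 2) // 3)
    if len(encoded) > max_encoded:
        raise CloseConnection("encoded SASL data exceeds the limit")
    try:
        decoded = base64.b64decode(encoded, validate=True)
    except binascii.Error:
        raise CloseConnection("malformed base64 in SASL data")
    if len(decoded) > max_decoded_octets:
        raise CloseConnection("decoded SASL data exceeds the limit")
    return decoded


def encode_sasl_block(payload, line_octets=76):
    """Client side: base64-encode, split into short lines, dot-stuff, terminate.

    Base64 never starts a line with '.', but the stuffing step is kept so the
    encoder is correct for any multi-line client block, not just SASL data.
    """
    enc = base64.b64encode(payload)
    chunks = [enc[i:i + line_octets] for i in range(0, len(enc), line_octets)] or [b""]
    out = []
    for chunk in chunks:
        if chunk.startswith(b"."):
            chunk = b"." + chunk
        out.append(chunk + b"\r\n")
    out.append(b".\r\n")
    return out


if __name__ == "__main__":
    # Constructed sample: a PLAIN-style authorization string, round-tripped.
    sample = b"\x00user\x00secret"
    wire = encode_sasl_block(sample)
    print(decode_sasl_response(read_dot_stuffed_block(wire), 1024) == sample)
```

The reader refuses a block before buffering the offending line, which is the behaviour the message argues for: once a limit is hit there is nothing sensible left to do with the connection. Keeping the line-length check separate from the block-size check also lets the two limits be set independently, matching the suggestion that the 512-octet line limit may be raised by an extension while the total stays capped by the SASL specification.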