ietf-nntp AUTHINFO SASL protocol choices

Jeffrey M. Vinocur jeff at litech.org
Sat Mar 30 19:08:42 PST 2002


On Sat, 30 Mar 2002, Charles Lindsey wrote:

> In <ylhen0bh4x.fsf at windlord.stanford.edu> Russ Allbery <rra at stanford.edu> writes:
>
> >If some SASL mechanisms seriously require 85K of data, then I'm definitely
> >opposed to putting the negotiation all on one line with the command.
>
> Absolutely so. I had no idea such long parameters were needed. I could
> believe in a command line extended to 2048 octets, 8192 maybe, but things
> of 85K sort of length go as multi-line stuff with dot stuffing, and all
> that.

Definitely agreed.

Some further issues:

1.  Do we want to instruct/permit servers to limit the amount of data
    sent in this fashion?  (Chris is concerned with denial of service,
    as the clients are completely unauthenticated at this point; we
    certainly can't expect servers to buffer an arbitrary amount of
    data from anybody who opens a connection.  If we don't address
    the issue here, we'll have to expect programmers to hardcode some
    limit and just close the connection, I think.)

    It sounds like the SASL spec will put a hard limit on this, which
    is great.  Then for AUTHINFO SASL we just have to decide what the
    appropriate action is when that limit (with base64 expansion) is
    reached.

    But what is it we should do in this case?  I don't see how we
    have any option except to close the connection, actually.


2.  We define (in the base spec) the existence of single- and multi-
    line server responses.  Should we do something similar for the
    client commands?  The TAKETHIS extension uses this method (in
    which the client sends a command and then a multi-line chunk
    of data, without waiting for a go-ahead from the server) as
    well.


3.  Do we want to continue with any line-length changes, as part of the
    base spec, even if there is no pressing need for them?  Personally,
    I'd like to see at minimum:

    - A statement about how servers are to handle lines which are too
      long.

    - A note that the 512 limit may be changed by an extension, even
      if no details at all about this are agreed on now.


-- 
Jeffrey M. Vinocur
jeff at litech.org
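
Editor's note: the following is an added example, not code from the
message above or from any NNTP server or client.  It models the framing
being discussed in points 1 and 2: the client sends a SASL blob as a
dot-stuffed multi-line block (the multi-line command shape, not the
single-line syntax), and the server reads it under the 512-octet line
limit from the base spec plus a total-octet cap on data buffered from an
unauthenticated connection, closing the connection (here: raising) when
either is exceeded.  It also computes the base64 expansion of an 85K
blob.  The cap of 8192 octets, the 76-column wrap width, the exception
names and the absence of any real command keyword are all assumptions
made for the example.

```python
# Added example (not from the original post or any NNTP implementation).
# Client side: base64 + wrap + dot-stuff + terminating "." line.
# Server side: read that block with a per-line limit and a per-connection
# limit for unauthenticated clients, refusing when either is exceeded.
import base64
import math

CRLF = b"\r\n"
MAX_LINE_OCTETS = 512       # base-spec command/data line limit incl. CRLF (cited in the message)
MAX_UNAUTH_OCTETS = 8192    # ASSUMPTION: a server's cap on pre-authentication buffered octets
B64_LINE_CHARS = 76         # ASSUMPTION: wrap width for the base64 text; stays well under 512


class LimitExceeded(Exception):
    """A limit was hit; a server's only sensible reaction is to close the connection."""


class IncompleteBlock(Exception):
    """Input ended before the terminating '.' line."""


def base64_expanded_size(raw_len: int) -> int:
    """Octets of base64 text (no line breaks) needed for raw_len raw octets."""
    return 4 * math.ceil(raw_len / 3)


def stuff_lines(lines) -> bytes:
    """Dot-stuff arbitrary lines: any line beginning with '.' gets one more '.'.
    The block is terminated by a line consisting of a single '.'."""
    out = bytearray()
    for line in lines:
        if line.startswith(b"."):
            line = b"." + line
        out += line + CRLF
    out += b"." + CRLF
    return bytes(out)


def encode_block(raw: bytes, line_chars: int = B64_LINE_CHARS) -> bytes:
    """Client side: base64-encode the SASL blob, wrap it, and dot-stuff it."""
    text = base64.b64encode(raw)
    lines = [text[i:i + line_chars] for i in range(0, len(text), line_chars)]
    return stuff_lines(lines)


def read_block(stream: bytes, max_line: int = MAX_LINE_OCTETS,
               max_total: int = MAX_UNAUTH_OCTETS):
    """Server side: parse one dot-stuffed block from `stream` (a constructed
    byte buffer standing in for the socket).  Returns (lines, consumed_octets).
    Each line is checked against max_line and the running total against
    max_total BEFORE it is buffered, so an unauthenticated client can never
    make the server hold more than max_total octets."""
    lines = []
    consumed = 0
    pos = 0
    while True:
        end = stream.find(CRLF, pos)
        if end == -1:
            # No CRLF yet: still refuse if what is pending already exceeds a line.
            if len(stream) - pos + len(CRLF) > max_line:
                raise LimitExceeded("unterminated line exceeds %d octets" % max_line)
            raise IncompleteBlock("no terminating '.' line")
        raw_len = end + len(CRLF) - pos
        if raw_len > max_line:
            raise LimitExceeded("line of %d octets exceeds %d" % (raw_len, max_line))
        consumed += raw_len
        if consumed > max_total:
            raise LimitExceeded("%d octets before authentication exceeds %d"
                                % (consumed, max_total))
        line = stream[pos:end]
        pos = end + len(CRLF)
        if line == b".":            # terminator is checked before un-stuffing
            return lines, consumed
        if line.startswith(b".."):  # dot-unstuffing
            line = line[1:]
        lines.append(line)


def decode_block(stream: bytes, **limits) -> bytes:
    """Server side: read the block and recover the raw SASL blob."""
    lines, _ = read_block(stream, **limits)
    return base64.b64decode(b"".join(lines), validate=True)
```

With the assumed 8192-octet cap, an 85K blob (116056 octets after base64
expansion, before dot-stuffing and CRLFs) is refused after the first 8192
octets have arrived, which is the "close the connection" outcome the
message arrives at; nothing beyond the cap is ever buffered.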