Re: I-D ACTION:draft-ietf-ldapext-cldap-00.txt
FWIW, I think the approach of "just" embedding raw LDAP requests in UDP
packets is wrong; it offers too little support for solving the problems
noted here.
A better approach would be to update RFC 1798, and include 3 parts in the
UDP packet:
- A "wrapper" function
- A "control information" block, which could be used for security,
authentication or just sequence numbers
- An LDAP request or response
It's no accident that this is almost exactly what SNMP does!
I'd like to structure the document set like this:
- A basic standard describing the wrapper, an extremely primitive control
info block (basically just enough to correlate requests with responses
reliably), a basic retransmission strategy, and a basic profile saying
"if you use this simple stuff, only use Search, and expect to be spoofed".
- An extension that describes how to do an adequate security layer (whether
it's IPSec, SASL-with-secure-session-ID, or something else), how to achieve
at-most-once semantics for update operations, and an extended
profile saying "it makes sense to do almost any LDAP operation with this".
This should achieve the goal of making the document the current authors
want out the door short and easy to write, while not painting ourselves
into a corner we don't want to be in.
Harald
--
Harald Tveit Alvestrand, EDB Maxware, Norway
Harald.Alvestrand@edb.maxware.no
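To make the three-part structure proposed above concrete, the following is an added example (not Harald's code and not from any CLDAP draft): a small Python model of a UDP wrapper, a control block and an opaque payload standing in for the LDAP PDU. The byte layout, the flag values, the HMAC-SHA256 tag used as a stand-in for the "adequate security layer", the request-id/sequence fields and the `Responder`/`LossyLink` classes are all assumptions made for this illustration. It shows the basic profile (correlation by request id, retransmission, no protection against spoofed replies) next to the extended profile (tagged packets, with untagged or altered packets rejected) and the reply cache that gives update operations at-most-once semantics when a request is retransmitted.

```python
import hashlib
import hmac
import struct

# Constructed wire layout used only for this example; the thread proposes the
# three parts but fixes no byte format, so every field below is an assumption.
#   wrapper : MAGIC(4) | version u8 | flags u8 | control block length u16
#   control : request-id u32 | sequence u16 | [16-byte truncated HMAC-SHA256 tag]
#   payload : opaque bytes standing in for a BER-encoded LDAP request or response
MAGIC = b"LDPU"
VERSION = 1
FLAG_AUTH = 0x01      # control block carries an integrity tag (extended profile)
FLAG_UPDATE = 0x02    # payload is an update operation: needs at-most-once handling
TAG_LEN = 16
CTRL_LEN = 6


def build_packet(request_id, seq, payload, key=None, is_update=False):
    """Wrap an LDAP PDU for UDP; with a key, add the extended-profile tag."""
    flags = (FLAG_AUTH if key else 0) | (FLAG_UPDATE if is_update else 0)
    control = struct.pack("!IH", request_id, seq)
    clen = CTRL_LEN + (TAG_LEN if key else 0)
    header = MAGIC + struct.pack("!BBH", VERSION, flags, clen)
    if key:
        tag = hmac.new(key, header + control + payload, hashlib.sha256).digest()[:TAG_LEN]
        control += tag
    return header + control + payload


def parse_packet(data, key=None):
    """Unwrap a packet; with a key (extended profile) reject untagged or tampered packets."""
    if len(data) < 8 + CTRL_LEN or data[:4] != MAGIC:
        raise ValueError("not a wrapped LDAP/UDP packet")
    version, flags, clen = struct.unpack("!BBH", data[4:8])
    if version != VERSION or len(data) < 8 + clen:
        raise ValueError("bad version or truncated control block")
    header, control, payload = data[:8], data[8:8 + clen], data[8 + clen:]
    request_id, seq = struct.unpack("!IH", control[:CTRL_LEN])
    if key is not None:
        if not flags & FLAG_AUTH or clen < CTRL_LEN + TAG_LEN:
            raise ValueError("extended profile requires an authenticated packet")
        expected = hmac.new(key, header + control[:CTRL_LEN] + payload,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(control[CTRL_LEN:CTRL_LEN + TAG_LEN], expected):
            raise ValueError("integrity tag mismatch: packet altered or forged")
    # Basic profile (no key): the sequence/request id only correlates, it proves nothing.
    return {"request_id": request_id, "seq": seq,
            "update": bool(flags & FLAG_UPDATE), "payload": payload}


class Responder:
    """Server side: answers searches statelessly, applies updates at most once."""

    def __init__(self, key=None):
        self.key = key
        self.applied = []        # updates actually executed
        self.reply_cache = {}    # request-id -> response packet, for retransmitted updates

    def handle(self, packet):
        req = parse_packet(packet, self.key)
        rid = req["request_id"]
        if req["update"] and rid in self.reply_cache:
            return self.reply_cache[rid]   # duplicate: replay the old answer, do not re-apply
        if req["update"]:
            self.applied.append(req["payload"])
            body = b"modifyResponse:success"
        else:
            body = b"searchResultEntry:" + req["payload"]
        resp = build_packet(rid, req["seq"], body, self.key)
        if req["update"]:
            self.reply_cache[rid] = resp
        return resp


class LossyLink:
    """Constructed channel that drops the first `drop` responses, to exercise retransmission."""

    def __init__(self, responder, drop=0):
        self.responder, self.drop = responder, drop

    def send(self, packet):
        resp = self.responder.handle(packet)
        if self.drop > 0:
            self.drop -= 1
            return None          # simulated timeout: the reply never arrives
        return resp


def exchange(link, request_id, payload, key=None, is_update=False, max_tries=3):
    """Send, retransmit on timeout, and correlate the reply by request id."""
    for seq in range(max_tries):
        raw = link.send(build_packet(request_id, seq, payload, key, is_update))
        if raw is None:
            continue
        resp = parse_packet(raw, key)
        if resp["request_id"] == request_id:   # ignore stale or unrelated replies
            return resp["payload"]
    raise TimeoutError("no response after %d attempts" % max_tries)
```

With `key=None` the model is the basic profile: a reply is accepted purely because its request id matches, which is why that profile should be limited to Search and expected to be spoofed. Passing a key on both sides models the extended profile, and the `Responder` reply cache is what turns a retransmitted modify into a single applied change.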