
Re: I-D ACTION:draft-ietf-ldapext-cldap-00.txt



FWIW, I think the approach of "just" embedding raw LDAP requests in UDP packets is wrong; it offers too little support for solving the problems noted here.

A better approach would be to update RFC 1798, and include 3 parts in the UDP packet:

- A "wrapper" function
- A "control information" block, which could be used for security, authentication or just sequence numbers
- An LDAP request or response


It's no accident that this is almost exactly what SNMP does!
I'd like to structure the document set like this:

- A basic standard describing the wrapper, an extremely primitive control
  info block (basically just enough to correlate requests with responses
  reliably), a basic retransmission strategy, and a basic profile saying
  "if you use this simple stuff, only use Search, and expect to be spoofed".

- An extension that describes how to do an adequate security layer (whether
  it's IPSec, SASL-with-secure-session-ID, or something else), how to achieve
  at-most-once semantics for update operations, and an extended
  profile saying "it makes sense to do almost any LDAP operation with this".

This should achieve the goal of making the document the current authors want out the door short and easy to write, while not painting ourselves into a corner we don't want to be in.

                     Harald


-- Harald Tveit Alvestrand, EDB Maxware, Norway Harald.Alvestrand@edb.maxware.no
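The three-part datagram and the "just enough to correlate requests with responses reliably" control block that the message proposes, as an added illustration that is not part of the original post and not the format of RFC 1798 or the draft it discusses. The wrapper header, the control-block fields, the magic tag and the backoff schedule are all hypothetical choices made for this example; the "LDAP PDU" is an opaque constructed byte string. The requester side keeps only the outstanding request ids, drops any response whose id it never issued, retransmits on a timeout and gives up after a fixed number of tries. That is the whole of the protection the basic profile gives: a forged response that carries a guessed outstanding id would still be accepted, which is exactly why the message reserves update operations for the profile that adds a security layer.

```python
"""Toy UDP wrapper: [wrapper header][control block][LDAP PDU] (hypothetical layout)."""
import os
import struct

MAGIC = b"CL"          # hypothetical wrapper tag, not anything from RFC 1798
VERSION = 1
FLAG_RESPONSE = 0x01   # control flag: this datagram answers an earlier request

# wrapper: magic(2) version(1) flags(1)
# control: request_id(4) seq(2) reserved(2)   -- 12 bytes in total
HDR = struct.Struct("!2sBBIHH")


def encode(request_id, seq, payload, is_response=False):
    """Build one datagram around an opaque LDAP PDU."""
    flags = FLAG_RESPONSE if is_response else 0
    return HDR.pack(MAGIC, VERSION, flags, request_id, seq, 0) + payload


def decode(datagram):
    """Split a datagram into control fields and payload; reject junk early."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated datagram")
    magic, version, flags, request_id, seq, _reserved = HDR.unpack_from(datagram)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a wrapper datagram")
    return {
        "request_id": request_id,
        "seq": seq,
        "response": bool(flags & FLAG_RESPONSE),
        "payload": datagram[HDR.size:],
    }


def respond(request_datagram, result_pdu):
    """Server side: echo the request's control fields back with the response flag set."""
    msg = decode(request_datagram)
    return encode(msg["request_id"], msg["seq"], result_pdu, is_response=True)


class Requester:
    """Client side: correlation table plus a minimal retransmission strategy."""

    def __init__(self, rto=1.0, max_tries=3, rand=os.urandom):
        self.rto = rto                # initial retransmission timeout (seconds)
        self.max_tries = max_tries    # transmissions before giving up
        self.rand = rand              # injectable so tests can fix the request id
        self.pending = {}             # request_id -> [datagram, tries, next_due]

    def send(self, pdu, now):
        """Assign a fresh random request id, remember it, return the datagram."""
        rid = struct.unpack("!I", self.rand(4))[0]
        while rid in self.pending:    # avoid reusing an id still in flight
            rid = struct.unpack("!I", self.rand(4))[0]
        datagram = encode(rid, 0, pdu)
        self.pending[rid] = [datagram, 1, now + self.rto]
        return datagram

    def receive(self, datagram):
        """Return the PDU of a matching response, or None for anything unsolicited."""
        try:
            msg = decode(datagram)
        except ValueError:
            return None
        if not msg["response"] or msg["request_id"] not in self.pending:
            return None               # not a response, or an id we never issued
        del self.pending[msg["request_id"]]
        return msg["payload"]

    def due(self, now):
        """Return datagrams to resend at time `now`; drop requests that exhausted retries."""
        resend = []
        for rid, entry in list(self.pending.items()):
            datagram, tries, next_due = entry
            if now < next_due:
                continue
            if tries >= self.max_tries:
                del self.pending[rid]  # give up; the caller sees no response
                continue
            entry[1] = tries + 1
            entry[2] = now + self.rto * 2 ** tries   # exponential backoff
            resend.append(datagram)
        return resend


if __name__ == "__main__":
    client = Requester()
    req = client.send(b"<constructed LDAP SearchRequest>", now=0.0)
    print(client.receive(respond(req, b"<constructed LDAP SearchResult>")))
```

The request id is drawn from `os.urandom` rather than a counter so that a response has to match an unpredictable value; that raises the bar for blind spoofing slightly but does nothing against a party that can observe the request, which is the gap the proposed security extension is meant to close.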