[dhcwg] Comments on draft-ietf-dhc-pktc-kerb-tckt-00.txt
Sam Hartman <hartmans@mit.edu> Fri, 21 February 2003 21:50 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA16023 for <dhcwg-archive@odin.ietf.org>; Fri, 21 Feb 2003 16:50:00 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h1LLvEp23594 for dhcwg-archive@odin.ietf.org; Fri, 21 Feb 2003 16:57:14 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1LLvEp23591 for <dhcwg-web-archive@optimus.ietf.org>; Fri, 21 Feb 2003 16:57:14 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA16019 for <dhcwg-web-archive@ietf.org>; Fri, 21 Feb 2003 16:49:29 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1LLtYp23540; Fri, 21 Feb 2003 16:55:34 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1LLAkp21396 for <dhcwg@optimus.ietf.org>; Fri, 21 Feb 2003 16:10:46 -0500
Received: from luminous.mit.edu (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14822 for <dhcwg@ietf.org>; Fri, 21 Feb 2003 16:03:01 -0500 (EST)
Received: by luminous.mit.edu (Postfix, from userid 1000) id 711D6767C6; Fri, 21 Feb 2003 16:06:48 -0500 (EST)
To: dhcwg@ietf.org
mail-copies-to: hartmans@mit.edu
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 21 Feb 2003 16:06:48 -0500
Message-ID: <87heaxpclz.fsf@luminous.mit.edu>
Lines: 84
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.1 (i386-debian-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-tckt-00.txt
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Id: <dhcwg.ietf.org>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Hi. I'm not subscribed to the list, so please copy me on responses. I'm sending these comments because a review of the option from a Kerberos viewpoint was requested. First, I do not believe this document is an appropriate work item of the IETF for the following reasons. I do not think it likely there will ever be multiple implementations of the standard, so I do not think it likely that the the standard will meet criteria for advancement. The standard seems focused on a specific deployment situation and in fact on a specific category of tightly specified devices and has insufficient generic applicability to devices outside that specific environment to be an Internet standard. I understand these devices are being deployed on the open Internet. However it is not necessary for the IETF to specify all protocols that are used over the Internet. I realize this concern applies equally to the base packetcable configuration option and as such will probably be discarded. The second reason this document seems poorly scoped for the IETF is that while based on Kerberos, the authentication technology discussed is not in fact Kerberos. The Packetcable group needed a standard and could not wait for the Kerberos working group to conclude and publish a document. As such they adopted a draft that is incompatible both with RFC 1510 and with current drafts within the Kerberos working group. Fields are added to protocol messages in a manner that does cause implementations of RFC 1510 to reject the messages and will interfere with future expansion of the protocol. The mandatory to use encryption systems for Packetcable Kerberos are not even specified in the IETF drafts or published RFCs. The Kerberos working group has decided not to standardize the encryption systems that Packetcable uses in part because the encryption systems that are being standardized are significantly stronger. It may be possible to implement a system that supports both Packetcable Kerberos and IETF Kerberos--I know one vendor who is trying to do that. However it seems that the IETF should not spend time standardizing a DHCP sub option for controlling an authentication system outside of the scope of the IETF for use in a limited environment. If the IETF decides that this work is within our scope, a note needs to be added to the draft clarifying the Kerberos compatibility issue. A pointer to the Packetcable Kerberos specification should be added along with a note that this specification is incompatible with current RFC 1510 implementations and with ongoing working in the IETF. The rationale for this draft claims that it will be used among other reasons to cancel subscriber service. The presence of a Kerberos ticket should not be used to imply authorization to use a service; this is incompatible both with RFC 1510 and with current Kerberos drafts. Even if the authorization data field is used to convey authorization along with authentication, service tickets with should not be issued with lifetimes longer than are acceptable. I.E. you should only issue a ticket with a lifetime as long as you are willing to have authorization cached. I believe that this problem should be fixed by removing the text proposing that using this option is appropriate to notify a device that service has been canceled and adding a requirement that the security of the deployment MUST NOT depend on this option being honored. The option if it exists should serve to invalidate caches to deal with operational problems such as emergency rekeying of services or testing, and the only effect of failing to honor this option should be a temporary loss of service. The format of this option is insufficiently extensible. Many of the sixteen code points for available services have already been used and experiences shows new Kerberos services tend to be deployed over time. Why would you want to selectively invalidate some but not all tickets? If this option exists, it seems like providing a mechanism to completely invalidate the cache should be sufficient. Finally security considerations need to discuss the disadvantages of storing persistent Kerberos tickets. Other deployments of Kerberos are moving away from doing this and instead storing tickets in volatile memory. It would be excellent if the write up of this issue in the security considerations section gave numbers to justify the need for persistent tickets, although requiring this would be excessive. --Sam _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-tckt… Sam Hartman
- [dhcwg] Re: Comments on draft-ietf-dhc-pktc-kerb-… Ken Raeburn
- Re: [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-… Paul Duffy
- Re: [dhcwg] Comments on draft-ietf-dhc-pktc-kerb-… Sam Hartman