Re: [kitten] firewalls and cross realm trusts
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Wed, 19 February 2014 00:14 UTC
Return-Path: <bnordgren@fs.fed.us>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA891A02BB for <kitten@ietfa.amsl.com>; Tue, 18 Feb 2014 16:14:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dG2549wv9Yte for <kitten@ietfa.amsl.com>; Tue, 18 Feb 2014 16:14:26 -0800 (PST)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 817271A0246 for <kitten@ietf.org>; Tue, 18 Feb 2014 16:14:26 -0800 (PST)
Received: from mail39-tx2-R.bigfish.com (10.9.14.238) by TX2EHSOBE007.bigfish.com (10.9.40.27) with Microsoft SMTP Server id 14.1.225.22; Wed, 19 Feb 2014 00:14:22 +0000
Received: from mail39-tx2 (localhost [127.0.0.1]) by mail39-tx2-R.bigfish.com (Postfix) with ESMTP id C4D786027B; Wed, 19 Feb 2014 00:14:22 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:199.135.140.12; KIP:(null); UIP:(null); IPV:NLI; H:mail.usda.gov; RD:none; EFVD:NLI
X-SpamScore: 3
X-BigFish: VPS3(zzzz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h1f96jzz1de097hz2fh109h2a8h839h8e2h8e3h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1b2fh224fh1fb3h1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h21a6h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255ehbe9i1155h)
Received-SPF: pass (mail39-tx2: domain of fs.fed.us designates 199.135.140.12 as permitted sender) client-ip=199.135.140.12; envelope-from=bnordgren@fs.fed.us; helo=mail.usda.gov ; ail.usda.gov ;
Received: from mail39-tx2 (localhost.localdomain [127.0.0.1]) by mail39-tx2 (MessageSwitch) id 1392768861340271_5522; Wed, 19 Feb 2014 00:14:21 +0000 (UTC)
Received: from TX2EHSMHS036.bigfish.com (unknown [10.9.14.234]) by mail39-tx2.bigfish.com (Postfix) with ESMTP id 4E09C120084; Wed, 19 Feb 2014 00:14:21 +0000 (UTC)
Received: from mail.usda.gov (199.135.140.12) by TX2EHSMHS036.bigfish.com (10.9.99.136) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 19 Feb 2014 00:14:20 +0000
Received: from 001FSN2MPN1-045.001f.mgd2.msft.net ([169.254.5.105]) by 001FSN2MMR1-002.001f.mgd2.msft.net ([199.135.140.12]) with mapi id 14.03.0174.002; Wed, 19 Feb 2014 00:14:19 +0000
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: firewalls and cross realm trusts
Thread-Index: Ac8qjUsOYuIqh0sTSEi4V0d8zmaVfgB0F/6AACWsI8A=
Date: Wed, 19 Feb 2014 00:14:18 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E68E5CF@001FSN2MPN1-045.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E68DF75@001FSN2MPN1-045.001f.mgd2.msft.net> <20140218035821.GA20790@localhost>
In-Reply-To: <20140218035821.GA20790@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [166.7.26.120]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: fs.fed.us
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/4MXhSTy8JvfHson9nQCbMieOYpE
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] firewalls and cross realm trusts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 00:14:29 -0000
> DNS entries aren't issued by Kerberos realms :) (Frequently realms' KDC and > DNS zones' infrastructures are co-located, at least in Microsoft's Active > Directory. But that's incidental, not essential.) > Yes, it doesn't have to have its IP address be resolvable to its hostname, > whatever it might be, nor does that need to match the laptop's client > credentials in any way. I fear I miscommunicated. The laptop's identity in the KDC is likely an NT_SRV_HST host/home.dns.here. The fact that NT_SRV_HST is used conveys information about the host: specifically "home.dns.here" is supposed to be the internet domain name per RFC4120 section 6.2.1. The client side services supporting an nfs connection (idmapd, etc) would be "nfs/home.dns.here". I guess a better question would have been: Can hosts given NT_SRV_HST principal names still function within the Kerberos universe if their DNS entry does not exist or does not match that in the principal name? If it's even possible that a KDC or service could use the hostname in the principal as part of its authorization decision, and RFC4120 tells it how to derive hostname from principal name, then it seems to me that this is an essential, not incidental, feature of the Kerberos protocol. Does this suggest that if one wants to promote mobility-friendly deployments, that host principals should be NT_PRINCIPALS? Is it just lucky chance that the Solaris NFS stack works for mobile clients, or was it compelled to by the protocol itself? > I think you're asking if there's an offline (in that X is not reachable from Y) > mechanism for X's users to be able to authenticate to Y. Yes. > Needham-Shroeder is out, as it's online. PK-based protocols can do it, but > PKIX is not really offline: there's CRLs to check (and/or OCSP). > That includes PKINIT and a hypothetical PKCROSS, but again, if the client's > PKIX credentials aren't fresh enough then the protocol will become online > and therefore fail. A couple of things: online and offline are not necessarily binary quantities. Maybe a service has a pre-configured path to a KDC unavailable to a client. Connectivity between entities may also be "spotty", allowing an opportunistic refreshing of credentials which does not necessarily align with demand for services. One thing I have been asked to do in the past is to create a little portable network having a raid server for scientists to upload data to during a field campaign. The usage pattern would be to come to the network island on the conference table, plug in, transfer data, paw through other people's data, and go back to their hotels at night; checking email and such. In this situation, if their clients were "disconnect-aware", they could renew their tickets every night. Alternatively, allowing services to accept expired tickets would also go a long way toward making Kerberos more disconnect-tolerant. > There really isn't anything you can do here to address your hypothetical use > case: Y will just have to be able to reach some part of X's infrastructure. This > isn't usually a problem, and it's neither the motivation for IAKERB, nor PKINIT, > nor PKCROSS. What I'm really trying to get at is: disconnects break Kerberos so often that all machines using it have a fallback plan (cached credentials); so is it worth trying to define a fallback that's actually a part of the protocol? > IAKERB exists to deal with the lack of any network connectivity at network > attachment time. The client wants to authenticate with a mechanism > (Kerberos, but it could be something else) that requires connectivity to one > or more infrastructure services, but this can't be retrofitted into the network > attachment protocol (for whatever reasons). May I restate this? The Kerberos model assumes uninterrupted connectivity between the KDC and all clients. IAKERB is motivated by the fact that an "admission onto the network" authorization decision inherently means that the client not on the network is not connected to the KDC. IAKERB enhances Kerberos by allowing new authorization decisions formerly prohibited by the technical design. IAKERB seems to have a lot of potential beyond its initial motivation. In particular, it could serve to reduce the number of situations in which a client would have to rely on cached credentials. This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
- [kitten] firewalls and cross realm trusts Nordgren, Bryce L -FS
- Re: [kitten] firewalls and cross realm trusts Nico Williams
- Re: [kitten] firewalls and cross realm trusts Nordgren, Bryce L -FS
- Re: [kitten] firewalls and cross realm trusts Nico Williams