Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Sat, 15 February 2014 20:23 UTC
Return-Path: <bnordgren@fs.fed.us>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 283C61A02BE for <kitten@ietfa.amsl.com>; Sat, 15 Feb 2014 12:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ghigcOjFp85T for <kitten@ietfa.amsl.com>; Sat, 15 Feb 2014 12:23:30 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id 2AF171A028A for <kitten@ietf.org>; Sat, 15 Feb 2014 12:23:29 -0800 (PST)
Received: from mail42-ch1-R.bigfish.com (10.43.68.227) by CH1EHSOBE011.bigfish.com (10.43.70.61) with Microsoft SMTP Server id 14.1.225.22; Sat, 15 Feb 2014 20:23:27 +0000
Received: from mail42-ch1 (localhost [127.0.0.1]) by mail42-ch1-R.bigfish.com (Postfix) with ESMTP id 892C83405B0; Sat, 15 Feb 2014 20:23:27 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:199.135.140.12; KIP:(null); UIP:(null); IPV:NLI; H:mail.usda.gov; RD:none; EFVD:NLI
X-SpamScore: 3
X-BigFish: VPS3(zzd772hzz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h1f96jzz1de097hz2fh109h2a8h839h8e2h8e3h93fhd25hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1b2fh224fh1fb3h1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h21a6h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255ehbe9i1155h)
Received-SPF: pass (mail42-ch1: domain of fs.fed.us designates 199.135.140.12 as permitted sender) client-ip=199.135.140.12; envelope-from=bnordgren@fs.fed.us; helo=mail.usda.gov ; ail.usda.gov ;
Received: from mail42-ch1 (localhost.localdomain [127.0.0.1]) by mail42-ch1 (MessageSwitch) id 1392495805372277_13028; Sat, 15 Feb 2014 20:23:25 +0000 (UTC)
Received: from CH1EHSMHS032.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.252]) by mail42-ch1.bigfish.com (Postfix) with ESMTP id 56EB232005F; Sat, 15 Feb 2014 20:23:25 +0000 (UTC)
Received: from mail.usda.gov (199.135.140.12) by CH1EHSMHS032.bigfish.com (10.43.70.32) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sat, 15 Feb 2014 20:23:24 +0000
Received: from 001FSN2MPN1-045.001f.mgd2.msft.net ([169.254.5.105]) by 001FSN2MMR1-002.001f.mgd2.msft.net ([199.135.140.12]) with mapi id 14.03.0174.002; Sat, 15 Feb 2014 20:23:22 +0000
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Simo Sorce <simo@redhat.com>
Thread-Topic: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
Thread-Index: AQHPKc4cm+IW3OJF6UmZF4IrjmPqZpq1YLmQgAEwhwCAAAjoMA==
Date: Sat, 15 Feb 2014 20:23:22 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E68DEFD@001FSN2MPN1-045.001f.mgd2.msft.net>
References: <20140214214526.22958.30728.idtracker@ietfa.amsl.com> <82E7C9A01FD0764CACDD35D10F5DFB6E68DE37@001FSN2MPN1-045.001f.mgd2.msft.net> <1392484918.22754.5.camel@willson.li.ssimo.org>
In-Reply-To: <1392484918.22754.5.camel@willson.li.ssimo.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [166.7.26.120]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: fs.fed.us
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/5h1zCBzrDwmf4KlcN87qXfdWu08
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Feb 2014 20:23:33 -0000
-- Clarifying discussion on draft-ietf-kitten-iakerb-01.txt -- > The remote access protocol might not be able to allow any traffic other than EAP > until the user is authenticated. So if I understand this correctly, the current situation is that the remote access point could be configured to use Kerberos as a backend, serving as a kind of one-way identity gateway between two protocols. The proposed improvement is to eliminate the need to be a gateway by allowing the access point to relay messages between a kerberos client and a KDC which otherwise have no means of communication. The net change is that clients use Kerberos instead of whatever was used previously, access points require new firmware, and clients get a TGT earlier in the process. > The most immediate use case you may think about is GSSAPI authenticated > VPN, where the KDC is inaccessible until you get on the VPN, w/o IAKERB you > have a Catch22 situation. My current situation is that I power up my laptop at home, log into Windows using cached credentials, manually start the VPN client, provide credentials to the VPN server using some means, and the VPN server validates this information using one of two backends (LDAP username/password or lincpass/HSPD-12 card/PKI). Again the VPN server acts as a kind of identity gateway and again the proposed improvement is to eliminate the need to be a gateway. Looks like the net change may also be same as above. -- Comments on draft-ietf-kitten-iakerb-01.txt -- Comment 1: Clarify exactly what the benefit is. Why are the current gateway strategies not good enough and what specifically is gained by implementing IAKERB? (Should be easy.) Comments 2 and 3 are really "discussion items". (below) Comment 4: "Proxy" has already been defined in 4120. Stress that the usage of "proxy" in this document does not imply that the client allows its tickets to be used by "others". Comment 5: This approach may be summarized as a "message relay" from client to app to KDC. Compare and contrast this approach with a "ticket relay", where a strawman (fake) KDC requests and relays proxiable and/or forwardable tickets from the "real" KDC on the client's behalf, using its own identity. Outline the tradeoffs in terms of compatibility with deployed Krb5 clients and KDCs, amount of "extension" required, types of situations to which the approach applies, state information required at the relay point, and security implications. Make the case that "message relay" is a superior strategy, and show that alternatives were considered and rejected. Comment 6: This message relay approach intentionally establishes many persistent "men in the middle", potentially piggybacking on every kerberized app you have. Note this in the security considerations. -- Technical discussion about draft-ietf-kitten-iakerb-01.txt -- Comments 2 and 3 boil down to: should an IAKERB enabled Kerberos client keep track of KDC connection failures so that it can try and get tickets when it later discovers a path to the KDC? Conversely, should an IAKERB enabled Kerberos client keep track of proxies so that it doesn't just give up when it can't contact the KDC? Details below. 2nd comment details...Proxies may be asked to acquire tickets for other services, and the order in which services are accessed by clients seems to matter. (Person A is at home, accessing web services "X" and "Y". Both X and Y are kerberized. X is IAKERB enabled and Y is not. If A connects to X first, it SHOULD request a ticket for Y using X once it discovers that Y isn't IAKERB enabled. If A connects to Y first, it has no TGT nor a means of getting one, so Y must behave like a gateway. After A connects to X, and "discovers" a pathway to its KDC, should it then request tickets for Y? How is Y informed that A now has a ticket? ) This may not require much in the way of verbage, but I think it probably should be included. The proposed improvement is to eliminate gatewaylike behavior. 3rd comment details...what if the service also does not have a path to the KDC? In the VPN example above, I log in to my host using cached credentials. Once I connect to an IAKERB proxy (VPN server), should the host try to grab a valid ticket? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
- [kitten] I-D Action: draft-ietf-kitten-iakerb-01.… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-iakerb… Nordgren, Bryce L -FS
- Re: [kitten] I-D Action: draft-ietf-kitten-iakerb… Nico Williams
- Re: [kitten] I-D Action: draft-ietf-kitten-iakerb… Simo Sorce
- Re: [kitten] I-D Action: draft-ietf-kitten-iakerb… Nordgren, Bryce L -FS
- Re: [kitten] I-D Action: draft-ietf-kitten-iakerb… Benjamin Kaduk