IETF Logo Mail Archive

Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 11 September 2014 21:00 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BE171A0026 for <kitten@ietfa.amsl.com>; Thu, 11 Sep 2014 14:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Level:
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sKdPe68oJTpT for <kitten@ietfa.amsl.com>; Thu, 11 Sep 2014 14:00:48 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E81451A0185 for <kitten@ietf.org>; Thu, 11 Sep 2014 14:00:46 -0700 (PDT)
X-AuditID: 1209190c-f795e6d000006c66-5e-54120d7dd106
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 43.D4.27750.D7D02145; Thu, 11 Sep 2014 17:00:45 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s8BL0i13013167; Thu, 11 Sep 2014 17:00:44 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s8BL0ghU012244 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 11 Sep 2014 17:00:43 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s8BL0gIV008386; Thu, 11 Sep 2014 17:00:42 -0400 (EDT)
Date: Thu, 11 Sep 2014 17:00:41 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E68DEFD@001FSN2MPN1-045.001f.mgd2.msft.net>
Message-ID: <alpine.GSO.1.10.1409111506230.21571@multics.mit.edu>
References: <20140214214526.22958.30728.idtracker@ietfa.amsl.com> <82E7C9A01FD0764CACDD35D10F5DFB6E68DE37@001FSN2MPN1-045.001f.mgd2.msft.net> <1392484918.22754.5.camel@willson.li.ssimo.org> <82E7C9A01FD0764CACDD35D10F5DFB6E68DEFD@001FSN2MPN1-045.001f.mgd2.msft.net>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixCmqrVvLKxRi0HNJwOLqm5+sFkc3r2Jx YPK4/eYsi8eSJT+ZApiiuGxSUnMyy1KL9O0SuDKWHHvPWtCkXXHhykTGBsaDSl2MnBwSAiYS Z1dvY4KwxSQu3FvPBmILCcxmktgwg7WLkQvI3sgocWvhZGYI5xCTxKSO44wQTgOjxNQvq9lB WlgEtCVeTJ3LCGKzCahIzHyzEWyUiIChRPfSY2BxZgF1iW9n3oDZwgKOEpOf/gWr4RSIkPg1 /TBQnIODFyi+YnEOxPxuJommlglg9aICOhKr909hAbF5BQQlTs58wgIxU0ti+fRtLBMYBWch Sc1CklrAyLSKUTYlt0o3NzEzpzg1Wbc4OTEvL7VI11AvN7NELzWldBMjOFQleXYwvjmodIhR gINRiYe3gkUwRIg1say4MvcQoyQHk5Io7wZWoRAhvqT8lMqMxOKM+KLSnNTiQ4wSHMxKIrzO C4HKeVMSK6tSi/JhUtIcLErivJt+8IUICaQnlqRmp6YWpBbBZGU4OJQkeJ14gIYKFqWmp1ak ZeaUIKSZODhBhvMADe/nAqrhLS5IzC3OTIfIn2LU5VjX+a2fSYglLz8vVUqct5kbqEgApCij NA9uDizFvGIUB3pLmFcFZB0PMD3BTXoFtIQJaMlBY36QJSWJCCmpBsZyvp6Pe1UskuZMPzHV 8p3FQfknuypmOH/TNu0Uv1J2ZNoF487Ec84btRcvXvP8sxkr08u8ybq8h2wnhPj7GW+rt508 a01i7AH7lT/qVtv/fPbFvLE3zF2Ut+aly5sm8xUvfs1/cLPwwLX3hiKpOQt3/ThgtGp7ToAO pyvTDLWVB3sYJt59Gr5UiaU4I9FQi7moOBEA+e0zBgwDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/KrfctMS8N3gPcBueaPlNrlqKA-0
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 21:00:51 -0000

My apologies for the delay in responding ... hopefully the relevant
thoughts have not since been forgotten.

On Sat, 15 Feb 2014, Nordgren, Bryce L -FS wrote:

> -- Comments on draft-ietf-kitten-iakerb-01.txt --
>
> Comment 5: This approach may be summarized as a "message relay" from
> client to app to KDC. Compare and contrast this approach with a "ticket
> relay", where a strawman (fake) KDC requests and relays proxiable and/or
> forwardable tickets from the "real" KDC on the client's behalf, using
> its own identity. Outline the tradeoffs in terms of compatibility with
> deployed Krb5 clients and KDCs, amount of "extension" required, types of
> situations to which the approach applies, state information required at
> the relay point, and security implications. Make the case that "message
> relay" is a superior strategy, and show that alternatives were
> considered and rejected.

It's not really clear to me that this sort of comparison is necessary.
If I understand correctly, this proposed strawman fake KDC would also need
to be in the DMZ, with network connectivity to both the real KDC and the
client.  The real KDC would need some way to authorize the fake KDC's
principal as permitted to get tickets for (arbitrary? particular?) client
principals.

Then one considers whether the fake KDC gets a copy of the session keys
for those tickets.  If it does, how does it securely transmit those back
to the client, given that the client is not really authenticated yet.  If
it doesn't, then what it is sending back to the client is fundamentally
equivalent to a KDC-REP, at which point we've degenerated back to the
message-passing paradigm.

Maybe I'm missing something, but is there even a real strawman to prop up
here?

> Comment 6: This message relay approach intentionally establishes many
> persistent "men in the middle", potentially piggybacking on every
> kerberized app you have.  Note this in the security considerations.

I guess we could mention that.  It doesn't matter, because kerberos is
designed to run on the open internet anyway so all the interesting bits
are encrypted.

> -- Technical discussion about draft-ietf-kitten-iakerb-01.txt --
>
> Comments 2 and 3 boil down to: should an IAKERB enabled Kerberos client
> keep track of KDC connection failures so that it can try and get tickets
> when it later discovers a path to the KDC? Conversely, should an IAKERB
> enabled Kerberos client keep track of proxies so that it doesn't just
> give up when it can't contact the KDC? Details below.
>
> 2nd comment details...Proxies may be asked to acquire tickets for other

They may be, yes.  That is not the intended use case, though.
(We should still talk about any relevant security considerations, of
course.)

> services, and the order in which services are accessed by clients seems
> to matter. (Person A is at home, accessing web services "X" and "Y".
> Both X and Y are kerberized. X is IAKERB enabled and Y is not. If A
> connects to X first, it SHOULD request a ticket for Y using X once it
> discovers that Y isn't IAKERB enabled. If A connects to Y first, it has
> no TGT nor a means of getting one, so Y must behave like a gateway.
> After A connects to X, and "discovers" a pathway to its KDC, should it
> then request tickets for Y? How is Y informed that A now has a ticket? )
> This may not require much in the way of verbage, but I think it probably
> should be included. The proposed improvement is to eliminate gatewaylike
> behavior.

Since this is not the intended use case of the document, I don't think we
need to cover it at all, other than any security considerations this
client workflow might entail (which I have not yet attempted to analyze).
If at some later date, someone has a use case for this client workflow,
then we can revisit the issue, but it seems like it's really an
implementation issue, anyway.

This workflow feels quite strange anyway, since the GSSAPI security
context tokens are nominally working towards a single authentication
event, and this workflow is abusing the IAKERB proxy to exchange messages
which are relevant to a different authentication event.  I don't think we
necessarily need to forbid it at the present time, though.

> 3rd comment details...what if the service also does not have a path to
> the KDC? In the VPN example above, I log in to my host using cached
> credentials. Once I connect to an IAKERB proxy (VPN server), should the
> host try to grab a valid ticket?

I don't think I follow this question, but I'll take a couple of stabs at
it.

If the GSS acceptor ("service") does not have a network path to the KDC,
then the IAKERB mechanism must fail; there is simply no way for the
initiator to get its desired KDC responses.  There is no provision for
another layer of network proxying.

If you log onto a host by validating against cached credentials, and then
later (after the cached credentials are expired, say) go to authenticate
to a remote service over the IAKERB mechanism and obtain a new TGT during
that GSS negotiation loop, I would expect the new TGT to be retained in
your krb5 credentials cache on the original host.  Even if you already had
a TGT and were just using IAKERB to get a service ticket, I would still
expect it to be cached.  I would not expect the mechanism to proactively
go and get a service ticket for the local host's service principal and
cache that.

-Ben

v2.30.2 | Report a Bug | By Email | System Status