Re: [kitten] Replacing Kerberos
Nico Williams <nico@cryptonector.com> Thu, 23 February 2023 22:04 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69E15C14F74A for <kitten@ietfa.amsl.com>; Thu, 23 Feb 2023 14:04:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQAE_trRAihq for <kitten@ietfa.amsl.com>; Thu, 23 Feb 2023 14:04:46 -0800 (PST)
Received: from purple.birch.relay.mailchannels.net (purple.birch.relay.mailchannels.net [23.83.209.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8FFC14E515 for <kitten@ietf.org>; Thu, 23 Feb 2023 14:04:45 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id DDBDE2618EA; Thu, 23 Feb 2023 22:04:44 +0000 (UTC)
Received: from pdx1-sub0-mail-a303.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6D9C026130E; Thu, 23 Feb 2023 22:04:44 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1677189884; a=rsa-sha256; cv=none; b=0/8mTjS7vu1VnGAhzH7hHsDjawFoLwdtmiB6i8xFqMDGC+NfCfsVldAVKHv8kY60FZkJbx 9LHxCGaHX2nwsJYe4bfOuB6KiFdbOrcN2VZZ2PudnuLMxefstRclgTL7xOhbnnk71ScQ2e vzdjUop1YuOraRL+5HptA3TJN999SZy3gezNcXZhGfV5z69ZL+7AAB3LuEG3sg61C+pYrE /Lq40FmVGnMUQ9jsPN7OCQwyeBtoWnOfIQmeB4rKcjeHQY7TQs3KAB5ycXRfF9QNnVLwGM OO4eUENt9WTImBIWdkC5myd5iwR9bQb9Hxatiiau3zvWrJ2dXmrQIYZSXDwN1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1677189884; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=9mipv7Tb4jOdGhwdPLE123l8TDA7lpqvWHRqfaf/T5M=; b=b6xtghK7c32rinDdEUy782BZRUUVBBTeBzxQP9xY8wC7WT9L5RLnaXYeX9xZQ2POMm1kFH RQa96zUA2PFzyyeOm22OH1lsUZszqzhCBj/I3otBFiMm4jGQqmcQzPa0uyw0Giw6GhmPNX E5PZfaHuafVW2iLadLMKs7i0Or7PA+dtikdMZyoPi1hQAGq+BgEhTSm+C7IAbPcM3q4Kjz rhZa2GkUjKjYiKUL7y3+1xdXjNT9cHKVPPYOp6UvIICbvGouQWRQZosY+Hp69Lx9gqeA6J mefwJqcn3jWs6s77SER4S7njLSv90qEiQ4iHuMiOa+xBF0ghWpYbZW21ZrZ0Bw==
ARC-Authentication-Results: i=1; rspamd-5db48964c-9shrn; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Stretch-Wipe: 5305d2714b5c7771_1677189884704_276097623
X-MC-Loop-Signature: 1677189884704:3015191313
X-MC-Ingress-Time: 1677189884703
Received: from pdx1-sub0-mail-a303.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.138.62 (trex/6.7.1); Thu, 23 Feb 2023 22:04:44 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a303.dreamhost.com (Postfix) with ESMTPSA id 4PN6Wb4d5Nz3m; Thu, 23 Feb 2023 14:04:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1677189884; bh=9mipv7Tb4jOdGhwdPLE123l8TDA7lpqvWHRqfaf/T5M=; h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding; b=jc1SzYHmp8H1vbxvXv287FNVJINDtr9xbzVmA+pbyFKi65iA1xcSUBOcnLCFJfSPd WzDOu9YMxrawFSQ8L2Oe1q7OVdBY/AyQ2jjDqhtvYuBDvOYttbtIa5f2kDvMdWMkhi wbPB3E+rSX3etxbJEyB29AclrHBykgpnnm/xVXpPs4cm8fFZ/QKJ1Hy4DzIuLP+hzu 4uJnHdiGqHq32cQy4zvxHqKsIegXPcIC46qmmezpFFXikBQnDFj9c5l5no15kg/1gC PjBgiM3ufkvpJNPp6FcXz83osEnId4gOzO3NiTxii1CIc1G0Moo+QgNs0oWx5P1hdl oVzBnHA5fpT3w==
Date: Thu, 23 Feb 2023 16:04:41 -0600
From: Nico Williams <nico@cryptonector.com>
To: D.Rogers@gmx.net
Cc: Erin Shepherd <erin.shepherd@e43.eu>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y/fi+VMeFWPdhgXJ@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/GFY3wTO+TBg638@gmail.com> <134D46FA-1E2A-4DB0-9B8D-6897136972CA@e43.eu> <trinity-6e7be0e9-e437-4cdc-b08c-bd12133e26cd-1677185769010@3c-app-gmx-bs20>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <trinity-6e7be0e9-e437-4cdc-b08c-bd12133e26cd-1677185769010@3c-app-gmx-bs20>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/SBVimKozI-qxjChTxGBIaJ6ACGM>
Subject: Re: [kitten] Replacing Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2023 22:04:50 -0000
On Thu, Feb 23, 2023 at 09:56:09PM +0100, D.Rogers@gmx.net wrote: > I dont know if its worth mentioning but in 2013 I published a paper > concerning combining Kerberos with IPsec. Perhaps some ideas may still be > relevant > > http://www.ijoee.org/uploadfile/2013/1006/20131006120339992.pdf I'll take a look. Some related research / protocols you might be interested in: - RFC 4430 Kerberized Internet Negotiation of Keys (KINK) RFC 3129 Requirements for Kerberized Internet Negotiation of Keys This is a KE protocol for IPsec, like IKE, but based on Kerberos. - RFC 5386 Better-Than-Nothing Security: An Unauthenticated Mode of IPsec RFC 5660 IPsec Channels: Connection Latching This is a scheme for using IPsec (with potentially anonymous end-points) w/ channel binding from application layer authentication schemes. The only missing piece is a definition of the channel bindings for an "IPsec channel" (we never got to it mainly because we ran out of energy). An "IPsec channel" is a packet flow for a ULP connection (e.g., TCP connection, or UDP "connection", etc.) where a) the SPD is held unchanged for that flow during the flow's lifetime, b) the SAs protecting that flow retain the same end-points during the flow's lifetime. See the concluded BTNS WG: https://datatracker.ietf.org/wg/btns/about/ IPsec deals in IP addresses, so it has to have an authorization function of "authenticated entity" to "claimed IP address(es) / address range". In an environment with dynamic IP addressing that's a problem: you can't guarantee that the other end of some packet flow remains the same for the lifetime of that packet flow. The approach that we (well, I) took regarding this problem was to expand on Dan McDonald's "connection latching" functionality in Solaris (see the IP_SEC_OPT socket option) to go beyond SPD latching and also latch the identities of the two end-points. "Latching" here means "ensure they don't change [while the connection remains alive]". Then add channel binding (which we never got around to) from application layer authentication systems. IMO the connection latching approach is better than the KINK approach because then one need not work hard on credential provisioning for IKE (since anonymous credentials will do) and also there is no need to worry about dynamic IP address allocations nor about how to authorize authenticated entities to IP addresses. Except this only really works for transport mode IPsec. If you wanted to do Kerberos authentication to a security gateway... well, at Sun we had a fabulous VPN system called "punchin" that Dan wrote that essentially ran the equivalent of a tunnel over transport mode IPsec to the gateway so that you could authenticate to the gateway using an "application" protocol (punchin) that would cause the SG to plumb your tunnel's routing, and presto, you were on-network. Since Dan wrote punchin, naturally it used the IP_SEC_OPT socket option that he also wrote. We could have used Kerberos via IAKERB, or by plumbing enough routing to reach the KDCs before the rest of the routing came up. Nico --
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Greg Hudson
- [kitten] Windows Intent to revive and implement I… Steve Syfuhs (AP)
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Greg Hudson
- Re: [kitten] Windows Intent to revive and impleme… josh.howlett
- Re: [kitten] Windows Intent to revive and impleme… Luke Howard Bentata
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] Windows Intent to revive and impleme… Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Replacing Kerberos (Re: Windows Intent t… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Ken Hornstein
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Paul Romero
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Luke Howard
- Re: [kitten] Replacing Kerberos (Re: Windows Inte… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Andrew Bartlett
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Simo Sorce
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Windows Intent to rev… Nico Williams
- [kitten] Updates to IAKERB (Re: Windows Intent to… Nico Williams
- Re: [kitten] Updates to IAKERB (Re: Windows Inten… Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos D.Rogers
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Erin Shepherd
- Re: [kitten] Replacing Kerberos Watson Ladd
- Re: [kitten] Replacing Kerberos Nico Williams
- Re: [kitten] Replacing Kerberos Simo Sorce