IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Greg Hudson <ghudson@mit.edu> Wed, 22 February 2023 22:49 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DAE4C152573 for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 14:49:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I8tDZjs_9YBZ for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 14:49:40 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B7D3C1524DD for <kitten@ietf.org>; Wed, 22 Feb 2023 14:49:40 -0800 (PST)
Received: from [18.30.130.192] ([18.30.130.192]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 31MMnSeg022902 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 22 Feb 2023 17:49:32 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1677106173; bh=OSpp6dKxOaQ9/fvjKJ6SXeWcvWC96SmW4rkFFVEkR6w=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Lp1T0Le4ceeF7gKJaBnCHCaii0Eh1CYaMj1HIT7UnPjRexQze3L06ge3LgGKNEBKJ ppfhJQfoL+k3FRjqUZ5kNJxVRiJE1OLHMWjRqpVAxpS8dhAS1wsh6BkeuErdRpHl8G wJzgm7Q9Ff7RHq5HpG7Xg7uxebTxfgXGsP54L9FhES8QLLAhWoft4LJ4UYLWWl0CKY y51cw3C3y4Lt7pWH2uD/pEYQqJNbrnD2xiA1zJ5UamSkejgskVlHjMRAocZXnpd/J1 dJ0OFMvXVFqS0jQIXIheGyIJfWpoCIpON1Uuyuy+5M4cmx2xzn+X/2SPCvqQ52bYGt Kmu/a3dPpIVXA==
Message-ID: <abc45a16-e5dd-a770-fd8c-01f02fa9b03c@mit.edu>
Date: Wed, 22 Feb 2023 17:49:27 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>, Nico Williams <nico@cryptonector.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
References: <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/WWjumkyhEjMvda@gmail.com> <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/TfIC47d439YTxwBDmiGqX0DZG_U>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 22:49:41 -0000

On 2/22/23 12:36, Steve Syfuhs (AP) wrote:
> That said, I'm a bit surprised you've seen any issues with key rotation. We generally return ap-err-modified in such bad key cases which should just trigger a client renew/reauth of the ticket. What do non-Windows clients do in that case? Do they just drop the request?

We drop the request.  By "renew/reauth" I am guessing you mean flush the 
cache and start with a new local TGT, obtained either by 
reauthenticating with a stored password equivalent or by renewing with 
the existing local TGT.

The open source implementations do not have any concept of a stored 
password equivalent for reauth, for several reasons: retaining a 
non-expiring credential defeats the purpose of expiration times on 
tickets, we aren't deeply integrated into the operating system and 
therefore don't have the concept of an LSA to mitigate the risk of 
storing such a credential, and not every preauth mechanism has a 
non-expiring password equivalent.

Renewing is an option if the local TGT is renewable, but it doesn't help 
if it's non-renewable, or if it's the local TGT which rotated keys.

I'll also echo Nico's concerns about adding to the complexity of the 
client TGS code path.  There is a lot of inherent complexity there 
already: it must be stepwise for IAKERB, there's a lot of fiddly 
processing for RBCD and cross-realm S4U2Self, the open-source 
implementations need to support caller-specified service realms as well 
as referrals, and there are some backwards compatibility hacks.

v2.23.0 | Report a Bug | By Email