[kitten] firewalls and cross realm trusts

"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Sat, 15 February 2014 21:06 UTC

From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: firewalls and cross realm trusts
Date: Sat, 15 Feb 2014 21:06:10 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E68DF75@001FSN2MPN1-045.001f.mgd2.msft.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/bWGRB6RxUDVC56yxA4rbvpT2340
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: [kitten] firewalls and cross realm trusts
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

I appreciate your patience in advance. :)

> Also, to use Kerberos outside the firewall would require configuring the
> firewall to permit DNS and Kerberos, which might be too difficult, and
> anyways might be considered risky (considering all that can be smuggled in
> DNS and Kerberos messages).

Please elaborate these issues within the context of cross-realm trusts and perhaps your pkcross draft. It seems like no matter where you are, you're always outside of somebody's firewall and DNS is not very mobility friendly.

In particular, I'm curious about the following: Say person A and laptop B belong to realm X. Person A and laptop B visit realm Y. Person A is the same, laptop B is the same, but laptop B's DNS entry (if it exists) is now issued by realm Y instead of X. Assume no firewalls and realms X and Y have a cross realm trust. Will laptop B be recognized by realm X even though its DNS is wrong? :) Can it, for instance, be an NFS client?

Now X and Y both have firewalls. Say realms X and Y don't have a cross realm trust, but they both are pkcross friendly. Can pkcross + iakerb allow realm Y to contact realm X to validate person A and laptop B? Can pkcross concepts be used to eliminate the need for Y to contact X? (e.g., A and B have been issued certificates signed by X, which has a certificate that Y would either trust or not, so why bother contacting a firewalled X?)

Bryce