Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
"Nordgren, Bryce L -FS" <bnordgren@fs.fed.us> Fri, 14 February 2014 23:47 UTC
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "kitten@ietf.org" <kitten@ietf.org>
Date: Fri, 14 Feb 2014 23:47:13 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/khTqK-8MNqNngSkrlakY93Rn8MQ

> For example, in remote access scenarios, the client must initially
> authenticate to an access point in order to gain full access to the network.
> Here the client may be unable to directly contact the KDC either because it
> does not have an IP address, or the access point packet filter does
> not allow the client to send packets to the Internet before it
> authenticates to the access point.

"Remote access" to me means "outside the firewall of the organization operating the KDC, which is not exposed to the public internet." What you appear to be talking about is authenticating to an access point which is operated by the same entity which operates the KDC?

So the big question is: if an organization is hiding their KDC behind a firewall, or they just haven't configured their access points to use the KDC as a back end, how is a proxy easier to implement or more secure than just configuring access thru their firewall or access point? Or really how does providing 1000 routes to the KDC thru any public-facing, Kerberos-authenticated service (nfs, web apps, ssh...) beat just opening up port 88 to the wide world?

Not trying to be a pita, just not seeing it yet...

Bryce