Re: [kitten] firewalls and cross realm trusts
Nico Williams <nico@cryptonector.com> Tue, 18 February 2014 03:58 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 877841A0430 for <kitten@ietfa.amsl.com>; Mon, 17 Feb 2014 19:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHt2dbcrMNme for <kitten@ietfa.amsl.com>; Mon, 17 Feb 2014 19:58:27 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by ietfa.amsl.com (Postfix) with ESMTP id 040941A030F for <kitten@ietf.org>; Mon, 17 Feb 2014 19:58:26 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id 069D12005D105; Mon, 17 Feb 2014 19:58:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=cHdcDWqlRnmt0r 5wO4/K43oTGzQ=; b=Ie+iLHgNxgUxt8cC6Fc8iv9J/Q358e+07P/NuOaAXDUB6g ccIBc0YOP4MoTcmsgcCv6BFsxk377f3u5qBH2bk6jxVh6iQ0VS+qTRjjP2ybFcAS Ekz/G76g37YaklmOPgLxLeF5C2/gnGD5YrN4yO9DKzgWukZo+iI0WAQYt4QnI=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPA id B3DE82005D104; Mon, 17 Feb 2014 19:58:23 -0800 (PST)
Date: Mon, 17 Feb 2014 21:58:23 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Message-ID: <20140218035821.GA20790@localhost>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E68DF75@001FSN2MPN1-045.001f.mgd2.msft.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E68DF75@001FSN2MPN1-045.001f.mgd2.msft.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/qBikmZkVQOyTEoUtKoSE3Qjk5Rc
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] firewalls and cross realm trusts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 03:58:29 -0000
On Sat, Feb 15, 2014 at 09:06:10PM +0000, Nordgren, Bryce L -FS wrote: > > Also, to use Kerberos outside the firewall would require configuring the > > firewall to permit DNS and Kerberos, which might be too difficult, and > > anyways might be considered risky (considering all that can be smuggled in > > DNS and Kerberos messages). > > Please elaborate these issues within the context of cross-realm trusts > and perhaps your pkcross draft. It seems like no matter where you are, > you're always outside of somebody's firewall and DNS is not very > mobility friendly. If you're using a remote access protocol then you're outside the firewall until you establish the necessary tunnel. (Almost by definition, since the remote access gateway [and protocol] generally exists only to get past a firewall.) > In particular, I'm curious about the following: Say person A and > laptop B belong to realm X. Person A and laptop B visit realm Y. > Person A is the same, laptop B is the same, but laptop B's DNS entry Laptops shouldn't count on having names published in the DNS reliably and kept up to date in real-time. > (if it exists) is now issued by realm Y instead of X. Assume no DNS entries aren't issued by Kerberos realms :) (Frequently realms' KDC and DNS zones' infrastructures are co-located, at least in Microsoft's Active Directory. But that's incidental, not essential.) > firewalls and realms X and Y have a cross realm trust. Will laptop B > be recognized by realm X even though its DNS is wrong? :) Can it, for > instance, be an NFS client? Yes, it doesn't have to have its IP address be resolvable to its hostname, whatever it might be, nor does that need to match the laptop's client credentials in any way. At least the Solaris/Illumos NFS stack will work fine, both as to mobile clients and their servers, at least as to authentication. And this will work even without any machine credentials. (The laptop might not get root-equivalent access to any NFS shares though. The Solaris/Illumos NFS server will want the client's credential to be a host-based name for the "root" service and will want the hostname from that name to match the name observed through the name service. But this is probably not a problem.) > Now X and Y both have firewalls. Say realms X and Y don't have a > cross realm trust, but they both are pkcross friendly. Can pkcross + Today that can't happen: there's no PKCROSS protocol. > iakerb allow realm Y to contact realm X to validate person A and > laptop B? Can pkcross concepts be used to eliminate the need for Y to > contact X? (e.g., A and B have been issued certificates signed by X, > which has a certificate that Y would either trust or not, so why > bother contacting a firewalled X?) If there's no trust path from X to Y of any kind, then nothing can make this work, not PKI, not Kerberos, nothing. I think you're asking if there's an offline (in that X is not reachable from Y) mechanism for X's users to be able to authenticate to Y. Needham-Shroeder is out, as it's online. PK-based protocols can do it, but PKIX is not really offline: there's CRLs to check (and/or OCSP). That includes PKINIT and a hypothetical PKCROSS, but again, if the client's PKIX credentials aren't fresh enough then the protocol will become online and therefore fail. The main reason to want PKCROSS is really to complete a PKI/Kerberos duality, leading to more application protocols being available with a single credential than would be the case otherwise. It's just one more bridge in a world that needs more bridges because of how it came about. There really isn't anything you can do here to address your hypothetical use case: Y will just have to be able to reach some part of X's infrastructure. This isn't usually a problem, and it's neither the motivation for IAKERB, nor PKINIT, nor PKCROSS. IAKERB exists to deal with the lack of any network connectivity at network attachment time. The client wants to authenticate with a mechanism (Kerberos, but it could be something else) that requires connectivity to one or more infrastructure services, but this can't be retrofitted into the network attachment protocol (for whatever reasons). IAKERB basically invites the network attachment point to engage in a very limited form of routing. The client's realm's KDCs (and possibly others'), as well as the network attachment point's, will have to be reachable from the inside (from within Y), but not necessarily from the outside. (Of course, a client could smuggle all sorts of things in Kerberos payloads, just as clients can do the same over DNS. A network that wants to prevent this will simply not allow IAKERB to be used to reach any realms' KDCs not on a white-list, or perhaps it won't allow IAKERB at all.) Nico --
- [kitten] firewalls and cross realm trusts Nordgren, Bryce L -FS
- Re: [kitten] firewalls and cross realm trusts Nico Williams
- Re: [kitten] firewalls and cross realm trusts Nordgren, Bryce L -FS
- Re: [kitten] firewalls and cross realm trusts Nico Williams