Re: [kitten] I-D Action: draft-ietf-kitten-iakerb-01.txt
Nico Williams <nico@cryptonector.com> Fri, 14 February 2014 23:58 UTC
From: Nico Williams <nico@cryptonector.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/wLTXyXPl-oRQvXRBacZny15Kh8Y
Cc: "kitten@ietf.org" <kitten@ietf.org>
On Fri, Feb 14, 2014 at 5:47 PM, Nordgren, Bryce L -FS <bnordgren@fs.fed.us> wrote:
> "Remote access" to me means "outside the firewall of the organization operating the KDC, which is not exposed to the public internet." What you appear to be talking about is authenticating to an access point which is operated by the same entity which operates the KDC?
>
> So the big question is: if an organization is hiding their KDC behind a firewall, or they just haven't configured their access points to use the KDC as a back end, how is a proxy easier to implement or more secure than just configuring access thru their firewall or access point? Or really how does providing 1000 routes to the KDC thru any public-facing, Kerberos-authenticated service (nfs, web apps, ssh...) beat just opening up port 88 to the wide world?
>
> Not trying to be a pita, just not seeing it yet...

The remote access protocol might not be able to allow any traffic other than EAP until the user is authenticated.

Also, to use Kerberos outside the firewall would require configuring the firewall to permit DNS and Kerberos, which might be too difficult, and anyways might be considered risky (considering all that can be smuggled in DNS and Kerberos messages).

Nico