Re: [saag] EAP-NOOB

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 08 April 2016 20:37 UTC

Date: Fri, 08 Apr 2016 16:37:28 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <C66FA039-C7F4-4324-9CE2-831215568EF6@oxy.edu>
Message-ID: <alpine.GSO.1.10.1604081634350.26829@multics.mit.edu>
References: <5706A4B5.6090600@gmx.net> <CAOW+2ds8h7Pb+nH8zweRd+nfCoXAUoX8axTP-dhzcE3DepLQRw@mail.gmail.com> <C66FA039-C7F4-4324-9CE2-831215568EF6@oxy.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/58Jfu0_SYgqyf8T7nQP1OdMha6s>
Cc: saag <saag@ietf.org>

On Thu, 7 Apr 2016, Henry B (Hank) Hotz, CISSP wrote:

>
> > On Apr 7, 2016, at 11:24 AM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> >
> > Hannes said:
> >
> > "For example, Kerberos would
> > do such a bootstrapping between a client and a server based on already
> > existing keys established between the client and the KDC and the server
> > and the KDC."
> >
> > [BA] As far as I know, there is no deployed usage of Kerberos-based EAP authentication.  The major issue is that a host typically does not have Internet access prior to completing EAP authentication, so that Kerberos would need to be integrated with EAP in order for Kerberos tickets to be obtained.
>
> I would love to hear that statement proved wrong. There is (was) a GSS-EAP draft. AFAIK (I haven’t read it) it primarily provided for tunneling the Kerberos messages via EAP.
>
> Is there still insufficient interest in creating such a thing?

draft-ietf-abfab-gss-eap became RFC 7055, and my understanding is that the
authors do have it deployed in production, though probably (mostly?) with
a non-kerberos GSS mechanism.

The IAKERB GSS mechanism (draft-ietf-kitten-iakerb) provides a way to have
the GSS acceptor proxy kerberos messages between the GSS initiator and the
KDC, which would permit an EAP client to obtain initial kerberos
credentials during the process of authenticating to EAP.  IAKERB is
implemented in MIT krb5, though I do not actually know of anyone deploying
it with GSS-EAP.

-Ben