Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
Bernard Aboba <aboba@internaut.com> Wed, 24 August 2005 21:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E82hi-0006cY-6J; Wed, 24 Aug 2005 17:22:38 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E80TQ-0005hs-VC for secmech@megatron.ietf.org; Wed, 24 Aug 2005 14:59:45 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA11448 for <secmech@ietf.org>; Wed, 24 Aug 2005 14:59:43 -0400 (EDT)
Received: from outbound.mailhop.org ([63.208.196.171] ident=mailnull) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E80Tn-0003Rn-Sx for secmech@ietf.org; Wed, 24 Aug 2005 15:00:08 -0400
Received: from c-67-182-139-247.hsd1.wa.comcast.net ([67.182.139.247] helo=internaut.com) by outbound.mailhop.org with esmtpa (Exim 4.51) id 1E80TO-000NJG-Py; Wed, 24 Aug 2005 14:59:43 -0400
Received: by internaut.com (Postfix, from userid 1000) id E38C560DC2; Wed, 24 Aug 2005 11:59:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by internaut.com (Postfix) with ESMTP id D5CC260DAD; Wed, 24 Aug 2005 11:59:41 -0700 (PDT)
X-Mail-Handler: MailHop Outbound by DynDNS.org
X-Originating-IP: 67.182.139.247
X-Report-Abuse-To: abuse@dyndns.org (see http://www.mailhop.org/outbound/abuse.html for abuse reporting information)
X-MHO-User: aboba
Date: Wed, 24 Aug 2005 11:59:41 -0700
From: Bernard Aboba <aboba@internaut.com>
To: Ali Fessi <ali.fessi@uni-tuebingen.de>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <430CA545.3020109@uni-tuebingen.de>
Message-ID: <Pine.LNX.4.61.0508241113420.16086@internaut.com>
References: <Pine.GSO.4.60.0508191330380.16954@ismene> <20050819210308.GI6659@binky.Central.Sun.COM> <20050820031035.GA5352@isc.upenn.edu> <43074F76.8000604@cs.umd.edu> <20050822044255.GC27685@isc.upenn.edu> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM> <430CA545.3020109@uni-tuebingen.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
X-Mailman-Approved-At: Wed, 24 Aug 2005 17:22:36 -0400
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org
> - What is the benefit of having a TGT as a result of the authentication for > EAP?!! With native Kerberos, the TGT is used to get a service ticket from the > TGS to access kerberized services. What would be here the kerberized service?! > is it just the "network access"?! or is anyone planning to realize different > kerberized services at layer 2? Is this a new requirement for 802.11? IEEE 802.11i at one point mandated the use of Kerberos for network access using EAP-GSS and IAKERB. The model was for the EAP peer to obtain both a TGT and TGS via EAP-GSS, then for the peer to authenticate to the NAS using the TGS. This required the NAS devices (APs) to support Kerberos. There was some discussion about whether the TGS would apply only to a single NAS, or to the "Network Access Service" in general. That is, whether a TGS obtained for one NAS could be used at another NAS. If the TGS were reusable at multiple NASes, this would imply that those NASes shared a secret with the Kerberos server which represents poor hygene. If the TGS is not reusable, then this implies that the EAP peer would need to obtain a new TGS for each NAS it wished to connect to, requiring a round-trip to the Kerberos server. In any case, after a great deal of investigation and negotiation with the IETF, IEEE 802.11i decided to remove mandatory support for Kerberos. Since this required a 75% vote, very strong sentiment against Kerberos was required for this. As a result, I doubt that you will see 802.11 wishing to revisit Kerberos support in the near future. > - What would be the benefit of such a EAP-Kerberos (or EAP-IAKERB) method > compared to existing EAP methods that are currently used, e.g. EAP-TTLS+PAP > with a radius/diameter server at the end (except that this method might be a > "misuse" of kerberos as mentioned earlier in this mailing list). What would be > the arguments that would motivate operators to substitute their infrastructure > with a new one supporting EAP-Kerberos or EAP-IAKERB? EAP-Kerb/IAKERB/GSS is inherently different other EAP methods because it requires support for the method on the NAS. That is, the NAS needs to support Kerberos for a peer to be able to submit a TGS to the NAS in order to obtain network access. Once an EAP peer has obtained a TGS and authenticated to one NAS, if proper Kerberos hygene is required, then for the EAP peer to do a handoff it needs to obtain TGSes for other NASes in the vicinity. If there were a way to obtain multiple TGSes in an efficient way (as part of the original EAP authentication, or via a single request), then this could be the foundation of an approach to low latency handoff. However at this point, this is all water under the bridge, since Kerberos without PKINIT does not meet the security requirements of RFC 4017, and thus is not permitted within IEEE 802.11i. This leaves vendors with little motivation to support it. > - Would PKINIT really be an advantage for EAP?! The point with PKINIT is that > it supports authentication of the client with public key cryptography. But > isn't this already covered by EAP-TLS? PKINIT is the only acceptable Kerberos usage mode within RFC 4017. However, EAP-GSS with PKINIT requires changes to the NAS, which EAP-TLS does not. > - Wouldn't be helpful to talk to the authors of the EAP GSS draft (Aboba) and > find out why they stopped to work on this document? We stopped work on the document because: a) Kerberos did not meet the security criteria of RFC 4017 without PKINIT. b) IEEE 802.11i did not want to require use of certificates. c) The CAT WG refused to advance IAKERB even after it had been included as an implementation requirement within IEEE 802.11i and had been implemented by at least one vendor. This made it impossible for IEEE 802.l1i to satisfy its IETF dependencies since EAP-GSS depended on IAKERB. d) GSSAPI did not include a PRF function, which made it difficult to generate an MSK/EMSK with the properties required by RFC 3748. > IMHO, it seems that it makes sense to combine different frameworks with > different authentication mechanisms as intended by secmech. But I just would > like to have some clarification, why this would be useful. _______________________________________________ SECMECH mailing list SECMECH@lists.ietf.org https://www1.ietf.org/mailman/listinfo/secmech
- [SECMECH] Framework Bindings Vs. Mechanism Bridges Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Ali Fessi
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Jari Arkko
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Shumon Huque
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Josh Howlett
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Nicolas Williams
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Salowey, Joe
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy
- RE: [SECMECH] Framework Bindings Vs. Mechanism Br… Bernard Aboba
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Clint Chaplin
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… 1und1
- Re: [SECMECH] Framework Bindings Vs. Mechanism Br… Charles Clancy