RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Bernard Aboba <aboba@internaut.com> Fri, 26 August 2005 15:08 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8foN-0000P1-Mk; Fri, 26 Aug 2005 11:08:07 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E8fmd-0000C8-GH for secmech@megatron.ietf.org; Fri, 26 Aug 2005 11:06:19 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25379 for <secmech@ietf.org>; Fri, 26 Aug 2005 11:06:17 -0400 (EDT)
Received: from outbound.mailhop.org ([63.208.196.171] ident=mailnull) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8fnN-0001Eh-1j for secmech@ietf.org; Fri, 26 Aug 2005 11:07:06 -0400
Received: from c-67-182-139-247.hsd1.wa.comcast.net ([67.182.139.247] helo=internaut.com) by outbound.mailhop.org with esmtpa (Exim 4.51) id 1E8fmZ-000OoW-Ao; Fri, 26 Aug 2005 11:06:15 -0400
Received: by internaut.com (Postfix, from userid 1000) id 7B1842469D; Fri, 26 Aug 2005 08:06:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by internaut.com (Postfix) with ESMTP id 6CC552469A; Fri, 26 Aug 2005 08:06:14 -0700 (PDT)
X-Mail-Handler: MailHop Outbound by DynDNS.org
X-Originating-IP: 67.182.139.247
X-Report-Abuse-To: abuse@dyndns.org (see http://www.mailhop.org/outbound/abuse.html for abuse reporting information)
X-MHO-User: aboba
Date: Fri, 26 Aug 2005 08:06:14 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: Josh Howlett <josh.howlett@bristol.ac.uk>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <191B6A09CAEEC043419A68E5@cumulus>
Message-ID: <Pine.LNX.4.61.0508260801090.18505@internaut.com>
References: <7210B31550AC934A8637D6619739CE6905C8BEEC@e2k-sea-xch2.sea-alpha. cisco.com> <Pine.LNX.4.61.0508252336520.5325@internaut.com> <191B6A09CAEEC043419A68E5@cumulus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: 0.1 (/)
X-Scan-Signature: d6b246023072368de71562c0ab503126
X-Mailman-Approved-At: Fri, 26 Aug 2005 11:08:06 -0400
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

> Just to clarify - it would be possible for the AAA server to authenticate
> against the KDC and return an EAP-Success to the NAS as per other EAP types,
> without the NAS needing to understand Kerberos. However, the NAS would need to
> understand Kerberos in order to allow a service ticket to be used for, ie,
> fast reconnect (...which is undesirable for secret hygene).
> 
> Right?

Yes, if the NAS needs to act as a Kerberos principal, it needs to support 
Kerberos.  Note that "fast handoff" typically refers to situations in 
which the AAA server does not need to be contacted during a handoff.  If 
the EAP peer needs to obtain a new ticket for each NAS, and each ticket 
request requires a round-trip to the KDC, that is not "fast handoff" as 
the term is normally used.  If in addition the NAS needs a round-trip to 
the AAA server in order to validate each ticket (e.g. the case where the 
AAA server is the service principal) then an EAP-Kerberos scheme will 
perform more poorly than existing EAP methods.  



_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech