IETF Logo Mail Archive

Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 13 October 2006 21:37 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GYUiy-0005l8-0M; Fri, 13 Oct 2006 17:37:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GYUiu-0005fN-Pk for spkm@ietf.org; Fri, 13 Oct 2006 17:37:44 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GYUXt-0000Zo-7A for spkm@ietf.org; Fri, 13 Oct 2006 17:26:22 -0400
Received: from centralmail4brm.central.Sun.COM ([129.147.62.198]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id k9DLQKs8007788 for <spkm@ietf.org>; Fri, 13 Oct 2006 15:26:20 -0600 (MDT)
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by centralmail4brm.central.Sun.COM (8.13.6+Sun/8.13.6/ENSMAIL, v2.2) with ESMTP id k9DLQJVn009116 for <spkm@ietf.org>; Fri, 13 Oct 2006 15:26:20 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6) with ESMTP id k9DLQJNf016036; Fri, 13 Oct 2006 16:26:19 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.13.6+Sun/8.13.6/Submit) id k9DLQJ3F016035; Fri, 13 Oct 2006 16:26:19 -0500 (CDT)
Date: Fri, 13 Oct 2006 16:26:19 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Razvan Trufasiu <Razvan.Trufasiu@hummingbird.com>
Subject: Re: [SPKM] Re: [67th IETF] SPKM3 BOF announcement
Message-ID: <20061013212618.GD12284@binky.Central.Sun.COM>
References: <BFBFA757A7B953449AD27E2721514FF205925B60@tor01x5.hcl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BFBFA757A7B953449AD27E2721514FF205925B60@tor01x5.hcl.com>
User-Agent: Mutt/1.5.7i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: "'William A.(Andy) Adamson'" <andros@citi.umich.edu>, Dan Trufasiu <Dan.Trufasiu@hummingbird.com>, "'spkm@ietf.org'" <spkm@ietf.org>, 'Olga Kornievskaia' <aglo@citi.umich.edu>
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

On Thu, Oct 12, 2006 at 06:36:07PM -0400, Razvan Trufasiu wrote:
> My name is Razvan Trufasiu, and I am in charge of developing an
> SPKM-3/LIPKey implementation for the Hummingbird NFS Maestro server.

Excellent.  Nice to meet you.

> At the moment, Hummingbird NFSv4 implementation supports anonymous SPKM-3
> and LIPKey, and the next version will hopefully implement mutual SPKM-3. Any
> of these are based upon the specs released in early 2006. The specs have
> already changed, from my understanding; however, updating the code to
> support this should be simple. For interoperability, currently Olga and I
> managed to run several Connectathon tests successfully, without Integrity or
> Privacy. We can connect (tentatively) with Integrity, and are working on
> being able to connect with Privacy, and run all the tests. There are several
> problems we are currently still addressing.

You may want to adapt Microsoft's GSS-MONGER test suite.  The
Connectathon tests test NFS use of GSS-API mechanisms, but lack a
thourough test of GSS mechanisms vis-a-vis the GSS-APIv2u1.  I believe
Martin Rex has a test suite that you might be able to get access too.

> The reason we have chosen to implement SPKM-3 or LIPKey is to provide an
> alternative GSS implementation to Kerberos v5.

I'm with you.

>                                                Kerberos is often difficult
> to set up, and the overhead of having a separate Kerberos server, in
> addition to the NFS client/server can be cumbersome for certain users.

I don't think this is the reason for wanting other mechanisms.  But it
doesn't matter -- I agree that mechanisms based on credential types
other than Kerberos V tickets are desirable.

> LIPKey and anonymous SPKM-3 are easy to set up and quick to deploy, even on
> large networks, without compromising the main security of GSS (although the
> anonymous part of either protocol does come with some problems, such as
> anonymous SPKM not doing any sort of client-side security checks). It would
> also be a huge asset if the implementation of this protocol turns out to be
> faster and more performing than Kerberos v5 (which it is not at the moment).

There is the matter of distributing trust anchors, CRLs/OCSP, etc...

I don't think mechanism performance is an issue here.  SPKM performance
should be roughly comparable to TLS, SSHv2, etc...  Given its use of
public key cryptographic it certainly could not be much faster than
existing secure protocols that also use public key cryptographic.  Given
use of PKIX then there's the whole CRL/OCSP ball of wax too, that can
impact performance.

Yes, some Kerberos V implementations suffer from, for example, poorly
performing replay caches, which SPKM-3 should not need, so there's
always a possibility that some SPKM-3 implementations could be faster
than certain Kerberos V mechanism implementations.

Bottom-line: SPKM isn't needed for performance reasons.

Nico
-- 

_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email