ABFAB A. Perez
Internet-Draft University of Murcia
Intended status: Informational J. Howlett
Expires: September 6, 2012 Janet
March 5, 2012
Options for Abfab-based Kerberos pre-authentication
draft-perez-abfab-kerberos-preauth-options-00
Abstract
Kerberos is widely used for authentication within organisations. It
is not, however, commonly used for authentication between domains or
realms ("cross-realm operation"). Abfab is a new architecture, based
on the AAA framework, that provides a mechanism for federating
authentication between realms.
AAA protocols are already widely used for federating authentication
for network access scenarios today. It has been proposed that Abfab
could be used to provide a mechanism yielding cross-realm
functionality for Kerberos. This document discusses two alternative
approaches with the aim of informing and facilitating discussion.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Perez & Howlett Expires September 6, 2012 [Page 1]
Internet-Draft Abfab-based Kerberos pre-auth March 2012
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Kerberos pre-authentication using GSS-API and an EAP
mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. EAP pre-authentication . . . . . . . . . . . . . . . . . . 4
2.2. GSS-API pre-authentication . . . . . . . . . . . . . . . . 4
3. Kerberos pre-authentication using an EAP mechanism . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
5. Informative References . . . . . . . . . . . . . . . . . . . . 5
Perez & Howlett Expires September 6, 2012 [Page 2]
Internet-Draft Abfab-based Kerberos pre-auth March 2012
1. Introduction
Kerberos [RFC4120] is a widely deployed system for authentication,
being integrated in multiple operating systems and network
applications. However, Kerberos is typically only used to manage
authentication within the scope of a single realm (typically
corresponding to a single organisation). While often supported by
implementations, Kerberos cross-realm operation is used relatively
infrequently.
The Abfab architecture [I-D.lear-abfab-arch] describes an access
management model that enables the application of federated identity
within a broad range of use cases. This is achieved by building on
proven technologies and widely deployed infrastructures. Some of
these use cases are described in [I-D.ietf-abfab-usecases].
This draft considers two new alternative approaches to typical
Kerberos cross-realm operation that build on the Abfab architecture.
This follows previous discussion about the respective advantages and
disadvantages of both approaches.
The goal of this document is to describe these approaches in the
expectation that this will facilitate and inform further discussion.
2. Kerberos pre-authentication using GSS-API and an EAP mechanism
The following figure depicts this approach and its interfaces. Two
organisations, the user organisation and the resource organisation,
are connected using a AAA infrastructure. The user organization has
a Kerberos infrastructure deployed to authenticate access to its
local services, which is also connected to the AAA infrastructure.
Finally, the end user (EU) interacts with the user organisation's KDC
to obtain a TGT using the Kerberos protocol.
To do: figure
The KDC acts as an EAP authenticator between the EAP peer (end user)
and the EAP server (user organization AAA server). Using the
Kerberos pre-authentication interface, EAP frames are exchanged
between these actors until the authentication process is completed.
If the authentication is sucessful, the end user is provided with the
a TGT as usual.
Two alternative approaches for binding EAP frames to this exchange
have been proposed.
Perez & Howlett Expires September 6, 2012 [Page 3]
Internet-Draft Abfab-based Kerberos pre-auth March 2012
2.1. EAP pre-authentication
In this approach, Kerberos itself becomes an EAP lower-layer. The
most straightforward way to approach this is to define a new EAP-
based FAST factor. This FAST factor transports EAP packets between
the EU and the KDC, following the multi round-trip procedure
described in RFC6113 [RFC6113] (i.e. returning
MORE_PREAUTH_DATA_REQUIRED error code).
This alternative is very simple, as EAP interfaces directly with
Kerberos, making the architecture more straightforward. It requires
the definition of the FAST factor in such a way that implements
RFC4137 [RFC4137], which defines the interface between EAP and the
EAP lower-layer.
2.2. GSS-API pre-authentication
In this alternative GSS-API is used by the Kerberos client and the
KDC to perform pre-authentication. Hence, a pre-authentication
mechanism based on the transport of GSS-API tokens is required, such
as that proposed by [I-D.perez-krb-wg-gss-preauth]. Such a pre-
authentication mechanism provides a generic framework where any GSS-
API mechanism can be executed, without further modification to the
Kerberos infrastructure.
This alternative introduces an additional layer, the GSS-API, between
EAP and Kerberos. The addition of this layer implies a higher
complexity of the model, but it also comes with several advantages.
The first one is the flexibility it provides. Defining a generic
GSS-preauth not only allows performing EAP pre-authentication, but it
can be used for any other existing GSS mechanism, and for those to be
defined in the future. This implies that using this alternative
would serve to integrate Kerberos into any existing federation, not
only those based on AAA, just by using a different GSS mechanism
instead of GSS-EAP.
Besides, from an design point of view, this alternative takes
advantage of the definition and implementation efforts put on the
GSS-EAP mechanism of the ABFAB WG and the Moonshot project. That
mechanism has already carefully implemented the interfaces defined
for an EAP lower-layer.
Finally, as discussed in [I-D.perez-krb-wg-gss-preauth], using this
proposal may simplify the generation of the PA-PX-COOKIE, as instead
of serializing the whole EAP state machine on each round-trip, it
could be possible to exchange GSS-API context handlers.
Perez & Howlett Expires September 6, 2012 [Page 4]
Internet-Draft Abfab-based Kerberos pre-auth March 2012
3. Kerberos pre-authentication using an EAP mechanism
4. Security Considerations
To do
5. Informative References
[I-D.lear-abfab-arch] Howlett, J., Hartman, S., Tschofenig,
H., and E. Lear, "Application
Bridging for Federated Access Beyond
Web (ABFAB) Architecture",
draft-lear-abfab-arch-02 (work in
progress), March 2011.
[I-D.ietf-abfab-usecases] Smith, R., "Application Bridging for
Federated Access Beyond web (ABFAB)
Use Cases",
draft-ietf-abfab-usecases-01 (work in
progress), July 2011.
[I-D.perez-krb-wg-gss-preauth] Perez-Mendez, A., Pereniguez-Garcia,
F., Lopez-Millan, G., and R. Lopez,
"GSS-API pre-authentication for
Kerberos",
draft-perez-krb-wg-gss-preauth-01
(work in progress), January 2012.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and
K. Raeburn, "The Kerberos Network
Authentication Service (V5)",
RFC 4120, July 2005.
[RFC4137] Vollbrecht, J., Eronen, P., Petroni,
N., and Y. Ohba, "State Machines for
Extensible Authentication Protocol
(EAP) Peer and Authenticator",
RFC 4137, August 2005.
[RFC6113] Hartman, S. and L. Zhu, "A
Generalized Framework for Kerberos
Pre-Authentication", RFC 6113,
April 2011.
Perez & Howlett Expires September 6, 2012 [Page 5]
Internet-Draft Abfab-based Kerberos pre-auth March 2012
Authors' Addresses
Alejandro Perez Mendez
University of Murcia
EMail: alex@um.es
Josh Howlett
Janet
EMail: josh.howlett@ja.net
Perez & Howlett Expires September 6, 2012 [Page 6]