draft-kamada-krb-client-friendly-cross-02.txt [plain text]
Network Working Group Ken'ichi Kamada
INTERNET-DRAFT Shoichi Sakane
Expires: January 10, 2008 Yokogawa Electric Corporation
July 9, 2007
Client-Friendly Cross-Realm Model for Kerberos 5
draft-kamada-krb-client-friendly-cross-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft expires on January 10, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Kamada and Sakane [Page 1]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
Abstract
This document proposes a cross-realm traversal model, which is
suitable for resource-limited clients, for Kerberos Version 5. This
model provides a way to move the cost of consecutive Ticket-Granting
Service (TGS) exchanges from clients to Key Distribution Centers
(KDCs) and a way to reduce the traversal cost by generating a direct
inter-realm relationship between two realms. The document describes
behavior of clients and KDCs, but does not specify any wire format,
which need to be specified separately.
Table of Contents
1. Introduction ................................................. 3
2. Problems on Client Performance ............................... 3
2.1. Long Authentication Path ................................ 4
2.2. Client-Centric Ticketing ................................ 4
3. Proposal of Client-Friendly Cross-Realm Model ................ 4
3.1. Temporary Inter-Realm Relationship Generation Mode ...... 5
3.2. Attorney Ticketing Mode ................................. 6
3.3. Combination of the Two Modes ............................ 7
4. Advantage of The Proposed Model for Deployment ............... 8
4.1. Compatibility with Traditional Kerberos Deployment ...... 8
4.2. Orthogonality of the Two Modes .......................... 8
5. Front-End Protocol for Attorney Ticketing Mode ............... 9
6. Related Protocols Currently Proposed ......................... 10
6.1. PKCROSS ................................................. 10
6.2. XTGS .................................................... 10
7. Interoperability Considerations .............................. 10
8. Security Considerations ...................................... 11
8.1. Denial of Service (DoS) ................................. 11
8.2. Ticketing Policy ........................................ 11
9. IANA Considerations .......................................... 12
10. Acknowledgments .............................................. 12
11. References ................................................... 12
11.1. Normative References ................................... 12
11.2. Informative References ................................. 12
Authors' Addresses ............................................... 13
Full Copyright Statement ......................................... 13
Intellectual Property Statement .................................. 13
Kamada and Sakane [Page 2]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
1. Introduction
Kerberos Version 5 [RFC4120] has a concept of cross-realm
authentication so that principals in different realms can
authenticate each other. However in the current cross-realm model,
each client has to traverse the authentication path, and the burden
of the traversal is not negligible for clients with limited
resources, e.g., computational speed or power supply [CRPS].
In the current cross-realm operation, a client obtains a service
ticket for a remote principal in the following steps:
1) N TGSes to get cross-realm TGTs in order to traverse the
intermediate realms, where N is the number of transit, and
2) One TGS to get the final service ticket.
That is, the client needs to perform N + 1 transactions to obtain a
ticket for the remote service.
This document proposes a new cross-realm model, which consists of
"temporary inter-realm relationship generation mode" and "attorney
ticketing mode". The former is intended to reduce transit cost
itself, and the latter is to move the cost from clients to KDCs. The
document describes behavior of clients and KDCs, but does not specify
any wire format, which need to be specified separately.
Terms defined in section 1.7 of RFC 4120 are used throughout this
document.
2. Problems on Client Performance
In the current model of cross-realm operation, a client has to
transit all realms on the path to the destination realm. When the
source realm and the destination realm have a direct inter-realm
relationship, a client is able to obtain a service ticket with two
TGS transactions (one for a cross-realm TGT and another for the
service ticket). When the realms have a multi-hop relationship, a
client must transit the intermediate realms before it obtains the
service ticket. That is, the client's task increases in proportion
to the distance of the relationship.
Two issues can be observed here behind the client load, which are
described in the following subsections.
Kamada and Sakane [Page 3]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
2.1. Long Authentication Path
When a client wants to get a service ticket for a remote realm, it
must transit to the remote realm by traversing the intermediate
realms on the authentication path to the remote realm. The result of
traversal is cached as a cross-realm TGT, but it is nothing more than
a per-client optimization. Thus all clients accessing a remote realm
must pay the cost separately, even if their resources are limited.
For a long authentication path, the cost of the whole system becomes
large.
2.2. Client-Centric Ticketing
In Kerberos, any service tickets or cross-realm TGTs are issued via
TGS, where a client present a ticket for the TGS and obtains a next
ticket. Currently, all TGS transactions are initiated by the client
and it needs to get all necessary cross-realm TGTs iteratively before
the final service ticket. This process is a burden to a resource-
limited client.
3. Proposal of Client-Friendly Cross-Realm Model
In this section, two modes of operation are introduced, "Temporary
Inter-Realm Relationship Generation Mode" and "Attorney Ticketing
Mode", to solve the issues described in the previous section. These
two modes are designed to be independent, that is, can be used
separately or in combination.
Temporary Inter-Realm Relationship Generation Mode solves the issue
of the long authentication path. In this mode, if the source realm
and the destination realm do not have a direct inter-realm
relationship, the source KDC traverses the authentication path by
itself, contacts with the remote KDC, and generates a direct inter-
realm relationship between them. After that, the source KDC can
issue direct inter-realm TGTs for the destination realm. The purpose
of this mode is to reduce the traversal cost itself by caching the
result of traversal.
Attorney Ticketing Mode solves the issue of the client-centric
ticketing. Consecutive TGS transactions to get cross-realm TGTs
and/or a final service ticket are initiated by a client in the
traditional Kerberos, whereas a KDC undertake that process in this
mode. The purpose of this mode is to shift the cost of TGSes from a
client to a KDC. This does not reduce the cost itself.
Kamada and Sakane [Page 4]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
3.1. Temporary Inter-Realm Relationship Generation Mode
Temporary inter-realm relationship generation mode enables a KDC to
issue an inter-realm TGT directly to a remote KDC with which the KDC
doesn't preshare an inter-realm key. To issue an inter-realm TGT
directly, a temporary inter-realm key needs to be provided somehow.
To achieve that, the local KDC obtains a special ticket for the
remote KDC and uses its session key as an inter-realm key. This
methodology was introduced by PKCROSS [PKCROSS]. In this document,
that special ticket is called as an "inter-KDC ticket", and an inter-
realm TGT generated from an inter-KDC ticket is called as a "direct
inter-realm TGT".
How does the local KDC reach the remote KDC is out of scope of this
model, but we can easily come up with 1) traversing a long
authentication path if available or 2) using PKINIT. In the context
of this model, PKCROSS is interpreted as a combination of this mode
and PKINIT.
This document does not standardize a specific protocol, but an inter-
KDC ticket will have the following form:
- its sname has a special form (PKCROSS proposes
"pkcross/realm@REALM", but it would be better to use a more
general name than "pkcross"),
and a direct inter-realm TGT will have the following form:
- its TicketExtensions field [KRBEXT] contains the inter-KDC ticket,
and
- it is protected by the session key (or the sub-session key) of the
inter-KDC ticket.
Kamada and Sakane [Page 5]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. [Reach to KDC-R in any way.]
[Below is an example of PKCROSS.]
------------PKINIT------------>
<----------XTKT(L,R)-----------
3. <--TKT(C,R)w/XTKT(L,R)--
4. ----------------------TGS-REQ------------------------>
5. <---------------------TKT(C,S)------------------------
[Note: TKT(x,y) means a ticket whose cname is x and sname is y. ]
[ XTKT is an inter-KDC ticket. See PKCROSS. ]
[ The client C and KDC-L belong to the local realm L. ]
[ The KDC-I is a KDC of an intermediate realm I. ]
[ The KDC-R is a KDC of the remote realm R. ]
1. The client C sends a normal TGS-REQ to KDC-L, requesting
a cross-realm TGT to KDC-R.
2. KDC-L reaches KDC-R in any way and obtains a XTKT.
There is no standardized way to achieve this step yet.
PKCROSS is one candidate. We could also standardize a way
in which KDC-L normally transits to KDC-R and obtains an XTKT.
3. KDC-L generates a cross-realm TGT that is from C to KDC-R
and returns to it to C.
4. The same with the traditional cross-realm TGS.
5. The same with the traditional cross-realm TGS.
Figure 1: Message Flow of Temporary Inter-Realm Relationship
Generation
3.2. Attorney Ticketing Mode
Traditionally, a Kerberos client repeats TGS transactions until it
gets the final ticket. For example, it has a TGT for its own realm
and wants to get a ticket for a service in 3-hop neighbor realm, then
it will:
1) Present the TGT and get a cross-realm TGT for the next realm,
2) Present the 1st cross-realm TGT and get a cross-realm TGT for the
2nd next realm,
3) Present the 2nd cross-realm TGT and get a cross-realm TGT for the
final realm, and
Kamada and Sakane [Page 6]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
4) Present the final cross-realm TGT and get a service ticket.
Attorney ticketing mode enables the client to delegate the KDC to
perform all transactions listed above on behalf of the client. An
example message flow is shown in Figure 2. The client entrust the
KDC with its TGT (step 1). The KDC "impersonates" the client and
performs all necessary TGS transactions (steps 2 to 4), and returns
the final ticket to the client (step 5).
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. TKT(C,I)
3. ----TGS-REQ---->
<---TKT(C,R)----
4. ------------TGS-REQ----------->
<-----------TKT(C,S)-----------
5. <-------TKT(C,S)--------
1. The client C sends a special TGS-REQ, which indicates attorney
ticketing mode requesting a service ticket for a server S
instead of a cross-realm TGT, to KDC-L.
2. KDC-L internally generates a cross-realm TGT that is from C
to KDC-I, but does not return it to C.
3. KDC-L uses the generated cross-realm TGT by itself, and sends
a TGS-REQ to KDC-I, which requests a cross-realm TGT from C
to KDC-R.
4. KDC-L use the obtained cross-realm TGT by itself, and sends
a TGS-REQ to KDC-R, which requests a service ticket from C
to S.
5. KDC-L returns the final service ticket to C.
Figure 2: Message Flow of Attorney Ticketing Mode
3.3. Combination of the Two Modes
Figure 3 shows a typical message flow when the temporary inter-realm
relationship generation mode and the attorney ticketing mode are used
in combination. The figure shows the case of the initial contact, so
a transaction to obtain an inter-KDC ticket is shown (step 2), but it
is infrequently used because the XTKT is cached. Usually, only two
round-trips do all the work.
Kamada and Sakane [Page 7]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
client C KDC-L KDC-I KDC-R
-------- ----- ----- -----
1. --------TGS-REQ-------->
2. [Temporary inter-realm relationship
generation mode runs here.]
------------PKINIT------------>
<----------XTKT(L,R)-----------
3. [Attorney ticketing mode runs here.]
TKT(C,R)w/XTKT(L,R)
4. ------------TGS-REQ----------->
<-----------TKT(C,S)-----------
5. <-------TKT(C,S)--------
Figure 3: Message Flow When Temporary Inter-Realm Relationship
Generation Mode and Attorney Ticketing Mode
Are Combined
4. Advantage of The Proposed Model for Deployment
4.1. Compatibility with Traditional Kerberos Deployment
Temporary inter-realm relationship generation involves only KDCs.
From the viewpoint of a client (and a server), it seems that there is
a direct inter-realm relationship between two realms. This means
that temporary inter-realm relationship generation mode needs to be
deployed only in KDCs. This property is advantageous, because it
does not affect large installed base of clients. One impeding factor
in practice is that some existing implementations cannot handle
ticket extensions transparently. This is further discussed in
Interoperability Considerations section.
Attorney ticketing mode involves only a client and its local KDC.
From the viewpoint of the remote KDC, TGS-REQs from a KDC as an
attorney cannot be distinguished from those from a "genuine" client
(except caddr; see Interoperability Considerations section).
Resulting service ticket is identical to the traditional one, so the
remote server has nothing to do with this mode. In short, attorney
ticketing mode can be deployed in local realm, independently of the
remote deployment. The merit of this property is large, because
remote realms are often in different administration.
4.2. Orthogonality of the Two Modes
Temporary inter-realm relationship generation mode and attorney
ticketing mode are independent concepts. Both can be implemented
separately or can be used in combination. When they are combined,
Kamada and Sakane [Page 8]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
the load of clients are shifted to KDCs and additional load of KDCs
are minimized, thus efficient cross-realm environment is achieved.
5. Front-End Protocol for Attorney Ticketing Mode
This document does not specify wire-level protocol, which will be
done in another document. This section provides some candidates for
the protocol, which is used to request attorney ticketing mode from a
KDC (Figure 4). This protocol can be used for other than attorney
ticketing mode, as long as the KDC's behavior for clients is
identical to the mode.
+------+ +-------+
|client|------------>| KDC |-------------> cross-realm cloud
+------+ +-------+ Cross-realm
Front-end protocol traversal by KDC
to request a final (Attorney Ticketing Mode)
ticket in one shot
or
-------------> remote KDC (directly)
XTGSP
or
------------->
Whatever the KDC chooses
Figure 4: Front-End Protocol for Attorney Ticketing Mode
Candidate 1: Implicit Signaling
A client simply requests a final ticket to the local KDC. If the
KDC supports this implicit protocol, it will process the request.
If not, KDC_ERR_S_PRINCIPAL_UNKNOWN will be returned. A possible
drawback is that if a requested final ticket is for a TGS, the KDC
does not know whether the client expects normal mode or attorney
mode. In addition, implicit signaling can conflict with future
extensions.
Candidate 2: Explicit Signaling
A flag in KDCOptions or pre-authentication can be used to request
attorney mode.
[[what happens if not supported?]]
Kamada and Sakane [Page 9]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
6. Related Protocols Currently Proposed
6.1. PKCROSS
PKCROSS will be usable as a protocol for temporary inter-realm
relationship generation mode.
6.2. XTGS
The purpose of XTGS protocol is similar to that of this model, but
the behavior is somewhat different [XTGS]. If XTGS is viewed from
the perspective of this model, it blends the two modes indivisibly to
reduce the number of messages between KDCs as far as possible at the
price of the abstraction of cross-realm TGTs and inter-KDC tickets.
Once a front-end (i.e., between a client and a KDC) protocol to
request attorney ticketing mode is standardized, XTGS can be used as
an opaque back-end.
7. Interoperability Considerations
User-to-user mode
The protocol for the attorney mode should be able to indicate
user-to-user authentication.
The addresses field in TGS-REQ
This field is copied into the caddr field in EncTicketPart, so if
this field is used in a TGS-REQ, the resulting ticket can be used
only from the specified addresses. When the local KDC receives a
TGS-REQ requesting attorney mode, it should copy the addresses
field only into the final TGS-REQ in the attorney process. It
must not copy the field into TGS-REQs to intermediate KDCs,
because resulting tickets are to be used by the local KDC instead
of the client.
Opacity of ticket extensions
The ticket extensions defined in rfc1510ter [KRBEXT] extends the
Ticket ASN.1 type, which is visible to clients. This is not a
problem if a client implementation treats a Ticket as an opaque
data, and there are such implementations, but unfortunately the
major free implementations do not. On the other hand, there is a
proposal of etype-based ticket extensions [TKTEXTALT]. It
encapsulates cleartext bits in the enc-part component of a Ticket.
It should not have any problems of opacity.
[[negotiation of various parameters]]
Kamada and Sakane [Page 10]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
[[If there are multiple authentication paths and a client has enough
knowledge, it could choose which path to take. With attorney
ticketing mode, it cannot because it is up to the KDC to select the
path. Is this a problem? With temporary inter-realm relationship
generation mode, it can as before.]]
[[co-existence with the plain Kerberos; attorney ticketing mode
client vs. non-attorney KDC; inter-realm generating local KDC vs.
non-generating remote KDC]]
[[anything to do with referral?]]
[[when a KDC in attorney mode receives a KRB-ERROR?]]
8. Security Considerations
8.1. Denial of Service (DoS)
A KDC that implements attorney ticketing mode needs to initiate
multiple TGS-REQ upon a request from a client. This means that the
KDC will have some states in it and may suffer from DoS attacks.
Fortunately, attorney ticketing mode can be requested in TGS-REQ,
which is only available to authenticated clients, thus, any untrusted
party cannot exploit this statefulness.
8.2. Ticketing Policy
Attorney ticketing mode changes nothing about the messages sent to
the intermediate and remote KDCs. Those KDCs will not notice the
difference and their ticketing process have nothing to be changed.
Temporary inter-realm relationship generation mode dynamically
generates new authentication paths. This means that KDCs that are
involved in the transit of a client are different from those that
would be involved if this mode were not used.
- Parameters of cross-realm TGTs (lifetime and flags) for a new
relationship need to be dynamically transferred (a la PKCROSS).
- How to handle the transited fields in inter-KDC tickets, direct
inter-realm tickets, and service tickets?
- Where the remote KDC adds AuthorizationData and the end-server
checks it: there is no problem because it is a local matter of the
remote realm.
Kamada and Sakane [Page 11]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
- Where an intermediate KDC adds AuthorizationData: traditionally it
is added in a cross-realm TGT and propagated to the service
ticket; now it will be propagated to the inter-KDC ticket. Should
AuthorizationData in an inter-KDC ticket be copied into a cross-
realm TGT or not? Even if it is copied, AuthorizationData on
inter-KDC ticket cannot represent per-client information, so if it
is necessary, temporary inter-realm relationship generation mode
must not be used.
9. IANA Considerations
This document has no actions for IANA.
10. Acknowledgments
The authors would like to acknowledge Saber Zrelli, Masahiro
Ishiyama, Atsushi Inoue, Kazunori Miyazawa, and Nobuo Okabe for
contributions to this document.
11. References
11.1. Normative References
[KRBEXT] Yu, T., "The Kerberos Network Authentication Service
(Version 5)", draft-ietf-krb-wg-rfc1510ter-04, Work in
Progress, March 2007.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC
4120, July 2005.
11.2. Informative References
[CRPS] Sakane, S., Zrelli, S., M. Ishiyama, "Problem statement
on the cross-realm operation of Kerberos in a specific
system", draft-sakane-krb-cross-problem-statement-02,
Work in Progress, April 2007.
[PKCROSS] Hur, M. et al., "Public Key Cryptography for Cross-
Realm Authentication in Kerberos", draft-ietf-cat-
kerberos-pk-cross-08 (expired), Work in Progress,
November 2001.
[TKTEXTALT] Message-ID: <tslfy54akcb.fsf@mit.edu>.
Kamada and Sakane [Page 12]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
[XTGS] Zrelli, S. et al., "XTGSP, the Inter-TGS protocol for
cross-realm operations in Kerberos", draft-zrelli-krb-
xtgsp-01, Work in Progress, March 2007.
Authors' Addresses
Ken'ichi Kamada
Shoichi Sakane
Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi,
Tokyo 180-8750 Japan
E-mail: Ken-ichi.Kamada@jp.yokogawa.com,
Shouichi.Sakane@jp.yokogawa.com
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
Kamada and Sakane [Page 13]
�
Internet-Draft Client-Friendly Cross-Realm July 2007
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Kamada and Sakane [Page 14]