ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Kerberos

2006-05-26 19:37:10
from [Narayanan, Vidya] [Permanent Link] 

Jeff,
Please see some questions/comments inline below. 
 

"Narayanan," == Narayanan, Vidya <vidyan(_at_)qualcomm(_dot_)com> 
writes:

    Narayanan,> I fully agree. As far as I can tell, using 

EAP in this

    Narayanan,> manner merely reduces it to a posture transport
    Narayanan,> protocol. The level of security provided by EAPoUDP
    Narayanan,> does not seem to be any greater than a 

kerberos-based

    Narayanan,> authentication done today in most 

enterprise networks,

    Narayanan,> considering the presence of switched 

ethernet. Hence,

    Narayanan,> the only reason to move to EAPoUDP would be to check
    Narayanan,> posture and I agree with Sam that making EAP the
    Narayanan,> posture transport protocol is a bad idea.

There are a number of cases where Kerberos is used in a 

manner similar 

to radius/diameter, but that's really more for convenience to have 
your passwords in one place than because you're making good use of 
Kerberos.  You're not making bad use of Kerberos per se, but you 
certainly could be providing a lot better security.


I prefer not to ever describe those use cases as "using 
Kerberos for authentication".  It's really using passwords 
for authentication, where password verification happens to be 
done by obtaining and validating a Kerberos ticket, instead 
of by computing a hash a la unix passwd, or looking them up 
in an LDAP database.



I see your point here. 


That form of authentication provides a limited level of 
security, and it doesn't provide keying material for IPsec or 
link-layer security.  Using EAP over UDP with passwords (I 
admit, I can't remember if a password-based EAP mechanism 
even exists) doesn't provide much more.



Sure, EAP can carry many authentication protocols including PAP, CHAP,
etc. and so, using passwords is definitely possible. For protected
exchange of such data, a tunneled TLS based method (such as TTLS or
PEAP) may also be used, with server side certs and client passwords. 


However, there are two distinct advantages to be gained by 
running some form of EAP over UDP instead of the current 
usurp-HTTP techniques that are so widely deployed.  The first 
is the existance of a standard means of authentication, which 
means my workstation can prompt me for the username and 
password needed to access the network.  Compare that to the 
current model, where I get an environment in which a bunch of 
things are broken because the system thinks I have network 
connectivity when I really don't, and then have to start up a 
web browser and navigate some broken authentication UI that's 
different for every network I connect to.



The proposed EAPoUDP is not being hinted as a replacement to the
scenario you have mentioned above, but rather a replacement to the use
of 802.1x on wired ethernet networks. At least, that is what I
interpreted from Bernard's email on the use of EAPoUDP. On that point, I
do believe that simple password-based authentication (with the aid of
Kerberos, for sake of not misrepresenting the use of Kerberos here :))
is what is widely used today. In that particular scenario, EAPoUDP does
not seem to buy anything. 


The second advantage is that it provides a clear path to 
replacing password-based authentication with _real_ Kerberos, 
or whatever else people have deployed.  From where I sit, 
that's pretty compelling.



I am a little confused on the above. Could you please elaborate? 



BTW, Carnegie Mellon has a single campus-wide 802.11 wireless 
network.  The access points are completely open, and access 
to the network is controlled by a combination of 
pre-registration and authentication via a web page. 
The mechanism used to actually restrict access to the network 
is filter between the wireless subnet and the rest of the 
campus network, which passes only traffic form authorized MAC 
addresses or to specific services used in the process of 
authentication and network registration.  In that model 
(which, I admit, has its flaws), the ability to handle 
authentication for network access using protocols that run on 
IP is extremely valuable.



So, I assume that the issue with using 802.11i/WPA2 would be that it
requires an upgrade of APs? If EAPoUDP (as being discussed without any
keys for data traffic protection) were to be used, you would still have
to perform the MAC address-based access control to provide an equivalent
level of security as you have now. The only advantage then is the user
being prompted for a password as opposed to web-based login - perhaps
that is still a reasonable advantage, I am not sure. 

As soon as we say that there are keys that are bound to the
authentication, it implies something like IPsec in this scenario and
that automatically leads me to EAP-in-IKEv2, rather than to EAPoUDP. 

Regards,
Vidya



-- Jeff



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  PANA vs. RADIUS/Diameter (RE: The Emperor Has No Clothes: Is PANA actually useful?), Alper Yegin
Next by Date:  Re: Complexity (was RE: The Emperor Has No Clothes: Is PANA actually useful?), Dave Crocker
Previous by Thread:  RE: Kerberos, Narayanan, Vidya
Next by Thread:  Re: Kerberos, Jari Arkko
Indexes:  [Date] [Thread] [Top] [All Lists]