Kerberos for Wireless Authentication

Jeffrey Hutzelman jhutz at cmu.edu
Mon Jun 6 12:46:39 EDT 2005



On Monday, June 06, 2005 09:59:56 AM -0500 Nicolas Williams 
<Nicolas.Williams at sun.com> wrote:

> On Mon, Jun 06, 2005 at 09:27:51AM -0500, Matt Crawford wrote:
>> >> I really think that working on this axis [IAKERB/Wireless Auth.]
>> >> should be amongst the milestones of kerberos wg.
>>
>> Work area for energetic contributors, yes.  Milestones of the group,
>> no.  IMO, of course.
>
> Such a mechanism could be pursued outside the KRB WG, either as an
> individual submission or in another WG (AAA?), and it could receive
> expert review from Kerberos V experts when and as needed.

IAKERB or something like it is clearly within the scope of this working 
group; it was an "existing proposal" at the time the WG was formed.  There 
is no milestone because the group decided to drop the proposal, for various 
reasons.  As others have noted, one of the main reasons why no work has 
been done recently in that space is because potential contributors are 
currently involved in other work, and only have so much time.

If there are folks that want to reopen IAKERB, are willing to spend time on 
it, and can convince the WG that this is the right approach, then I see no 
problem with carrying on such work here.  Of course, I would expect any 
GSSAPI mechanism work to be reviewed in KITTEN as well.  I think it would 
be ill-advised to pursue any such work as an individual without input from 
one or both of these working groups.



A while back there was a proposal for a Kerberos EAP method which would 
have supported tunneling of Kerberos messages in a similar fashion to EAP, 
allowing a client to communicate with its KDC to obtain credentials needed 
for EAP authentication.  This looked somewhat promising, and possibly a 
better fit for network access applications than IAKERB, but to my knowledge 
no work has been done on this in a while.

It's not clear to me that work on an EAP method is in scope for this WG, 
though I'd be inclined towards "yes" by analogy to IAKERB.  Perhaps Sam 
would be willing to comment on this point.  It clearly is not in scope for 
the EAP WG, whose charter does not currently include standardizing new EAP 
methods.  However, I would expect any actual work in this area to be 
reviewed in both WGs, even if pursued as individual work.  Again, I think 
it would be ill-advised to pursue such work without input from members of 
one or both WGs.


I do not believe that either type of mechanism is within the scope of the 
AAA working group, though a Diameter extension to tunnel krb5 messages 
between Diameter servers likely would be.  Those determinations are 
ultimately up to the AAA chairs and the OPS ADs.


An extension to the Kerberos protocol such as Saber Zrelli proposed is 
clearly not within the scope of AAA.  Any such work should be done within 
the Kerberos WG; I would not expect approval of a standards-track extension 
to Kerberos that had passed review here.  Note that in order to convince 
this WG to take on such work, you will need to convince us that extending 
Kerberos is the right way of solving the problem you describe, and that 
your proposed extension is the right one.  If you want it to happen in a 
timely fashion, it of course would help to bring along people willing to do 
some of the work (protocol design, document editing, etc); preferably such 
people should be familiar with the Kerberos protocol and with the needs of 
network operators with respect to the problem you are trying to solve.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


