k5wiki: Impromptu Realm Crossover with Kerberos

Rick van Rein rick at openfortress.nl
Tue Jan 19 11:13:55 EST 2016


Hello,

A few of you showed an interest in our work towards Realm Crossover
between KDCs, protected by DNSSEC/DANE but otherwise suitable to serve
the impromptu secure connections between previously unconnected realms. 
A page describing the proposed procedure has been posted on the k5wiki,

http://k5wiki.kerberos.org/wiki/Projects/Realm_Crossover_between_KDCs

Although we're documenting options for clients that directly address a
remote KDC, the central idea is to have KDCs connect, so they can cache
realm crossover keys for as long as the keys may be used.  Keys for
bidirectional uses require two separate crossover leaps.

If people like, I could release an early I-D describing what we are
doing, but it really is premature/unfinished at the moment.  For now it
feels more like a design/coding project to me.

Oriol (on Cc) is the one heroically implementing this work as his MSc
thesis project, and thereby testing my spec work.  I should be blamed
when anything is wrong with the protocol design.  The implementation
uses a separate "KXOVER" daemon to which the KDC forwards certain
traffic, so most of the KDC remains untouched and there should be no
blocking of the KDC due to these setup actions.


Cheers,

Rick van Rein
OpenFortress.nl / ARPA2.net
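As an added illustration (not code from the KXOVER project, the k5wiki page, or this post's author), the following toy model shows the two properties the message attributes to the KDC-side cache: a crossover key is served only for as long as it remains valid, and a key obtained in one direction says nothing about the reverse direction, so two realms that want to use each other's services need two separate leaps. The class and function names, the 32-byte random key standing in for the negotiated key, and the `perform_leap` stub are all assumptions; the real exchange is DNSSEC/DANE-protected and is not modelled here.

```python
"""Toy model of a per-direction realm crossover key cache.

Illustration only: names, structures and the leap stub are assumptions,
not the KXOVER daemon's code or the design on the k5wiki page.
"""
from dataclasses import dataclass
import os
import time


@dataclass(frozen=True)
class CrossoverKey:
    client_realm: str   # realm whose KDC initiated this crossover leap
    service_realm: str  # realm whose KDC answered it
    key: bytes          # shared crossover key (constructed sample value)
    not_after: float    # absolute expiry, seconds since the epoch


class CrossoverKeyCache:
    """One key per (client realm, service realm) pair, served while valid."""

    def __init__(self):
        self._keys = {}

    def store(self, ck):
        self._keys[(ck.client_realm, ck.service_realm)] = ck

    def lookup(self, client_realm, service_realm, now=None):
        """Return the cached key for this direction, or None if absent/expired."""
        now = time.time() if now is None else now
        pair = (client_realm, service_realm)
        ck = self._keys.get(pair)
        if ck is None:
            return None
        if now >= ck.not_after:
            # Expired keys are evicted rather than handed out stale.
            del self._keys[pair]
            return None
        return ck


def perform_leap(cache, client_realm, service_realm, lifetime, now):
    """Stand-in for one crossover leap between two KDCs (assumed helper).

    The real protocol negotiates the key under DNSSEC/DANE protection; here
    a random key with a fixed lifetime is stored to show the caching rule.
    """
    ck = CrossoverKey(client_realm, service_realm, os.urandom(32), now + lifetime)
    cache.store(ck)
    return ck


def directions_available(cache, realm_a, realm_b, now):
    """Report which of the two directions currently has a usable key."""
    return {
        f"{realm_a}->{realm_b}": cache.lookup(realm_a, realm_b, now) is not None,
        f"{realm_b}->{realm_a}": cache.lookup(realm_b, realm_a, now) is not None,
    }


def demo():
    """Walk through one leap, the reverse leap, and expiry (constructed realms)."""
    cache = CrossoverKeyCache()
    t0 = 1_000_000.0
    perform_leap(cache, "EXAMPLE.ORG", "EXAMPLE.NET", lifetime=3600, now=t0)
    one_way = directions_available(cache, "EXAMPLE.ORG", "EXAMPLE.NET", t0 + 10)
    # A second, separate leap is needed before the reverse direction works.
    perform_leap(cache, "EXAMPLE.NET", "EXAMPLE.ORG", lifetime=3600, now=t0)
    both = directions_available(cache, "EXAMPLE.ORG", "EXAMPLE.NET", t0 + 10)
    # Once the lifetime has elapsed neither key is served any more.
    expired = directions_available(cache, "EXAMPLE.ORG", "EXAMPLE.NET", t0 + 3600)
    return one_way, both, expired


if __name__ == "__main__":
    for label, state in zip(("after one leap", "after both leaps", "after expiry"), demo()):
        print(label, state)
```

Running the module prints the cache state after the first leap (only EXAMPLE.ORG->EXAMPLE.NET usable), after the reverse leap (both usable) and after the lifetime has passed (neither usable).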

