Proposal for using NAPTR/URI records
Nico Williams
nico at cryptonector.com
Tue Feb 24 11:34:39 EST 2015
On Tue, Feb 24, 2015 at 8:49 AM, Simo Sorce <simo at redhat.com> wrote:
> On Mon, 2015-02-23 at 22:59 -0600, Nico Williams wrote:
> > [...]
>
> I do not see how exposing KKDCP in DNS is any different from current DNS
> SRV records, therefore I do not see why it requires additional security
> considerations.
>
> Can you explain ?
Check out this thread (all of it, particularly Viktor D.'s and Sam
H.'s comments):
https://www.ietf.org/mail-archive/web/ietf/current/msg91915.html
It's not that it can't be done. But that it requires care.
Again, if I use a locally-configured proxy, or a proxy that is
co-located with the KDCs of the target realm, then no problem. If I
use a DNS RRset that could point to a different host, and to boot I
don't use DNSSEC, then now I have a problem.
OTOH, it's probably not a big deal, we just need to think through the
security considerations:
- TGS exchanges leak little information about the client principal
(mostly the Ticket they are using, and in the case of user2user
Kerberos, the user2user TGT of the peer).
- AS exchanges leak the cname and crealm, but could be tunneled in
FAST w/ anon PKINIT, yielding protection for the cname, but not much
protection for the crealm (since, after all, if we're talking to an
MITM, they could have used a different host:port for each realm for
which they saw a query for a proxy).
- anything else?
BTW, the better forum for this is the KITTEN WG list.
Nico
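The trust rule sketched above (a proxy is fine if it is locally configured or co-located with the realm's KDCs; a DNS-discovered proxy pointing elsewhere is only acceptable if the answer was DNSSEC-validated) as an added client-side policy check; this is example code, not part of the original post or any Kerberos implementation, and the realm configuration, hostnames and URLs in it are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed per-realm client configuration (hypothetical values).
REALM_CONFIG = {
    "EXAMPLE.COM": {
        "kdc_hosts": {"kdc1.example.com", "kdc2.example.com"},
        "configured_proxies": {"https://proxy.example.com/KdcProxy"},
    },
}


@dataclass
class DiscoveredProxy:
    """A KKDCP endpoint found via a DNS RRset for a realm (constructed)."""
    realm: str
    url: str
    dnssec_validated: bool  # True only if the resolver set the AD bit


def is_trusted_proxy(rec: DiscoveredProxy, config=REALM_CONFIG):
    """Return (trusted, reason) for a DNS-discovered KKDCP proxy.

    Order of checks mirrors the argument in the thread: local config and
    KDC co-location need no DNS trust; anything else needs DNSSEC.
    """
    cfg = config.get(rec.realm.upper())
    if cfg is None:
        return False, "unknown realm"
    parsed = urlparse(rec.url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False, "KKDCP requires an https URL with a host"
    host = parsed.hostname.lower()
    if rec.url in cfg["configured_proxies"]:
        return True, "locally configured proxy"
    if host in {h.lower() for h in cfg["kdc_hosts"]}:
        return True, "proxy co-located with a KDC of the target realm"
    if rec.dnssec_validated:
        return True, "off-KDC proxy, but RRset was DNSSEC-validated"
    # An unsigned answer may have been forged to steer us to a MITM proxy.
    return False, "unauthenticated DNS answer pointing to a third-party host"


if __name__ == "__main__":
    rec = DiscoveredProxy("EXAMPLE.COM", "https://evil.example.net/KdcProxy", False)
    print(is_trusted_proxy(rec))
```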