Re: domain-based service names redux
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: domain-based service names redux

Martin Rex wrote:
Peter Saint-Andre wrote: 
             XMPP ROUTER
            /     |    \
          CM     CM     CM
            \     |    /
            LOAD BALANCER
            /     |    \
           C      C     C

The problem is that a client doesn't know which CM it has connected to (e.g., cm6.example.com), since that information is hidden by the load balancer in the middle (all clients appear to be connected to the IP address of the load balancer). For non-Kerberos deployments that doesn't matter, but it does matter for Kerberos deployments since a client needs to know the address of its service. 

I never liked hostbased service names ;-)

For "old-fashioned" 2-token Kerberos authentication (which is the
authentication exchange currently covered by the official Kerberos 5
gssapi mechanisms (rfc-1964 and rfc-4121), the sharing of the
server credentials is a problem.  (session replay to servers sharing
credentials but not sharing the replay cache).

If Kerberos user2user authentication is used (exclusively), such a
vulnerability from sharing the server credentials does not exist.
Microsoft has implemented the 3-token user2user authentication exchange
in addition to the 2-token authentication exchange of the IETF-defined
Kerberos 5 gssapi mechanism, it has already been available in Windows 2000.

The correct approach of using the 2-token exchange in a distributed
environment was implemented by DCE many many years ago, but requires
a secure directory, something not available in traditional Kerberos.

The most sensible and infrastructure-independent approach (i.e. independent
of how load-balancing is done within the backend and where within
the backend the secure communication is terminated) for traditional
Kerberos authentication would be to standardize the user2user
authentication exchange and use that (no use of _hostbased_
service names).

Today, this option is only available if you go proprietary
(or implementation-specific).

Not an option. XMPP implementations use the open standards developed by the IETF. That's why I'm asking in this venue. :)

It's not clear to me how the session replay attack you mention is specific to the architecture I described. Couldn't an attacker send an earlier ticket even if there is only one service involved (i.e., in my description, only one connection manager)?

My understanding of potential objections to the method I described in my previous email is that there is no way for the XMPP client to trust that the connection manager (asserted as cm6.example.com) is associated with the domain (example.com) to which the initiator connected in the first place. But if the client and connection manager have successfully upgraded the XMPP stream to TLS (see Section 5 of RFC 3920), then presumably the connection manager has provided appropriate credentials (e.g., X.509 certificate) that it is indeed so associated. And if the connection manager asserts its GSS_C_NT_DOMAINBASED_SERVICE name only after TLS has been negotiated, then I think the risk is mitigated. What is the attack at that point?

Peter

--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.