1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
|
Network Working Group M. Thomas
Request for Comments: 3129 Cisco Systems
Category: Informational June 2001
Requirements for Kerberized Internet Negotiation of Keys
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The goal of this document is to produce a streamlined, fast, easily
managed, and cryptographically sound protocol without requiring
public key.
Motivation
The IPsec working group has defined a number of protocols which
provide the ability to create and maintain cryptographically secure
security associations at layer three (i.e., the IP layer). This
effort has produced two distinct protocols:
1) a mechanism to encrypt and authenticate IP datagram payloads which
assumes a shared secret between the sender and receiver
2) a mechanism for IPsec peers to perform mutual authentication and
exchange keying material
The IPsec working group has defined a peer to peer authentication and
keying mechanism, IKE (RFC 2409). One of the drawbacks of a peer to
peer protocol is that each peer must know and implement a site's
security policy which in practice can be quite complex. In addition,
the lack of a trusted third party requires the use of Diffie Hellman
(DH) to establish a shared secret. DH, unfortunately, is
computationally quite expensive and prone to denial of service
attacks. IKE also relies on X.509 certificates to realize scalable
authentication of peers. Digital signatures are also computationally
expensive and certificate based trust models are difficult to deploy
Thomas Informational [Page 1]
^L
RFC 3129 Requirements for KINK June 2001
in practice. While IKE does allow for pre-shared symmetric keys, key
distribution is required between all peers -- an O(n^2) problem --
which is problematic for large deployments.
Kerberos (RFC 1510) provides a mechanism for trusted third party
authentication for clients and servers. Clients authenticate to a
centralized server -- the Key Distribution Center -- which in turn
issues tickets that servers can decrypt thus proving that the client
is who it claims to be. One of the elements of a Kerberos ticket is
a session key which is generated by the KDC which may be used by the
client and server to share a secret. Kerberos also allows for both
symmetric key authentication, as well as certificate based public key
authentication (PKinit). Since the authentication phase of Kerberos
is performed by the KDC, there is no need to perform expensive DH or
X.509 certificate signatures/verification operations on servers.
While clients may authenticate using X.509 certificates, the
authentication phase can be amortized over the lifetime of the
credentials. This allows a single DH and certificate exchange to be
used to key security associations with many servers in a
computationally economic way. Kerberos also support clients with
symmetric keys but unlike IKE, the symmetric keys are stored in the
KDC making the number of keys an O(n) problem rather than O(n^2).
Kerberos also allows security policy to be managed in a more
centralized fashion, rather than expecting each potentially
untrustworthy peer to abide by stated security policies of an
organization.
The KINK working group takes these basic features of Kerberos and
uses them to its advantage to create a protocol which can establish
and maintain IPsec security associations (RFC 2401). It should be
noted that KINK is not a replacement for IKE. IKE has one property
which KINK cannot reproduce: the ability for two peers to mutually
authenticate and exchange keys without the need for an actively
participating third party. However, there are many situations where
a trusted third party which proxies authentication is viable, and in
fact desirable.
While Kerberos specifies a standard protocol between the client and
the KDC to get tickets, the actual ticket exchange between client and
server is application specific. KINK is intended to be an
alternative to requiring each application having its own method of
transporting and validating service tickets using a protocol which is
efficient and tailored to the specific needs of Kerberos and the
applications for which it provides keying and parameter negotiation.
Given the above, a new general keying protocol which leverages the
scalability of Kerberos is desirable. The working group's first task
is to define this protocol and define an domain of interpretation for
Thomas Informational [Page 2]
^L
RFC 3129 Requirements for KINK June 2001
IPsec to establish and maintain IPsec security associations. The
protocol must be able to take full advantage of the features of RFC
2401 but in the context of a centralized keying authority.
Requirements
KINK must meet the following requirements at a minimum:
- The protocol must use the session keys found in Kerberos
tickets as the basis of the keying material used for IPsec
security association keys.
- The protocol must be able to integrate into security
architecture of IPsec (RFC 2401).
- The protocol must be able to start up SA's regardless of any
client/server disposition in the keying protocol. In other
words, either IPsec peer can be the initiator or responder,
regardless of whether it's a Kerberos 'client' (TGT-only) or
Kerberos 'server'(has a keytab).
- The protocol must support Kerberos using either secret key, or
public key (PKINIT) initial authentication.
- The protocol must support Kerberos User-to-User mode for cases
in which the initiator cannot obtain an AP_REQ for the
responder (i.e. the responder is a PKINIT client) or the
responder cannot decrypt and AP_REQ from the initiator (i.e.,
the responder doesn't have a Kerberos Keytab, just a TGT).
- The protocol must be able to allow a peer to authenticate and
participate in many realms.
- The protocol must handle absolute time skew gracefully.
- The protocol must be able to create, modify, rekey, and delete
security associations.
- The protocol must be capable of setting up both transport and
tunnel modes of IPsec.
- The protocol must be capable of setting up both AH and ESP
security associations.
- The protocol must be capable of negotiating cipher suites.
- The protocol must be capable of setting up IPsec flow
selectors.
Thomas Informational [Page 3]
^L
RFC 3129 Requirements for KINK June 2001
- The protocol must be capable of rekeying without the assistance
of the KDC if the Kerberos session ticket is still valid.
- The protocol must make an effort to mitigate third party Denial
of Service attacks (aka Zombies attacks).
- The protocol must be able to be used for more than IPsec
keying.
- The protocol must support both IPv4 and IPv6.
Security Considerations
These requirements lay out input to define a protocol which allows
the keying of IPsec security associations using Kerberos as the key
distribution mechanism. As such, the security associations that will
be created by the new protocol will inherit the union of IPsec and
Kerberos's existing security weaknesses. There is no requirement to
address those weaknesses unless in combination they produce a new
weakness which is not inherent in other keying protocols.
Acknowledgments
The original KINK Kabal was:
Michael Thomas (Cisco)
David McGrew (Cisco)
Jan Vilhuber (Cisco)
Jonathan Trostle (Cisco)
Matt Hur (Cybersafe)
Mike Froh (Cybersafe)
Sasha Medvinsky (GI)
Derek Atkins (Telcordia)
It must also be acknowledged that the Packetcable Security
specification PKT-SP-SEC-I01-991201 provided the raw fodder for this
effort in its Kerberized IPsec section, and all of the focus team
members who played a part in the spec. We must also acknowledge
Nancy Davoust of Cablelabs for keeping order in our normally
disorderly proceedings.
Thomas Informational [Page 4]
^L
RFC 3129 Requirements for KINK June 2001
References
[1] Kohl, J. and C. Neuman, "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
[2] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[3] Harkins, D. and D. Carrel, "The Internet Key
Exchange (IKE)", RFC 2409, November 1998.
Author's Address
Michael Thomas
Cisco Systems
375 E Tasman Rd
San Jose, Ca, 95134, USA
Phone: +1 408-525-5386
EMail: mat@cisco.com
Thomas Informational [Page 5]
^L
RFC 3129 Requirements for KINK June 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Thomas Informational [Page 6]
^L
|
