Network Working Group Assar Westerlund SICS Internet-Draft Johan Danielsson November, 1997 PDC, KTH Expire in six months Kerberos vs firewalls Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this memo is unlimited. Please send comments to the mailing list. Abstract Introduction Kerberos[RFC1510] is a protocol for authenticating parties communicating over insecure networks. Firewalling is a technique for achieving an illusion of security by putting restrictions on what kinds of packets and how these are sent between the internal (so called ''secure'') network and the global (or ''insecure'') Internet. Definitions client: the user, process, and host acquiring tickets from the KDC and authenticating itself to the kerberised server. KDC: the Kerberos Key Distribution Center Westerlund, Danielsson [Page 1] Internet Draft Kerberos vs firewalls November, 1997 Kerberised server: the server using Kerberos to authenticate the client, for example telnetd. Firewalls A firewall is usually placed between the "inside" and the "outside" networks, and is supposed to protect the inside from the evils on the outside. There are different kinds of firewalls. The main differences are in the way they forward packets. o+ The most straight forward type is the one that just imposes restrictions on incoming packets. Such a firewall could be described as a router that filters packets that match some criteria. o+ They may also "hide" some or all addresses on the inside of the firewall, replacing the addresses in the outgoing packets with the address of the firewall (aka network address translation, or NAT). NAT can also be used without any packet filtering, for instance when you have more than one host sharing a single address (for example, with a dialed-in PPP connection). There are also firewalls that does NAT both on the inside and the outside (a server on the inside will see this as a connection from the firewall). o+ A third type is the proxy type firewall, that parses the contents of the packets, basically acting as a server to the client, and as a client to the server (man-in-the-middle). If Kerberos is to be used with this kind of firewall, a protocol module that handles KDC requests has to be written. This type of firewall might also cause extra trouble when used with kerberised versions of protocols that the proxy understands, in addition to the ones mentioned below. This is the case with the FTP Security Extensions [RFC2228], that adds a new set of commands to the FTP protocol [RFC959], for integrity, confidentiality, and privacy protecting commands. When transferring data, the FTP protocol uses a separate data channel, and an FTP proxy will have to look out for commands that start a data transfer. If all commands are encrypted, this is impossible. A protocol that doesn't suffer from this is the Telnet Authentication Option [RFC1416] that does all authentication and encryption in-bound. Scenarios Here the different scenarios we have considered are described, the problems they introduce and the proposed ways of solving them. Westerlund, Danielsson [Page 2] Internet Draft Kerberos vs firewalls November, 1997 Combinations of these can also occur. Client behind firewall This is the most typical and common scenario. First of all the client needs some way of communicating with the KDC. This can be done with whatever means and is usually much simpler when the KDC is able to communicate over TCP. Apart from that, the client needs to be sure that the ticket it will acquire from the KDC can be used to authenticate to a server outside its firewall. For this, it needs to add the address(es) of potential firewalls between itself and the KDC/server, to the list of its own addresses when requesting the ticket. We are not aware of any protocol for determining this set of addresses, thus this will have to be manually configured in the client. The client could also request a ticket with no addresses, but some KDCs and servers might not accept such a ticket. With the ticket in possession, communication with the kerberised server will not need to be any different from communicating between a non-kerberised client and server. Kerberised server behind firewall The kerberised server does not talk to the KDC at all so nothing beyond normal firewall-traversal techniques for reaching the server itself needs to be applied. The kerberised server needs to be able to retrieve the original address (before its firewall) that the request was sent for. If this is done via some out-of-band mechanism or it's directly able to see it doesn't matter. KDC behind firewall The same restrictions applies for a KDC as for any other server. Specification Security considerations This memo does not introduce any known security considerations in addition to those mentioned in [RFC1510]. References Westerlund, Danielsson [Page 3] Internet Draft Kerberos vs firewalls November, 1997 [RFC959] Postel, J. and Reynolds, J., "File Transfer Protocol (FTP)", RFC 969, October 1985 [RFC1416] Borman, D., "Telnet Authentication Option", RFC 1416, February 1993. [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993. [RFC2228] Horowitz, M. and Lunt, S., "FTP Security Extensions", RFC2228, October 1997. Authors' Addresses Assar Westerlund Swedish Institute of Computer Science Box 1263 S-164 29 KISTA Sweden Phone: +46-8-7521526 Fax: +46-8-7517230 EMail: assar@sics.se Johan Danielsson PDC, KTH S-100 44 STOCKHOLM Sweden Phone: +46-8-7907885 Fax: +46-8-247784 EMail: joda@pdc.kth.se Westerlund, Danielsson [Page 4]