JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for MOONSHOT-COMMUNITY Archives

MOONSHOT-COMMUNITY Archives

MOONSHOT-COMMUNITY Archives


MOONSHOT-COMMUNITY@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font
LISTSERV Archives

LISTSERV Archives
MOONSHOT-COMMUNITY Home

MOONSHOT-COMMUNITY Home
MOONSHOT-COMMUNITY February 2013

MOONSHOT-COMMUNITY February 2013

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

 Log In

Log In

 Get Password

Get Password

Subject:

Re: It's Trust Routers all the way down: obtaining RADSEC credentials for TRs and TIDRs

From:

Jim Schaad <[log in to unmask]>

Reply-To:

Jim Schaad <[log in to unmask]>

Date:

Thu, 14 Feb 2013 14:34:00 -0800

Content-Type:

text/plain

Parts/Attachments:
Parts/Attachments

text/plain (290 lines) 

I was worried that I did not understand this message from Sam, so I have
done a more detailed walk through that what Sam presented here.  This is
appended at the end of this message for any curiosity seekers.  Based on the
walk through I ended up with a number of questions that I would like to get
answers to.

In this walk through I have made some "simplifying" assumptions that make
the model cleaner but do not reflect the reality as it was given to me by
Sam and Margaret last week.  Specifically, I assume that the trust router
associated with a AAA proxy/server has the ability to fully modify the key
table dynamically.  Per Sam this is not a correct statement for Free Radius.


QUESTIONS:

1.  To what degree do the trust router components tightly coupled to the AAA
proxy on the Relying Party and the IdP need to get the Trust Route flooding
information?  
    If the trust router next to the RP needs to talk to different trust
infrastructures based on COI, then it needs to know what COIs are in each
Trust Router.
    In a private mail to Sam & Margaret, I suggested a reason why the trust
router next to the IdP might need to get the same information.

2.  To what degree does a Trust Router in the system have a special
relationship with the IdP(s) that authenticate the Trust Route
infrastructure.
    It is my opinion that there will be one (or more) TRs that are
"privileged" in that they will have a pre-configured existing relationship
with the trust router IDP entity (TR-IDP).  If there are multiple TRs in a
web, not all of the TRs may have this "privileged" relationship and if there
are multiple "clones" of TR-IDP or multiple IDPs that can allow access to
the TR COI then 1) every IDP has some TR which is in a privileged
relationship and 2) a single TR may have a privileged relationship with zero
or more IDPs.

3.  What information does the RP AAA proxy need for indexing of the temp ids
for a given IdP's AAA proxy server?
    At a minimum I think this is the COI, the APC, the IdP Server Realm..
Additionally one would have the keys, the temp id and the lifetime of the
temp id.

Jim



Entities in the walk through:

User - This the person trying to get a service

RP-Service - This is the service provider that the user is trying to get to
RP-AAA - AAA proxy internal to the RP sphere
RP-AAA-TR - Trust router component - tightly coupled to the RP-AAA - also
tightly coupled to TR as it knows the set of trust routers it can talk to

TR - Centralized Trust Router
TR-IDP - IDP which issued credentials to TR, RP-AAA-TR and IDP-AAA-TR
TR-IDP-AAA - AAA proxy associated with TR-IDP

IDP - IDP which issued credentials to User
IDP-AAA - AAA Proxy associated with IDP
IDP-AAA-TR - Trust router component associated with IDP-AAA

Ports:
2083 - TLS/TCP port for RadSec
666 - TLS/TCP port for Trust Router (this port is a figment of my
imagination and is not a religious statement)

COI:
COI-TR - Trust routing COI consists of {"IDPs":["TR-IDP"], "RP":["TR",
"IDP-AAA-TR", "RP-TR"]}
COI-Service - COI that includes the user {"IDPs":["IDP"],
"RP":["RP-Service"]}

In deference to Josh, I am assuming that there are no certificates in this
system.  I thus expect that all TLS sessions using GSS-EAP for
authentication are going to be anonymous-anonymous DH and all TLS sessions
for RADIUS will use a PSK or pre-configured public key unless otherwise
stated.

Flow:

1.  User opens TLS/TCP:XXX session to RP-Service and start running GSS-EAP -
User name="@example.org"

2.  RP-Service sends RADIUS message to RP-AAA - Security on this link is out
of scope as this is internal to the RP cloud

3.  RP-Service looks up "example.org" determines that it has no PSK/IDP pair
for that realm name

4.  RP-Service requests PKS/IDP information from RP-AAA-TR

5.  RP-AAA-TR discovers that it does not know this information

6.  RP-AAA-TR opens TLS/TCP:666 session to TR (anonymous) then starts
Moonshot w/ username="[log in to unmask]"

7.  TR sends RADIUS message to TR-IDP.  Message secured by configured
public/private key pair (or similar). (using TLS/TCP:2083 session)

8.  TR-IDP replies w/ Access-Accept  - At this point RP-TR is validated to
TR.

9.  TR determines that it needs to route the Trust Message to IDP - however
it does not have a relationship now.  The trust network has the name of the
IdP pre-configured in TR's database.

10.  TR opens a TLS/TCP:666 session to IDP-TR and sends an GSS-EAP request
to the server.

11.  IDP-TR has no current path back to TR-IDP and thus cannot do the
validation.  At this point there are two options in the protocol.  The first
would be to open a separate TCP session back to TR and perform the
validation on that path.  The second is to use the current session and
reverse the GSS-EAP entities so that the IDP-TR becomes the initiator and TR
becomes the acceptor.  The Trust Router protocol could have a message to say
- "My name is TR. My voice is my passport. Verify Me." (Sneakers)  In bound
(i.e. toward the IDP) validation is easy.  Out bound (i.e away from the IDP)
is really hard because the GSS-API acceptor has no current path back to the
IDP.

12.  TR requests a public-key from IDP-TR which is returned

13.  TR returns public key to RP-TR

14.  RP-TR returns public key and IDP name to RP-AAA

15.  RP-AAA opens TLS/TCP:2083 session directly to IDP-AAA and sends RADIUS
message

16.  IDP-AAA sends access-accept back to RP-AAA

17.  RP-AAA sends access-accept back to RP-Server

18.  RP-Server sends GSS-EAP accept back to User



    

> -----Original Message-----
> From: Moonshot community list [mailto:MOONSHOT-
> [log in to unmask]] On Behalf Of Sam Hartman
> Sent: Wednesday, February 13, 2013 2:56 AM
> To: [log in to unmask]
> Subject: It's Trust Routers all the way down: obtaining RADSEC credentials
for
> TRs and TIDRs
> 
> Well, it's trust routers all the way down until you start mining the
elephant at
> least.
> 
> A couple of weeks ago, I noted that we don't currently have a  solution
for
> obtaining credentials for RADSEC  clients that are trust router entities.
> In particular, a trust router needs a RADSEC credential in order to act as
a
> Moonshot acceptor so other trust routers and TIDCs can connect to it.
> A TIDRS needs to have RADSEC credentials in order to act as a Moonshot
> acceptor so TRs and TIDCs can connect to it.
> 
> In that message, I pointed out that we could potentially use the TID
protocol to
> obtain temporary identities in a realm associated with the APC.
> 
> Margaret thought that sounded a lot like a special case.
> "How does this work for a normal Moonshot acceptor?"
> "Uh. Hmm. It's not really different at all. That's kind of messy too."
> 
> Within a realm we have a couple of options:
> 
> 1) You can use self-signed certificates.
> 
> 2) You can use that single PSK key that Freeradius supports.
> 
> Margaret then asked why we couldn't hook a trust router or TIDRs up to an
> AAA proxy just like we would anything else.
> 
> Hmm, I bet that creates a loop of some kind. Let's see if it has a base
case.
> 
> Turns out if you configure things right  it just works.
> 
> Let's take an example.
> RPP1: RP proxy 1
> TR: The single trust router
> IDP1: an IDP realm and AAA server in that realm
> APC: The AAA server and realm associated with the APC
> tid(a,b): TIDR with target_realm a from source b
> 
> IDP1, TR and RPP1 all have credentials in APC.  In the following we assume
> everything is done in the context of the APC.  I'll argue at the end we
probably
> want a COI for trust router internal messaging.
> 
> RPP1 gets an authentication from [log in to unmask] It discovers it has no
key
> for IDP1.
> 
> SO, RPP1 sends a TIDR for IDP1 to TR.  to do that, RPP1 opens a gss
connection
> using its credential in APC1 to TR.  TR is run by the same folks as APC1
so it
> shares the PSK or a self signed cert with APC1 and can accept this
connection.
> 
> TR attempts to forward the TIDR to IDP1. To do that it opens a GSS
connection
> to IDP1 using its identity within APC1.
> 
> IDP1's TIDRS contacts its RP proxy (IDP1). IDP1 discovers it doesn't have
a
> RADSEC key with APC1.
> So, it initiates a TIDR with target_realm APC1 from IDP1.
> 
> To do this IDP1 opens a GSS connection with TR. It does have an EAP
> credential in APC1 so it can act as a client.
> TR does have a RADSEc key for APC1 so it can accept the connection.
> 
> TR forwards tid(APC1,IDP1) to APC1. To do this, it opens a GSS connection.
TR
> has an EAP credential in APC1 so it can do this. APC1's TIDRs is closely
> associated with APC1 (same machine) so it has a RADSEc key with APC1 and
> can accept the connection.
> A response to TID(APC1,IDP1) is responded.
> This makes its way back to IDP1, which now has a key for APC1.
> 
> Now, IDP1 can accept that connection from TR to process tid(IDP1,RPP1).
> 
> See, there is a base case!  It will "work."  This is really nice because
we didn't
> need more must-haves for the upcoming beta or pilot releases.
> 
> I'm a bit concerned about the scaling and performance. There's a fair bit
of
> recursion involved that all needs to resolve itself before the client
behind
> RPP1 gives up on RPP1's ability to get an access-request to IDP1.  If that
fails,
> then the user behind RP1 will get a timeout and authentication failure.
If they
> try again it will work better, but that provides bad usability, especially
for
> automated authentications.
> 
> If the trust router is good about connection caching, holds open TID
> connections to popular TIDRS, etc, then I suspect we can make this work
with
> reasonable performance.
> Currently that sort of caching is not part of the plan.
> So, I expect that things may be a bit slow for the first version.
Especially since
> we don't expire temporary identities right now, I think it will work out
OK.
> However, I think that this will give us some pressure post-April to
improve our
> performance.
> 
> 
> I had originally hoped that the APC realm would not be routable from the
> normal AAA proxies. My hope was to avoid having normal users be able to
> connect to trust router infrastructure for better isolation of the trust
plane
> than the normal authentication plane.  I think we can gain the same
isolation
> by having a COI in which these requests are made. The
> APC1 AAAserver only accepts requests with this orig_coi. Similarly  the
trust
> router and TIDRs will make their requests in this COI, and only the APC1
realm
> will be an IDP realm in that COI.
> 
> In many ways this ends up being  an excellent architectural validation:
> 
> 1) I proposed introducing a special case at the protocol level. It turns
out it's
> easier to do it using existing tools treating the recursive authentication
just as
> another case of Moonshot.
> 
> 2) I thought the trust router internal infrastructure was "special enough"
that
> it didn't want to use the one APC. It turns out it works better if we do
use the
> APC and just use COIs to provide isolation exactly the way we're asking
people
> to do for their resources.

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

April 2024
March 2022
December 2021
October 2021
September 2021
August 2021
June 2021
April 2021
February 2021
January 2021
December 2020
November 2020
October 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
January 2020
November 2019
October 2019
September 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
June 2018
April 2018
November 2017
October 2017
September 2017
August 2017
July 2017
May 2017
April 2017
March 2017
February 2017
November 2016
October 2016
August 2016
July 2016
June 2016
May 2016
March 2016
February 2016
January 2016
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

For help and support help@jisc.ac.uk

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager