[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: I-D ACTION:draft-ietf-kink-reqmt-03.txt
Rohit Aradhya <arohit@xxxxxxxxxxxx> writes:
> 1. Most of the requirements specified here are met by the Packet
> cable specification (PKT-SP-SEC-I01-991201) document, is this draft
> has some special requirements which are currently not supported by
> Packet Cable Spec mentioned above.
Considering that KINK is somewhat derived from PacketCable, it isn't
surprising that the requirements appear to mostly be met by the
PacketCable specification. However, I'm not convinced that
PacketCable meets ALL the requirements of KINK.
> 2. In third hyphen of the requirements section.. if i am
> interpreting it correctly.. does this mean to say.. It should be
> possible to start SA negotiation from either hosts participating.
> OR just send a wakeup from one host and always the AP_REQ starts
> from another machine.
It means that the complete KINK protocol must allow either
participating host to initiate an SA negotiation. HOW that is met is
a matter for the actual protocol and is out-of-scope for the
requirements themselves. This may involve a handoff, or it may
involve a direct authentication, or it may involve a request for a TGT
to perform U-2-U.
> 3. Can anybody clearify what is User-to-User mode and its significance.?
Read RFC 1510. User-to-user allows a "responder" (i.e. a "server") to
have just a TGT and not a kerberos keytab. In other words, it allows
a Kerberos "client" (an entity with just a TGT) to act as a service
> 4. The requirement for Multiple realms -- It should be a
> requirement mostly for KDC?
Not necessarily. This is an issue in terms of naming at the KINK
protocol level. You cannot just push it off to the KDCs. Otherwise a
protocol may just assume that all entities are in the same Kerberos
Realm, and that would be bad.
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@xxxxxxx PGP key available