[apple/ipsec.git] / ipsec-tools / racoon / Documents / README.gssapi

The gss-api authentication mechanism implementation for racoon was
based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt.

The implementation uses the Heimdal gss-api library, i.e. gss-api
on top of Kerberos 5. The Heimdal gss-api library had to be modified
to meet the requirements of using gss-api in a daemon. More specifically,
the gss_acquire_cred() call did not work for other cases than
GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started
as root, and have no Kerberos 5 credentials, so racoon explicitly
needs to acquire its credentials. The usual method (already used
by login authentication daemons) in these situations is to add
a set of special credentials to be used. For example, authentication
by daemons concerned with login credentials, uses 'host/fqdn' as
its credential, where fqdn is the hostname on the interface that
is being used. These special credentials need to be extracted into
a local keytab from the kdc. The default value used in racoon
is 'ike/fqdn', but it can be overridden in the racoon config file.

The modification to the Heimdal gss-api library implements the
mechanism above. If a credential other than GSS_C_NO_CREDENTIAL
is specified to gss_acquire_cred(), it first looks in the default
credential cache if it its principal matches the desired credential.
If not, it extracts it from the default keytab file, and stores
it in a memory-based credential cache, part of the gss credential
structure.


The modifcations to racoon itself are as follows:

	* The racoon.conf config file accepts a new keyword, "gssapi_id",
	  to be used inside a proposal specification. It specifies
	  a string (a Kerberos 5 principal in this case), specifying the
	  credential that racoon will try to acquire. The default value
	  is 'ike/fqdn', where fqdn is the hostname for the interface
	  being used for the exchange. If the id is not specified, no
	  GSS endpoint attribute will be specified in the first SA sent.
	  However, if the initiator does specify a GSS endpoint attribute,
	  racoon will always respond with its own GSS endpoint name
	  in the SA (the default one if not specified by this option).

	* The racoon.conf file accepts "gssapi_krb" as authentication
	  method inside a proposal specification. The number used
	  for this method is 65001, which is a temporary number as
	  specified in the draft.

	* The cftoken.l and cfparse.y source files were modified to
	  pick up the configuration options. The original sources
	  stored algorithms in bitmask, which unfortunately meant
	  that the maximum value was 32, clearly not enough for 65001.
	  After consulting with the author (sakane@kame.net), it turned
	  out that method was a leftover, and no longer needed. I replaced
	  it with plain integers.

	* The gss-api specific code was concentrated as much as possible
	  in gssapi.c and gssapi.h. The code to call functions defined
	  in these files is conditional on HAVE_GSSAPI, except for the
	  config scan code. Specifying this flag on the compiler commandline
	  is conditional on the --enable-gssapi option to the configure
	  script.

	* Racoon seems to want to send accepted SA proposals back to
	  the initiator in a verbatim fashion, leaving no room to
	  insert the (variable-length) GSS endpoint name attribute.
	  I worked around this by re-assembling the extracted SA
	  into a new SA if the gssapi_krb method is used, and the
	  initiator sent the name attribute. This scheme should
	  possibly be re-examined by the racoon maintainers, storing
	  the SAs (the transformations, to be more precise) in a different
	  fashion to allow for variable-length attributes to be
	  re-inserted would be a good change, but I considered it to be
	  beyond the scope of this project.

	* The various state functions for aggressive and main mode
	  (in isakmp_agg.c and isakmp_ident.c respectively) were
	  changed to conditionally change their behavior if the
	  gssapi_krb method is specified.


This implementation tried to follow the specification in the ietf draft
as close as possible. However, it has not been tested against other
IKE daemon implementations. The only other one I know of is Windows 2000,
and it has some caveats. I attempted to be Windows 2000 compatible.
Should racoon be tried against Windows 2000, the gssapi_id option in
the config file must be used, as Windows 2000 expects the GSS endpoint
name to be sent at all times. I have my doubts as to the W2K compatibility,
because the spec describes the GSS endpoint name sent by W2K as
an unicode string 'xxx@domain', which doesn't seem to match the
required standard for gss-api + kerberos 5 (i.e. I am fairly certain
that such a string will be rejected by the Heimdal gss-api library, as it
is not a valid Kerberos 5 principal).

With the Heimdal gss-api implementation, the gssapi_krb authentication
method will only work in main mode. Aggressive mode does not allow
for the extra round-trips needed by gss_init_sec_context and
gss_accept_sec_context when mutual authentication is requested.
The draft specifies that the a fallback should be done to main mode,
through the return of INVALID-EXCHANGE-TYPE if it turns out that
the gss-api mechanisms needs more roundtrips. This is implemented.
Unfortunately, racoon does not seem to properly fall back to
its next mode, and this is not specific to the gssapi_krb method.
So, to avoid problems, only specify main mode in the config file.


	-- Frank van der Linden <fvdl@wasabisystems.com>
Commit	Line	Data
52b7d2ce A	1	The gss-api authentication mechanism implementation for racoon was
	2	based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt.
	3
	4	The implementation uses the Heimdal gss-api library, i.e. gss-api
	5	on top of Kerberos 5. The Heimdal gss-api library had to be modified
	6	to meet the requirements of using gss-api in a daemon. More specifically,
	7	the gss_acquire_cred() call did not work for other cases than
	8	GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started
	9	as root, and have no Kerberos 5 credentials, so racoon explicitly
	10	needs to acquire its credentials. The usual method (already used
	11	by login authentication daemons) in these situations is to add
	12	a set of special credentials to be used. For example, authentication
	13	by daemons concerned with login credentials, uses 'host/fqdn' as
	14	its credential, where fqdn is the hostname on the interface that
	15	is being used. These special credentials need to be extracted into
	16	a local keytab from the kdc. The default value used in racoon
	17	is 'ike/fqdn', but it can be overridden in the racoon config file.
	18
	19	The modification to the Heimdal gss-api library implements the
	20	mechanism above. If a credential other than GSS_C_NO_CREDENTIAL
	21	is specified to gss_acquire_cred(), it first looks in the default
	22	credential cache if it its principal matches the desired credential.
	23	If not, it extracts it from the default keytab file, and stores
	24	it in a memory-based credential cache, part of the gss credential
	25	structure.
	26
	27
	28
	29	The modifcations to racoon itself are as follows:
	30
	31	* The racoon.conf config file accepts a new keyword, "gssapi_id",
	32	to be used inside a proposal specification. It specifies
	33	a string (a Kerberos 5 principal in this case), specifying the
	34	credential that racoon will try to acquire. The default value
	35	is 'ike/fqdn', where fqdn is the hostname for the interface
	36	being used for the exchange. If the id is not specified, no
	37	GSS endpoint attribute will be specified in the first SA sent.
	38	However, if the initiator does specify a GSS endpoint attribute,
	39	racoon will always respond with its own GSS endpoint name
	40	in the SA (the default one if not specified by this option).
	41
	42	* The racoon.conf file accepts "gssapi_krb" as authentication
	43	method inside a proposal specification. The number used
	44	for this method is 65001, which is a temporary number as
	45	specified in the draft.
	46
	47	* The cftoken.l and cfparse.y source files were modified to
	48	pick up the configuration options. The original sources
	49	stored algorithms in bitmask, which unfortunately meant
	50	that the maximum value was 32, clearly not enough for 65001.
	51	After consulting with the author (sakane@kame.net), it turned
	52	out that method was a leftover, and no longer needed. I replaced
	53	it with plain integers.
	54
	55	* The gss-api specific code was concentrated as much as possible
	56	in gssapi.c and gssapi.h. The code to call functions defined
	57	in these files is conditional on HAVE_GSSAPI, except for the
	58	config scan code. Specifying this flag on the compiler commandline
	59	is conditional on the --enable-gssapi option to the configure
	60	script.
	61
	62	* Racoon seems to want to send accepted SA proposals back to
	63	the initiator in a verbatim fashion, leaving no room to
	64	insert the (variable-length) GSS endpoint name attribute.
65	I worked around this by re-assembling the extracted SA
66	into a new SA if the gssapi_krb method is used, and the
67	initiator sent the name attribute. This scheme should
68	possibly be re-examined by the racoon maintainers, storing
69	the SAs (the transformations, to be more precise) in a different
70	fashion to allow for variable-length attributes to be
71	re-inserted would be a good change, but I considered it to be
72	beyond the scope of this project.
73
74	* The various state functions for aggressive and main mode
75	(in isakmp_agg.c and isakmp_ident.c respectively) were
76	changed to conditionally change their behavior if the
77	gssapi_krb method is specified.
78
79
80	This implementation tried to follow the specification in the ietf draft
81	as close as possible. However, it has not been tested against other
82	IKE daemon implementations. The only other one I know of is Windows 2000,
83	and it has some caveats. I attempted to be Windows 2000 compatible.
84	Should racoon be tried against Windows 2000, the gssapi_id option in
85	the config file must be used, as Windows 2000 expects the GSS endpoint
86	name to be sent at all times. I have my doubts as to the W2K compatibility,
87	because the spec describes the GSS endpoint name sent by W2K as
88	an unicode string 'xxx@domain', which doesn't seem to match the
89	required standard for gss-api + kerberos 5 (i.e. I am fairly certain
90	that such a string will be rejected by the Heimdal gss-api library, as it
91	is not a valid Kerberos 5 principal).
92
93	With the Heimdal gss-api implementation, the gssapi_krb authentication
94	method will only work in main mode. Aggressive mode does not allow
95	for the extra round-trips needed by gss_init_sec_context and
96	gss_accept_sec_context when mutual authentication is requested.
97	The draft specifies that the a fallback should be done to main mode,
98	through the return of INVALID-EXCHANGE-TYPE if it turns out that
99	the gss-api mechanisms needs more roundtrips. This is implemented.
100	Unfortunately, racoon does not seem to properly fall back to
101	its next mode, and this is not specific to the gssapi_krb method.
102	So, to avoid problems, only specify main mode in the config file.
103
104
105	-- Frank van der Linden <fvdl@wasabisystems.com>
106