
devel / comp.protocols.kerberos / Re: Looking for a "Kerberos Router"?

Looking for a "Kerberos Router"?


https://www.novabbs.com/devel/article-flat.php?id=492&group=comp.protocols.kerberos#492

Newsgroups: comp.protocols.kerberos
From: yoann.g...@gmail.com (Yoann Gini)
Newsgroups: comp.protocols.kerberos
Subject: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 12:48:10 +0100
Organization: TNet Consulting
Lines: 20
Message-ID: <mailman.41.1710330506.2322.kerberos@mit.edu>
References: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 8bit
To: kerberos@mit.edu
X-Mailman-Original-Message-ID: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
 by: Yoann Gini - Wed, 13 Mar 2024 11:48 UTC

Hello,

I'm looking for a way to "route" Kerberos requests coming in to a single IP to different backends depending on the requested realms.

The issue I'm trying to solve is related to the scalability of automated deployment for new Kerberos realms on a cloud infrastructure.

My company is an IDP startup where we currently rely on mTLS and WebAuthn only (no password support at all), and we would also like to support Kerberos with PKINIT.

However, as a SaaS company, we need to think about scalability and integration in our deployment pattern. Currently our production clusters use TLS SNI to evaluate incoming communication and to route it to the appropriate tenant.

This allows us to have end-to-end TLS communication between our customers and their tenant, which is mandatory for our mTLS, without consuming one public IP per tenant, to keep costs under control.

Here with Kerberos, I'm wondering how we can achieve something equivalent, using a shared IP for multiple Kerberos realms and having the incoming requests routed to the appropriate backend by some kind of inspection.

The current solutions we have seen require writing a custom decoder for existing ingress solutions. But before going that way, I prefer to ask if another solution exists.

Is there a way to deploy some kind of proxy/router in between clients on a public network and the different KDCs inside our different Kubernetes namespaces?

Best regards
Yoann Gini
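The "inspection" the post asks about has a natural analogue to TLS SNI: every AS-REQ and TGS-REQ carries the requested realm in cleartext in its KDC-REQ-BODY (RFC 4120 section 5.4.1), so a router only has to parse that one field. The following Python is an added example written for this page, not code from the thread or from any existing ingress project: it builds a constructed AS-REQ with a tiny DER encoder, wraps it in the TCP length framing, and on the router side walks the DER strictly enough to pull out the realm and pick a backend. The realm names, backend addresses and the request contents are all constructed placeholders.

```python
"""Route Kerberos KDC-REQ messages to a backend by realm (added example, not from the thread).
The realm of an AS-REQ/TGS-REQ sits in KDC-REQ-BODY at context tag [2] as a KerberosString
(DER GeneralString), RFC 4120 section 5.4.1. All sample data below is constructed."""
import struct

# --- minimal DER encoder, used only to build the constructed sample AS-REQ ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _ctx(n, body):   # context-specific [n], constructed
    return _tlv(0xA0 | n, body)
def _int(v):         # non-negative INTEGER
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def _gstr(s):        # KerberosString = GeneralString
    return _tlv(0x1B, s.encode("ascii"))
def _principal(name_type, components):
    names = _tlv(0x30, b"".join(_gstr(c) for c in components))
    return _tlv(0x30, _ctx(0, _int(name_type)) + _ctx(1, names))

def build_as_req(client, realm, nonce=42):
    """Constructed AS-REQ for client@realm asking for a TGT (no padata)."""
    body = _tlv(0x30,
        _ctx(0, _tlv(0x03, b"\x00\x40\x81\x00\x10"))   # kdc-options (BIT STRING)
        + _ctx(1, _principal(1, [client]))             # cname, NT-PRINCIPAL
        + _ctx(2, _gstr(realm))                        # realm: the field the router keys on
        + _ctx(3, _principal(2, ["krbtgt", realm]))    # sname, NT-SRV-INST
        + _ctx(5, _tlv(0x18, b"20370913024805Z"))      # till (GeneralizedTime)
        + _ctx(7, _int(nonce))
        + _ctx(8, _tlv(0x30, _int(18) + _int(17))))    # etype list
    req = _tlv(0x30, _ctx(1, _int(5)) + _ctx(2, _int(10)) + _ctx(4, body))  # pvno 5, AS-REQ
    return _tlv(0x6A, req)                             # [APPLICATION 10]

def frame_tcp(msg):
    """Kerberos over TCP: 4-byte big-endian length, high bit reserved (RFC 4120 7.2.2)."""
    return struct.pack(">I", len(msg)) + msg

# --- router side: a strict DER walker that reads only the fields it needs ---
def _read_tlv(buf, pos=0):
    if pos + 2 > len(buf):
        raise ValueError("missing or truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in KDC-REQ")
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past buffer")
    return tag, buf[pos:pos + length], pos + length

def _fields(buf):
    """Children of a constructed element keyed by tag (first occurrence wins)."""
    out, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.setdefault(tag, val)
    return out

def kdc_req_realm(msg):
    """Realm of an AS-REQ or TGS-REQ; ValueError for anything that is not one."""
    tag, req, _ = _read_tlv(msg)
    if tag not in (0x6A, 0x6C):      # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
        raise ValueError(f"not a KDC-REQ (outer tag 0x{tag:02x})")
    tag, seq, _ = _read_tlv(req)
    if tag != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    fields = _fields(seq)
    if _read_tlv(fields.get(0xA1, b""))[1] != b"\x05":  # pvno [1] must be 5
        raise ValueError("unsupported pvno")
    body = _fields(_read_tlv(fields.get(0xA4, b""))[1])  # req-body [4]
    rtag, realm, _ = _read_tlv(body.get(0xA2, b""))      # realm [2]
    if rtag != 0x1B:
        raise ValueError("realm is not a GeneralString")
    return realm.decode("ascii")

def route_tcp_frame(frame, backends):
    """Backend for one TCP frame; realm names are case-sensitive, so the match is exact."""
    if len(frame) < 4:
        raise ValueError("short frame")
    (length,) = struct.unpack(">I", frame[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    if len(frame) < 4 + length:
        raise ValueError("incomplete frame")
    realm = kdc_req_realm(frame[4:4 + length])
    if realm not in backends:
        raise LookupError(f"no backend for realm {realm!r}")
    return realm, backends[realm]

# Constructed routing table: one KDC service per tenant namespace (placeholder names).
BACKENDS = {
    "TENANT-A.EXAMPLE": "kdc.tenant-a.svc.cluster.local:88",
    "TENANT-B.EXAMPLE": "kdc.tenant-b.svc.cluster.local:88",
}
```

For UDP the datagram is the bare KDC-REQ, so `kdc_req_realm(datagram)` is the whole decision; on TCP the router must first buffer the 4-byte length prefix and the full message before parsing. Anything that is not a well-formed KDC-REQ for a known realm is rejected rather than forwarded to a default backend, which keeps one tenant's KDC from ever seeing another tenant's traffic, and the PKINIT padata the post mentions lives in KDC-REQ at tag [3], which the walker skips without needing to understand it.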

Re: Looking for a "Kerberos Router"?


https://www.novabbs.com/devel/article-flat.php?id=493&group=comp.protocols.kerberos#493

Newsgroups: comp.protocols.kerberos
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 08:44:01 -0500
Organization: TNet Consulting
Message-ID: <ussaj1$vf5$1@tncsrv09.home.tnetconsulting.net>
References: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
<mailman.41.1710330506.2322.kerberos@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 13 Mar 2024 13:44:01 -0000 (UTC)
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <mailman.41.1710330506.2322.kerberos@mit.edu>
 by: Grant Taylor - Wed, 13 Mar 2024 13:44 UTC

On 3/13/24 06:48, Yoann Gini wrote:
> I'm looking for a way to "route" Kerberos requests incoming to a single
> IP to different backend depending on the requested realms.

I don't have a direct answer to your question.

But I thought that you could host multiple Kerberos realm databases on
the same server and that the client + server would mostly transparently
work with this.

With this in mind I would wonder if it's possible to have a (set of)
front end systems replicate from multiple back end systems as a common
point of access.

I could easily be wrong.

NeedMoreCOFFEE

--
Grant. . . .
