Re: Looking for a "Kerberos Router"?

<mailman.46.1710341602.2322.kerberos@mit.edu>

From: yoann.g...@gmail.com (Yoann Gini)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 15:53:09 +0100
Cc: kerberos@mit.edu
To: Marco Rebhan <me@dblsaiko.net>
 by: Yoann Gini - Wed, 13 Mar 2024 14:53 UTC

> On 13 March 2024 at 15:44, Marco Rebhan <me@dblsaiko.net> wrote:
>
>> On 13. Mar 2024, at 12:48, Yoann Gini <yoann.gini@gmail.com> wrote:
>>
>> Which allows us to have end-to-end TLS communication between our customers and their tenant. Which is mandatory for our mTLS. But without consuming one public IP per tenant to keep cost under control.
>>
>> Here with Kerberos, I'm wondering how we can achieve something equivalent, using a shared IP for multiple Kerberos realms and having the incoming requests routed to the appropriate backend by some kind of inspection.
>
> Set it up with a publicly routable IPv6 network, with one IP per tenant. You’re not going to run out of a /64 anytime soon, so the cost should stay constant.

That's an option not reachable so far.

I don't know about your country, but in France and the EU, from what I see so far, we are really, really late on IPv6.

OVH in France does not offer IPv6 on Kubernetes clusters, and most home routers do not have it enabled.

It would have been my first choice indeed. When we started this project a year ago we for sure decided to be dual stack, but we couldn't afford the limitation set by others on the lack of spread of IPv6.
