IPv6 support in MIT Kerberos
Ken Raeburn
raeburn at MIT.EDU
Fri Dec 27 18:24:50 EST 2002

erik at aarg.net (Erik Arneson) writes:
> I've begun playing around with IPv6. However, I use Kerberos for
> authentication, and am wondering what kind of IPv6 support exists
> currently in MIT Kerberos, and what is still left to be done?

In the development sources that will become the 1.3 release, I think
we're doing pretty good.

The krb5 library supports IPv6, as does the KDC. (However, in doing
the porting work, I've found quite a number of problems with various
implementations of getaddrinfo(); the main one not yet worked around
is that the GNU libc version used in the Red Hat release we're using
on campus can drop some IPv4 addresses under certain conditions.)

Thus kinit should automatically work over IPv6. Telnet and rlogin
should handle it as well.

The RPC code doesn't support IPv6, and won't; we're hoping to entirely
replace it soon. So for now, kadmin will not use IPv6 to talk to the
master KDC. We don't recommend anyone use the current gssrpc code in
their own applications -- in fact, we strongly recommend against it.

The ftp code doesn't support IPv6 at present, and I don't plan to work
on that any time soon. Note that there are protocol extensions for
transferring non-IPv4 addresses to establish data connections; it's
not just a matter of changing gethostbyname to getaddrinfo.

The krb4 library does not support IPv6 for communication with the KDC.
It wouldn't make a lot of sense, since the krb4 protocol incorporates
4-octet addresses. (We do have an option for disabling address
checks, and we *could* add IPv6 support that would work if you disable
address checks on the KDC and application servers, but we didn't think
it was worth our time.) There is a little bit of IPv6-related code in
the krb4 library, but mostly just for noticing if instead of a
sockaddr_in pointer it's given a sockaddr pointer that points to an
IPv4-mapped IPv6 address, for example in an application server that
supports both krb5 and krb4, and both IP protocols.

I think that's everything, off the top of my head....

Ken
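
Added example, not part of the original message and not MIT Kerberos source: a sketch of the check the krb4 paragraph describes, where code that can only carry 4-octet addresses is handed a generic sockaddr that may hold an IPv4-mapped IPv6 address. The function names and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper, not krb4 library code: reduce a generic sockaddr to
 * the 4 octets krb4 can carry. Returns 0 on success, -1 if no IPv4 form. */
int sockaddr_to_v4_octets(const struct sockaddr *sa, socklen_t len,
                          unsigned char out[4])
{
    if (sa == NULL || len < (socklen_t)sizeof(struct sockaddr_in)) return -1;
    if (sa->sa_family == AF_INET) {
        memcpy(out, &((const struct sockaddr_in *)sa)->sin_addr, 4);
        return 0;
    }
    if (sa->sa_family == AF_INET6 && len >= (socklen_t)sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
        /* ::ffff:a.b.c.d is 80 zero bits, 16 one bits, then the IPv4 address */
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
            memcpy(out, &sin6->sin6_addr.s6_addr[12], 4);
            return 0;
        }
    }
    return -1; /* native IPv6 or unknown family: never truncate to 4 octets */
}

/* Constructed driver: build the sockaddr a dual-stack server would see for a peer. */
int v4_octets_from_text(const char *text, unsigned char out[4])
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    if (inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)&ss)->sin6_addr) == 1) {
        ss.ss_family = AF_INET6;
        return sockaddr_to_v4_octets((struct sockaddr *)&ss, sizeof(struct sockaddr_in6), out);
    }
    if (inet_pton(AF_INET, text, &((struct sockaddr_in *)&ss)->sin_addr) == 1) {
        ss.ss_family = AF_INET;
        return sockaddr_to_v4_octets((struct sockaddr *)&ss, sizeof(struct sockaddr_in), out);
    }
    return -1;
}

int main(void)
{
    unsigned char o[4];
    if (v4_octets_from_text("::ffff:192.0.2.10", o) == 0) /* constructed input */
        printf("%u.%u.%u.%u\n", o[0], o[1], o[2], o[3]);
    return 0;
}
```

A native IPv6 peer such as 2001:db8::1 is rejected rather than truncated, so an address check built on the 4-octet value cannot be satisfied by an unrelated IPv6 address.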