non-KDC replay cache problems?

Tom Yu tlyu at MIT.EDU
Mon Dec 22 13:11:50 EST 2008


I am attempting to determine if there is a significant need to improve
the false positive performance of the replay cache.  A symptom of this
behavior is the error message "Request is a replay" when there is
apparently no replay.  My impression is that many of the replay cache
false-positive problems reported to date have been due to the KDC
replay cache.

Has anyone experienced problems due to false positive conditions on an
application replay cache?  This is in contrast to a false positive
indication on the KDC replay cache, which can cause error conditions
in situations such as when mod_auth_krb obtains a ticket from the KDC
using a user-submitted password.

In the case where false positives in application replay caches present
a significant issue, the following project proposal describes one
approach we can use to solve the problem:

http://k5wiki.kerberos.org/wiki/Projects/replay_cache_collision_avoidance

If it turns out that almost all of the problems are due to the KDC
replay cache, we can consider turning off the KDC replay cache, as we
believe that doing so poses negligible security consequences, and is
substantially easier.

-- 
Tom Yu
Development Manager
MIT Kerberos Consortium
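As an added illustration, not part of the original post and not MIT's rcache code: a simplified model of how a replay cache keyed only on client, server and timestamp can produce the "Request is a replay" false positive the message describes, and how including a hash of the authenticator in the record avoids it. All principal names, timestamps and authenticator bodies below are constructed, and the record layout is an assumption made for the example.

```python
import hashlib
from collections import namedtuple

# Constructed model of an AP-REQ authenticator; not krb5's real structure.
Authenticator = namedtuple("Authenticator", "client server ctime cusec body")


class ReplayCache:
    """Simplified application replay cache (illustration only).

    With hash_authenticator=False the record is keyed on
    (client, server, ctime, cusec); two distinct authenticators that
    happen to share that tuple collide and the second is rejected
    even though it is not a replay.  With hash_authenticator=True a
    digest of the authenticator bytes is part of the key, so only a
    genuinely identical authenticator is treated as a replay.
    """

    def __init__(self, hash_authenticator):
        self.hash_authenticator = hash_authenticator
        self.seen = set()

    def _key(self, auth):
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if self.hash_authenticator:
            key += (hashlib.sha256(auth.body).hexdigest(),)
        return key

    def check_and_store(self, auth):
        """Return True if the request is accepted, False if rejected as a replay."""
        key = self._key(auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def simulate(hash_authenticator):
    """Feed three requests through a fresh cache and return the verdicts.

    a1 and a2 are distinct authenticators from the same client to the
    same service that share a timestamp (e.g. two concurrent requests
    in the same microsecond); the third request is a true replay of a1.
    """
    a1 = Authenticator(
        client="alice@EXAMPLE.COM",
        server="HTTP/www.example.com@EXAMPLE.COM",
        ctime=1229969510,          # constructed timestamp
        cusec=123456,
        body=b"constructed-authenticator-bytes-1",
    )
    a2 = a1._replace(body=b"constructed-authenticator-bytes-2")
    cache = ReplayCache(hash_authenticator)
    return [cache.check_and_store(a1),
            cache.check_and_store(a2),
            cache.check_and_store(a1)]


if __name__ == "__main__":
    # Coarse key: second request is a false positive, third is a real replay.
    print("timestamp-only key :", simulate(False))
    # Hashed key: both distinct requests accepted, only the true replay rejected.
    print("hash-extended key  :", simulate(True))
```

Running the script shows the coarse key rejecting the second, legitimate request while the hash-extended key rejects only the genuine replay. In practice the collision window is narrow, which is why the problem tends to surface on busy services or on the KDC rather than on a lightly loaded application server.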