Why do krb5kdc and kadmind set up ports for listening differently?
Ken Raeburn
raeburn at MIT.EDU
Wed Feb 20 09:17:07 EST 2008
On Feb 20, 2008, at 04:28, Vipin Rathor wrote:
> On 2/19/08, Ken Raeburn <raeburn at mit.edu> wrote:
>> The UDP service offered by the KDC needs to respond from the same IP
>> address that the client used to reach it. That's not possible with a
>> wildcard-address listener unless your system has support for
>> IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as
>> well. The TCP listener does use a wildcard address.
>>
> Does that mean, if wildcard is used over UDP for KDC, then on a
> multi-IP machine, the same IP will not be returned to the client?
> Whereas TCP with wildcard takes care of returning the same IP, due to
> its reliability feature?
A TCP server has to respond using the same address as the client
contacted it at; it's part of how a TCP connection is specified. UDP
has no such automatic association between the two packets sent by
either side; if the server wants to send the response using the same
server-side address as the client used to contact it, instead of
letting the operating system pick a source address, it has to take
steps to make sure that happens. Binding sockets to individual IP
addresses is one way; using IP_PKTINFO or IPV6_PKTINFO, when
supported, is another. If it does neither of these things, and just
uses a socket bound to the wildcard address, the server can't even
tell which of its addresses the client used.
Ken
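Ken's answer describes the mechanism; the following is an added example (mine, not code from this thread or from MIT Kerberos) of a wildcard-bound UDP responder that reads IP_PKTINFO on receipt to learn which local address the client used, then sets IP_PKTINFO on the reply so the response leaves from that same address. It assumes Linux (IP_PKTINFO; IPv6 would use IPV6_PKTINFO and struct in6_pktinfo), that the caller has already enabled the option with setsockopt(fd, IPPROTO_IP, IP_PKTINFO, ...), and the function names are my own.

```c
#define _GNU_SOURCE   /* IP_PKTINFO and struct in_pktinfo are Linux-specific */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PKTINFO_SPACE CMSG_SPACE(sizeof(struct in_pktinfo))

/* Find the IP_PKTINFO control message in a received msghdr. Returns 1 and
   fills *pi (pi->ipi_addr is the local address the client sent to), else 0. */
int pktinfo_get(struct msghdr *msg, struct in_pktinfo *pi)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(pi, CMSG_DATA(c), sizeof *pi);
            return 1;
        }
    return 0;
}

/* Attach IP_PKTINFO to an outgoing msghdr so the kernel sends from src
   instead of picking a source address itself. cbuf: PKTINFO_SPACE bytes. */
void pktinfo_set_source(struct msghdr *msg, char *cbuf, struct in_addr src)
{
    struct in_pktinfo pi = {0};
    pi.ipi_spec_dst = src;            /* source address for this datagram */
    memset(cbuf, 0, PKTINFO_SPACE);
    msg->msg_control = cbuf; msg->msg_controllen = PKTINFO_SPACE;
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
}

/* Serve one request on a wildcard-bound UDP socket that had IP_PKTINFO enabled
   via setsockopt(): echo the datagram back from the address the client used. */
ssize_t echo_from_arrival_addr(int fd)
{
    char buf[1500], cbuf[PKTINFO_SPACE];
    struct sockaddr_in peer; struct in_pktinfo pi;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0 || !pktinfo_get(&msg, &pi)) return -1;  /* can't tell which address was used */
    iov.iov_len = (size_t)n;
    pktinfo_set_source(&msg, cbuf, pi.ipi_addr);
    return sendmsg(fd, &msg, 0);
}
```

Without the IP_PKTINFO control message the function refuses to answer rather than let the kernel choose a source address, which is exactly the failure a wildcard-only UDP listener would silently hit on a multi-homed host.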