Why do krb5kdc and kadmind set up ports for listening differently?

Ken Raeburn raeburn at MIT.EDU
Wed Feb 20 09:17:07 EST 2008


On Feb 20, 2008, at 04:28, Vipin Rathor wrote:
> On 2/19/08, Ken Raeburn <raeburn at mit.edu> wrote:
>> The UDP service offered by the KDC needs to respond from the same IP
>> address that the client used to reach it.  That's not possible with a
>> wildcard-address listener unless your system has support for
>> IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as
>> well.  The TCP listener does use a wildcard address.
>>
> Does that mean, if wildcard is used over UDP for KDC, then on a
> multi-IP machine, same IP will not be returned to the client?
> Whereas TCP with wildcard, takes care of returning same IP, due to
> its reliability feature?

A TCP server has to respond using the same address as the client
contacted it at; it's part of how a TCP connection is specified.  UDP
has no such automatic association between the two packets sent by
either side; if the server wants to send the response using the same
server-side address as the client used to contact it, instead of
letting the operating system pick a source address, it has to take
steps to make sure that happens.  Binding sockets to individual IP
addresses is one way; using IP_PKTINFO or IPV6_PKTINFO, when
supported, is another.  If it does neither of these things, and just
uses a socket bound to the wildcard address, the server can't even
tell which of its addresses the client used.

Ken
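
The IP_PKTINFO mechanism Ken describes, as an added illustration that is not code from the thread or from MIT krb5: a UDP server bound to the wildcard address enables IP_PKTINFO, reads the destination address of each request from recvmsg() ancillary data, and then forces that same address as the source of its reply through an IP_PKTINFO control message on sendmsg(). The loopback self-test, the "AS-REQ" placeholder payload and the function names (open_wildcard_udp, recv_with_dst, send_from, loopback_demo) are assumptions made for this example; the code is Linux-specific (glibc's struct in_pktinfo), and the IPv6 analogue uses IPV6_PKTINFO with struct in6_pktinfo at level IPPROTO_IPV6.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <unistd.h>

/* Bound a blocking recv so a failed exchange cannot hang the demo. */
static int set_rcv_timeout(int fd) {
    struct timeval tv = { 2, 0 };
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* Wildcard-bound UDP socket on an ephemeral port with IP_PKTINFO enabled,
   so recvmsg() reports which local address each datagram was sent to. */
int open_wildcard_udp(uint16_t *port_out) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    struct sockaddr_in sin; memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);   /* the wildcard address */
    socklen_t len = sizeof sin;
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0 ||
        set_rcv_timeout(fd) < 0) { close(fd); return -1; }
    *port_out = ntohs(sin.sin_port);
    return fd;
}

/* Receive one datagram; report the peer and, from the IP_PKTINFO control
   message, the local destination address the client actually used. */
ssize_t recv_with_dst(int fd, void *buf, size_t buflen,
                      struct sockaddr_in *peer, struct in_addr *dst) {
    struct iovec iov = { buf, buflen };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_name = peer;      msg.msg_namelen = sizeof *peer;
    msg.msg_iov = &iov;       msg.msg_iovlen = 1;
    msg.msg_control = cbuf;   msg.msg_controllen = sizeof cbuf;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    dst->s_addr = htonl(INADDR_ANY);          /* "unknown" unless reported */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi; memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;               /* header destination address */
        }
    }
    return n;
}

/* Reply to peer, forcing the source address instead of letting the kernel
   pick one: ipi_spec_dst in an IP_PKTINFO control message does that. */
ssize_t send_from(int fd, const void *buf, size_t len,
                  const struct sockaddr_in *peer, struct in_addr src) {
    struct iovec iov = { (void *)buf, len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))]; memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_name = (void *)peer; msg.msg_namelen = sizeof *peer;
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = cbuf;      msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo pi; memset(&pi, 0, sizeof pi);
    pi.ipi_spec_dst = src;                    /* ifindex 0: let routing decide */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Loopback exchange: client -> 127.0.0.1:port, server echoes from the
   address the client used, client checks the reply's source. 1 = success. */
int loopback_demo(void) {
    uint16_t port; int ok = 0;
    int srv = open_wildcard_udp(&port);
    if (srv < 0) return 0;
    int cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (cli < 0 || set_rcv_timeout(cli) < 0) { close(srv); return 0; }
    struct sockaddr_in to; memset(&to, 0, sizeof to);
    to.sin_family = AF_INET; to.sin_port = htons(port);
    inet_pton(AF_INET, "127.0.0.1", &to.sin_addr);
    const char req[] = "AS-REQ placeholder (constructed)";   /* not real Kerberos */
    char buf[64]; struct sockaddr_in peer, from; struct in_addr dst;
    socklen_t fl = sizeof from;
    if (sendto(cli, req, sizeof req, 0, (struct sockaddr *)&to, sizeof to) == (ssize_t)sizeof req) {
        ssize_t n = recv_with_dst(srv, buf, sizeof buf, &peer, &dst);
        if (n > 0 && dst.s_addr == to.sin_addr.s_addr &&
            send_from(srv, buf, (size_t)n, &peer, dst) == n) {
            ssize_t m = recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
            if (m == n && from.sin_addr.s_addr == to.sin_addr.s_addr &&
                from.sin_port == htons(port)) ok = 1;
        }
    }
    close(cli); close(srv);
    return ok;
}

int main(void) {
    puts(loopback_demo() ? "reply came from the address the client used" : "demo failed");
    return 0;
}
```

On a multi-homed host the check in loopback_demo() is where the wildcard-only server would fail: without IP_PKTINFO, dst stays INADDR_ANY (the server cannot tell which address was used) and a plain sendto() would let the kernel choose a source address by route, which a client that compares source and destination addresses would reject.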



More information about the Kerberos mailing list