(mk|rd)_(priv|safe) and NAT

Chris Hecker checker at d6.com
Wed Aug 3 03:11:14 EDT 2011


I'm still in the process of getting my app and server up and running 
with kerberos, so I can't test this yet, but the code for 
mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the 
auth_context, and all the samples show various permutations of this.

I'm doing NAT traversal/punchthrough potentially on both sides of the 
connection, maybe even with a relay server in the middle for really bad 
cases, so there are a lot of potential addresses in play here.  Which 
addresses do I set in a NAT-heavy environment like this?

It looks like the mk versions require a local address set, and the rd 
versions require the remote address set (presumably to the local address 
set when the mk is called?).  I'm going to be sending safe/priv messages 
both directions...

I'm doing full mutual authentication with subkeys in both directions to 
avoid the need for a replay cache, if that matters.

I found a post[*] that said kerberos was moving away from addresses 
since they're not very secure, but the current code seems to require 
them for these functions at least.

Thanks,
Chris

* http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html