(mk|rd)_(priv|safe) and NAT

Jeffrey Altman jaltman at secure-endpoints.com
Wed Aug 3 06:05:06 EDT 2011


Is there a reason you are using mk|rd_priv|safe instead of gss?

On 8/3/2011 3:47 AM, Chris Hecker wrote:
> 
> It almost looks like I can just set 1.2.3.4:5 for the address of any 
> host behind a NAT, since at that point the code doesn't actually talk to 
> the internet.  Is there a security implication for doing that, given 
> that tickets have already moved away from containing addresses?
> 
> Thanks,
> Chris
> 
> 
> On 2011/08/03 00:11, Chris Hecker wrote:
>>
>> I'm still in the process of getting my app and server up and running
>> with kerberos, so I can't test this yet, but the code for
>> mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the
>> auth_context, and all the samples show various permutations of this.
>>
>> I'm doing NAT traversal/punchthrough potentially on both sides of the
>> connection, maybe even with a relay server in the middle for really bad
>> cases, so there are a lot of potential addresses in play here. Which
>> addresses do I set in a NAT-heavy environment like this?
>>
>> It looks like the mk versions require a local address set, and the rd
>> versions require the remote address set (presumably to the local address
>> set when the mk is called?). I'm going to be sending safe/priv messages
>> both directions...
>>
>> I'm doing full mutual authentication with subkeys in both directions to
>> avoid the need for a replay cache, if that matters.
>>
>> I found a post[*] that said kerberos was moving away from addresses
>> since they're not very secure, but the current code seems to require
>> them for these functions at least.
>>
>> Thanks,
>> Chris
>>
>> * http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html
>>
>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
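The question in the quoted message is what the address fields on the auth_context actually buy you once both peers agree on a placeholder such as 1.2.3.4:5. The following C program is an added illustration, not MIT krb5 library code: it models only the address binding described above (mk requires a local address and embeds it as the sender address; rd requires a remote address and rejects a message whose embedded sender address differs). The type and function names (model_addr, model_mk_priv, model_rd_priv, model_exchange) and the return codes are hypothetical, and the addresses are constructed sample values. Encryption, sequence numbers and timestamps are deliberately left out, since the point is what the address check alone does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the KRB-PRIV/KRB-SAFE address binding (added
 * example, not MIT krb5 code). IPv4 host address plus port. */
typedef struct {
    uint32_t ip;
    uint16_t port;
} model_addr;

/* Stand-in for the address part of an auth_context. */
typedef struct {
    int has_local, has_remote;
    model_addr local, remote;
} model_auth_context;

/* Stand-in for the encrypted part of a KRB-PRIV message: the sender
 * address travels inside the protected payload. */
typedef struct {
    model_addr s_address;
    char payload[64];
} model_priv_msg;

enum {
    MODEL_OK = 0,
    MODEL_LOCAL_ADDR_REQUIRED,   /* mk side: no local address set */
    MODEL_REMOTE_ADDR_REQUIRED,  /* rd side: no remote address set */
    MODEL_BADADDR                /* rd side: embedded sender != expected remote */
};

/* mk: refuse without a local address, then bind the message to it. */
int model_mk_priv(const model_auth_context *ac, const char *data, model_priv_msg *out)
{
    if (!ac->has_local)
        return MODEL_LOCAL_ADDR_REQUIRED;
    out->s_address = ac->local;
    snprintf(out->payload, sizeof out->payload, "%s", data);
    return MODEL_OK;
}

/* rd: refuse without a remote address, then compare it with the sender
 * address the peer embedded. Through a NAT the peer's own view of its
 * address usually differs from what the receiver sees, so this fails. */
int model_rd_priv(const model_auth_context *ac, const model_priv_msg *msg,
                  char *out, size_t outlen)
{
    if (!ac->has_remote)
        return MODEL_REMOTE_ADDR_REQUIRED;
    if (ac->remote.ip != msg->s_address.ip || ac->remote.port != msg->s_address.port)
        return MODEL_BADADDR;
    snprintf(out, outlen, "%s", msg->payload);
    return MODEL_OK;
}

/* One mk -> rd round trip: the sender sets local=sender_local, the
 * receiver sets remote=receiver_remote. Returns the rd result. */
int model_exchange(model_addr sender_local, model_addr receiver_remote)
{
    model_auth_context sender   = { 1, 0, sender_local, { 0, 0 } };
    model_auth_context receiver = { 0, 1, { 0, 0 }, receiver_remote };
    model_priv_msg m;
    char buf[64];
    int rc = model_mk_priv(&sender, "hello", &m);
    if (rc != MODEL_OK)
        return rc;
    return model_rd_priv(&receiver, &m, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample addresses. 1.2.3.4:5 is the placeholder from the
     * thread; 10.0.0.2 is a private address behind a NAT and 203.0.113.7 a
     * documentation-range address standing in for the NAT's public side. */
    model_addr dummy   = { 0x01020304u, 5 };
    model_addr inside  = { 0x0A000002u, 4000 };
    model_addr outside = { 0xCB00710Fu, 40001 };

    printf("same placeholder both sides : %d (0 = accepted)\n",
           model_exchange(dummy, dummy));
    printf("real addresses through a NAT: %d (3 = rejected as BADADDR)\n",
           model_exchange(inside, outside));
    return 0;
}
```

The two runs make the trade-off visible: with the same placeholder on both ends the comparison always succeeds, so the address field no longer ties a message to a network endpoint and contributes nothing to the security of the exchange, whereas with genuine addresses the check rejects legitimate traffic whenever a NAT rewrites the source. In either case the confidentiality and integrity of the message body rest on the session subkey and the encryption, not on the address binding, which is why the address fields were being deprecated in the first place.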
