(mk|rd)_(priv|safe) and NAT

Chris Hecker checker at d6.com
Wed Aug 3 17:47:48 EDT 2011


> By default, an auth context will use a replay cache to prevent
> replays (this is controlled by the do-time flag).

Right, but I'm going to force the replay cache off and use subkeys like 
we discussed in the other thread.  I assume I can't use the do-sequence 
flag on an unordered/unreliable channel?  So, if I want to mk_priv/safe 
on that channel, will I need another auth_context?

Not sure if that makes sense?  If not, I can try to explain it better.

Chris



On 2011/08/03 14:39, Greg Hudson wrote:
> On Wed, 2011-08-03 at 16:56 -0400, Chris Hecker wrote:
>> This brings up the question of what to do in unordered/unreliable
>> situations?  I have a UDP stream between clients that's a mix of
>> ordered/reliable "pseudo-tcp" messages and unordered/unreliable
>> messages.  My original plan was to use the pseudo-tcp messages to
>> negotiate the u2u auth_contexts, but I also want to be able to
>> mk_safe/mk_priv on the unreliable messages.  Do I need two auth_contexts
>> in that case, one without do-sequence set?
>
> By default, an auth context will use a replay cache to prevent replays
> (this is controlled by the do-time flag).

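The question in the thread is whether a strict in-order sequence check can be used on an unordered/unreliable channel. The following is an added illustration, not code from the thread or from MIT krb5: a constructed Python model that contrasts a strict next-expected-number check (which I assume is what the do-sequence flag enforces in rd_safe/rd_priv; the page does not state this) with a sliding anti-replay window that tolerates reordering and loss but still rejects replays. All class and function names here are mine, and the arrival order is constructed.

```python
"""Constructed model of replay detection on an unordered, lossy channel.

Not Kerberos library code: it only models the two checks being compared.
"""


class StrictSequence:
    """Accept only the exact next sequence number.

    Assumed to model do-sequence behaviour: any reordered, lost or replayed
    message fails the check (the BADORDER case), and once a message is
    dropped by the network every later message fails too.
    """

    def __init__(self, initial: int = 0):
        self.expected = initial

    def accept(self, seq: int) -> bool:
        if seq != self.expected:
            return False
        self.expected += 1
        return True


class SlidingWindow:
    """IPsec-style anti-replay window for unordered delivery.

    Accept any sequence number not yet seen that lies within `window` of the
    highest number accepted so far; reject duplicates (replays) and numbers
    that have fallen out of the window (too old to track).
    """

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = -1
        self.seen: set[int] = set()  # accepted numbers still inside the window

    def accept(self, seq: int) -> bool:
        if seq > self.highest:
            # New high-water mark: slide the window forward and forget
            # everything that is now older than the window.
            self.highest = seq
            self.seen.add(seq)
            self.seen = {s for s in self.seen if s > self.highest - self.window}
            return True
        if seq <= self.highest - self.window:
            return False  # older than the window: cannot tell replay from late
        if seq in self.seen:
            return False  # already accepted once: this is a replay
        self.seen.add(seq)  # late but legitimate out-of-order arrival
        return True


def deliver(checker, arrivals):
    """Feed a constructed arrival order to a checker; return (seq, accepted) pairs."""
    return [(s, checker.accept(s)) for s in arrivals]


# Constructed arrival order on the unreliable channel:
# 2 and 3 swapped, 2 replayed after 4, 5 and 6 swapped.
ARRIVALS = [0, 1, 3, 2, 4, 2, 6, 5]


if __name__ == "__main__":
    # Strict check: the first swap desynchronises it and every later
    # message is rejected, legitimate or not.
    print("strict:", deliver(StrictSequence(0), ARRIVALS))
    # Window: all legitimate messages pass; only the replayed 2 is rejected.
    print("window:", deliver(SlidingWindow(), ARRIVALS))
```

On an ordered, reliable channel (the pseudo-tcp messages in the thread) the strict checker accepts everything, which is why the two kinds of traffic need different replay-handling state rather than one shared expectation of the next sequence number.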

