(mk|rd)_(priv|safe) and NAT

Greg Hudson ghudson at MIT.EDU
Wed Aug 3 18:13:11 EDT 2011


On Wed, 2011-08-03 at 17:47 -0400, Chris Hecker wrote:
> Right, but I'm going to force the replay cache off and use subkeys like 
> we discussed in the other thread.  I assume I can't use the do-sequence 
> flag on an unordered/unreliable channel?  So, if I want to mk_priv/safe 
> on that channel, will I need another auth_context?

Yes, you will need separate auth contexts if you want to use sequence
numbers on some messages but not others.

For the unordered messages, since you are using neither sequence numbers
nor a replay cache, you'll need to address replays at the application
protocol layer.
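
An added example, not part of the original message or of libkrb5: one way to reject replays at the application layer on the unordered channel is a sliding window over a sender counter, the approach IPsec and DTLS use. It assumes the application places a 64-bit counter starting at 1 inside the payload protected by mk_priv/mk_safe; the names `replay_window` and `replay_check_and_update` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical application-layer replay window (not part of libkrb5).
 * Assumes the sender puts a 64-bit counter, starting at 1, inside the
 * payload that krb5_mk_priv/krb5_mk_safe protects, so it cannot be altered. */
#define WINDOW_BITS 64

struct replay_window {
    uint64_t highest;   /* highest counter accepted so far (0 = none yet) */
    uint64_t bitmap;    /* bit i set => counter (highest - i) already seen */
};

/* Returns 1 if the message is fresh and records it; 0 if it is a replay,
 * too old to judge, or uses the reserved counter value 0. */
int replay_check_and_update(struct replay_window *w, uint64_t ctr)
{
    if (ctr == 0)
        return 0;
    if (ctr > w->highest) {
        uint64_t shift = ctr - w->highest;
        /* Slide the window forward; a shift >= 64 is undefined in C. */
        w->bitmap = (shift >= WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;              /* bit 0 marks the new highest */
        w->highest = ctr;
        return 1;
    }
    uint64_t offset = w->highest - ctr;
    if (offset >= WINDOW_BITS)
        return 0;                    /* older than the window: reject */
    if (w->bitmap & ((uint64_t)1 << offset))
        return 0;                    /* already seen: replay */
    w->bitmap |= (uint64_t)1 << offset;  /* late but new: accept */
    return 1;
}

int main(void)
{
    /* Constructed arrival order on an unordered channel. */
    const uint64_t arrivals[] = { 1, 3, 2, 3, 70, 5, 69, 70 };
    struct replay_window w = { 0, 0 };
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        printf("ctr=%llu -> %s\n", (unsigned long long)arrivals[i],
               replay_check_and_update(&w, arrivals[i]) ? "accept" : "reject");
    return 0;
}
```

Call the check only after the message has been successfully verified or decrypted, and keep one window per sender and per key, so that a forged counter cannot advance the window.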




