(mk|rd)_(priv|safe) and NAT
Greg Hudson
ghudson at MIT.EDU
Wed Aug 3 18:13:11 EDT 2011
On Wed, 2011-08-03 at 17:47 -0400, Chris Hecker wrote:
> Right, but I'm going to force the replay cache off and use subkeys like
> we discussed in the other thread. I assume I can't use the do-sequence
> flag on an unordered/unreliable channel? So, if I want to mk_priv/safe
> on that channel, will I need another auth_context?

Yes, you will need separate auth contexts if you want to use sequence
numbers on some messages but not others.

For the unordered messages, since you are using neither sequence numbers
nor a replay cache, you'll need to address replays at the application
protocol layer.
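
Added example, not part of the original thread or of the krb5 code base: one common way to handle replays at the application layer on an unordered channel is a sliding-window check on a per-message counter. It assumes the sender places a monotonically increasing 64-bit counter inside the payload protected by mk_priv/mk_safe; `replay_state`, `replay_check_and_update` and `REPLAY_WINDOW` are hypothetical names.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed window size: how far behind the newest counter a late
 * message may arrive and still be accepted. */
#define REPLAY_WINDOW 64

/* Receiver-side state for one peer on the unordered channel. */
struct replay_state {
    uint64_t highest;  /* largest counter accepted so far */
    uint64_t seen;     /* bit i set => counter (highest - i) was accepted */
    bool     started;  /* false until the first message is accepted */
};

/*
 * Call only after krb5_rd_priv()/krb5_rd_safe() has verified the message,
 * passing the counter read from inside the protected payload.
 * Returns true if the counter is fresh (and records it), false if the
 * message is a replay or too old to be tracked.
 */
bool replay_check_and_update(struct replay_state *st, uint64_t ctr)
{
    if (!st->started) {
        st->started = true;
        st->highest = ctr;
        st->seen = 1;
        return true;
    }
    if (ctr > st->highest) {
        /* Newer than anything seen: slide the window forward. */
        uint64_t shift = ctr - st->highest;
        st->seen = (shift >= REPLAY_WINDOW) ? 0 : (st->seen << shift);
        st->seen |= 1;
        st->highest = ctr;
        return true;
    }
    uint64_t behind = st->highest - ctr;
    if (behind >= REPLAY_WINDOW)
        return false;              /* fell out of the window: reject */
    uint64_t bit = (uint64_t)1 << behind;
    if (st->seen & bit)
        return false;              /* counter already accepted: replay */
    st->seen |= bit;               /* late but fresh: accept once */
    return true;
}
```

The counter must be read from the verified plaintext, never from an unprotected header, or an attacker could rewrite it to slip a replay past the check.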