KDC UDP behavior change on multihomed hosts on older OSes
Tom Yu
tlyu at mit.edu
Mon Feb 1 15:06:07 EST 2016
Hi,
This message probably only concerns you if you are running a multihomed
KDC on an operating system that lacks support for IP_PKTINFO or
IPV6_PKTINFO. We are working on a set of changes to the network code of
the KDC and kadmind that could cause a behavior change for such systems:
UDP packets sent from the KDC (or the kpasswd service of kadmind) could
have an incorrect source address, causing clients to ignore such
packets.
We believe that the affected systems are mostly older or less common
operating systems. See
http://k5wiki.kerberos.org/wiki/Portability_research
and below for some details. The proposed changes are in a GitHub pull
request at
https://github.com/krb5/krb5/pull/380
and will add the feature of being able to bind to specified listening
addresses instead of the wildcard address. This new feature should
almost completely mitigate the consequences of the behavior change on
the affected OSes, at the cost of adding some minor configuration
settings.
Please let us know if you have questions or concerns about these
proposed changes. If possible, please provide your OS and network
configuration details when providing feedback. Thanks.
-Tom
Details:
One complication of running a UDP server such as the KDC or the kpasswd
service (of kadmind) on a multihomed host is ensuring that reply packets
have the correct source address. On some operating systems, in some
configurations, sending a UDP packet from a wildcard socket will not
reliably use the correct source address. An incorrect source address
will typically cause the receiving client to discard the packet.
On systems that have IP_PKTINFO or IPV6_PKTINFO, it is possible for a
server to determine the destination address of a UDP packet that it
receives, and to set it when transmitting a reply. On systems that lack
those capabilities, we have historically used a complicated workaround
that involves explicitly binding a UDP socket to each network interface
address, and doing OS-specific operations with routing sockets to detect
when network interfaces appear or disappear. We would like to remove
this workaround because it adds considerable complexity to the network
code of the KDC and kadmind.
For further details, see the krbdev at mit.edu email thread archived at
http://mailman.mit.edu/pipermail/krbdev/2016-January/012515.html
More information about the Kerberos
mailing list