kprop with multiple or NATted IP address

Greg Hudson ghudson at mit.edu
Fri Jan 3 11:53:29 EST 2020


On 1/3/20 11:00 AM, Jerry Shipman wrote:
> I am continuing (sorry) my old 2016 thread (part of it below) about trying to kprop through a NAT. 

Apologies that I didn't follow up on that.  In that thread, I wrote:

> Many protocols aren't susceptible to reflection
> attacks because they don't use similar formats for requests and
> responses.  After verifying that the kprop protocol isn't vulnerable,
> we could probably make changes similar to the ones we made to kpasswd
> to allow it to work over NATs.

I took at look at the kprop protocol just now.  Unfortunately, kprop and
kpropd use  the same format for the client-to-server and
server-to-client KRB-SAFE messages, and on successful completion the
payloads are expected to be identical.  (KRB-PRIV messages only flow
from client to server.)  So without protection from reflection attacks,
an attacker could potentially make a failed transmission look like a
successful transmission by reflecting the client's KRB-SAFE message.

I think that sequence numbers would generally thwart this attack, since
kprop and kpropd use mutual authentication and enable sequence number
checking.  But I would have to do some additional analysis to be
confident about that; these sequence numbers are only 32 bits, and there
is some fudging around past implementations which further reduces the
margin of safety.

> I wound up working around it by periodically dumping the database, copying it over to the secondaries, and importing it.
> But this workaround is causing some other trouble (the master database is locked for a noticeable amount of time during the periodic exports). 

Fortunately, we have a couple of workarounds for this secondary problem.

Release 1.13 added support for unlocked database dumps with the db2 KDB
module: "kdb5_util -x unlockiter dump".  This will make the dump command
take longer, but not keep the database locked.

Release 1.17 added the lmdb KDB module, which does not suffer from
locking conflicts between dump operations and write operations.


More information about the Kerberos mailing list