[krbdev.mit.edu #4235] Re: pending/1123: rb5_rd_priv can never never work through NAT
jik@kamens.brookline.ma.us via RT
rt-comment at krbdev.mit.edu
Tue Sep 5 11:20:15 EDT 2006
Any progress on this issue in the last four years? :-)
jik
Reference:
Sam Hartman writes:
> Hi. You are correct that krb_mk_priv and krb_rd_priv do not work with
> NAT.
>
> The address check is required by RFC 1510.
>
> Previous attempts to revise RFC 1510 made the address check optional.
> However doing so introduces a reflection attack because the address is
> the only thing that prevents me from reflecting a message generated at
> the source back to that source in cases where sequence numbers are not
> used.
>
> The current clarifications draft in the Kerberos working group of the
> IETF does propose a directional address type to work around this
> issue. We will eventually implement that feature, but until we do,
> priv and safe messages will not work with NAT.
--
Help stop the genocide in Darfur!
http://www.genocideintervention.net/
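The reflection problem Sam describes in the quoted reply, worked through in code. This is an added toy model, not code from MIT krb5 or from either poster: a keyed HMAC stands in for session-key encryption of the KRB-PRIV body, the addresses and session key are constructed sample values, and the "initiator"/"acceptor" labels are my stand-in for the directional address type the clarifications draft proposed (published as RFC 4120). The model goes slightly beyond the mail by also showing the case the draft was designed to fix.

```python
"""Toy model of KRB-PRIV sender-address and sequence-number checks.

Added example, not krb5 code. A keyed HMAC over a JSON body stands in for
the session-key encryption of the private part; the field names follow
RFC 1510. Every key and address below is a constructed sample value.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values: one shared session key, Alice's address, and
# Bob's address both as he sees it (behind NAT) and as Alice sees it.
KEY = b"constructed-shared-session-key"
ALICE = "198.51.100.10"
BOB_PRIVATE = "10.0.0.5"
BOB_AS_SEEN = "203.0.113.7"


def mk_priv(key: bytes, user_data: str, s_address: str,
            seq: Optional[int] = None) -> bytes:
    """Build a KRB-PRIV-like token: user data, the sender's address and an
    optional sequence number, bound together under the shared session key."""
    body = json.dumps({"user_data": user_data, "s_address": s_address,
                       "seq": seq}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag


def rd_priv(key: bytes, token: bytes, peer_address: Optional[str],
            expected_seq: Optional[int] = None) -> dict:
    """Verify a token and return its private part.

    peer_address is the address the receiver believes the message came from;
    None disables the RFC 1510 address check (what the optional-check
    proposals would allow). expected_seq is the next sequence number expected
    from the peer; None means sequence numbers are not in use."""
    body, _, tag = token.rpartition(b"|")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad integrity tag")
    part = json.loads(body)
    if peer_address is not None and part["s_address"] != peer_address:
        raise ValueError(f"address mismatch: {part['s_address']} != {peer_address}")
    if expected_seq is not None and part["seq"] != expected_seq:
        raise ValueError(f"sequence mismatch: {part['seq']} != {expected_seq}")
    return part


def accepted(token: bytes, peer_address: Optional[str],
             expected_seq: Optional[int] = None) -> bool:
    """True if rd_priv accepts the token under the given checks."""
    try:
        rd_priv(KEY, token, peer_address, expected_seq)
        return True
    except ValueError:
        return False


def reflection_without_checks() -> bool:
    """Address check off, no sequence numbers: Alice's own message, reflected
    back to her by an attacker, decrypts and verifies, so she accepts it."""
    token = mk_priv(KEY, "transfer 100", ALICE)
    return accepted(token, None)


def reflection_with_address_check() -> bool:
    """RFC 1510 check on: the s-address is Alice's own, not Bob's, so rejected."""
    token = mk_priv(KEY, "transfer 100", ALICE)
    return accepted(token, BOB_AS_SEEN)


def reflection_with_sequence_numbers() -> bool:
    """Address check off but sequence numbers in use: each side starts its own
    counter, so Alice's seq never matches what she expects from Bob."""
    alice_seq, bob_seq = 1000, 5000
    token = mk_priv(KEY, "transfer 100", ALICE, seq=alice_seq)
    return accepted(token, None, expected_seq=bob_seq)


def legitimate_message_through_nat() -> bool:
    """The bug in this ticket: Bob only knows his private address, Alice sees
    the NAT's, and the mandatory address check rejects an honest message."""
    token = mk_priv(KEY, "hello", BOB_PRIVATE)
    return accepted(token, BOB_AS_SEEN)


def directional_reflection() -> bool:
    """Directional addresses: the message is marked as coming from the
    initiator, but the initiator only accepts messages from the acceptor."""
    token = mk_priv(KEY, "transfer 100", "initiator")
    return accepted(token, "acceptor")


def directional_through_nat() -> bool:
    """Directional addresses do not encode an IP, so NAT no longer matters."""
    token = mk_priv(KEY, "hello", "acceptor")
    return accepted(token, "acceptor")


if __name__ == "__main__":
    for fn in (reflection_without_checks, reflection_with_address_check,
               reflection_with_sequence_numbers, legitimate_message_through_nat,
               directional_reflection, directional_through_nat):
        print(f"{fn.__name__}: accepted={fn()}")
```

The first three functions are the core of Sam's argument: with the address check dropped and no sequence numbers, nothing distinguishes a reflected message from a genuine one, because both ends hold the same session key. The last three show why the directional address type resolves the tension in the ticket: it still rejects the reflection, but the value it carries is the same on both sides of a NAT.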