Updated NAT fixes
smch at midway.uchicago.edu
Thu Apr 11 13:02:01 EDT 2002
On 11 Apr 2002, Sam Hartman wrote:
> We will keep the address checking in krb_priv and krb_safe because
> removing this checking opens you to a reflection attack.
I'm not sure I understand. mk_priv, mk_safe, rd_priv and rd_safe all
check (and add entries to) the replay cache (by calling
krb5_rc_store()). Wouldn't the replay cache stop any attempt to send
"private" or "safe" messages back to the server that originated them?
More information about the krbdev