Updated NAT fixes

Steven Michaud smch at midway.uchicago.edu
Thu Apr 11 13:02:01 EDT 2002

On 11 Apr 2002, Sam Hartman wrote:

> We will keep the address checking in krb_priv and krb_safe because
> removing this checking opens you to a reflection attack.

I'm not sure I understand.  mk_priv, mk_safe, rd_priv and rd_safe all
check (and add entries to) the replay cache (by calling
krb5_rc_store()).  Wouldn't the replay cache stop any attempt to send
"private" or "safe" messages back to the server that originated them?
