Updated NAT fixes

Sam Hartman hartmans at MIT.EDU
Thu Apr 11 16:33:01 EDT 2002

>>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:

    Steven> On 11 Apr 2002, Sam Hartman wrote:

    >> We will keep the address checking in krb_priv and krb_safe
    >> because removing this checking opens you to a reflection
    >> attack.

    Steven> I'm not sure I understand.  mk_priv, mk_safe, rd_priv and
    Steven> rd_safe all check (and add entries to) the replay cache
    Steven> (by calling krb5_rc_store()).  Wouldn't the replay cache
    Steven> stop any attempt to send "private" or "safe" messages back
    Steven> to the server that originated them?

Hmm.  I don't think applications actually tend to use that feature
much.  Also, it's not required by the protocol spec, especially if
using sequence numbers.  There's discussion within the IETF of adding
a direction address type for the next version of the protocol and
removing addresses completely from priv and safe for the following

More information about the krbdev mailing list