Updated NAT fixes
Sam Hartman
hartmans at MIT.EDU
Thu Apr 11 16:33:01 EDT 2002
>>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:
Steven> On 11 Apr 2002, Sam Hartman wrote:
>> We will keep the address checking in krb_priv and krb_safe
>> because removing this checking opens you to a reflection
>> attack.
Steven> I'm not sure I understand. mk_priv, mk_safe, rd_priv and
Steven> rd_safe all check (and add entries to) the replay cache
Steven> (by calling krb5_rc_store()). Wouldn't the replay cache
Steven> stop any attempt to send "private" or "safe" messages back
Steven> to the server that originated them?
Hmm. I don't think applications actually tend to use that feature
much. Also, it's not required by the protocol spec, especially if
using sequence numbers. There's discussion within the IETF of adding
a direction address type for the next version of the protocol and
removing addresses completely from priv and safe for the following
version.
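
The reflection case discussed in this message, as an added example that is not part of the original post and not MIT krb5 code. It is a simplified model: one HMAC key stands in for the session key shared by both peers, and toy_mk_safe, toy_rd_safe, the addresses and the payload are hypothetical names and constructed values.

```python
import hashlib
import hmac

KEY = b"constructed-session-key"        # constructed; both peers share it
A_ADDR, B_ADDR = b"10.0.0.1", b"10.0.0.2"  # constructed sample addresses


def _mac(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()


def toy_mk_safe(sender, payload, cache=None):
    """Build sender|payload followed by a MAC; optionally record it in the sender's cache."""
    body = sender + b"|" + payload
    tag = _mac(body)
    if cache is not None:
        cache.add(tag)
    return body + tag


def toy_rd_safe(msg, expected_peer, check_address=True, cache=None):
    """Verify the MAC, then the sender address, then the replay cache."""
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, _mac(body)):
        return "bad-mac"
    sender, _, _payload = body.partition(b"|")
    if check_address and sender != expected_peer:
        return "bad-address"
    if cache is not None:
        if tag in cache:
            return "replay"
        cache.add(tag)
    return "accepted"


def demo():
    a_cache = set()
    msg = toy_mk_safe(A_ADDR, b"constructed payload", cache=a_cache)
    return {
        # Normal delivery: B expects messages from A.
        "delivered_to_b": toy_rd_safe(msg, A_ADDR),
        # Message bounced back to A, which expects B as the sender.
        "reflected_with_address_check": toy_rd_safe(msg, B_ADDR),
        # Neither address check nor replay cache: the MAC still verifies.
        "reflected_no_checks": toy_rd_safe(msg, B_ADDR, check_address=False),
        # No address check, but A recorded its own outgoing message.
        "reflected_cache_only": toy_rd_safe(msg, B_ADDR, check_address=False, cache=a_cache),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
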