Updated NAT fixes
Steven Michaud
smch at midway.uchicago.edu
Mon Apr 15 11:00:00 EDT 2002
> There's discussion within the IETF of adding
> a direction address type for the next version of the protocol and
> removing addresses completely from priv and safe for the following
> version.
What's a "direction address type"? I did a Google search on that
phrase, but all I found was a bare mention of it in notes on one or
more IETF meetings (http://www.isi.edu/people/bcn/krb-revisions/).
On 11 Apr 2002, Sam Hartman wrote:
> >>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:
>
> Steven> On 11 Apr 2002, Sam Hartman wrote:
>
> >> We will keep the address checking in krb_priv and krb_safe
> >> because removing this checking opens you to a reflection
> >> attack.
>
> Steven> I'm not sure I understand. mk_priv, mk_safe, rd_priv and
> Steven> rd_safe all check (and add entries to) the replay cache
> Steven> (by calling krb5_rc_store()). Wouldn't the replay cache
> Steven> stop any attempt to send "private" or "safe" messages back
> Steven> to the server that originated them?
>
>
> Hmm. I don't think applications actually tend to use that feature
> much. Also, it's not required by the protocol spec, especially if
> using sequence numbers. There's discussion within the IETF of adding
> a direction address type for the next version of the protocol and
> removing addresses completely from priv and safe for the following
> version.
>
>
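The disagreement above is about which check actually stops a reflected KRB_SAFE/KRB_PRIV message: the recipient's replay cache, the address fields, or per-direction sequence numbers. The following toy model is an added illustration, not code from this thread or from MIT krb5; it stands in an HMAC over a JSON body for the real keyed checksum and ASN.1 encoding, uses constructed addresses, keys and sequence numbers, and lets each of the three checks be switched on separately so the effect of each on a reflected message can be observed.

```python
import hashlib
import hmac
import json


def make_safe(key: bytes, sender: str, recipient: str, seq: int, payload: str) -> dict:
    """Build a toy KRB_SAFE-like message: cleartext body plus a keyed checksum.

    Constructed stand-in: HMAC-SHA256 over a JSON body, not the real wire format.
    """
    body = {"sender": sender, "recipient": recipient, "seq": seq, "payload": payload}
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, data, hashlib.sha256).hexdigest()}


class Endpoint:
    """One side of a session; both sides share the same session key."""

    def __init__(self, addr, key, first_out_seq, first_in_seq, *,
                 check_addresses=False, check_seq=False, cache_sent=False):
        self.addr = addr
        self.key = key
        self.out_seq = first_out_seq      # next sequence number we will send
        self.in_seq = first_in_seq        # next sequence number we expect from the peer
        self.check_addresses = check_addresses  # verify sender/recipient fields
        self.check_seq = check_seq        # verify per-direction sequence numbers
        self.cache_sent = cache_sent      # also record our own sent messages (mk_safe storing)
        self.replay_cache = set()         # stand-in for the krb5_rc_store() cache: tags seen

    def send(self, peer_addr, payload):
        msg = make_safe(self.key, self.addr, peer_addr, self.out_seq, payload)
        self.out_seq += 1
        if self.cache_sent:
            self.replay_cache.add(msg["tag"])
        return msg

    def receive(self, msg, peer_addr):
        """Verify an incoming message; return (accepted, reason)."""
        body = msg["body"]
        data = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad checksum"
        if msg["tag"] in self.replay_cache:
            return False, "replay cache hit"
        if self.check_addresses and (body["sender"] != peer_addr
                                     or body["recipient"] != self.addr):
            return False, "address mismatch"
        if self.check_seq and body["seq"] != self.in_seq:
            return False, "sequence number mismatch"
        self.replay_cache.add(msg["tag"])
        if self.check_seq:
            self.in_seq += 1
        return True, "ok"


def reflection_outcome(**policy):
    """Deliver one message A->B, then present the same bytes back to A as if from B.

    Returns A's verdict on the reflected copy under the given checks.
    """
    key = b"constructed-session-key"           # constructed, shared by both sides
    a = Endpoint("10.0.0.1", key, first_out_seq=100, first_in_seq=500, **policy)
    b = Endpoint("10.0.0.2", key, first_out_seq=500, first_in_seq=100, **policy)
    msg = a.send(b.addr, "debit account 42")
    assert b.receive(msg, a.addr)[0]           # the genuine delivery is accepted
    return a.receive(msg, b.addr)              # the same message, reflected to A


def legitimate_round_trip():
    """Both directions are accepted when every check is enabled."""
    policy = dict(check_addresses=True, check_seq=True, cache_sent=True)
    key = b"constructed-session-key"
    a = Endpoint("10.0.0.1", key, first_out_seq=100, first_in_seq=500, **policy)
    b = Endpoint("10.0.0.2", key, first_out_seq=500, first_in_seq=100, **policy)
    ok_ab = b.receive(a.send(b.addr, "request"), a.addr)[0]
    ok_ba = a.receive(b.send(a.addr, "response"), b.addr)[0]
    return ok_ab and ok_ba


if __name__ == "__main__":
    print("no checks:        ", reflection_outcome())
    print("addresses:        ", reflection_outcome(check_addresses=True))
    print("sequence numbers: ", reflection_outcome(check_seq=True))
    print("sender caches too:", reflection_outcome(cache_sent=True))
```

With no checks the reflected message verifies, because the checksum is keyed with the session key both sides hold and A's replay cache only records what A has received. Each of the three mechanisms closes that gap on its own: the address check (the one Sam says must stay), distinct per-direction sequence numbers (the alternative he mentions), or the sender storing its own outgoing messages in the cache (the behaviour Steven describes, which Sam notes is neither required by the spec nor widely used by applications).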