Updated NAT fixes

Nicolas Williams Nicolas.Williams at ubsw.com
Mon Apr 15 11:36:01 EDT 2002


It's a two-valued HostAddress. The two values are "from-initiator" and
"from-acceptor", essentially.

Its purpose is to be used in priv, safe and cred messages to prevent
reflection replay attacks while at the same time ridding us of the need
to use real HostAddresses in those messages. So the direction address
type is another step to resolve the issues with NAT.

Nico


On Mon, Apr 15, 2002 at 09:59:01AM -0500, Steven Michaud wrote:
> > There's discussion within the IETF of adding
> > a direction address type for the next version of the protocol and
> > removing addresses completely from priv and safe for the following
> > version.
> 
> What's a "direction address type"?  I did a Google search on that
> phrase, but all I found was a bare mention of it in notes on one or
> more IETF meetings (http://www.isi.edu/people/bcn/krb-revisions/).
> 
> On 11 Apr 2002, Sam Hartman wrote:
> 
> > >>>>> "Steven" == Steven Michaud <smch at midway.uchicago.edu> writes:
> > 
> >     Steven> On 11 Apr 2002, Sam Hartman wrote:
> > 
> >     >> We will keep the address checking in krb_priv and krb_safe
> >     >> because removing this checking opens you to a reflection
> >     >> attack.
> > 
> >     Steven> I'm not sure I understand.  mk_priv, mk_safe, rd_priv and
> >     Steven> rd_safe all check (and add entries to) the replay cache
> >     Steven> (by calling krb5_rc_store()).  Wouldn't the replay cache
> >     Steven> stop any attempt to send "private" or "safe" messages back
> >     Steven> to the server that originated them?
> > 
> > 
> > Hmm.  I don't think applications actually tend to use that feature
> > much.  Also, it's not required by the protocol spec, especially if
> > using sequence numbers.  There's discussion within the IETF of adding
> > a direction address type for the next version of the protocol and
> > removing addresses completely from priv and safe for the following
> > version.
> > 
> > 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

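Added illustration of the mechanism Nico describes, written for this archive page; it is not code from the thread, from MIT Kerberos, or from any IETF draft. It models the address slot of a KRB-SAFE as a two-valued direction instead of a host address and shows why that slot still catches a reflected message while no longer caring what IP the message arrived from. The `Peer`, `Safe` and `Direction` names, the field layout, and starting both sequence counters at zero are assumptions; the real protocol carries ASN.1 HostAddress values in s-address/r-address and takes sequence numbers from the AP exchange.

```python
# Added example (not from the thread, MIT Kerberos or any IETF draft):
# toy model of a "direction address" in a KRB-SAFE-like message.
# Names, encoding and the zero-based sequence counters are assumptions.
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    FROM_INITIATOR = "from-initiator"
    FROM_ACCEPTOR = "from-acceptor"


@dataclass(frozen=True)
class Safe:
    """Stand-in for KRB-SAFE: the address slot carries a direction, not a host."""
    direction: Direction
    seq: int
    body: bytes


class Peer:
    """One side of an authenticated session (initiator or acceptor)."""

    def __init__(self, initiator: bool) -> None:
        self.initiator = initiator
        self.send_seq = 0
        self.recv_seq = 0

    @property
    def my_direction(self) -> Direction:
        return Direction.FROM_INITIATOR if self.initiator else Direction.FROM_ACCEPTOR

    @property
    def peer_direction(self) -> Direction:
        return Direction.FROM_ACCEPTOR if self.initiator else Direction.FROM_INITIATOR

    def mk_safe(self, body: bytes) -> Safe:
        msg = Safe(self.my_direction, self.send_seq, body)
        self.send_seq += 1
        return msg

    def rd_safe(self, msg: Safe) -> bytes:
        # Direction check: a message carrying *my own* direction value was
        # originated by me and bounced back, whatever address it came from.
        if msg.direction != self.peer_direction:
            raise ValueError("reflected message rejected")
        # Sequence check, as the thread notes: catches a genuine peer
        # message delivered twice, independent of the address slot.
        if msg.seq != self.recv_seq:
            raise ValueError("sequence mismatch: replay or reorder")
        self.recv_seq += 1
        return msg.body


def host_address_check(claimed: str, observed: str) -> bool:
    """The classic check the direction type replaces; it fails behind NAT
    because the address the sender put in the message is not the one the
    receiver observes."""
    return claimed == observed


def run_scenario() -> dict:
    client, server = Peer(initiator=True), Peer(initiator=False)
    m = client.mk_safe(b"delete file")
    legit = server.rd_safe(m) == b"delete file"
    # The same message returned to its originator: direction mismatch.
    try:
        client.rd_safe(m)
        reflected = True
    except ValueError:
        reflected = False
    # The same message delivered to the server a second time: seq mismatch.
    try:
        server.rd_safe(m)
        replayed = True
    except ValueError:
        replayed = False
    # Constructed addresses: private address inside the message, public
    # address seen after NAT. The old check wrongly rejects this message.
    nat_host_check = host_address_check("10.0.0.5", "203.0.113.7")
    return {
        "legit": legit,
        "reflected": reflected,
        "replayed": replayed,
        "nat_host_check": nat_host_check,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The direction value is tied to the role established during authentication, so a message that comes back to its own originator is detectable without either side knowing or agreeing on a real host address, which is exactly the property that survives NAT; the sequence check still has to do the work against straightforward replay to the intended receiver.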



