Replaying and server side caching.

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Apr 14 11:07:40 EDT 2003


>> I understand why you would allow this for UDP, but in our experience,
>> we found that if the TGT request got to the KDC, it was extremely
>> unlikely for the TGT response to not find its way back to the client
>> in a normal operational environment.
>
>Is your "normal" environment restricted to one organization's private
>network? And uniform software? Mine reaches four continents with
>multiple implementations. I would not activate a KDC anti-replay
>feature, knowing that at least some implementations resend the same
>message.

"What he said".  I actually summarize my logs weekly and look for this,
and I see a bunch of retransmissions from inside of our own network in
addition to the ones from outside of our network.  It's enough that
I would never enable such a thing.

--Ken
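One way to do the weekly check Ken describes, as an added example that is not part of this thread: count AS-REQs from the same client address for the same principal that arrive within a few seconds of each other, which is exactly what a KDC anti-replay cache would reject. The log format, the sample lines and the 5-second window are all constructed assumptions, not real krb5kdc output.

```python
"""Count retransmitted AS-REQs in KDC log lines (added example).

Two AS-REQs from the same client address for the same principal within
WINDOW seconds are treated as one request plus a retransmission, i.e.
exactly what a KDC anti-replay cache would reject. Log lines are
constructed and only loosely follow krb5kdc's syslog style."""
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 5  # seconds; assumption: UDP clients retry within a few seconds

# Constructed sample: alice retries twice, then comes back later; bob once.
SAMPLE_LOG = """\
Apr 14 11:07:40 kdc krb5kdc[3151](info): AS_REQ 10.1.2.3: ISSUE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 14 11:07:41 kdc krb5kdc[3151](info): AS_REQ 10.1.2.3: ISSUE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 14 11:07:43 kdc krb5kdc[3151](info): AS_REQ 10.1.2.3: ISSUE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 14 11:07:50 kdc krb5kdc[3151](info): AS_REQ 192.0.2.9: ISSUE: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 14 11:08:30 kdc krb5kdc[3151](info): AS_REQ 10.1.2.3: ISSUE: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ (?P<client>[\d.]+): ISSUE: (?P<princ>\S+) for "
)

def parse(line, year=2003):
    """Return (timestamp, client_ip, principal) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["client"], m["princ"]

def count_retransmits(log_text, window=WINDOW):
    """Return (total AS-REQs, retransmissions, per-(client, princ) counts)."""
    last_seen, retrans, total = {}, defaultdict(int), 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, princ = rec
        total += 1
        key = (client, princ)
        prev = last_seen.get(key)
        if prev is not None and (ts - prev).total_seconds() <= window:
            retrans[key] += 1  # looks like a duplicate of the previous request
        last_seen[key] = ts
    return total, sum(retrans.values()), dict(retrans)
```

On the constructed sample this reports 2 of 5 AS-REQs as retransmissions; run against a real week of KDC logs, a non-zero count is the evidence that an anti-replay feature would reject legitimate clients.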


More information about the krbdev mailing list