Interesting problem with Kerberos IPv6 support

Ken Raeburn raeburn at MIT.EDU
Fri Jun 25 16:01:52 EDT 2004


> I've recently been testing the IPv6 support in more recent versions of
> Kerberos, and I've run into an interesting problem.
>
> Host "A" has the newer version of Kerberos, with the IPv6 support, and
> has an IPv6 address.  The KDC also will respond to requests on the
> IPv6 interface.
>
> Person on host "B" has an older version of Kerberos that is not IPv6
> aware.  They connect to host "A" with their favorite Kerberos utility,
> and use it to forward their tickets across.  However ... because the
> tickets forwarded across from host B only have the IPv4 addresses in
> them, when you try to use the tickets, you get the accursed "Incorrect
> Net Address", because the client code on host A will use IPv6 to contact
> the KDC.

If host B has any IPv4 addresses that host A wasn't aware of, they
also will not be listed in the forwarded tickets.

> I've been trying to come up with a reasonable way of dealing with this
> issue that doesn't involve enforced client upgrades.  Anyone got any
> ideas?

A few...

(1) Get tickets without any addresses specified.
(2) Send forwardable tickets to host B, and have host B forward them
    to itself (with all local addresses, or without any addresses) if
    they're missing any local addresses.
(3) If the tickets do list addresses, then when contacting the KDC,
    bind specifically to listed addresses.  That just moves the
    problem to cases where you contact IPv6-capable services.
(4) Hack the KDC to always ignore addresses in its checks.  But the
    issued tickets should keep the same address list, so the problem
    persists when you contact IPv6-capable services.
(5) Hack the KDC to always issue address-less tickets.

Ken
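
An added illustration, not part of Ken's message and not MIT Kerberos
code: a small Python model of the ticket address check that produces the
"Incorrect net address" error, run against the five options above.  The
addr-type values (2 for IPv4, 24 for IPv6) are RFC 4120's; the host
addresses are constructed from documentation prefixes; the error string is
the MIT message the original poster quotes.  Everything else (function
names, the scenario) is assumed for the demonstration.

```python
"""Model of the Kerberos ticket address check discussed in the thread.

A ticket's caddr field (RFC 4120 section 5.3) lists HostAddress values as
(addr-type, address) pairs.  The KDC, or an application server, compares
the sender's network address against that list; a ticket with no caddr
is usable from any address.  Self-contained simulation, not MIT krb5 code;
hosts are constructed from 192.0.2.0/24 and 2001:db8::/32.
"""
import ipaddress
from typing import FrozenSet, Iterable, Tuple

# RFC 4120 section 7.5.3 address-type values for the two families at issue.
ADDRTYPE_INET = 2
ADDRTYPE_INET6 = 24

HostAddress = Tuple[int, bytes]


def host_address(text: str) -> HostAddress:
    """Encode a textual IP address as a Kerberos (addr-type, address) pair."""
    ip = ipaddress.ip_address(text)
    addr_type = ADDRTYPE_INET if ip.version == 4 else ADDRTYPE_INET6
    return (addr_type, ip.packed)


def ticket_usable(caddr: FrozenSet[HostAddress], sender: str) -> bool:
    """The check whose failure is reported as 'Incorrect net address'
    (KRB5KRB_AP_ERR_BADADDR).  An empty list means an address-less ticket;
    otherwise the sender must appear with a matching address type, so an
    IPv4 entry never satisfies a request arriving over IPv6."""
    if not caddr:
        return True
    return host_address(sender) in caddr


def forwarded_caddr(known_to_forwarder: Iterable[str]) -> FrozenSet[HostAddress]:
    """Address list the forwarding host puts in the ticket: only the
    addresses it is aware of, so an IPv4-only host B lists IPv4 only."""
    return frozenset(host_address(a) for a in known_to_forwarder)


def describe(caddr: FrozenSet[HostAddress], sender: str) -> str:
    return "ok" if ticket_usable(caddr, sender) else "Incorrect net address"


# Constructed scenario from the post.
HOST_A_ADDRS = ["192.0.2.10", "2001:db8::10"]       # dual-stack host A
HOST_A_AS_SEEN_BY_B = ["192.0.2.10"]                 # all IPv4-only B knows

TICKET_FROM_B = forwarded_caddr(HOST_A_AS_SEEN_BY_B)  # the problem ticket
ADDRESSLESS_TICKET: FrozenSet[HostAddress] = frozenset()  # options (1)/(5)
REFORWARDED_TICKET = forwarded_caddr(HOST_A_ADDRS)    # option (2)

if __name__ == "__main__":
    # Host A's client library picks IPv6 to reach the KDC:
    print("forwarded ticket, KDC over IPv6  :", describe(TICKET_FROM_B, "2001:db8::10"))
    # Option (3): bind to a listed IPv4 address when talking to the KDC...
    print("forwarded ticket, KDC over IPv4  :", describe(TICKET_FROM_B, "192.0.2.10"))
    # ...but the same check at an IPv6-capable service still fails:
    print("same ticket, IPv6 service        :", describe(TICKET_FROM_B, "2001:db8::10"))
    print("address-less ticket, IPv6        :", describe(ADDRESSLESS_TICKET, "2001:db8::10"))
    print("re-forwarded with all addresses  :", describe(REFORWARDED_TICKET, "2001:db8::10"))
```

Running it prints one line per option.  In MIT Kerberos the address-less
route is `kinit -A`, or `noaddresses = true` in the [libdefaults] section
of krb5.conf; options (3) and (4) leave the caddr list alone, which is why
the model still rejects the ticket at an IPv6-capable service.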


More information about the krbdev mailing list