Pinning KDC IP addresses.
raeburn at MIT.EDU
Thu Feb 15 02:35:03 EST 2007
On Feb 15, 2007, at 01:28, g.w at hurderos.org wrote:
> In the current MIT codebase packetization of the AS_REQ occurs well
> before transmission of the request. As a result it is somewhat
> difficult to modify the payload to coincide with the IP address of the
> KDC being targeted by the krb5_sendto routine.
> The most straightforward strategy would seem to be to push
> packetization downward into the krb5_sendto_kdc function. If
> packetization were delayed until after IP address selection was
> completed the address could be made available to a plugin for final
> payload modification before transmission. It would seem
> straightforward to accomplish this by passing the krb5_kdc_req structure
> pointer all the way down to the krb5_sendto_kdc function.

At the lowest level (krb5int_sendto), we've got support for letting
the caller construct the packet based on the address to send to, via
a callback function. But that's not used in sending to the KDC,
since so far we've had no need for it.

> Sam mentioned in his outline that a more efficient replay avoidance
> implementation was being considered as part of future development
> plans. The ability to more precisely pin requests to a KDC would seem
> to be a positive move toward a more robust replay avoidance strategy.

Not sure what you're referring to here. Sam's "seed projects" list
mentioned replays, but only in improving the performance of the
replay cache for recording authenticators and detecting replays,
nothing about avoiding replays.
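The following is an added illustration of the pattern discussed above (choose the destination address first, then let the caller build the packet for that address via a callback), together with the KDC-side check that such pinning would enable. It is not MIT krb5 code and does not use the real krb5int_sendto or krb5_sendto_kdc signatures; every type and function name (kdc_addr, as_req, build_packet_fn, sendto_kdc_pinned, kdc_accepts) is a hypothetical stand-in, and the 12-byte packet layout is a constructed sample rather than the ASN.1 AS-REQ encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the thread's ideas; none of these are MIT krb5 API. */
typedef struct {
    uint32_t ipv4;      /* IPv4 address as a host-order integer (constructed sample) */
    int reachable;      /* simulated result of address selection / reachability */
} kdc_addr;

typedef struct {
    const char *client; /* client principal name */
    uint32_t nonce;     /* AS-REQ nonce */
} as_req;

/* Callback: build the wire bytes for 'req' only once 'target' is known. */
typedef int (*build_packet_fn)(const kdc_addr *target, const as_req *req,
                               uint8_t *out, size_t outlen, size_t *written);

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed packet layout (not the real AS-REQ encoding):
 *   bytes 0..3   magic "ASRQ"
 *   bytes 4..7   pinned KDC IPv4, big-endian
 *   bytes 8..11  nonce, big-endian
 *   bytes 12..   client principal, NUL-terminated */
static int build_pinned_as_req(const kdc_addr *target, const as_req *req,
                               uint8_t *out, size_t outlen, size_t *written) {
    size_t namelen = strlen(req->client) + 1;
    if (outlen < 12 + namelen) return -1;          /* caller's buffer too small */
    memcpy(out, "ASRQ", 4);
    put_be32(out + 4, target->ipv4);               /* the pin: address chosen below */
    put_be32(out + 8, req->nonce);
    memcpy(out + 12, req->client, namelen);
    *written = 12 + namelen;
    return 0;
}

/* Transport layer: select the address first, then call back to packetize for
 * that address. Returns the chosen index, or -1 if nothing is reachable or
 * packet construction fails. A real implementation would sendto() afterwards. */
static int sendto_kdc_pinned(const kdc_addr *cands, size_t ncands, const as_req *req,
                             build_packet_fn build, uint8_t *pkt, size_t pktlen,
                             size_t *written) {
    for (size_t i = 0; i < ncands; i++) {
        if (!cands[i].reachable) continue;         /* simulated address selection */
        if (build(&cands[i], req, pkt, pktlen, written) != 0) return -1;
        return (int)i;
    }
    return -1;
}

/* KDC side: accept only packets pinned to this KDC's own address, so a request
 * captured and replayed against a different KDC is rejected outright. */
static int kdc_accepts(const kdc_addr *self, const uint8_t *pkt, size_t len) {
    if (len < 13 || memcmp(pkt, "ASRQ", 4) != 0) return 0;
    if (pkt[len - 1] != '\0') return 0;            /* principal must be NUL-terminated */
    return get_be32(pkt + 4) == self->ipv4;
}

typedef struct { int chosen; int accepted_by_chosen; int accepted_by_other;
                 size_t bytes; int small_buffer_rc; } scenario_result;

/* Constructed scenario: 10.0.0.1 is down, 10.0.0.2 is up; the packet built for
 * 10.0.0.2 must be accepted there and rejected if replayed to 10.0.0.1. */
static scenario_result run_scenario(void) {
    kdc_addr kdcs[] = { {0x0A000001u, 0}, {0x0A000002u, 1} };
    as_req req = { "alice@EXAMPLE.COM", 0x12345678u };
    uint8_t pkt[64], tiny[8];
    size_t n = 0, m = 0;
    scenario_result r;
    r.chosen = sendto_kdc_pinned(kdcs, 2, &req, build_pinned_as_req, pkt, sizeof pkt, &n);
    r.bytes = n;
    r.accepted_by_chosen = kdc_accepts(&kdcs[1], pkt, n);
    r.accepted_by_other  = kdc_accepts(&kdcs[0], pkt, n);
    r.small_buffer_rc = build_pinned_as_req(&kdcs[1], &req, tiny, sizeof tiny, &m);
    return r;
}

int main(void) {
    scenario_result r = run_scenario();
    printf("chose index %d, %zu bytes; accepted by chosen=%d, by other=%d\n",
           r.chosen, r.bytes, r.accepted_by_chosen, r.accepted_by_other);
    return 0;
}
```

The point of the ordering is that the pin cannot be wrong: the payload is produced after the transport has committed to a destination, so a plugin hooked at the callback sees exactly the address that will be used. The `kdc_accepts` check is the receiving half of that design and is what turns address pinning into a replay defence.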