Pinning KDC IP addresses.

Jeffrey Altman jaltman at secure-endpoints.com
Thu Feb 15 05:27:14 EST 2007


g.w at hurderos.org wrote:
> One of the issues which is a bit problematic in working against the
> MIT sources is the issue of pinning AS_REQs to a particular IP
> address.  This strategy appears to be attractive in developing a
> robust replay avoidance mechanism not only for OTI but other hardware
> pre-authentication mechanisms as well.

While adding the IP address of the KDC to the AS_REQ seems like a
reasonable thing to do, I also believe it has the potential to cause
significant operational hardship.  You are going to be requiring the
KDC to be aware of any and all IP addresses that clients may be able
to contact the server by.  This can be a serious problem for NAT'd
environments or any KDC proxy or tunneling services that someone
might decide to deploy.

Many large organizations that I know of are attempting to get the
remaining IP address checking removed from the code base.  Adding
additional IP address based checks would not be seen as a benefit to
them.

Jeffrey Altman
Secure Endpoints Inc.
