[14518] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Wed May 30 17:01:02 2001
Message-Id: <200105302058.f4UKwNN281538@jurassic.eng.sun.com>
Date: Wed, 30 May 2001 17:01:22 -0400 (EDT)
From: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
Reply-To: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
To: jbrezak@windows.microsoft.com, kerberos@MIT.EDU, deengert@anl.gov
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: vEpqgcC4iiRbq693ZF6RqQ==
I believe a similar problem exists in IP Multipath environments
such as when the clients (or servers) are behind a load-balancer and the
server might get requests from the same client but they appear
to be from different source addresses.
-wyllys
>
>
>John Brezak wrote:
>>
>> There still is a problem with addresses in the kerb-priv and kerb-safe
>> messages used by password change (at least). And as was also pointed out
>> the GSSAPI channel bindings used by ftp. Neither of these are lists.
>>
>> How does a client find out what NAT server is being used to handle its
>> request? What about a multi-homed client?
>
>Normally the client could use the TCP getsockname and getpeername to get the
>addresses of the TCP connection. So multihomed should not be a problem.
>
>This is where I would say NAT actually violates the TCP protocol.
>Since the getsockname on one end of the connection should return the same
>value as the getpeername on the other. (These are really socket routines
>and not directly TCP routines.)
>
>The client has no standard way that I know of to get the NAT addr that the
>peer is seeing. So the mod I am using has it as a KRB5NATADDR variable,
>whereas the other mod posted on the list puts it in the krb5.conf. The user
>has to figure this out with the NAT box. And has to figure out if the server
>is within the local network, or outside. i.e. will a NAT take place.
>(I bring up the WEB interface to the NAT box, and copy the DHCP address
>it obtained.)
>
>Is there widespread use of NAT other than for home firewalls where
>there is normally only one NAT box protecting a private network?
>If there is, and there could be multiple NAT boxes connecting
>a network(s) to the outside, it is extremely difficult to determine
>which NAT address might be used.
>
>As you point out the safe and priv also use these addresses, and in 1510 the
>sender address is required, but the receiver address is optional. It
>also looks like in the MIT 1.2.2 code, the sender address will be checked.
>i.e. the receiver must pass in a sender address to rd_safe.
>(Correct me if I am wrong.) This could be changed by an implementation
>to ignore the address compare.
>
>So NAT is looking worse than expected.
>
>
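The KRB-SAFE address check discussed in the quoted reply (sender address required by RFC 1510, recipient address optional, rd_safe comparing the sender address against what the socket reports, and the KRB5NATADDR-style workaround), modelled as an added Python example. This is not MIT krb5 code and not the patch under discussion: HostAddress, mk_safe, rd_safe, run_scenario and nat_rewrites_s_address are hypothetical stand-ins for the real krb5_mk_safe/krb5_rd_safe machinery, HMAC-SHA256 stands in for the Kerberos keyed checksum, and the addresses and session key are constructed test values.

```python
"""Model of the RFC 1510 KRB-SAFE address check and why NAT breaks it.

Added example, not MIT krb5 code.  mk_safe/rd_safe stand in for
krb5_mk_safe/krb5_rd_safe; HMAC-SHA256 stands in for the Kerberos keyed
checksum; all addresses and the key are constructed values.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADDRTYPE_INET = 2  # IPv4 addr-type value from the RFC 1510 HostAddress type


@dataclass(frozen=True)
class HostAddress:
    addrtype: int
    address: bytes

    @classmethod
    def ipv4(cls, dotted: str) -> "HostAddress":
        return cls(ADDRTYPE_INET, ipaddress.IPv4Address(dotted).packed)


@dataclass(frozen=True)
class SafeMessage:
    user_data: bytes
    s_address: HostAddress             # sender address: required by RFC 1510
    r_address: Optional[HostAddress]   # recipient address: optional
    cksum: bytes


class BadChecksum(Exception):
    pass


class AddressMismatch(Exception):
    pass


def _body(user_data: bytes, s_addr: HostAddress, r_addr: Optional[HostAddress]) -> bytes:
    """Length-prefixed concatenation standing in for the DER-encoded KRB-SAFE-BODY."""
    parts = [user_data, s_addr.address, r_addr.address if r_addr else b""]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def mk_safe(key: bytes, user_data: bytes, s_addr: HostAddress,
            r_addr: Optional[HostAddress] = None) -> SafeMessage:
    """Sender side.  The keyed checksum covers the address fields, so nothing on
    the path (a NAT box included) can rewrite s-address without breaking it."""
    cksum = hmac.new(key, _body(user_data, s_addr, r_addr), hashlib.sha256).digest()
    return SafeMessage(user_data, s_addr, r_addr, cksum)


def rd_safe(key: bytes, msg: SafeMessage, observed_sender: HostAddress,
            local_addr: Optional[HostAddress] = None, check_addresses: bool = True) -> bytes:
    """Receiver side: verify the checksum, then compare the address fields with
    what the socket layer reports (getpeername / getsockname).
    check_addresses=False is the 'ignore the address compare' option from the thread."""
    expected = hmac.new(key, _body(msg.user_data, msg.s_address, msg.r_address),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.cksum):
        raise BadChecksum("keyed checksum does not verify")
    if check_addresses:
        if msg.s_address != observed_sender:
            raise AddressMismatch("s-address in message != peer address on the socket")
        if msg.r_address is not None and local_addr is not None and msg.r_address != local_addr:
            raise AddressMismatch("r-address in message != our local socket address")
    return msg.user_data


def run_scenario(nat_addr_override: Optional[str] = None, check_addresses: bool = True) -> str:
    """Client behind a NAT sends a KRB-SAFE to a server outside; returns the
    server's verdict.  nat_addr_override plays the role of KRB5NATADDR."""
    key = bytes(range(32))                              # constructed session key
    client_private = HostAddress.ipv4("192.168.1.5")    # what getsockname() shows the client
    nat_public = HostAddress.ipv4("203.0.113.7")        # what getpeername() shows the server
    server_addr = HostAddress.ipv4("198.51.100.2")
    # The client fills s-address from its own socket unless told the NAT's address.
    s_addr = HostAddress.ipv4(nat_addr_override) if nat_addr_override else client_private
    msg = mk_safe(key, b"kpasswd: change-password request", s_addr, server_addr)
    # The NAT rewrites the IP header source but cannot touch the checksummed body.
    try:
        rd_safe(key, msg, observed_sender=nat_public, local_addr=server_addr,
                check_addresses=check_addresses)
    except AddressMismatch:
        return "rejected: address mismatch"
    return "accepted"


def nat_rewrites_s_address() -> str:
    """If the NAT box tried to patch s-address itself, the checksum catches it."""
    key = bytes(range(32))
    msg = mk_safe(key, b"x", HostAddress.ipv4("192.168.1.5"))
    patched = SafeMessage(msg.user_data, HostAddress.ipv4("203.0.113.7"), msg.r_address, msg.cksum)
    try:
        rd_safe(key, patched, HostAddress.ipv4("203.0.113.7"))
    except BadChecksum:
        return "rejected: bad checksum"
    return "accepted"


if __name__ == "__main__":
    print("no override     :", run_scenario())
    print("KRB5NATADDR set :", run_scenario(nat_addr_override="203.0.113.7"))
    print("addr check off  :", run_scenario(check_addresses=False))
    print("NAT patches addr:", nat_rewrites_s_address())
```

The three outcomes of run_scenario are the three positions in the thread: the unmodified client fails because the server's getpeername sees the NAT's address, the client that has been told the NAT address (the KRB5NATADDR approach) passes, and a receiver that skips the compare passes but has given up the address binding for everyone, not just NATed clients. nat_rewrites_s_address shows why the NAT box cannot simply fix the field in transit: the address is under the keyed checksum.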