[14658] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Michael Thomas)
Thu Jul 12 10:37:11 2001
From: Michael Thomas <mike@mtcc.com>
Message-ID: <v7itgy2phq.fsf@fasolt.mtcc.com>
Date: 12 Jul 2001 07:25:54 -0700
To: kerberos@MIT.EDU
jaltman@watsun.cc.columbia.edu (Jeffrey Altman) writes:
> Now this wraps the forwarded credentials in an auth context which
> is bound to the local address/port and remote address/port. There is
> no method that allows you to perform this binding and say
>
> hey wait a minute, whenever you see the local address 192.168.1.10
> replace it with the address of the NAT (whatever that happens to be)
>
> This is done to protect the credentials. The host won't accept a
> credential that is permitted for use on address A if it comes from
> address B. The one exception to this rule is if you decide not to
> embed ip addresses in the credentials at all. In that case, the
> auth context is not bound to the endpoints of the socket pair.
While not trying to defend NAT (heaven forfend),
the use of IP addresses as a form of identity is
an extremely suspect practice. Mobility, renumbering,
and multihoming are all completely legitimate practices,
and make the assumption of non-volatility of IP addresses
completely wrong.
--
Michael Thomas (mike@mtcc.com http://www.mtcc.com/~mike/)
Multi-mode fiber with an optical splitter |
B G P sessions conFIGGED not to litter | My Fav'rite 'Net Things
Reverting from A T M back to I P | by kc claffy, CAIDA
These are a few of my fav'rite 'Net things |
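The one workable option Jeffrey names above, tickets with no embedded addresses, is an MIT krb5 client setting; this is an added example, not configuration from the post, and the realm name is a placeholder. It trades away the source-address check on a stolen ticket, so it leans on short ticket lifetimes instead.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

    # Weak setting for NAT'd clients: tickets carry the client's private
    # address, so the server sees a mismatch once NAT rewrites the source.
    # noaddresses = false

    # Addressless tickets: the auth context is no longer bound to the socket
    # endpoints, so credentials forwarded through NAT are accepted.
    noaddresses = true

    # Keep lifetimes short, since the address check no longer limits
    # replay of a ticket taken from the credential cache.
    ticket_lifetime = 8h
    forwardable = true
```

`kinit -A` requests an addressless ticket for a single session without changing the file, and `klist -a` shows whether the cached tickets carry an address list.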