[29323] in Kerberos
Re: Why krb5kdc and kadmind sets up ports for listening differently ?
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Wed Feb 20 09:17:29 2008
In-Reply-To: <33ab2aef0802200128u49a7af6aw154d49fae7a4b4b1@mail.gmail.com>
Message-Id: <57670179-AEA5-4470-B687-A3E9578D8569@mit.edu>
From: Ken Raeburn <raeburn@mit.edu>
Date: Wed, 20 Feb 2008 09:17:07 -0500
To: "Vipin Rathor" <v.rathor@gmail.com>
Cc: kerberos@mit.edu
On Feb 20, 2008, at 04:28, Vipin Rathor wrote:
> On 2/19/08, Ken Raeburn <raeburn@mit.edu> wrote:
>> The UDP service offered by the KDC needs to respond from the same IP
>> address that the client used to reach it. That's not possible with a
>> wildcard-address listener unless your system has support for
>> IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as
>> well. The TCP listener does use a wildcard address.
>>
> Does that mean, if wildcard is used over UDP for KDC, then on a
> multi-IP machine, same IP will not be returned to the client?
> Whereas TCP with wildcard, takes care of returning same IP, due to
> its reliability feature?
A TCP server has to respond using the same address as the client
contacted it at; it's part of how a TCP connection is specified. UDP
has no such automatic association between the two packets sent by
either side; if the server wants to send the response using the same
server-side address as the client used to contact it, instead of
letting the operating system pick a source address, it has to take
steps to make sure that happens. Binding sockets to individual IP
addresses is one way; using IP_PKTINFO or IPV6_PKTINFO, when
supported, is another. If it does neither of these things, and just
uses a socket bound to the wildcard address, the server can't even
tell which of its addresses the client used.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos