[39383] in Kerberos
RE: Looking for a "Kerberos Router"?
daemon@ATHENA.MIT.EDU (Brent Kimberley via Kerberos)
Wed Mar 13 17:43:06 2024
To: Simo Sorce <simo@redhat.com>, Yoann Gini <yoann.gini@gmail.com>,
Ken
Hornstein <kenh@cmf.nrl.navy.mil>
CC: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 13 Mar 2024 21:41:58 +0000
Message-ID: <YT3PR01MB10544C62789ED6D2FAB75F26AFA2A2@YT3PR01MB10544.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <ff6b1159594ccac0297ddcda93901dab0f22e61d.camel@redhat.com>
Content-Language: en-US
MIME-Version: 1.0
From: Brent Kimberley via Kerberos <kerberos@mit.edu>
Reply-To: Brent Kimberley <Brent.Kimberley@Durham.ca>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
To the best of my knowledge, all IPV6 ports should be closed by design and only opened if/when approved.
-----Original Message-----
From: Kerberos <kerberos-bounces@mit.edu> On Behalf Of Simo Sorce
Sent: Wednesday, March 13, 2024 4:48 PM
To: Yoann Gini <yoann.gini@gmail.com>; Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?
[You don't often get email from simo@redhat.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
This is well tested:
https://github.com/latchset/kdcproxy
On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > Le 13 mars 2024 à 17:21, Ken Hornstein <kenh@cmf.nrl.navy.mil> a écrit :
> >
> > It does occur to me that maybe if you have different KDC hostnames
> > but the same IP address you could use TLS SNI or hostname routing
> > which you indicated you already use and maybe that would be simpler?
> > That presumes the client implementations set the SNI field (I see
> > that it does send a "Host" header, and it looks like MIT Kerberos
> > does set the SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network
> teams just supporting IPv6 and not blocking random ports for no reasons... ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mail/
> man.mit.edu%2Fmailman%2Flistinfo%2Fkerberos&data=05%7C02%7Cbrent.kimbe
> rley%40durham.ca%7Cde3f8941d2b64fc0ec6f08dc439ee352%7C52d7c9c2d54941b6
> 9b1f9da198dc3f16%7C0%7C0%7C638459596905112923%7CUnknown%7CTWFpbGZsb3d8
> eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0
> %7C%7C%7C&sdata=dZYepxHAXNhDO%2F4F%2FpLx7fDYgT6xEYGEKtjEK7l1H74%3D&res
> erved=0
--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
