[369] in Kerberos
Re: client name vs. client IP address.
daemon@TELECOM.MIT.EDU (Bill Sommerfeld)
Tue Apr 19 20:41:31 1988
From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: jordan@UCBARPA.BERKELEY.EDU
Cc: sdsu!vinge@UCSD.EDU, kerberos@ATHENA.MIT.EDU
The IP address is sealed into the ticket in an attempt to increase
security by a small amount. Someone attempting an attack by replay
must be able to forge the `from' address of an IP packet, which is
(marginally) harder than just sending packets, and is more likely to
be noticed.
The hostname is not in there because doing a nameserver/host table
lookup will impose a pretty large network delay on the server end; in
the current setup, the server side never blocks for I/O (not counting
looking up the service key).
Also, the domain nameserver is eminently spoofable, since its requests
aren't authenticated...
With respect to multi-homed clients (clients with more than one net
address): this is a problem which hasn't really been resolved, as
there is only one address in the packet. If the client binds all its
outgoing sockets to its `primary' address, this ceases to be a
problem, but this requires special code in each client application
using kerberos.
I suspect that there will be some sort of protocol rearrangement in
the future which should include (a) having a list of addresses sealed
in the ticket and (b) tagging each address with some sort of address
family code (I'm pretty sure that DEC, IBM, and Apollo are all
interested in using kerberos over their own proprietary protocols, and
ISO is looming somewhere over the horizon...).
The _service_ name is included in the ticket as an extra check to
make sure that the ticket was decrypted correctly.
- Bill
