[6090] in Kerberos


Re: error in "krb5_sendto_kdc" logic

daemon@ATHENA.MIT.EDU (Jim Miller)
Wed Nov 1 14:14:23 1995

From: jim@bilbo.suite.com (Jim Miller)
Date: Wed, 1 Nov 95 13:01:54 -0600
To: jik@jik.datasrv.co.il
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@bilbo.suite.com


> |> if the request *did* reach the
> |> KDC but the KDC's reply got lost, then it is not ok for the client to
> |> re-send the request..
>
> That's not true -- the KDC (at least the one that MIT
> distributes, and any KDC sold or distributed by someone
> besides MIT that doesn't have this feature is arguably
> broken) has code in it whose specific purpose is to avoid
> the problem you describe.
>
> In particular, the KDC caches in a lookaside buffer the
> actual on-the-wire contents of recent requests, as well
> as the responses that were sent to them.  Each time it gets a
> new request, it checks to see if it exactly matches a
> request in the lookaside buffer; if it does, then the
> exact same response (as cached in the lookaside buffer)
> is sent.

You're right.  I did not correctly understand how the KDC replay worked.
I thought it simply returned an error where it detected a replay, but, as
you point out, it actually re-transmits the reply it sent for the first
request.

Sorry for the false alarm,

Jim_Miller@suite.com
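The KDC lookaside behaviour described in the quoted paragraphs, as an added Python model that is not part of this message and not MIT's KDC code: recent requests are remembered by their exact on-the-wire bytes together with the reply that was sent, and a retransmitted request that matches byte-for-byte gets the identical reply back instead of being processed again. The class and function names, the 120-second entry lifetime, the counter-based `FakeKdc` and the sample AS-REQ bytes are all constructed here for illustration; the thread gives none of them.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass
class LookasideEntry:
    request: bytes      # exact on-the-wire request bytes
    response: bytes     # the reply that was sent for that request
    stored_at: float    # clock reading when the entry was stored


class KdcLookaside:
    """Reply cache keyed on the exact bytes of a recent request.

    The lifetime is an assumed value for this example; the thread does not
    say how long a real KDC keeps entries.
    """

    def __init__(self, lifetime_seconds=120.0, clock=time.monotonic):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self._entries = {}  # sha256 digest of request -> LookasideEntry

    @staticmethod
    def _key(request):
        return hashlib.sha256(request).digest()

    def _expire(self):
        now = self.clock()
        stale = [k for k, e in self._entries.items() if now - e.stored_at > self.lifetime]
        for k in stale:
            del self._entries[k]

    def lookup(self, request):
        """Return the cached reply for an exact match, or None."""
        self._expire()
        entry = self._entries.get(self._key(request))
        # Compare the full request bytes too, so a digest collision can never
        # hand one client a reply that was produced for a different request.
        if entry is not None and entry.request == request:
            return entry.response
        return None

    def store(self, request, response):
        self._entries[self._key(request)] = LookasideEntry(request, response, self.clock())


def handle_request(cache, request, process):
    """Serve a request: from the lookaside if it is a retransmission,
    otherwise by calling process() and caching what it produced.
    Returns (response_bytes, served_from_lookaside)."""
    cached = cache.lookup(request)
    if cached is not None:
        return cached, True
    response = process(request)
    cache.store(request, response)
    return response, False


class FakeKdc:
    """Constructed stand-in for real KDC processing: each fresh reply embeds a
    call counter, so two independent processings of one request would differ,
    which makes a genuine replay of the cached reply easy to tell apart."""

    def __init__(self):
        self.calls = 0

    def process(self, request):
        self.calls += 1
        return b"AS-REP for " + request + b" #" + str(self.calls).encode()


def demo():
    clock = [0.0]  # controllable clock so expiry can be shown deterministically
    cache = KdcLookaside(lifetime_seconds=120.0, clock=lambda: clock[0])
    kdc = FakeKdc()
    as_req = b"AS-REQ client=alice@EXAMPLE.COM nonce=1234"  # constructed sample

    first, replayed1 = handle_request(cache, as_req, kdc.process)
    clock[0] += 5.0  # reply lost in transit; client re-sends identical bytes
    second, replayed2 = handle_request(cache, as_req, kdc.process)
    # A request differing by a single byte is not a match and is processed anew.
    other, replayed3 = handle_request(cache, as_req.replace(b"1234", b"1235"), kdc.process)
    clock[0] += 200.0  # past the lifetime: the entry is evicted, so this is fresh work
    late, replayed4 = handle_request(cache, as_req, kdc.process)
    return {
        "first": first, "second": second, "other": other, "late": late,
        "replayed": (replayed1, replayed2, replayed3, replayed4),
        "kdc_calls": kdc.calls,
    }


if __name__ == "__main__":
    r = demo()
    print("retransmit served from lookaside:", r["replayed"][1],
          "identical reply:", r["first"] == r["second"])
    print("KDC processed", r["kdc_calls"], "requests for 4 deliveries")
```

The point of the model is the one jik makes: because the cache replays the reply that was actually sent, a client that never saw the first reply can safely re-send the same request, and the KDC does no second round of work for it. The full-bytes comparison after the digest lookup is there so the cache can only ever return a reply for a request that is exactly the one it was produced for.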
