[983] in Kerberos_V5_Development
Krb5 & IP addresses
daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Jan 30 11:40:15 1996
Date: Tue, 30 Jan 1996 11:38:53 -0500
To: krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>

I have a couple concerns with IP addresses being imbedded within
Kerberos 5.

1. With a mixed IPv6/v4 world, and address translation, the application
   will have to understand address translation and the possible view that
   another site might have of the client's address.

2. The use of the address within the credential makes it difficult to proxy
   through firewalls.

I was talking with Ted about this, and it seemed that there should be an
easy way to simply say, "trust me from any IP address". However,
looking deeper into the code, this is not the case.

I propose we add another address family type: AF_ANY, ADDR_ANY, or
something similar. kinit can then optionally use that on the client to
indicate that the server need not check its originating address. This
would entail simply changing addr_comp.c and a couple other functions.

How does this sound?

Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
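
Added example, not part of the original message and not code from the krb5 source: a minimal sketch of the address check the proposal describes, where a wildcard entry in the credential's address list makes the sender's address irrelevant. The ex_* names, the EX_ADDR_ANY tag value, the allow_any server switch and the sample addresses are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and tag values for illustration; not krb5's own. */
enum { EX_ADDR_INET = 2, EX_ADDR_ANY = 0x7fff };

typedef struct {
    int type;               /* address family tag */
    size_t len;             /* bytes used in data */
    unsigned char data[16];
} ex_address;

/* Constructed sample data (documentation address ranges). */
static const ex_address bound_cred[] = { { EX_ADDR_INET, 4, { 192, 0, 2, 10 } } };
static const ex_address any_cred[]   = { { EX_ADDR_ANY, 0, { 0 } } };
static const ex_address same_host    = { EX_ADDR_INET, 4, { 192, 0, 2, 10 } };
static const ex_address translated   = { EX_ADDR_INET, 4, { 198, 51, 100, 7 } };

/* Exact match: same family, same length, same bytes. */
static int ex_addr_equal(const ex_address *a, const ex_address *b)
{
    return a->type == b->type && a->len == b->len &&
           a->len <= sizeof a->data && memcmp(a->data, b->data, a->len) == 0;
}

/* Return 1 if `sender` is acceptable for a credential carrying cred[0..n).
 * allow_any is an assumed server-side switch: when 0, a wildcard entry is
 * skipped and only exact matches count. */
int ex_addr_check(const ex_address *cred, size_t n,
                  const ex_address *sender, int allow_any)
{
    for (size_t i = 0; i < n; i++) {
        if (cred[i].type == EX_ADDR_ANY) {
            if (allow_any)
                return 1;   /* credential is not bound to any address */
            continue;
        }
        if (ex_addr_equal(&cred[i], sender))
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("bound, same host:  %d\n", ex_addr_check(bound_cred, 1, &same_host, 1));
    printf("bound, translated: %d\n", ex_addr_check(bound_cred, 1, &translated, 1));
    printf("any, translated:   %d\n", ex_addr_check(any_cred, 1, &translated, 1));
    printf("any, switch off:   %d\n", ex_addr_check(any_cred, 1, &translated, 0));
    return 0;
}
```

The second case is the translated-address failure from point 1; the last case shows that a server which keeps address binding mandatory still rejects a wildcard-only credential.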