[236] in Kerberos
multi-homed hosts
daemon@TELECOM.MIT.EDU (Jon Rochlis)
Wed Oct 28 14:30:28 1987
From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU
While we're mentioning problems with Kerberos, I should point out that
Kerberos has lots of problems with multi-homed hosts. Basically, if
you make a request for a ticket on one interface, and send it to a service
through another interface, you'll lose because the sealed IP address
won't match the IP address you claim to be coming from.

For example, if you have a network (say 128.15) with a Kerberos server
someplace on it and you have a multi-homed host on milnet (net 26) on
which you want to run some application to talk to something at
MIT, first you go off and talk to your Kerberos server, getting a
ticket with your 128.15 address sealed in it, but when you ship it to
MIT, you'll have your net 26 address in the packet header, and the
server's rd_ap_req will fail.

When talking to the service, binding the socket you intend to use to the
same address that you used to get the ticket in the first place may be
the only "easy" way to fix the problem, without substantial changes to
the guts of Kerberos.
-- Jon
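
The workaround described in the message above, as an added example that is not part of the original post and is not Kerberos source code: the client binds its socket to the address sealed in the ticket before connecting, so the service sees that address as the peer. Assumptions: two loopback addresses stand in for the two interfaces (this relies on a Linux-style loopback where all of 127.0.0.0/8 is local), and `sealed_addr_ok` and `service_accepts` are hypothetical names standing in for the address comparison the message attributes to the server's rd_ap_req.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for the address check described for rd_ap_req:
 * the address sealed in the ticket must equal the peer's source address. */
static int sealed_addr_ok(struct in_addr sealed, const struct sockaddr_in *peer)
{
    return sealed.s_addr == peer->sin_addr.s_addr;
}

/* Connect to a listener on 127.0.0.1 (the "service"), optionally binding the
 * client socket to the ticket's sealed address first.
 * Returns 1 if the server-side check passes, 0 if it fails, -1 on error. */
int service_accepts(const char *sealed_ip, int bind_to_sealed)
{
    struct sockaddr_in srv = {0}, src = {0}, peer;
    socklen_t len = sizeof srv, plen = sizeof peer;
    int result = -1, conn = -1;
    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    int csock = socket(AF_INET, SOCK_STREAM, 0);

    srv.sin_family = src.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (lsock < 0 || csock < 0) goto out;
    if (inet_pton(AF_INET, sealed_ip, &src.sin_addr) != 1) goto out;
    if (bind(lsock, (struct sockaddr *)&srv, sizeof srv) < 0) goto out;
    if (listen(lsock, 1) < 0) goto out;
    if (getsockname(lsock, (struct sockaddr *)&srv, &len) < 0) goto out;

    /* The fix from the message: pin the source address before connect().
     * Without it the kernel chooses the source address from its routing. */
    if (bind_to_sealed &&
        bind(csock, (struct sockaddr *)&src, sizeof src) < 0) goto out;
    if (connect(csock, (struct sockaddr *)&srv, sizeof srv) < 0) goto out;
    conn = accept(lsock, (struct sockaddr *)&peer, &plen);
    if (conn < 0) goto out;
    result = sealed_addr_ok(src.sin_addr, &peer);
out:
    if (conn >= 0) close(conn);
    if (csock >= 0) close(csock);
    if (lsock >= 0) close(lsock);
    return result;
}
```

With the ticket sealed to 127.0.0.2 (constructed sample value), the unbound client arrives from 127.0.0.1 and fails the check, while the bound client passes it.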