From amu@daemon.mit.edu Sat Dec 23 17:56:09 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53]) by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id RAA01016 for ; Sat, 23 Dec 2000 17:56:09 -0500 (EST)
Received: from daemon (adsl-64-123-239-54.dsl.kscymo.swbell.net [64.123.239.54]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id RAA10478 for ; Sat, 23 Dec 2000 17:56:08 -0500 (EST)
Received: from amu by daemon with local (Exim 3.20 #1 (Debian)) id 149xaC-0000J5-00 for ; Sat, 23 Dec 2000 17:56:08 -0500
Message-Id:
Date: Sat, 23 Dec 2000 17:56:08 -0500
From: amu@mit.edu
Sender: "Aaron M. Ucko"
Reply-To: amu@mit.edu
To: krb5-bugs@mit.edu
Subject: Working behind NATs requires disabling address checking entirely.
X-Send-Pr-Version: 3.99

>Number:         910
>Category:       krb5-misc
>Synopsis:       Working behind NATs requires setting noaddresses = true.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Sat Dec 23 17:57:01 EST 2000
>Last-Modified:  Sun Dec 24 00:32:00 EST 2000
>Originator:     Aaron M. Ucko
>Organization:   Massachvsetts Institvte of Technology
>Release:        krb5-1.2.1
>Environment:
laptop running Debian GNU/Linux.
System: Linux daemon 2.2.18 #1 Mon Dec 11 15:40:04 EST 2000 i686 unknown
Architecture: i686
>Description:
When I use my laptop behind a machine which performs network address translation (NAT), I cannot get service tickets unless I set noaddresses = true in my krb5.conf, which opens things up more than I'd like. I would prefer to be able to specify a short list of possible alternate addresses.
>How-To-Repeat:
Attempt to use Kerberos behind a NAT.
>Fix:
Ken Hornstein modified an older version of krb5 to support the proxy_gateway configuration variable; you can find his patch at ftp://ftp.ncsa.uiuc.edu/aces/kerberos/misc_patches/patch.app-proxy
>Audit-Trail:

From: Sam Hartman
To: amu@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 18:00:06 -0500

So, if it were only the security issues I'd think that noaddresses would be quite sufficient. NATs make it easy enough to defeat IP addresses, so I'm not sure that you actually get any security benefit from this patch.

However, there are a lot of things that don't work particularly well behind a NAT--for example krb524init. If this patch helps with any of those issues, then I think it would be a significant win.

From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 21:09:36 -0500

Sam Hartman writes:

> So, if it were only the security issues I'd think that noaddresses
> would be quite sufficient. NATs make it easy enough to defeat IP
> addresses, so I'm not sure that you actually get any security benefit
> from this patch.

Really? I'd think that an attacker would only be able to use stolen tickets behind (or on) one of the specified NATs, which narrows things down about as well as possible.

> However, there are a lot of things that don't work particularly well
> behind a NAT--for example krb524init. If this patch helps with any of
> those issues, then I think it would be a significant win.

krb524init certainly works with noaddresses = true, so I'd imagine it would also work with an updated version of the patch; I'll give it a try when I get a chance.

-- 
Aaron M. Ucko, KB1CJC (finger amu@monk.mit.edu)

From: Sam Hartman
To: amu@MIT.EDU (Aaron M. Ucko)
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:07:55 -0500

>>>>> "Aaron" == Aaron M Ucko writes:

    Aaron> Sam Hartman writes:
    >> So, if it were only the security issues I'd think that
    >> noaddresses would be quite sufficient. NATs make it easy
    >> enough to defeat IP addresses, so I'm not sure that you
    >> actually get any security benefit from this patch.

    Aaron> Really? I'd think that an attacker would only be able to
    Aaron> use stolen tickets behind (or on) one of the specified
    Aaron> NATs, which narrows things down about as well as possible.

Or anyone who can modify source packets. Used to be that was a lot harder than it is now.

From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:31:38 -0500

Sam Hartman writes:

> Or anyone who can modify source packets. Used to be that was a lot
> harder than it is now.

Ah, there are Kerberized apps that still use spoofable protocols? Sigh. In that case, I suppose the patch doesn't raise the barrier enough to be worthwhile.

-- 
Aaron M. Ucko, KB1CJC (finger amu@monk.mit.edu)

>Unformatted:
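For readers who want to see where the workaround from the report's Description actually goes, here is the relevant krb5.conf fragment. This is an added illustration, not text from the report and not part of Ken Hornstein's proxy_gateway patch (whose own syntax is not shown on this page); the realm and KDC names are placeholders, and the comments summarise the failure mode and the trade-off the thread discusses.

```ini
# krb5.conf (added illustration; EXAMPLE.COM / kdc.example.com are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

    # Address-bound tickets (the behaviour the reporter hit): the TGT carries
    # the laptop's private address, but the TGS request reaches the KDC from
    # the NAT's public address, which is not in the ticket, so the KDC refuses
    # to issue service tickets.
    # noaddresses = false

    # Workaround named in the report: request addressless tickets.
    # Trade-off raised in the audit trail: a stolen ticket is no longer tied
    # to any address, rather than only to hosts behind a listed NAT.
    noaddresses = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
```

To confirm the setting took effect, run `kinit` and then `klist -a`, which lists the addresses stored in each credential; an addressless ticket shows none. Later MIT krb5 releases made `noaddresses = true` the default, so on a current installation the report's workaround is already in place unless a site has turned it off.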