Subject: lookaside cache changes open minor exposures

In 3706 I removed the address check from the lookaside cache, because of a valid case where the same message was sent with different source addresses. (That case was IPv4 and IPv6; multihoming can lead to other cases.) However, I think this results in some minor problems:

* A message can be replayed by an attacker from a different source address, and the attacker will get the original reply sent to him. (Of course, the attacker has to get his hands on the original request in the first place, which suggests he's probably, but not necessarily, well-placed to have seen the original reply anyway.) I don't think we can distinguish this case from the legitimate case above.

* This also lets a user bypass certain aspects of the address restrictions we implement. For example: get a TGT that can be used only from address A, but the attacker is at address B; send a TGS request forged from address A (and never receive the reply); send the same TGS request from address B; collect the result.

We could associate an *optional* address, or address list, with cache entries.

See also the changes in ticket 3357 for more lookaside cache issues.
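The two-step bypass and the proposed fix, as an added toy model (not krb5's lookaside cache code, and not part of the ticket). The request encoding ("TGS-REQ|client|service|nonce"), the TGT model, the addresses and the cache API are all constructed stand-ins; the only thing taken from the message is the behaviour being compared: a cache keyed on message bytes alone versus one that records an optional source address per entry. The model records the address only when the reply actually depended on an address check, so an unrestricted retransmit over IPv4 then IPv6 still hits the cache.

```python
"""Toy model of a KDC lookaside (replay) cache and the address-restriction
bypass described in the ticket.  Constructed for illustration; not krb5 code.
The request format, ticket model, addresses and cache API are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    raw: bytes        # stand-in for the encoded TGS-REQ (the real one is ASN.1)
    src_addr: str     # address the request arrived from (spoofable over UDP)


@dataclass(frozen=True)
class TGT:
    client: bytes
    allowed_addrs: frozenset  # empty => the ticket carries no address restriction


class LookasideCache:
    """Replay cache keyed by a hash of the request bytes.

    addr_aware=False models the cache after the address check was removed:
    any source address matches an entry.  addr_aware=True stores an optional
    address per entry; None means "any address", otherwise a resubmission
    must come from the recorded address to hit.
    """

    def __init__(self, addr_aware: bool) -> None:
        self.addr_aware = addr_aware
        self.hits = 0
        self._entries: Dict[bytes, Tuple[Optional[str], bytes]] = {}

    @staticmethod
    def _key(req: Request) -> bytes:
        return hashlib.sha256(req.raw).digest()

    def lookup(self, req: Request) -> Optional[bytes]:
        entry = self._entries.get(self._key(req))
        if entry is None:
            return None
        addr, reply = entry
        if addr is not None and addr != req.src_addr:
            return None  # same bytes, different address: process it afresh
        self.hits += 1
        return reply

    def store(self, req: Request, reply: bytes, addr_checked: bool) -> None:
        # Record the address only if the reply depended on an address check, so
        # unrestricted retransmits (e.g. IPv4 then IPv6) still hit the cache.
        addr = req.src_addr if (self.addr_aware and addr_checked) else None
        self._entries[self._key(req)] = (addr, reply)


class KDC:
    def __init__(self, cache: LookasideCache) -> None:
        self.cache = cache
        self.tgts: Dict[bytes, TGT] = {}  # stands in for decrypting the TGT

    def process(self, req: Request) -> bytes:
        cached = self.cache.lookup(req)
        if cached is not None:
            return cached  # replay: resend the original reply unchanged
        _, client, service, nonce = req.raw.split(b"|")  # toy parser
        tgt = self.tgts[client]
        restricted = bool(tgt.allowed_addrs)
        if restricted and req.src_addr not in tgt.allowed_addrs:
            reply = b"KRB-ERROR|KRB_AP_ERR_BADADDR"
        else:
            reply = b"TGS-REP|" + service + b"|" + nonce
        self.cache.store(req, reply, addr_checked=restricted)
        return reply


def bypass_attempt(addr_aware: bool) -> Tuple[bytes, bytes]:
    """Replay the ticket's two-step attack.  Returns (reply to the request
    forged from A, reply to the attacker's own resend from B)."""
    kdc = KDC(LookasideCache(addr_aware))
    kdc.tgts[b"alice"] = TGT(b"alice", frozenset({"A"}))  # usable only from A
    req_bytes = b"TGS-REQ|alice|host/fs|nonce1"
    # Step 1: attacker at B sends the request with the source forged as A.
    # The KDC answers, but the reply goes to A and the attacker never sees it.
    forged = kdc.process(Request(req_bytes, src_addr="A"))
    # Step 2: attacker resends the identical bytes from B and collects the result.
    resent = kdc.process(Request(req_bytes, src_addr="B"))
    return forged, resent


def legit_retransmit(addr_aware: bool) -> int:
    """The legitimate case: an unrestricted client retransmits the same
    message over IPv4 and then IPv6.  Returns the number of cache hits."""
    kdc = KDC(LookasideCache(addr_aware))
    kdc.tgts[b"bob"] = TGT(b"bob", frozenset())
    req_bytes = b"TGS-REQ|bob|host/fs|nonce2"
    kdc.process(Request(req_bytes, src_addr="192.0.2.10"))
    kdc.process(Request(req_bytes, src_addr="2001:db8::10"))
    return kdc.cache.hits
```

With the address-unaware cache, step 2 is a cache hit and the attacker at B receives the TGS-REP that was issued for address A. With the address-aware cache, the resend from B misses, is processed against the ticket's address list, and gets the error instead, while the unrestricted IPv4/IPv6 retransmit is still served from the cache in both variants. Nothing here distinguishes the first bullet (a plain replay of an unrestricted message from another address) from the legitimate retransmit, which is the limitation the message already notes.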