From amu@daemon.mit.edu Sat Dec 23 17:56:09 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id RAA01016
for <bugs@RT-11.MIT.EDU>; Sat, 23 Dec 2000 17:56:09 -0500 (EST)
Received: from daemon (adsl-64-123-239-54.dsl.kscymo.swbell.net [64.123.239.54])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id RAA10478
for <krb5-bugs@mit.edu>; Sat, 23 Dec 2000 17:56:08 -0500 (EST)
Received: from amu by daemon with local (Exim 3.20 #1 (Debian))
id 149xaC-0000J5-00
for <krb5-bugs@mit.edu>; Sat, 23 Dec 2000 17:56:08 -0500
Message-Id: <E149xaC-0000J5-00@daemon>
Date: Sat, 23 Dec 2000 17:56:08 -0500
From: amu@mit.edu
Sender: "Aaron M. Ucko" <amu@daemon.mit.edu>
Reply-To: amu@mit.edu
To: krb5-bugs@mit.edu
Subject: Working behind NATs requires disabling address checking entirely.
X-Send-Pr-Version: 3.99
System: Linux daemon 2.2.18 #1 Mon Dec 11 15:40:04 EST 2000 i686 unknown
Architecture: i686
address translation (NAT), I cannot get service tickets unless
I set noaddresses = true in my krb5.conf, which opens things
up more than I'd like. I would prefer to be able to specify a
short list of possible alternate addresses.
proxy_gateway configuration variable; you can find his patch at
ftp://ftp.ncsa.uiuc.edu/aces/kerberos/misc_patches/patch.app-proxy
From: Sam Hartman <hartmans@MIT.EDU>
To: amu@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 18:00:06 -0500
So, if it were only the security issues I'd think that noaddresses
would be quite sufficient. NATs make it easy enough to defeat IP
addresses, so I'm not sure that you actually get any security benefit
from this patch.
However, there are a lot of things that don't work particularly well
behind a NAT--for example krb524init. If this patch helps with any of
those issues, then I think it would be a significant win.
From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 21:09:36 -0500
Sam Hartman <hartmans@MIT.EDU> writes:
Really? I'd think that an attacker would only be able to use stolen
tickets behind (or on) one of the specified NATs, which narrows things
down about as well as possible.
krb524init certainly works with noaddresses = true, so I'd imagine it
would also work with an updated version of the patch; I'll give it a
try when I get a chance.
--
Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
From: Sam Hartman <hartmans@MIT.EDU>
To: amu@MIT.EDU (Aaron M. Ucko)
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:07:55 -0500
Or anyone who can modify source packets. Used to be that was a lot
harder than it is now.
From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:31:38 -0500
Sam Hartman <hartmans@MIT.EDU> writes:
Ah, there are Kerberized apps that still use spoofable protocols?
Sigh. In that case, I suppose the patch doesn't raise the barrier
enough to be worthwhile.
--
Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id RAA01016
for <bugs@RT-11.MIT.EDU>; Sat, 23 Dec 2000 17:56:09 -0500 (EST)
Received: from daemon (adsl-64-123-239-54.dsl.kscymo.swbell.net [64.123.239.54])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id RAA10478
for <krb5-bugs@mit.edu>; Sat, 23 Dec 2000 17:56:08 -0500 (EST)
Received: from amu by daemon with local (Exim 3.20 #1 (Debian))
id 149xaC-0000J5-00
for <krb5-bugs@mit.edu>; Sat, 23 Dec 2000 17:56:08 -0500
Message-Id: <E149xaC-0000J5-00@daemon>
Date: Sat, 23 Dec 2000 17:56:08 -0500
From: amu@mit.edu
Sender: "Aaron M. Ucko" <amu@daemon.mit.edu>
Reply-To: amu@mit.edu
To: krb5-bugs@mit.edu
Subject: Working behind NATs requires disabling address checking entirely.
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 910
>Category: krb5-misc
>Synopsis: Working behind NATs requires setting noaddresses = true.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sat Dec 23 17:57:01 EST 2000
>Last-Modified: Sun Dec 24 00:32:00 EST 2000
>Originator: Aaron M. Ucko
>Organization:
Massachvsetts Institvte of Technology>Category: krb5-misc
>Synopsis: Working behind NATs requires setting noaddresses = true.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sat Dec 23 17:57:01 EST 2000
>Last-Modified: Sun Dec 24 00:32:00 EST 2000
>Originator: Aaron M. Ucko
>Organization:
Show quoted text
>Release: krb5-1.2.1
>Environment:
laptop running Debian GNU/Linux.>Environment:
System: Linux daemon 2.2.18 #1 Mon Dec 11 15:40:04 EST 2000 i686 unknown
Architecture: i686
Show quoted text
>Description:
When I use my laptop behind a machine which performs networkaddress translation (NAT), I cannot get service tickets unless
I set noaddresses = true in my krb5.conf, which opens things
up more than I'd like. I would prefer to be able to specify a
short list of possible alternate addresses.
Show quoted text
>How-To-Repeat:
Attempt to use Kerberos behind a NAT.Show quoted text
>Fix:
Ken Hornstein modified an older version of krb5 to support theproxy_gateway configuration variable; you can find his patch at
ftp://ftp.ncsa.uiuc.edu/aces/kerberos/misc_patches/patch.app-proxy
Show quoted text
>Audit-Trail:
From: Sam Hartman <hartmans@MIT.EDU>
To: amu@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 18:00:06 -0500
So, if it were only the security issues I'd think that noaddresses
would be quite sufficient. NATs make it easy enough to defeat IP
addresses, so I'm not sure that you actually get any security benefit
from this patch.
However, there are a lot of things that don't work particularly well
behind a NAT--for example krb524init. If this patch helps with any of
those issues, then I think it would be a significant win.
From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 23 Dec 2000 21:09:36 -0500
Sam Hartman <hartmans@MIT.EDU> writes:
Show quoted text
> So, if it were only the security issues I'd think that noaddresses
> would be quite sufficient. NATs make it easy enough to defeat IP
> addresses, so I'm not sure that you actually get any security benefit
> from this patch.
> would be quite sufficient. NATs make it easy enough to defeat IP
> addresses, so I'm not sure that you actually get any security benefit
> from this patch.
Really? I'd think that an attacker would only be able to use stolen
tickets behind (or on) one of the specified NATs, which narrows things
down about as well as possible.
Show quoted text
> However, there are a lot of things that don't work particularly well
> behind a NAT--for example krb524init. If this patch helps with any of
> those issues, then I think it would be a significant win.
> behind a NAT--for example krb524init. If this patch helps with any of
> those issues, then I think it would be a significant win.
krb524init certainly works with noaddresses = true, so I'd imagine it
would also work with an updated version of the patch; I'll give it a
try when I get a chance.
--
Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
From: Sam Hartman <hartmans@MIT.EDU>
To: amu@MIT.EDU (Aaron M. Ucko)
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:07:55 -0500
Show quoted text
>>>>> "Aaron" == Aaron M Ucko <amu@MIT.EDU> writes:
Show quoted text
Aaron> Sam Hartman <hartmans@MIT.EDU> writes:
Show quoted text
>> So, if it were only the security issues I'd think that
>> noaddresses would be quite sufficient. NATs make it easy
>> enough to defeat IP addresses, so I'm not sure that you
>> actually get any security benefit from this patch.
>> noaddresses would be quite sufficient. NATs make it easy
>> enough to defeat IP addresses, so I'm not sure that you
>> actually get any security benefit from this patch.
Show quoted text
Aaron> Really? I'd think that an attacker would only be able to
Aaron> use stolen tickets behind (or on) one of the specified
Aaron> NATs, which narrows things down about as well as possible.
Aaron> use stolen tickets behind (or on) one of the specified
Aaron> NATs, which narrows things down about as well as possible.
Or anyone who can modify source packets. Used to be that was a lot
harder than it is now.
From: amu@MIT.EDU (Aaron M. Ucko)
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-misc/910: Working behind NATs requires disabling address checking entirely.
Date: 24 Dec 2000 00:31:38 -0500
Sam Hartman <hartmans@MIT.EDU> writes:
Show quoted text
> Or anyone who can modify source packets. Used to be that was a lot
> harder than it is now.
> harder than it is now.
Ah, there are Kerberized apps that still use spoofable protocols?
Sigh. In that case, I suppose the patch doesn't raise the barrier
enough to be worthwhile.
--
Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
Show quoted text
>Unformatted: