List: kerberos
Subject: Re: (mk|rd)_(priv|safe) and NAT
From: Chris Hecker <checker () d6 ! com>
Date: 2011-08-03 22:20:32
Message-ID: 4E39C9B0.7080202 () d6 ! com
> Yes, you will need separate auth contexts if you want to use
> sequence numbers on some messages but not others.

That's what I figured. I'll have to mk_req/rd_req/mk_rep/rd_rep both on
the ordered and unordered channels (which, sadly, are on the same UDP
socket, so it's kind of silly...) to generate the auth_contexts
correctly, right?

Chris

On 2011/08/03 15:13, Greg Hudson wrote:
> On Wed, 2011-08-03 at 17:47 -0400, Chris Hecker wrote:
>> Right, but I'm going to force the replay cache off and use subkeys like
>> we discussed in the other thread. I assume I can't use the do-sequence
>> flag on an unordered/unreliable channel? So, if I want to mk_priv/safe
>> on that channel, will I need another auth_context?
>
> Yes, you will need separate auth contexts if you want to use sequence
> numbers on some messages but not others.
>
> For the unordered messages, since you are using neither sequence numbers
> nor a replay cache, you'll need to address replays at the application
> protocol layer.
>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
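
Added example, not part of the original thread or of the krb5 code base: one way to address replays at the application layer on the unordered channel is a sliding-window check on a counter carried inside the mk_priv/mk_safe payload. The payload layout (a 64-bit counter prepended by the sender), the names replay_window, replay_accept and replay_demo, and the window size are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stddef.h>

#define WINDOW_BITS 64

/* Per-peer receiver state for the unordered channel. */
struct replay_window {
    uint64_t highest;  /* highest counter accepted so far */
    uint64_t seen;     /* bit i set: counter (highest - i) was accepted */
    int started;       /* 0 until the first message is accepted */
};

/* Call only after krb5_rd_priv/krb5_rd_safe has succeeded, with the counter
 * read from the protected payload (assumed layout: the sender prepends a
 * 64-bit counter that never repeats under one subkey).
 * Returns 1 to accept the message, 0 to drop it as a replay. */
int replay_accept(struct replay_window *w, uint64_t ctr)
{
    if (!w->started || ctr > w->highest) {
        uint64_t shift = w->started ? ctr - w->highest : WINDOW_BITS;
        w->seen = (shift >= WINDOW_BITS) ? 0 : (w->seen << shift);
        w->seen |= 1;
        w->highest = ctr;
        w->started = 1;
        return 1;
    }
    uint64_t age = w->highest - ctr;
    if (age >= WINDOW_BITS)
        return 0;                      /* older than the window: cannot tell, so drop */
    if (w->seen & ((uint64_t)1 << age))
        return 0;                      /* already accepted once: replay */
    w->seen |= (uint64_t)1 << age;     /* late but new: accept and remember */
    return 1;
}

/* Constructed arrival order (reordering, duplicates, a jump, stale packets).
 * Bit i of the result is the verdict for the i-th counter. */
unsigned replay_demo(void)
{
    static const uint64_t arrivals[] = { 5, 7, 6, 7, 5, 100, 37, 36, 99, 99 };
    struct replay_window w = { 0, 0, 0 };
    unsigned verdicts = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++)
        verdicts |= (unsigned)replay_accept(&w, arrivals[i]) << i;
    return verdicts;
}
```

The window state belongs to the application, alongside the auth_context for the unordered channel, and should be reset whenever a new subkey is negotiated.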