Subject: Re: behavior of krb5_get_all_server_addrs()
To: None <thorpej@zembu.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-crypto
Date: 12/01/2000 23:11:48
> Sounds like what it should do is bind to wildcard *unless* addresses
> to bind to are explicitly in the configuration file.
>
> Comments?
You need to bind to all the interface addresses in order to assure
that KDC replies come from the address they were sent to..
At least some kerberos implementations verify that responses are
received with a source address equal to the address of the KDC.
If the KDC is multi-homed, binding to all of the machine's addresses
individual is the only vaguely portable way to know which address a
packet was sent to..
- Bill