[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Addressless tickets in 0.8.x

> RFC1918 updates RFC1597.

Yeah, and does that make any difference in detecting that one end 
of the connection is inside        -  (10/8 prefix)      -  (172.16/12 prefix)     - (192.168/16 prefix)
and the other end is not?

> One problem is that when you forward ticket to another host, you have
> to know, or guess, what addresses the host have addresses. 

If I get a connection to something at the other end, the computer
I'm on somehow figured out where to connect to.

> In gss-api
> you don't know the addresses, because the addresses is hidden behind
> a name, and the name doesn't reflect all addresses a host have.

Asuming correct setup and not NAT, is there a case where we can't 
figure out enough?

> I'm
> pretty sure I've recived a bug-repport from you on this issue, you can't
> have the cake and eat it too.

If I remember correctly, the behaviour was that the wrong address of a
bunch (v6 and v4) was chosen. If there is more than one addr, why not
issue tickets for all of them - one of them should be the correct and
can be used later. And at the same time there were endian problems in
the address forwarding part of the code. I don't think this has to do
anything with NAT, does it?

> Even worse when the host is running ipv6 with privacy-protected  
> addresses
> and is constantly switching address to make sure its not trackable.

I bought one of these camo-colored pens and now I can't find it again
in the woods? If someone is using means to be not trackable, it should
be acceptable for that person to know the implications.

> Binding tickets to addresses was a bad idea, it should really be some
> other permanat identifier, if anything at all.

And why was it bad in general to give tickets an address? Or do you
mean that the IP-number is a bad choice of address? Do we have a
better choice?

> > One could change all the krb5_appdefault_*() functions that they do
> > not take a default value, but read a global table containing option,
> > default, max and min value and maybe help string for the option in
> > question. Then a small app can be linked against the same table and
> > print the table in man page format.
> I really don't want to maintain the code in to places, if I needd to  
> do that
> I could just maintain a manfile instead.

I mean you maintain one appdefault_defaults.c file and then you have
all the text that changes in there. To make the manpage you do

cc -o manpagebuilder manpagebuilder.c appdefault_defaults.c && ./manpagebuilder > foo.man

> How about other krb5_config() function ?

Today something like:


Could be replaced with something like:

struct bar { .... KRB5_ADDRESSLESS_DEFAULT, TRUE }
int appdefaults_get_default(char *) /* accesses struct bar */

if ( appdefaults_get_default("no-addesses") ){

And if you don't like strings, use enums but then you have to
have enum->string and string->enum functions.


PS: Unrelated trivia: Someone in Kalmar uses rfc1918.com. Maybe
someone there reads this. Hi!