>I'm still experimenting with Kerberos, Heimdal and addressful tickets.
You know ... back in the day, I tried very hard to make Kerberos work with
addressful tickets (this was with MIT Kerberos, but I believe the issues
are the same). I finally came to the hard realization that this was
a HUGE waste of time.
The primary reason is NAT; NATs (and equivalent technologies)
are all over the place, and basically in the modern Internet you have no
guarantee that the IP address of the host you are talking to matches what
the other end thinks its IP address is. I don't particularly love this
fact, but it's just the reality. Putting IP addresses in tickets just
makes your life harder.
Secondly, the security benefit you get from IP addresses in tickets is
relatively small. I'm not saying it's zero, but it is not large. I do
not think it is worth the pain you will experience.
--Ken