I'd like to make some clarifications about Kerberos and NAT.

>> When AUTH is used with Kerberos 4 and Kerberos 5 there are issues
>> related to the IP addresses which are embedded into the Kerberos
>> tickets which specify the valid machines from which the tickets are
>> valid.

> Are you saying that IP address of the senders is always embedded in
> the kerberos-4 tickets?

In Kerberos 4, when the KDC receives a ticket request, it includes the
source IP address in the returned ticket.  This works fine if the KDC
is across a NAT gateway, as long as all of the Kerberos services are
also across a NAT gateway.

In Kerberos 5, the client specifies a list of IP addresses which the
ticket should be valid for, or it can ask for a ticket valid for all
IP addresses.  By asking for an all-IP-addresses ticket or a ticket
containing the NAT gateway address, you can get krb5 to work with a
NAT gateway, although it isn't very transparent (it requires the
clients to behave differently than they otherwise would).  The MIT
krb5 1.0 implementation didn't have any configurability for what IP
addresses the client asked for (it always asked for the set of its
interface addresses) and did not interact well with NAT.  The MIT krb5
1.1 implementation allows you to put "noaddresses" somewhere in
krb5.conf to request all-IP-addresses-valid tickets.

Not all Kerberos 4 or 5 services actually check source IP addresses.
(I don't have a list of common Kerberos services which do or do not
check source IP addresses, unfortunately.  AFS is a good example of a
Kerberos 4 service which does not.)  Services which don't check are
obviously not picky about NAT gateways.

There are, of course, a substantial number of people who believe that
Kerberos source IP address checking is not worth the trouble, since it
is not a central part of the Kerberos security model.  (Basically, it
means if someone steals Kerberos tickets, they can't use them from a
different IP address unless they can forge the source IP address or
use services which don't check.)
