The site philosophy can be expressed as fail open / fail closed / fail safe / 
fail deadly...
________________________________
From: Brent Kimberley
Sent: Wednesday, March 13, 2024 5:41:58 PM
To: Simo Sorce <s...@redhat.com>; Yoann Gini <yoann.g...@gmail.com>; Ken 
Hornstein <k...@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu <kerberos@mit.edu>
Subject: RE: Looking for a "Kerberos Router"?

To the best of my knowledge, all IPv6 ports should be closed by design and only 
opened if/when approved.

-----Original Message-----
From: Kerberos <kerberos-boun...@mit.edu> On Behalf Of Simo Sorce
Sent: Wednesday, March 13, 2024 4:48 PM
To: Yoann Gini <yoann.g...@gmail.com>; Ken Hornstein <k...@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Subject: Re: Looking for a "Kerberos Router"?


This is well tested:
https://github.com/latchset/kdcproxy


On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > On 13 March 2024 at 17:21, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
> >
> > It does occur to me that maybe if you have different KDC hostnames
> > but the same IP address you could use TLS SNI or hostname routing
> > which you indicated you already use and maybe that would be simpler?
> > That presumes the client implementations set the SNI field (I see
> > that it does send a "Host" header, and it looks like MIT Kerberos
> > does set the SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as 
> exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network
> teams just supporting IPv6 and not blocking random ports for no reason… 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
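Ken's routing idea above presumes the client sets the TLS SNI field. As an added example (not code from this thread or from kdcproxy), the Python below pulls the host_name out of a captured ClientHello and maps it to a backend KDC, failing closed when SNI is absent or unrecognised; the ClientHello builder, KDC hostnames and backend addresses are all constructed for the example.

```python
"""Extract the TLS SNI host name from a captured ClientHello so an operator
can confirm that a KKDCP client actually names the KDC it wants, which is
the prerequisite for SNI-based routing. build_client_hello() is test input."""
import struct

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: name_type 0 (host_name), 16-bit length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry          # list length + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni    # ext type 0 (SNI)
    body = (b"\x03\x03" + b"\x00" * 32                        # version + random
            + b"\x00"                                          # empty session_id
            + b"\x00\x02\x13\x01"                              # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body    # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def extract_sni(record):
    """Return the host_name from the SNI extension, or None if it is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a ClientHello record
    pos = 9 + 2 + 32                                 # skip version + random
    pos += 1 + record[pos]                           # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                           # compression_methods
    if pos + 2 > len(record):
        return None                                  # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == 0 and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii")
        pos += 4 + elen
    return None

# Constructed KDC hostnames and backend addresses for the example.
KDC_BY_NAME = {"kdc-a.example.com": "10.0.0.11", "kdc-b.example.com": "10.0.0.12"}

def route(record):
    """Fail closed: only a recognised SNI name selects a backend KDC."""
    return KDC_BY_NAME.get(extract_sni(record))
```

Feeding a real capture to extract_sni() (the first record of the client's TLS session) shows whether a given Kerberos client implementation sets SNI before an SNI-based router is relied on.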