In Kerberos 4, when the KDC receives a ticket request, it includes the
source IP address in the returned ticket. This works fine if the KDC
is across a NAT gateway, as long as all of the Kerberos services are
also across a NAT gateway.
doesn't this require the NAT to use the same inside<->outside address
binding for the connection between the client and the KDC as for
the connection between the client and the application server?
e.g. it seems like the NAT could easily change address bindings
during the lifetime of a ticket.
Keith