Kerberos messages over TCP
Ken Raeburn
raeburn at MIT.EDU
Thu Jan 29 14:12:41 EST 2004
On Thursday, Jan 29, 2004, at 07:45 US/Eastern, anth0 wrote:
> I am wondering why in the Microsoft Kerberos implementation, an
> alternative to UDP transport is proposed: TCP. I fail to see why TCP
> resolves the UDP datagram size problem.
>
The TCP support is going to be part of the next version of the
specification, as well.
A UDP message is limited to 64K, as I recall. If, for some reason,
there is a large amount of data to be carried in (extended versions of)
the Kerberos tickets, or the preauthentication scheme adds a large
amount of data, then it may not fit. Furthermore, individual packets
on many networks are limited to around 1500 bytes, and I've heard some
routers may have problems with fragmented UDP packets.
In a TCP stream, this limitation is removed; any size of data can be sent.
If it's larger than the packet sizes supported on a network, the
implementation breaks the message down into suitably sized packets for
transmission. Schemes actually exist for figuring out what that size
is, though there are occasional sites that botch their firewall
configurations so as to make that difficult. (UDP wouldn't fare any
better in that case, though.)
Ken
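Ken's size argument restated in terms of the wire format that RFC 4120 later standardized for Kerberos over TCP (a 4-octet big-endian length prefix with the high bit reserved as zero) and the KDC's KRB_ERR_RESPONSE_TOO_BIG signal that tells a client to retry over TCP. This is an added example, not code from the thread or from any Kerberos implementation; the IPv4/Ethernet header sizes are assumptions and the message bytes are constructed stand-ins, not real DER.

```python
"""Kerberos UDP size limits versus RFC 4120 TCP framing (added example)."""
import struct

MAX_UDP_PAYLOAD = 65507        # IPv4 UDP payload ceiling: 65535 - 20 (IP) - 8 (UDP)
IPV4_UDP_HEADERS = 28          # assumed: bytes of IP+UDP header per datagram
TCP_LENGTH_MASK = 0x7FFFFFFF   # RFC 4120 7.2.2: high bit of the length MUST be zero
KRB_ERR_RESPONSE_TOO_BIG = 52  # KDC error code: "retry this request over TCP"


def will_fragment(message: bytes, mtu: int = 1500) -> bool:
    """True if a single UDP datagram carrying `message` exceeds the link MTU."""
    return len(message) > mtu - IPV4_UDP_HEADERS


def transport_for(message: bytes, kdc_error: int = 0) -> str:
    """Pick UDP unless the message cannot fit or the KDC has already said so."""
    if kdc_error == KRB_ERR_RESPONSE_TOO_BIG or len(message) > MAX_UDP_PAYLOAD:
        return "tcp"
    return "udp"


def frame_tcp(message: bytes) -> bytes:
    """Prefix one KDC request/response with its 4-octet network-order length."""
    if len(message) > TCP_LENGTH_MASK:
        raise ValueError("message too large for the 31-bit length field")
    return struct.pack("!I", len(message)) + message


def read_frames(stream: bytes):
    """Split a TCP byte stream into complete messages; returns (frames, leftover).

    The leftover is a partial frame the caller must complete with further reads,
    which is exactly the reassembly work the UDP path cannot do for you.
    """
    frames, offset = [], 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, offset)
        if length & ~TCP_LENGTH_MASK:
            raise ValueError("reserved high bit set in length prefix")
        if offset + 4 + length > len(stream):
            break  # incomplete frame: wait for more bytes
        frames.append(stream[offset + 4:offset + 4 + length])
        offset += 4 + length
    return frames, stream[offset:]


if __name__ == "__main__":
    # Constructed stand-in for a large AS-REQ with a bulky preauth payload (not real DER).
    big_req = b"\x6a" + b"\x00" * 70000
    print(will_fragment(big_req), transport_for(big_req))  # True tcp
    print(read_frames(frame_tcp(b"abc") + frame_tcp(b"hello") + b"\x00\x00\x00\x10pa"))
```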