UDP and fragmentation
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Mon Aug 2 01:42:43 EDT 2010
Colleagues,
Quoting from http://support.microsoft.com/kb/244474/
By default, Kerberos uses connectionless UDP datagram packets.
Depending on a variety of factors including security identifier (SID)
history and group membership, some accounts will have larger Kerberos
authentication packet sizes. Depending on the virtual private network
(VPN) hardware configuration, these larger packets have to be
fragmented when going through a VPN. The problem is caused by
fragmentation of these large UDP Kerberos packets. Because UDP is a
connectionless protocol, fragmented UDP packets will be dropped if
they arrive at the destination out of order.
Quoting from
http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
A common problem is that routers will arbitrarily fragment UDP
packets; when this happens the Kerberos ticket request packets are
discarded by the KDC.
Please tell me how on earth does the KDC know that the packet has been
fragmented? Packets are fragmented and reassembled on the network
level (IP level), the fragmentation process should be opaque to UDP
and the application, shouldn't it?
I assume the KDC should just receive data from the socket, no matter
if the datagram was bigger than the MTU, is it correct?
TIA.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
More information about the Kerberos
mailing list