UDP and fragmentation

Jeffrey Altman jaltman at secure-endpoints.com
Tue Aug 3 18:50:46 EDT 2010


Many VPNs are built into routers that support stateful packet
inspection as part of the firewall.  If the VPN is IPSec based, the MTU
on the VPN connection is typically 152 octets smaller than the MTU on
the networks it connects.  As a result any packet that is larger than
this smaller MTU size must be fragmented.  Unfortunately, many of the
routers are configured to drop fragmented UDP packets because
reconstructing the packets to pass them through the stateful packet
inspection algorithms in one piece requires memory and CPU resources
which, when used for this purpose, would hinder overall throughput statistics.

To answer your question, the KDC does not see the fragmentation.  It
often doesn't see the packets at all or only sees the first fragment of
the message which is insufficient to generate a response.

Jeffrey Altman


On 8/2/2010 1:42 AM, Victor Sudakov wrote:
> Colleagues,
>
> Quoting from http://support.microsoft.com/kb/244474/
> By default, Kerberos uses connectionless UDP datagram packets.
> Depending on a variety of factors including security identifier (SID)
> history and group membership, some accounts will have larger Kerberos
> authentication packet sizes. Depending on the virtual private network
> (VPN) hardware configuration, these larger packets have to be
> fragmented when going through a VPN. The problem is caused by
> fragmentation of these large UDP Kerberos packets. Because UDP is a
> connectionless protocol, fragmented UDP packets will be dropped if
> they arrive at the destination out of order.
>
> Quoting from
> http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
> A common problem is that routers will arbitrarily fragment UDP
> packets; when this happens the Kerberos ticket request packets are
> discarded by the KDC. 
>
> Please tell me how on earth does the KDC know that the packet has been
> fragmented? Packets are fragmented and reassembled on the network
> level (IP level), the fragmentation process should be opaque to UDP
> and the application, shouldn't it? 
>
> I assume the KDC should just receive data from the socket, no matter
> if the datagram was bigger than the MTU, is it correct?
>
> TIA.
>
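The mechanism described in the reply above, as an added example that is not code from this thread: a small Python model of IPv4 fragmentation of a UDP Kerberos datagram across an IPsec VPN whose path MTU is 152 octets below the LAN MTU, followed by a stateful firewall that forwards only the first fragment, and the receiving host's reassembly. The 1500-octet LAN MTU, the 152-octet IPsec overhead and the 20/8-octet IPv4/UDP header sizes are standard figures; the request sizes are constructed sample values, and the `Fragment`, `kdc_view` and `max_unfragmented_udp_payload` names are this example's own.

```python
"""Model why a KDC behind a fragment-dropping VPN router never sees a large
UDP Kerberos request.  Added illustration, not code from the mailing list."""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20   # octets, no options
UDP_HEADER = 8     # octets


@dataclass
class Fragment:
    offset: int            # byte offset of this piece within the transport segment
    more_fragments: bool   # the IPv4 MF flag
    payload: bytes


def max_unfragmented_udp_payload(mtu: int) -> int:
    """Largest application payload that fits in one IPv4/UDP packet of size `mtu`."""
    return mtu - IPV4_HEADER - UDP_HEADER


def fragment_ipv4(udp_payload: bytes, mtu: int) -> List[Fragment]:
    """Split one UDP datagram into the IPv4 fragments a router emits for `mtu`.

    Only the first fragment carries the UDP header; every fragment except the
    last carries a payload that is a multiple of 8 octets, as IPv4 requires."""
    segment = b"\x00" * UDP_HEADER + udp_payload   # constructed UDP header placeholder
    max_per_fragment = mtu - IPV4_HEADER
    if len(segment) <= max_per_fragment:
        return [Fragment(0, False, segment)]
    chunk = max_per_fragment - (max_per_fragment % 8)
    fragments, offset = [], 0
    while offset < len(segment):
        piece = segment[offset:offset + chunk]
        nxt = offset + len(piece)
        fragments.append(Fragment(offset, nxt < len(segment), piece))
        offset = nxt
    return fragments


def stateful_firewall(fragments: List[Fragment], drop_fragments: bool) -> List[Fragment]:
    """A router that refuses to reassemble for inspection: the initial fragment
    (offset 0, the only one with a UDP header to inspect) passes, the rest are dropped."""
    if not drop_fragments:
        return list(fragments)
    return [f for f in fragments if f.offset == 0]


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Host-side IPv4 reassembly: returns the UDP payload only if every piece
    arrived; any hole means the reassembly timer expires and the datagram is
    discarded, so the application socket never receives anything."""
    if not fragments:
        return None
    buf, expected = bytearray(), 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        if frag.offset != expected:
            return None
        buf += frag.payload
        expected += len(frag.payload)
    if fragments and sorted(fragments, key=lambda f: f.offset)[-1].more_fragments:
        return None
    return bytes(buf[UDP_HEADER:])


def kdc_view(request: bytes, lan_mtu: int = 1500, ipsec_overhead: int = 152,
             firewall_drops_fragments: bool = True) -> dict:
    """Send one UDP Kerberos request across the VPN and report what the KDC's socket sees."""
    vpn_mtu = lan_mtu - ipsec_overhead
    sent = fragment_ipv4(request, vpn_mtu)
    arrived = stateful_firewall(sent, firewall_drops_fragments)
    data = reassemble(arrived)
    return {
        "vpn_mtu": vpn_mtu,
        "fragments_sent": len(sent),
        "fragments_arrived": len(arrived),
        "request_seen_by_kdc": data == request,
    }


if __name__ == "__main__":
    for size in (1200, 1320, 1321, 2000):   # constructed request sizes in octets
        print(size, kdc_view(b"K" * size))
```

With the default numbers the VPN MTU is 1348 octets, so any Kerberos request above 1320 octets (a large PAC or long SID history, as the KB article describes) becomes two fragments; the firewall forwards only the first, reassembly on the KDC never completes, and the KDC's socket receives nothing. The usual mitigation is to make the client use TCP for requests above a threshold: MIT Kerberos does this via `udp_preference_limit` in the `[libdefaults]` section of krb5.conf, and Windows clients via the `MaxPacketSize` registry value documented in the KB article quoted above.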


