UDP and fragmentation
Danny Mayer
mayer at gis.net
Thu Aug 5 07:48:32 EDT 2010
On 8/2/2010 1:42 AM, Victor Sudakov wrote:
> Colleagues,
>
> Quoting from http://support.microsoft.com/kb/244474/
> By default, Kerberos uses connectionless UDP datagram packets.
> Depending on a variety of factors including security identifier (SID)
> history and group membership, some accounts will have larger Kerberos
> authentication packet sizes. Depending on the virtual private network
> (VPN) hardware configuration, these larger packets have to be
> fragmented when going through a VPN. The problem is caused by
> fragmentation of these large UDP Kerberos packets. Because UDP is a
> connectionless protocol, fragmented UDP packets will be dropped if
> they arrive at the destination out of order.
>
Any VPN that cannot handle UDP fragmentation is broken. Get one that
works. Routers need to fragment packets as necessary but that should be
transparent to the higher layers.
Danny
> Quoting from
> http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
> A common problem is that routers will arbitrarily fragment UDP
> packets; when this happens the Kerberos ticket request packets are
> discarded by the KDC.
>
> Please tell me how on earth does the KDC know that the packet has been
> fragmented? Packets are fragmented and reassembled on the network
> level (IP level), the fragmentation process should be opaque to UDP
> and the application, shouldn't it?
>
> I assume the KDC should just receive data from the socket, no matter
> if the datagram was bigger than the MTU, is it correct?
>
> TIA.
>