UDP and fragmentation

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Mon Sep 13 05:21:32 EDT 2010


Danny Mayer wrote:
> > 
> > Quoting from http://support.microsoft.com/kb/244474/
> > By default, Kerberos uses connectionless UDP datagram packets.
> > Depending on a variety of factors including security identifier (SID)
> > history and group membership, some accounts will have larger Kerberos
> > authentication packet sizes. Depending on the virtual private network
> > (VPN) hardware configuration, these larger packets have to be
> > fragmented when going through a VPN. The problem is caused by
> > fragmentation of these large UDP Kerberos packets. Because UDP is a
> > connectionless protocol, fragmented UDP packets will be dropped if
> > they arrive at the destination out of order.
> > 

> Any VPN that cannot handle UDP fragmentation is broken. Get one that
> works. 

There is no VPN in my setup. Just the Kerberos packets are for some
reason bigger than the 1500 MTU can handle.

BTW what can make Kerberos packets so big? Microsoft says: "Depending
on a variety of factors including security identifier (SID) history
and group membership, some accounts will have larger Kerberos
authentication packet sizes." What's there inside? Long principal
names? Long keys?

> Routers need to fragment packets as necessary but that should be
> transparent to the higher layers.

I thought so too but Microsoft seems to think otherwise.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
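An added example, not part of this thread: a small Python model of how an IPv4 router fragments a large UDP Kerberos datagram for a 1500-byte MTU, which fragment carries the UDP header that a port-based filter needs, and that a correct reassembler accepts fragments in any order. Sizes are constructed and the IPv4 header is assumed to carry no options.

```python
# Added example (not from the mailing-list thread). Models IPv4 fragmentation
# of a UDP datagram (e.g. a Kerberos AS-REP/TGS-REP on UDP/88) at a 1500 MTU.
IPV4_HEADER = 20          # assumed: no IP options
UDP_HEADER = 8
MTU = 1500
KERBEROS_UDP_PORT = 88    # only present in the first fragment's UDP header


def fragment(udp_payload_len, mtu=MTU):
    """Return [(offset_bytes, payload_bytes, more_fragments), ...] for an IPv4
    packet whose payload is a UDP datagram with udp_payload_len data bytes."""
    datagram = UDP_HEADER + udp_payload_len    # UDP header rides in the IP payload
    if IPV4_HEADER + datagram <= mtu:
        return [(0, datagram, False)]          # fits: no fragmentation needed
    per_frag = (mtu - IPV4_HEADER) // 8 * 8    # non-last fragments are 8-byte multiples
    frags, off = [], 0
    while off < datagram:
        size = min(per_frag, datagram - off)
        nxt = off + size
        frags.append((off, size, nxt < datagram))   # MF flag set unless last
        off = nxt
    return frags


def carries_l4_header(frag):
    """Only the offset-0 fragment contains the UDP header (ports, length).
    A stateless port-based filter cannot classify the remaining fragments."""
    return frag[0] == 0


def reassemble(frags):
    """Reassemble fragments delivered in ANY order, as a correct IP stack does.
    Returns the datagram length, or None if a fragment is missing."""
    ordered = sorted(frags)
    expected = 0
    for off, size, more in ordered:
        if off != expected:
            return None                    # gap: a fragment was lost or dropped
        expected = off + size
    if not ordered or ordered[-1][2]:      # last piece still says "more fragments"
        return None
    return expected


if __name__ == "__main__":
    # Constructed sizes: a 3000-byte Kerberos reply vs. one that fits in 1500.
    for n in (1300, 3000):
        fr = fragment(n)
        print(n, "->", len(fr), "fragment(s);",
              sum(carries_l4_header(f) for f in fr), "with UDP header")
```

Feeding `reassemble` the fragments in reverse order still yields the full length; what actually breaks such traffic is a stateless middlebox that can only match the first fragment, not reordering itself.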
