max size for ap-req and ap-rep?
Douglas E. Engert
deengert at anl.gov
Mon Aug 8 09:39:37 EDT 2011
On 8/8/2011 12:38 AM, Greg Hudson wrote:
> On Sun, 2011-08-07 at 03:13 -0400, Chris Hecker wrote:
>> Is there a max size for the AP-REQ and AP-REP packets? Even a
>> conservative (e.g. never > 768 bytes) would be fine.
If you are using Windows AD for the KDC, the authdata Greg refers
to below contains the PAC so could be large.
http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx
in section "Recommended Maximum Kerberos Settings", says 65,535.
>
> In principle, there is no maximum size for AP-REQ, because tickets can
> get arbitrarily large due to authdata. If you're not doing anything
> fancy with authdata and can bound the size of client and server
> principal names, you could probably compute a maximum size, but I don't
> have one offhand.
>
> AP-REP packets do not have a lot of variability in size because they
> contain no strings. If you look at an AP-REP packet containing an
> AES256 subkey, that's probably as large as you're going to see, modulo a
> few bytes to account for variable-length ASN.1 encoding of integers.
> Again, though, I don't have any specific numbers in my head for that.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
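
Added example, not part of the original thread and not MIT Kerberos code: since the thread gives no protocol-level maximum for AP-REQ, a receiver can read the DER header first and refuse any message that announces more than a locally chosen cap before allocating a buffer. The function name and `KRB_MSG_CAP` are assumptions for illustration; the cap reuses the 65,535 figure cited above, and the tags are the RFC 4120 application tags for AP-REQ (14) and AP-REP (15).

```c
#include <stddef.h>
#include <stdint.h>

#define KRB_TAG_AP_REQ 0x6E   /* [APPLICATION 14], constructed */
#define KRB_TAG_AP_REP 0x6F   /* [APPLICATION 15], constructed */
#define KRB_MSG_CAP    65535u /* assumed local policy cap, not a protocol limit */

/*
 * Inspect the DER header of an incoming AP-REQ/AP-REP.
 * Returns the total encoded size (header + contents) so the caller knows
 * how many bytes to read, or 0 if the header is truncated, malformed,
 * not one of these two message types, or announces more than cap bytes.
 */
size_t krb_ap_msg_size(const uint8_t *buf, size_t avail, size_t cap)
{
    size_t hdr, len = 0, nlen, i;

    if (avail < 2)
        return 0;
    if (buf[0] != KRB_TAG_AP_REQ && buf[0] != KRB_TAG_AP_REP)
        return 0;

    if (buf[1] < 0x80) {              /* short form: length in one byte */
        hdr = 2;
        len = buf[1];
    } else {                          /* long form: next nlen bytes hold length */
        nlen = buf[1] & 0x7F;
        if (nlen == 0 || nlen > 4)    /* indefinite length or oversized field */
            return 0;
        if (avail < 2 + nlen)         /* header itself is truncated */
            return 0;
        if (buf[2] == 0)              /* DER forbids leading zero octets */
            return 0;
        for (i = 0; i < nlen; i++)
            len = (len << 8) | buf[2 + i];
        if (len < 0x80)               /* DER requires short form here */
            return 0;
        hdr = 2 + nlen;
    }

    /* Enforce the cap on the whole message without overflowing. */
    if (len > cap || hdr > cap - len)
        return 0;
    return hdr + len;
}
```

A return of 0 should be treated as a reason to drop the connection rather than to retry with a larger buffer.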