Kerberos packets appear to be larger
Greg Hudson
ghudson at MIT.EDU
Thu Aug 8 01:05:25 EDT 2013
On 08/07/2013 07:26 PM, Jeremy Hunt wrote:
> Greg Hudson wrote:
>> In my test environment with a des3-hmac-sha1 long-term user key, I get
>> an AS-REP size of 250 bytes for a preauth-required error, and 714 bytes
>> for an issued TGT. The values in my 1.8 test environment aren't much
>> different (237 and 724 bytes). So I'm not sure why your AS-REPs are so
>> much larger to start with, and why they would have gone up by so much.
> Sorry, I converted a hex dump to bytes, ... and please note I wrote the
> last email at 2 am my time. Stupidly I made a mistake, the sizes are out
> by a factor of two.
Okay, that's at least closer to what I'm seeing, but I still don't know
why you're seeing a 186-byte increase in reply size between 1.8 and 1.11
while I am not.
> I can do a snoop (it is a built MIT Kerberos on Solaris) and look at the
> dump in wireshark, but I think you are alarmed by my report of double
> sized packets Greg. Sorry to alarm you, do you still want a dump?
It's not a matter of alarm, just that more information is needed to help
resolve your problem. I can't bring to mind any changes between 1.8 and
1.11 which would increase the size of an AS-REP by very much, and
since I can't reproduce the difference in my own tests, I can't
productively investigate. There was a change in 1.8 which increased the
size of the ticket by around 70 bytes, but that should already be
reflected in your old deployment.
All of the configuration knobs you mentioned are only likely to change
the reply size by a few bytes at most.
> I note that the sizes Greg quotes are still too large for my legacy
> application. I also notice that the sizes of the packets have gone up by
> a factor of 3.
They have not gone up by a factor of three. A preauth-required error is
much smaller than an AS-REP because it doesn't include a ticket.
Preauth-required errors were around 250 bytes in both environments, and
replies with issued TGTs were around 720 bytes in both. (The
environments I used weren't completely identical, so the small
differences could be accounted for by different realm names and TGT key
enctypes.)
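The sizes being compared above are the DER-encoded KDC replies as they appear on the wire, and the two message kinds can be told apart by their outer ASN.1 APPLICATION tag (RFC 4120: KRB-ERROR is [APPLICATION 30], AS-REP is [APPLICATION 11]). The following script is an added example, not code from this thread or from MIT Kerberos: it parses that outer tag and DER length, checks that the length agrees with the captured payload, and reports each reply against a size budget. The sample payloads are constructed here with opaque filler in place of real reply bodies, sized to mirror the roughly 250-byte error and 714-byte TGT reply quoted in the thread, and the 512-byte budget in the usage is an assumed stand-in for whatever limit a legacy application imposes. The optional `tcp` handling assumes the 4-octet length prefix of RFC 4120 section 7.2.2, with the high bit reserved per RFC 5021.

```python
import struct

# Outer APPLICATION tag numbers for the KDC messages of interest (RFC 4120, section 5.4 / 5.9)
KRB_APP_TAGS = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    30: "KRB-ERROR",
}


def parse_tl(buf, offset=0):
    """Decode one DER tag and length at offset.

    Returns (tag_class, constructed, tag_number, content_length, header_length).
    """
    first = buf[offset]
    tag_class = first >> 6            # 0=universal 1=application 2=context 3=private
    constructed = bool(first & 0x20)
    tag_number = first & 0x1F
    pos = offset + 1
    if tag_number == 0x1F:            # high-tag-number form, base-128 continuation bytes
        tag_number = 0
        while True:
            b = buf[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length_byte = buf[pos]
    pos += 1
    if length_byte & 0x80:
        n = length_byte & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = length_byte
    return tag_class, constructed, tag_number, length, pos - offset


def classify_kdc_message(payload, tcp=False):
    """Return (message name, encoded size in bytes) for one captured KDC reply.

    With tcp=True the payload is expected to carry the 4-octet big-endian
    length prefix used over TCP (RFC 4120 section 7.2.2); the high bit of that
    prefix is reserved for extensions (RFC 5021) and is rejected here.
    """
    if tcp:
        (prefix,) = struct.unpack(">I", payload[:4])
        if prefix & 0x80000000:
            raise ValueError("TCP extension flag set; not a plain KDC message")
        payload = payload[4:4 + prefix]
    tag_class, constructed, tag_number, length, header_len = parse_tl(payload)
    if tag_class != 1 or not constructed:
        raise ValueError("not a Kerberos APPLICATION-tagged message")
    total = header_len + length
    if total != len(payload):
        raise ValueError(f"DER length {total} does not match payload length {len(payload)}")
    return KRB_APP_TAGS.get(tag_number, f"APPLICATION {tag_number}"), total


def der_app(tag_number, content):
    """Wrap content in a constructed [APPLICATION tag_number] DER TLV (low tag numbers only)."""
    assert tag_number < 31
    n = len(content)
    if n < 0x80:
        length_bytes = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length_bytes = bytes([0x80 | len(lb)]) + lb
    return bytes([0x60 | tag_number]) + length_bytes + content


# Constructed samples (not real captures): zero filler stands in for the reply bodies,
# sized so the encodings come to 250 bytes (KRB-ERROR) and 714 bytes (AS-REP).
SAMPLE_PAYLOADS = [
    der_app(30, b"\x00" * 247),   # 3-byte header + 247 bytes of content
    der_app(11, b"\x00" * 710),   # 4-byte header + 710 bytes of content
]


def size_report(payloads, budget):
    """List (name, size, fits) for each reply against an assumed byte budget."""
    return [(name, size, size <= budget)
            for name, size in map(classify_kdc_message, payloads)]


if __name__ == "__main__":
    for name, size, fits in size_report(SAMPLE_PAYLOADS, budget=512):   # 512 is an assumed limit
        print(f"{name:10s} {size:4d} bytes  {'ok' if fits else 'over budget'}")
```

To use it on a real trace, feed each UDP payload of the KDC reply (or the TCP record including its length prefix, with tcp=True) to classify_kdc_message; the length check also flags a reply that was truncated in the capture.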