Kerberos packets appear to be larger

Jeremy Hunt jeremyh at optimation.com.au
Thu Aug 8 01:41:28 EDT 2013


Greg Hudson wrote:
> On 08/07/2013 07:26 PM, Jeremy Hunt wrote:
>> Greg Hudson wrote:
>>> In my test environment with a des3-hmac-sha1 long-term user key, I get
>>> an AS-REP size of 250 bytes for a preauth-required error, and 714 bytes
>>> for an issued TGT.  The values in my 1.8 test environment aren't much
>>> different (237 and 724 bytes).  So I'm not sure why your AS-REPs are so
>>> much larger to start with, and why they would have gone up by so much.
>> Sorry, I converted a hex dump to bytes, ... and please note I wrote the
>> last email at 2 am my time. Stupidly I made a mistake, the sizes are out
>> by a factor of two.
> Okay, that's at least closer to what I'm seeing, but I still don't know
> why you're seeing a 186-byte increase in reply size between 1.8 and 1.11
> while I am not.
>
>> I can do a snoop (it is a built MIT Kerberos on Solaris) and look at the
>> dump in wireshark, but I think you are alarmed by my report of double
>> sized packets Greg. Sorry to alarm you, do you still want a dump?
> It's not a matter of alarm, just that more information is needed to help
> resolve your problem.  I can't bring to mind any changes between 1.8 and
> 1.11 which would increase the size of an AS-REP by very much, and
> since I can't reproduce the difference in my own tests, I can't
> productively investigate.  There was a change in 1.8 which increased the
> size of the ticket by around 70 bytes, but that should already be
> reflected in your old deployment.
>
> All of the configuration knobs you mentioned are only likely to change
> the reply size by a few bytes at most.
I can produce a snoop trace of both from my DEV environment; in fact I
have the 1.11 already. Do you want a PDML export, a txt export, the raw
snoop file or any other format?
Do you mind if I just send it to you rather than the list, especially if
you want the raw snoop files? I prefer not to broadcast network
information widely; it is just our dev environment, but still.
>> I note that the sizes Greg quotes are still too large for my legacy
>> application. I also notice that the sizes of the packets have gone up by
>> a factor of 3.
> They have not gone up by a factor of three.  A preauth-required error is
> much smaller than an AS-REP because it doesn't include a ticket.
> Preauth-required errors were around 250 bytes in both environments, and
> replies with issued TGTs were around 720 bytes in both.  (The
> environments I used weren't completely identical, so the small
> differences could be accounted for by different realm names and TGT key
> enctypes.)
>
Sorry, I misread your email; I thought it was one size at 1.8 and the
other at 1.11. You have clarified the smaller as the Pre-Auth error
AS-REP. I understand why the error packet is smaller.