Kerberos / GSS-API for SCTP

Rick van Rein rick at openfortress.nl
Fri Oct 10 09:38:46 EDT 2014


Hello,

I am looking into GSS-API as a protection mechanism for SCTP connections.  SCTP connects multiple independent streams at once, and can decide on in-order or out-of-order delivery on a per-frame basis.  SCTP has reliable delivery by default.

I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message.  I assume that the receiving side would verify that sequence number, and drop any thing too old, and perhaps also anything too new.  This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus too limiting to use with SCTP.  Am I correct?  I found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions it :-S

FWIW, our aim is cross-realm RADIUS, SNMP and more — protocols that benefit from out-of-order delivery but that would require both reliable delivery and security.  TLS-over-TCP enforces ordering of independent packets, and DTLS-over-UDP isn’t reliable.  SCTP is just right, after adding security; and Kerberos is more sane than (D)TLS in our architecture.


Thanks,

Rick van Rein
InternetWide.org / OpenFortress.nl


More information about the Kerberos mailing list