Kerberos / GSS-API for SCTP
Rick van Rein
rick at openfortress.nl
Fri Oct 10 09:38:46 EDT 2014
Hello,
I am looking into GSS-API as a protection mechanism for SCTP connections. SCTP connects multiple independent streams at once, and can decide on in-order or out-of-order delivery on a per-frame basis. SCTP has reliable delivery by default.
I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message. I assume that the receiving side would verify that sequence number, and drop any thing too old, and perhaps also anything too new. This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus too limiting to use with SCTP. Am I correct? I found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions it :-S
FWIW, our aim is cross-realm RADIUS, SNMP and more — protocols that benefit from out-of-order delivery but that would require both reliable delivery and security. TLS-over-TCP enforces ordering of independent packets, and DTLS-over-UDP isn’t reliable. SCTP is just right, after adding security; and Kerberos is more sane than (D)TLS in our architecture.
Thanks,
Rick van Rein
InternetWide.org / OpenFortress.nl
More information about the Kerberos
mailing list