Kerberos / GSS-API for SCTP
Rick van Rein
rick at openfortress.nl
Fri Oct 10 09:50:37 EDT 2014
*blush*
I solved my own question!
> I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message. I assume that the receiving side would verify that sequence number, and drop anything too old, and perhaps also anything too new. This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus too limiting to use with SCTP. Am I correct? I found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions it :-S
I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that is also available in the Kerberos mapping of GSS-API. So the answer appears to be “yes, you can do this with Kerberos”.
I’m going to assume that MIT krb5 will indeed implement these.
-Rick
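The distinction the message above draws, as an added illustration that is not code from MIT krb5 or from the thread's author: a small model of how a GSS-API receiver treats per-message sequence numbers when the context was established with GSS_C_REPLAY_FLAG only versus with GSS_C_SEQUENCE_FLAG as well. The flag values are the ones RFC 2744 assigns, and the status names follow the supplementary codes of RFC 2743 section 1.2.3; the replay-window size, the exact drop rules and the arrival order are assumptions constructed for this model.

```python
# Model of GSS-API per-message sequence handling (added example, not MIT krb5
# code). Flag values from RFC 2744; status names from RFC 2743 section 1.2.3.
# Window size and drop rules are assumptions of this model.

GSS_C_REPLAY_FLAG = 4     # replay detection requested
GSS_C_SEQUENCE_FLAG = 8   # strict in-order delivery requested

GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_DUPLICATE_TOKEN = "GSS_S_DUPLICATE_TOKEN"  # same token seen before
GSS_S_OLD_TOKEN = "GSS_S_OLD_TOKEN"              # too old to check for replay
GSS_S_UNSEQ_TOKEN = "GSS_S_UNSEQ_TOKEN"          # arrived after a later token
GSS_S_GAP_TOKEN = "GSS_S_GAP_TOKEN"              # an earlier token is still missing


class SequenceChecker:
    """Per-context receive state for one direction of per-message tokens."""

    def __init__(self, flags, window=64):
        self.replay = bool(flags & GSS_C_REPLAY_FLAG)
        self.strict = bool(flags & GSS_C_SEQUENCE_FLAG)
        self.window = window        # assumption: sliding window of 64 numbers
        self.expected = 0           # next number required in strict mode
        self.highest = -1           # highest number accepted so far
        self.seen = set()           # accepted numbers still inside the window

    def check(self, seq):
        """Return the status a receiver would report for sequence number seq."""
        if not (self.replay or self.strict):
            return GSS_S_COMPLETE          # nothing requested, nothing checked
        if seq in self.seen:
            return GSS_S_DUPLICATE_TOKEN   # replay, caught in either mode
        if self.strict:
            if seq > self.expected:
                return GSS_S_GAP_TOKEN     # a lower number has not arrived yet
            if seq < self.expected:
                return GSS_S_UNSEQ_TOKEN   # arrived late
            self.expected += 1
        elif seq <= self.highest - self.window:
            return GSS_S_OLD_TOKEN         # fell out of the replay window
        self._accept(seq)
        return GSS_S_COMPLETE

    def _accept(self, seq):
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # numbers below the window are reported as OLD, so forget them
        self.seen = {s for s in self.seen if s > self.highest - self.window}


def deliver(flags, arrivals):
    """Feed sequence numbers in arrival order; return (seq, status) per token."""
    checker = SequenceChecker(flags)
    return [(seq, checker.check(seq)) for seq in arrivals]


# Constructed arrival order, as an unordered SCTP stream might produce it:
# tokens 1 and 2 swap places, and token 1 is replayed at the end.
ARRIVALS = [0, 2, 1, 3, 1]

if __name__ == "__main__":
    for name, flags in (("replay only", GSS_C_REPLAY_FLAG),
                        ("replay + sequence", GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG)):
        print(name)
        for seq, status in deliver(flags, ARRIVALS):
            print(f"  seq {seq}: {status}")
```

With replay detection alone, the two swapped tokens are both accepted and only the replayed token is rejected; with sequence checking added, the receiver also refuses the two legitimate tokens that arrived out of order, which is the behaviour that makes GSS_C_SEQUENCE_FLAG unsuitable for an unordered transport.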