Kerberos / GSS-API for SCTP
Greg Hudson
ghudson at mit.edu
Fri Oct 10 11:14:23 EDT 2014
On 10/10/2014 09:50 AM, Rick van Rein wrote:
> I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that is also available in the Kerberos mapping of GSS-API. So the answer appears to be “yes, you can do this with Kerberos”.
You probably want to be looking at RFC 2743 and RFC 2744, not RFC 1509,
but yes.
> I’m going to assume that MIT krb5 will indeed implement these.
We do. Some implementation limits to be aware of:
* Prior to 1.12.2, we had a bug where initial out-of-order delivery
could result in GSS_S_FAILURE. The ticket is:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7872
* Prior to 1.13, we can detect replays matching any of the 20 previously
received sequence numbers. I think sequence numbers below the range of
that set will result in GSS_S_FAILURE, due to a bug.
* Starting with 1.13, we can detect replays for values within 64 of the
expected next sequence number, and will properly return GSS_S_OLD_TOKEN
if the received sequence number is below that range. Notes on the
rewrite are at:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7879
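To make the window semantics in the list above concrete, here is an added illustrative model of sequence-number replay detection, written for this archive page and not taken from MIT krb5 or from the poster. It assumes a `ReplayWindow` class, a configurable window (64 for the 1.13 behaviour, 20 for the older behaviour) and returns the RFC 2743/2744 supplementary status names as strings; how the real library lays out its state, handles 32-bit wraparound, or treats each flag combination is not reproduced here.

```python
from dataclasses import dataclass, field

# Supplementary status codes from RFC 2743 section 1.2.1.2, as strings.
COMPLETE = "GSS_S_COMPLETE"
DUPLICATE = "GSS_S_DUPLICATE_TOKEN"  # a replay of a token already seen
OLD = "GSS_S_OLD_TOKEN"              # too old to be checked against the window
UNSEQ = "GSS_S_UNSEQ_TOKEN"          # late arrival (out of order, inside window)
GAP = "GSS_S_GAP_TOKEN"              # an earlier token appears to be missing


@dataclass
class ReplayWindow:
    """Hypothetical per-context receive state for a sliding replay window.

    replay   -- GSS_C_REPLAY_FLAG negotiated: report duplicates and old tokens
    sequence -- GSS_C_SEQUENCE_FLAG negotiated: additionally report gaps and
                out-of-order tokens (assumed here to imply replay detection too)
    window   -- how far below the expected number a token may still be checked
    """
    replay: bool = True
    sequence: bool = False
    window: int = 64                # assumed: the "within 64" window in the mail
    expected: int = 0               # next sequence number we expect to receive
    seen: set = field(default_factory=set)  # numbers received inside the window

    def check(self, seq: int) -> str:
        """Return the status gss_unwrap-style processing would report for seq."""
        if not (self.replay or self.sequence):
            return COMPLETE           # neither service requested: nothing to check
        if seq < self.expected - self.window:
            return OLD                # below the window: cannot tell replay from first sight
        if seq in self.seen:
            return DUPLICATE          # inside the window and already received
        self.seen.add(seq)
        if seq < self.expected:
            # Late but inside the window; only a problem if strict ordering was asked for.
            return UNSEQ if self.sequence else COMPLETE
        status = GAP if (seq > self.expected and self.sequence) else COMPLETE
        self.expected = seq + 1       # advance the window past this token
        self._prune()
        return status

    def _prune(self) -> None:
        """Forget numbers that have fallen below the window."""
        low = self.expected - self.window
        self.seen = {s for s in self.seen if s >= low}


def run_demo(replay: bool, sequence: bool, arrivals: list) -> list:
    """Feed a constructed arrival order through one context and collect statuses."""
    ctx = ReplayWindow(replay=replay, sequence=sequence)
    return [ctx.check(s) for s in arrivals]


if __name__ == "__main__":
    # Constructed arrival order: in order, a replay, a gap, a late token, its replay,
    # a large jump, then a token that has fallen out of the 64-wide window.
    order = [0, 1, 1, 5, 3, 3, 100, 36, 37]
    for s, status in zip(order, run_demo(True, True, order)):
        print(f"seq={s:3d} -> {status}")
```

With both flags set the demo reports the replayed `1` and `3` as duplicates, `5` and `100` as gaps, `3` and `37` as out of sequence, and `36` as an old token because it lies more than 64 below the expected value of 101; with only `GSS_C_REPLAY_FLAG` the same arrivals yield only the duplicate and old-token reports, which is the distinction between the two flags that the thread is asking about.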