[krbdev.mit.edu #3357] Would be nice to be able to test if clients handle KRB5KDC_ERR_RESPONSE_TOO_BIG correctly.
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Fri Jun 16 22:39:00 EDT 2006
This seems like a good idea (and I'm sorry I didn't get to reviewing it
sooner), but I've got some concerns:
* The lookaside cache is there largely to prevent the libkrb5 replay
cache from reporting a replay error. If a message comes in over UDP, a
response gets sent and lost for some reason (firewall?), and then the
client tries sending the same message over TCP, I think this patch will
cause the library to detect a replay that gets past the lookaside cache.
Perhaps we should cache the "real" result before reporting the too-big
error (or retrieve the cached result and then check its size), though
that would mean some rearranging of code.
* Does it make sense for the maximum size to be a realm parameter? I'm
thinking of a KDC set up to service multiple realms... the realm data
may determine whether large responses are likely to be generated, but I
would think the network environment (or an "I'm testing" flag) would be
the determining factor as to when you'd want to switch to TCP.
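
A simplified model of the first concern above, added here as an example; it is not code from the patch or from MIT krb5. All names and constants are constructed, and it assumes the size check returns before the real reply is stored in the lookaside cache, then compares that with caching the real reply first.

```c
#include <stdio.h>
#include <stdbool.h>

/* Simplified model, not MIT krb5 code: a request is an id, a reply is a length. */
enum { OK, TOO_BIG, REPLAY };        /* outcome seen by the client */
enum { UDP, TCP };
#define MAX_REQ 16
#define UDP_MAX 1400                 /* constructed limit for UDP replies */
#define REAL_LEN 4000                /* constructed size of the real reply */

static bool rcache[MAX_REQ];         /* replay cache: ids already processed */
static int lookaside[MAX_REQ];       /* lookaside cache: real reply length, 0 = none */

static void reset(void) {
    for (int i = 0; i < MAX_REQ; i++) { rcache[i] = false; lookaside[i] = 0; }
}

/* cache_first = false: the size check returns before the real reply is cached.
 * cache_first = true:  the real reply is cached, then its size is checked. */
static int dispatch(int req, int transport, bool cache_first) {
    int len = lookaside[req];
    if (len == 0) {                  /* lookaside miss: full processing */
        if (rcache[req]) return REPLAY;
        rcache[req] = true;
        len = REAL_LEN;
        if (!cache_first && transport == UDP && len > UDP_MAX)
            return TOO_BIG;          /* nothing stored for the retry to find */
        lookaside[req] = len;
    }
    /* Cached or fresh, the real reply is only sent if it fits the transport. */
    return (transport == UDP && len > UDP_MAX) ? TOO_BIG : OK;
}

/* Client sends req over UDP, then retries the same message over TCP. */
static int udp_then_tcp(int req, bool cache_first) {
    reset();
    (void)dispatch(req, UDP, cache_first);
    return dispatch(req, TCP, cache_first);
}

int main(void) {
    printf("check before caching: %d\n", udp_then_tcp(3, false));
    printf("cache before check:   %d\n", udp_then_tcp(3, true));
    return 0;
}
```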