Projects/replay_cache_collision_avoidance and replay cache uses

Sam Hartman hartmans at MIT.EDU
Mon Jan 5 17:16:46 EST 2009

The problem with sequence numbers is they depend on sequencing.
krb-priv and -safe do not have an ESP-like window.  So, if you have a
UDP application and you want to support out-of-order packets, you're
stuck using time.

Now if you use subsession keys and we could assume that the scope of a
subsession key is a single authcontext, we would not need to write out
replay data.  However that may be a bad assumption in some of the
cases where krb-priv is most attractive.

More information about the krbdev mailing list