[32655] in Kerberos

Re: UDP and fragmentation

daemon@ATHENA.MIT.EDU (Victor Sudakov)
Mon Sep 13 16:00:38 2010

From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Mon, 13 Sep 2010 10:39:45 +0000 (UTC)
Message-ID: <i6kv1h$58m$1@relay.tomsk.ru>
X-Complaints-To: noc@sibptus.tomsk.ru
X-Comment-To: Casper H.S. Dik <Casper.Dik@Sun.COM>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Casper H.S. Dik wrote:
> >Quoting from http://support.microsoft.com/kb/244474/
> >By default, Kerberos uses connectionless UDP datagram packets.
> >Depending on a variety of factors including security identifier (SID)
> >history and group membership, some accounts will have larger Kerberos
> >authentication packet sizes. Depending on the virtual private network
> >(VPN) hardware configuration, these larger packets have to be
> >fragmented when going through a VPN. The problem is caused by
> >fragmentation of these large UDP Kerberos packets. Because UDP is a
> >connectionless protocol, fragmented UDP packets will be dropped if
> >they arrive at the destination out of order.

> Only a broken implementation would drop such packets, especially when
> they arrive at the destination.  I believe that some Linux implementations
> always transmit UDP packets in reverse order but that is not common.

> More likely is intervention by (broken) firewalls who can't filter
> UDP packets properly.


> >Quoting from
> >http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
> >A common problem is that routers will arbitrarily fragment UDP
> >packets; when this happens the Kerberos ticket request packets are
> >discarded by the KDC. 

> Unless the TCP/IP stack on that KDC is broken; the KDC wouldn't
> notice.

> >Please tell me how on earth does the KDC know that the packet has been
> >fragmented? Packets are fragmented and reassembled on the network
> >level (IP level), the fragmentation process should be opaque to UDP
> >and the application, shouldn't it? 

> It can't.

I thought as much.

> >I assume the KDC should just receive data from the socket, no matter
> >if the datagram was bigger than the MTU, is it correct?

> Yes.

Then what is Microsoft talking about?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
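The point argued above (the KDC application only ever sees a complete datagram; IP fragmentation and reassembly happen below the socket) and the usual practical remedy (force the client onto TCP for large requests, which is what MIT krb5's `udp_preference_limit` and the Windows `MaxPacketSize` registry value from the quoted KB article do) can be shown with a small self-contained exchange. The following is an added illustration written for this page, not code from the thread, from MIT krb5 or from any KDC: a toy "KDC" on 127.0.0.1 that listens on UDP and TCP and echoes how many bytes it received, and a client that picks UDP below a size limit and otherwise uses the RFC 4120 TCP framing (4-byte big-endian length prefix). The port numbers are ephemeral, the 1465-byte limit is borrowed from MIT's default, and the request payloads are constructed stand-ins for an AS-REQ/TGS-REQ.

```python
"""Toy Kerberos-style client/KDC exchange (added example, not list or krb5 code).
Shows that a UDP datagram well above a 1500-byte MTU reaches recvfrom() whole,
and the RFC 4120 s7.2.2 TCP fall-back used once a request exceeds a UDP limit."""
import socket
import struct
import threading

# Assumption: same default MIT krb5 uses for udp_preference_limit.
UDP_PREFERENCE_LIMIT = 1465


def tcp_frame(msg: bytes) -> bytes:
    """RFC 4120 TCP framing: 4-byte big-endian length (high bit clear) + message."""
    assert len(msg) < 2**31
    return struct.pack("!I", len(msg)) + msg


def tcp_recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def tcp_unframe(conn: socket.socket) -> bytes:
    (length,) = struct.unpack("!I", tcp_recv_exact(conn, 4))
    return tcp_recv_exact(conn, length)


class ToyKDC:
    """Replies b'OK <bytes received>' on UDP and TCP. On UDP the kernel has
    already reassembled any IP fragments before recvfrom() returns: the
    application gets the whole datagram or (if a fragment was lost) nothing."""

    def __init__(self):
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind(("127.0.0.1", 0))  # ephemeral port (assumption)
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.bind(("127.0.0.1", 0))
        self.tcp.listen(1)
        self.udp_port = self.udp.getsockname()[1]
        self.tcp_port = self.tcp.getsockname()[1]
        threading.Thread(target=self._serve_udp, daemon=True).start()
        threading.Thread(target=self._serve_tcp, daemon=True).start()

    def _serve_udp(self):
        while True:
            data, peer = self.udp.recvfrom(65535)  # whole datagram, up to UDP max
            self.udp.sendto(b"OK %d" % len(data), peer)

    def _serve_tcp(self):
        while True:
            conn, _ = self.tcp.accept()
            with conn:
                data = tcp_unframe(conn)
                conn.sendall(tcp_frame(b"OK %d" % len(data)))


def send_request(kdc: ToyKDC, request: bytes, limit: int = UDP_PREFERENCE_LIMIT):
    """Client: UDP while the request fits under `limit`, TCP otherwise.
    Returns (transport used, reply bytes)."""
    if len(request) <= limit:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(5)
            s.sendto(request, ("127.0.0.1", kdc.udp_port))
            reply, _ = s.recvfrom(65535)
        return "udp", reply
    with socket.create_connection(("127.0.0.1", kdc.tcp_port), timeout=5) as s:
        s.sendall(tcp_frame(request))
        reply = tcp_unframe(s)
    return "tcp", reply


def demo():
    kdc = ToyKDC()
    small = b"A" * 500    # constructed: a modest request
    large = b"B" * 4000   # constructed: PAC-sized request, far above a 1500-byte MTU
    return {
        "small": send_request(kdc, small),
        "large_forced_udp": send_request(kdc, large, limit=65535),  # UDP, still whole
        "large": send_request(kdc, large),                          # falls back to TCP
    }


if __name__ == "__main__":
    for name, (transport, reply) in demo().items():
        print(f"{name:18s} via {transport}: {reply!r}")
```

Run it and the "large_forced_udp" case answers `OK 4000` over UDP: the server never learns whether the 4000-byte datagram was fragmented on the way in. What a fragment-dropping VPN or firewall actually causes is a client-side timeout, since the KDC receives nothing at all; lowering the UDP limit (MIT: `udp_preference_limit` in `[libdefaults]`; Windows: `MaxPacketSize` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, with 1 forcing TCP) sidesteps that by never sending an oversized datagram.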