[32666] in Kerberos
Re: UDP and fragmentation
daemon@ATHENA.MIT.EDU (Victor Sudakov)
Wed Sep 15 12:08:49 2010
From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Tue, 14 Sep 2010 04:45:25 +0000 (UTC)
Message-ID: <i6mul5$1bui$1@relay.tomsk.ru>
X-Complaints-To: noc@sibptus.tomsk.ru
X-Comment-To: Greg Hudson <ghudson@MIT.EDU>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Greg Hudson wrote:

> > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > on a variety of factors including security identifier (SID) history
> > and group membership, some accounts will have larger Kerberos
> > authentication packet sizes." What's there inside? Long principal
> > names? Long keys?
>
> An Active Directory KDC will include authorization data within a
> Kerberos ticket which includes the set of groups you are a member of.
> If that's a lot of groups, then your ticket will be large.

It is very interesting. Where is there room in a Kerberos ticket for
such data?

I have tried to examine the large Active Directory KDC packets with
Wireshark and found nothing unusual (I think nothing I have not
already seen in Heimdal packets).

> Another way Kerberos packets can get big is Diffie-Hellman values
> conveyed for PKINIT during initial authentication.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos