Kerberos / GSS-API for SCTP
From: Rick van Rein <rick@openfortress.nl>
Date: Fri, 10 Oct 2014 15:38:46 +0200
To: kerberos@mit.edu
Message-Id: <EBF1D50A-D61D-48EE-B4C1-30C86C6FCDFE@openfortress.nl>
Hello,
I am looking into GSS-API as a protection mechanism for SCTP connections. SCTP connects multiple independent streams at once, and can decide on in-order or out-of-order delivery on a per-frame basis. SCTP has reliable delivery by default.
I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message. I assume that the receiving side would verify that sequence number, and drop anything too old, and perhaps also anything too new. This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus too limiting to use with SCTP. Am I correct? I found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions it :-S
FWIW, our aim is cross-realm RADIUS, SNMP and more — protocols that benefit from out-of-order delivery but that would require both reliable delivery and security. TLS-over-TCP enforces ordering of independent packets, and DTLS-over-UDP isn’t reliable. SCTP is just right, after adding security; and Kerberos is more sane than (D)TLS in our architecture.
Thanks,
Rick van Rein
InternetWide.org / OpenFortress.nl
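Editor's note, added to this archived message and not part of Rick's post: the per-message ordering services are specified in RFC 2743 (GSS-API v2, section 1.2.3) and RFC 2744 (the C bindings), not in RFC 4121. GSS_C_REPLAY_FLAG asks for duplicate and too-old detection; GSS_C_SEQUENCE_FLAG asks additionally for out-of-order and gap detection. In both cases gss_unwrap/gss_verify_mic still return GSS_S_COMPLETE for a cryptographically valid token and report the ordering condition through the supplementary status bits GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN and GSS_S_GAP_TOKEN; the application, not the mechanism, decides whether to drop the token. The following C model, written for this note (it is not MIT krb5's own g_seq.c, and the 64-entry window, the local numeric values of the status bits and the constructed arrival pattern are assumptions), feeds one SCTP-style out-of-order arrival sequence to contexts negotiated with each combination of the two flags so the difference is visible:

```c
/* Model of GSS-API per-message replay/sequence checking (RFC 2743 section 1.2.3).
 * Added illustration for this note; not the MIT krb5 implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Supplementary status bits, named as in RFC 2743. The numeric values are local
 * to this model (a real program takes them from its implementation's gssapi.h). */
enum {
    SEQ_OK          = 0,
    DUPLICATE_TOKEN = 1 << 0,   /* same sequence number received twice (replay) */
    OLD_TOKEN       = 1 << 1,   /* older than the replay window remembers */
    UNSEQ_TOKEN     = 1 << 2,   /* a later token was already processed (sequence) */
    GAP_TOKEN       = 1 << 3    /* an earlier token has not been seen yet (sequence) */
};

#define WINDOW 64   /* assumption: sequence numbers remembered below the newest one */

typedef struct {
    bool     replay;    /* GSS_C_REPLAY_FLAG negotiated at context establishment */
    bool     sequence;  /* GSS_C_SEQUENCE_FLAG negotiated */
    uint64_t first;     /* initial sequence number agreed during establishment */
    uint64_t next;      /* one past the highest sequence number seen so far */
    uint64_t seen;      /* bit i set => sequence number (next-1-i) was received */
} seq_state;

void seq_init(seq_state *s, bool replay, bool sequence, uint64_t first_seq)
{
    s->replay = replay;
    s->sequence = sequence;
    s->first = first_seq;
    s->next = first_seq;
    s->seen = 0;
}

/* Returns the supplementary bits the gss_unwrap/gss_verify_mic caller would see.
 * The token itself is treated as valid; acting on the bits is the caller's job. */
unsigned seq_check(seq_state *s, uint64_t seq)
{
    if (!s->replay && !s->sequence)
        return SEQ_OK;                      /* neither service requested: no state kept */

    int64_t ahead = (int64_t)(seq - s->next);   /* modular distance; negative => behind */
    if (ahead >= 0) {
        unsigned status = (s->sequence && ahead > 0) ? GAP_TOKEN : SEQ_OK;
        /* slide the window forward by ahead+1 positions and record this token */
        if (ahead + 1 >= WINDOW)
            s->seen = 0;
        else
            s->seen <<= (ahead + 1);
        s->seen |= 1;
        s->next = seq + 1;
        return status;
    }

    uint64_t dist = (uint64_t)(-ahead) - 1;     /* 0 => seq is the newest one minus 1 */
    if (dist >= WINDOW || (int64_t)(seq - s->first) < 0) {
        /* outside the window (or before the context existed): cannot tell a
         * duplicate from a merely late token, so replay detection calls it old */
        return s->replay ? OLD_TOKEN : UNSEQ_TOKEN;
    }
    uint64_t bit = (uint64_t)1 << dist;
    if (s->seen & bit)
        return s->replay ? DUPLICATE_TOKEN : UNSEQ_TOKEN;
    s->seen |= bit;
    /* late but never seen: acceptable with replay detection only, flagged when sequencing */
    return s->sequence ? UNSEQ_TOKEN : SEQ_OK;
}

/* Constructed arrival pattern: tokens 1..5 as an SCTP receiver might get them from
 * unordered streams, plus one retransmitted duplicate (the second 3). */
static const uint64_t ARRIVALS[] = { 1, 3, 2, 3, 5, 4 };
#define N_ARRIVALS (sizeof ARRIVALS / sizeof ARRIVALS[0])

/* Replay the pattern on a fresh context; return the bits reported for arrival idx. */
unsigned status_at(bool replay, bool sequence, size_t idx)
{
    seq_state s;
    seq_init(&s, replay, sequence, 1);
    unsigned st = SEQ_OK;
    for (size_t i = 0; i <= idx && i < N_ARRIVALS; i++)
        st = seq_check(&s, ARRIVALS[i]);
    return st;
}

/* A token numbered below the agreed initial sequence number. */
unsigned status_before_first(bool replay, bool sequence)
{
    seq_state s;
    seq_init(&s, replay, sequence, 10);
    return seq_check(&s, 9);
}

int main(void)
{
    const char *modes[] = { "none", "replay", "sequence", "both" };
    for (int m = 0; m < 4; m++) {
        bool replay = m & 1, sequence = m & 2;
        printf("%-8s:", modes[m]);
        for (size_t i = 0; i < N_ARRIVALS; i++)
            printf(" %llu->%u", (unsigned long long)ARRIVALS[i], status_at(replay, sequence, i));
        printf("\n");
    }
    return 0;
}
```

With only GSS_C_REPLAY_FLAG negotiated, the out-of-order arrivals 3, 2, 5, 4 all come back clean and only the retransmitted 3 is flagged, which is the behaviour an SCTP receiver with unordered streams wants; with GSS_C_SEQUENCE_FLAG the same arrivals are reported as GAP/UNSEQ and the application chooses whether that matters. Neither flag makes the mechanism drop the token by itself.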
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos