[36536] in Kerberos
Re: Kerberos / GSS-API for SCTP
daemon@ATHENA.MIT.EDU (Rick van Rein)
Fri Oct 10 09:50:56 2014
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <EBF1D50A-D61D-48EE-B4C1-30C86C6FCDFE@openfortress.nl>
Date: Fri, 10 Oct 2014 15:50:37 +0200
Message-Id: <ADFAD74E-04F9-454E-9C46-947524F61761@openfortress.nl>
To: "<kerberos@mit.edu>" <Kerberos@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
*blush*
I solved my own question!
> I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC’d message. I assume that the receiving side would verify that sequence number, and drop any thing too old, and perhaps also anything too new. This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus too limiting to use with SCTP. Am I correct? I found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions it :-S
I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that is also available in the Kerberos mapping of GSS-API. So the answer appears to be “yes, you can do this with Kerberos”.
I’m going to assume that MIT krb5 will indeed implement these.
-Rick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
