[36537] in Kerberos
Re: Kerberos / GSS-API for SCTP
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 10 11:14:34 2014
Message-ID: <5437F7CF.4010907@mit.edu>
Date: Fri, 10 Oct 2014 11:14:23 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Rick van Rein <rick@openfortress.nl>,
"<kerberos@mit.edu>" <Kerberos@mit.edu>
In-Reply-To: <ADFAD74E-04F9-454E-9C46-947524F61761@openfortress.nl>
On 10/10/2014 09:50 AM, Rick van Rein wrote:
> I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that is also available in the Kerberos mapping of GSS-API. So the answer appears to be “yes, you can do this with Kerberos”.
You probably want to be looking at RFC 2743 and RFC 2744, not RFC 1509,
but yes.
> I’m going to assume that MIT krb5 will indeed implement these.
We do. Some implementation limits to be aware of:
* Prior to 1.12.2, we had a bug where initial out-of-order delivery
could result in GSS_S_FAILURE. The ticket is:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7872
* Prior to 1.13, we can detect replays matching any of the 20 previously
received sequence numbers. I think sequence numbers below the range of
that set will result in GSS_S_FAILURE, due to a bug.
* Starting with 1.13, we can detect replays for values within 64 of the
expected next sequence number, and will properly return GSS_S_OLD_TOKEN
if the received sequence number is below that range. Notes on the
rewrite are at:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7879
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
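The window behaviour described in the reply (a fixed-size set of recently received sequence numbers, GSS_S_OLD_TOKEN for anything below it) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from MIT krb5 or from the poster: it keeps a 64-bit bitmap of the numbers just below the next expected one, names its outcomes after the RFC 2743 supplementary status bits (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, GSS_S_GAP_TOKEN), and assumes 64-bit sequence numbers that never wrap. The delivery order fed to it is constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model (not MIT krb5 code) of a GSS-API per-context
 * sequence/replay window.  Assumes sequence numbers never wrap. */

#define SEQ_WINDOW 64  /* how far below 'next' we can still vet a token */

/* Outcomes named after the RFC 2743 supplementary status bits. */
enum seq_status {
    SEQ_OK = 0,    /* GSS_S_COMPLETE */
    SEQ_DUPLICATE, /* GSS_S_DUPLICATE_TOKEN: inside window, already seen */
    SEQ_OLD,       /* GSS_S_OLD_TOKEN: below window, cannot be vetted */
    SEQ_UNSEQ,     /* GSS_S_UNSEQ_TOKEN: inside window, late first arrival */
    SEQ_GAP        /* GSS_S_GAP_TOKEN: ahead of 'next', predecessors missing */
};

struct seq_state {
    bool replay;   /* GSS_C_REPLAY_FLAG in effect */
    bool sequence; /* GSS_C_SEQUENCE_FLAG in effect */
    uint64_t next; /* next expected sequence number */
    uint64_t seen; /* bit i set  <=>  number (next - 1 - i) was received */
};

void seq_init(struct seq_state *s, uint64_t first, bool replay, bool sequence)
{
    memset(s, 0, sizeof(*s));
    s->next = first;
    s->replay = replay;
    s->sequence = sequence;
}

/* Classify one received sequence number and update the window. */
enum seq_status seq_check(struct seq_state *s, uint64_t seq)
{
    if (!s->replay && !s->sequence)
        return SEQ_OK;  /* neither service negotiated: accept everything */

    if (seq >= s->next) {
        /* Expected or ahead: slide the window so 'seq' is the newest entry.
         * A shift by 64 or more is undefined in C, so clear explicitly. */
        uint64_t advance = seq - s->next + 1;
        s->seen = (advance >= SEQ_WINDOW) ? 0 : (s->seen << advance);
        s->seen |= 1;
        s->next = seq + 1;
        return (advance > 1 && s->sequence) ? SEQ_GAP : SEQ_OK;
    }

    uint64_t behind = s->next - seq;  /* 1 means seq == next - 1 */
    if (behind > SEQ_WINDOW)
        return SEQ_OLD;  /* too far back to tell a replay from late delivery */

    uint64_t bit = (uint64_t)1 << (behind - 1);
    if (s->seen & bit)
        return SEQ_DUPLICATE;  /* both services detect duplicates */
    s->seen |= bit;
    return s->sequence ? SEQ_UNSEQ : SEQ_OK;
}

/* Feed a constructed delivery order through a fresh context and compare
 * each outcome with 'expect'.  Returns 1 on a full match, 0 otherwise. */
int seq_trace_matches(bool replay, bool sequence, uint64_t first,
                      const uint64_t *seqs, const enum seq_status *expect,
                      size_t n)
{
    struct seq_state s;
    seq_init(&s, first, replay, sequence);
    for (size_t i = 0; i < n; i++)
        if (seq_check(&s, seqs[i]) != expect[i])
            return 0;
    return 1;
}

int main(void)
{
    static const char *names[] = {"OK", "DUPLICATE", "OLD", "UNSEQ", "GAP"};
    /* Constructed order: in sequence, a replay, a skip, the late token,
     * then a jump far ahead followed by a number below the window. */
    const uint64_t trace[] = {0, 1, 2, 2, 4, 3, 5, 99, 35, 36, 99};
    struct seq_state s;
    seq_init(&s, 0, true, true);
    for (size_t i = 0; i < sizeof(trace) / sizeof(trace[0]); i++)
        printf("seq %3llu -> %s\n", (unsigned long long)trace[i],
               names[seq_check(&s, trace[i])]);
    return 0;
}
```

With both flags set, the trace above yields OK, OK, OK, DUPLICATE, GAP, UNSEQ, OK, GAP, OLD, UNSEQ, DUPLICATE. The OLD result for 35 is the case the reply describes for 1.13: after 99 moves the window to 36..99, a 35 cannot be distinguished from a replay, so the caller only learns it is too old to vet. With only GSS_C_REPLAY_FLAG, out-of-order arrivals come back as OK and only a second delivery of the same number is flagged.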