[3977] in Kerberos


Re: I need comment on Kerberos vs. NetSP (IBM)

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Mon Oct 3 09:54:46 1994

To: kerberos@MIT.EDU
Date: Mon, 03 Oct 1994 09:36:46
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

Opening disclaimer: I don't know diddley-squat about NetSP, but it
looks like I know more about Kerberos than the Gartner folks do... :-)

bruggema@god.bel.alcatel.be (VERBRUGGEN Marc) writes:
>I would like some comment on the difference between Kerberos and NetSP
>from IBM.
>According to Gartner, following issues should be considered
>
>A. Kerberos :
>
>1. it requires that all parties be concurrently connected -> no support
>for dial-in

Absolutely false.  One can dial in via PPP or SLIP, get a TGT via kinit,
disconnect, and then re-connect sometime later (within the lifetime of
the TGT) and use whatever "Kerberized" applications are available.  This
assumes that one will always use the same IP address on every dial-in,
but even if that's not the case, the cost of re-kinit'ing is very low
(see below).

As far as "dumb" TTY-type dial-ins go, there are other solutions available,
including terminal servers that support Kerberos.  Others can comment
on those and other solutions much better than I can.

>2. it can only use TCP/IP

True for Kerberos V4.  Not true for V5 - RFC 1510 defines an OSI transport
for V5 communications with the KDC, and the data representation for
network addresses allows for any conceivable type of network address to
be represented.  RFC 1510 defines address type constants for IP, CHAOSnet,
ISO, XNS, AppleTalk DDP, and DECnet Phase IV.  (Existing public-domain
V5 implementations may only support IP, but that's an implementation issue...)

>3. it uses more cpu, memory and network bandwidth

As I said before, I don't know anything about NetSP, so I can't make any
direct comparisons.  However, it should be pointed out that Kerberos
requires *very little* in the way of network bandwidth.  Getting a
Kerberos ticket from the KDC only requires a single datagram for the
request and a single datagram for the reply, and one doesn't have to
get new tickets all that frequently.  It's about as low-overhead a network
protocol as can be - that's not to say NetSP can't be better (their
datagrams might be smaller :-), but it's very hard for me to see how it
can be a great deal better.

CPU and memory utilization is probably more an implementation issue
than anything else...

>4. is it available on DOS, OS/2 and AIX, MVS and VM ?

Don Rolph was kind enough to point out that FTP Software's PC/TCP provides
support (for Kerberos V4) for DOS and OS/2.  Public-domain UNIX versions
support AIX, and there's at least one or two commercially-supported releases
for AIX as well.  Don't have first-hand knowledge of what's available
for MVS and VM, but there's no reason why it couldn't be.

Hope this helps...

-Shawn Mamros
E-mail to: mamros@ftp.com
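Added illustration, not part of Shawn's post or of any Kerberos implementation: the two claims above that a practitioner will want to see concretely are (a) why a dial-in user keeps working after a reconnect within the TGT lifetime but needs a fresh kinit when the IP address changes, and (b) what the RFC 1510 address-type constants actually are on the wire. The block below DER-encodes and decodes the RFC 1510 HostAddresses structure (addr-type [0] INTEGER, address [1] OCTET STRING) using the constants the RFC lists for IP, CHAOSnet, XNS, ISO, DECnet Phase IV and AppleTalk DDP, and then applies the lifetime and caddr checks a Kerberized server makes. The DER helpers are a deliberately minimal subset (single-byte tags, non-negative integers), `ticket_usable` and `dialin_scenario` are hypothetical names chosen here, and the ticket, times and addresses are constructed sample data.

```python
# Added example (not from the original post): RFC 1510 HostAddresses
# encoding/decoding plus the ticket lifetime and caddr checks a server applies.
from datetime import datetime, timedelta, timezone

# Address-type constants as listed in RFC 1510.
ADDRTYPE_IPV4 = 2
ADDRTYPE_CHAOS = 5
ADDRTYPE_XNS = 6
ADDRTYPE_ISO = 7
ADDRTYPE_DECNET_PHASE_IV = 12
ADDRTYPE_APPLETALK_DDP = 16


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag/length/value triple (single-byte tags only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long-form length: 0x80 | number of length bytes, then the bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (minimal two's-complement body)."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the sign bit clear
    return _der_tlv(0x02, body)


def _der_read(data: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV body")
    return tag, body, pos + length


def encode_host_address(addr_type: int, address: bytes) -> bytes:
    """HostAddress ::= SEQUENCE { addr-type[0] INTEGER, address[1] OCTET STRING }"""
    inner = _der_tlv(0xA0, _der_integer(addr_type)) + _der_tlv(0xA1, _der_tlv(0x04, address))
    return _der_tlv(0x30, inner)


def encode_host_addresses(addrs) -> bytes:
    """HostAddresses ::= SEQUENCE OF HostAddress (the ticket's caddr field)."""
    return _der_tlv(0x30, b"".join(encode_host_address(t, a) for t, a in addrs))


def decode_host_addresses(data: bytes):
    """Parse HostAddresses back into [(addr_type, address_bytes), ...]."""
    tag, body, end = _der_read(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single HostAddresses SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, ha, pos = _der_read(body, pos)
        if t != 0x30:
            raise ValueError("expected HostAddress SEQUENCE")
        t0, c0, p = _der_read(ha, 0)
        t1, c1, p = _der_read(ha, p)
        if (t0, t1) != (0xA0, 0xA1) or p != len(ha):
            raise ValueError("bad HostAddress tagging")
        ti, ib, _ = _der_read(c0, 0)
        ts, sb, _ = _der_read(c1, 0)
        if ti != 0x02 or ts != 0x04:
            raise ValueError("bad HostAddress member types")
        out.append((int.from_bytes(ib, "big", signed=True), sb))
    return out


def ticket_usable(ticket: dict, now: datetime, addr_type: int, address: bytes):
    """Server-side checks (hypothetical helper): now must fall inside the ticket
    lifetime, and if caddr is non-empty the client's address must be listed in it
    (RFC 1510 lets an empty caddr be used from any address)."""
    if not (ticket["starttime"] <= now < ticket["endtime"]):
        return False, "ticket outside its lifetime: kinit again"
    caddr = decode_host_addresses(ticket["caddr"])
    if caddr and (addr_type, address) not in caddr:
        return False, "client address not in ticket caddr: kinit again"
    return True, "ok"


def dialin_scenario():
    """Constructed walk-through of the dial-in case: same IP, new IP, expired."""
    issued = datetime(1994, 10, 3, 9, 0, tzinfo=timezone.utc)  # constructed time
    first_ip, second_ip = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 11])  # constructed
    tgt = {"starttime": issued, "endtime": issued + timedelta(hours=10),  # 10-hour TGT
           "caddr": encode_host_addresses([(ADDRTYPE_IPV4, first_ip)])}
    later, expired = issued + timedelta(hours=2), issued + timedelta(hours=11)
    return {
        "reconnect_same_ip": ticket_usable(tgt, later, ADDRTYPE_IPV4, first_ip)[0],
        "reconnect_new_ip": ticket_usable(tgt, later, ADDRTYPE_IPV4, second_ip)[0],
        "after_expiry": ticket_usable(tgt, expired, ADDRTYPE_IPV4, first_ip)[0],
    }
```

Running `dialin_scenario()` gives True for the reconnect from the original address, False for the reconnect from a different address (the cheap re-kinit Shawn mentions), and False once the ten-hour lifetime has passed. The DER layer is enough to show the wire shape of caddr; a real KDC or library uses a full ASN.1 codec.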

