[11164] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #6566] UDP datagrams > 4K do not work.
daemon@ATHENA.MIT.EDU (elric@mournblade.imrryr.org via RT)
Wed Sep 16 04:09:09 2009
Mail-Followup-To: rt@krbdev.mit.edu
mail-copies-to: never
From: "elric@mournblade.imrryr.org via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6566@krbdev.mit.edu>
Message-ID: <rt-6566-31719.12.6256881698914@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6566'":;
Date: Wed, 16 Sep 2009 08:08:44 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
On 1253075737 seconds since the Beginning of the UNIX epoch
"Ken Raeburn via RT" wrote:
>
>On Sep 15, 2009, at 22:02, elric@mournblade.imrryr.org via RT wrote:
>> Unfortunately, if you receive a datagram of over sizeof(pktbuf)
>> you will succeed with cc == sizeof(pktbuf) not detecting the fact
>> that there was additional data. This results in an ASN.1 parse
>> error. What should happen is that the KDC should return an
>> appropriate error to the client indicating that TCP should be used.
>
>Regardless of other options, it sounds like cc==sizeof(pktbuf) should
>trigger the use-TCP error, since we can't distinguish between a packet
>equal in size to the buffer and a packet that was larger but got
>truncated. Either that, or we could peek at the size of the next
>datagram and grow the buffer as needed, but I'm not sure that peeking
>can be done portably.
Yes, this sounds like exactly the approach I would think about
implementing.
>> I noticed this while debugging a JGSS problem. Apparently, the
>> Java Kerberos libraries do not fail over from UDP to TCP unless
>> the KDC specifically tells them to. And they have no default
>> setting for udp_preference_limit. And so, if you are constructing
>> tickets of over 4K because, let's say, a user is in a lot of groups
>> in Windows, JGSS will just fail against an MIT KDC.
>
>From what I've read, the common wisdom still seems to be that some
>gateways/routers/NAT boxes/firewalls/whatever will not properly
>process UDP fragments, so UDP traffic over ~1500 bytes (or less) may
>never get to the KDC. So this sounds like a bug in the Java Kerberos
>libraries.
It's most certainly a bug in the Java Kerberos libraries. I've also
run into them breaking when frags are dropped, etc.
Thanks,
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
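Added C example, not code from this thread or from the MIT krb5 tree: a datagram reader that applies the rule Ken proposes (a read that exactly fills the buffer is treated as too big) together with the POSIX recvmsg() MSG_TRUNC output flag, which gives a definitive answer on stacks that set it. The self-check replaces the KDC's UDP socket with an AF_UNIX datagram socketpair (an assumption made so it runs offline) and a constructed all-'A' payload.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Outcome of one datagram read on the KDC side. */
enum recv_status { RECV_OK = 0, RECV_TOO_BIG = 1, RECV_ERROR = -1 };
/* Read one datagram into buf. It is reported as too big when the kernel flags
 * truncation (POSIX msg_flags & MSG_TRUNC) or, following the thread, when it
 * fills the buffer completely: cc == sizeof(pktbuf) cannot be told apart from
 * a larger datagram that was cut off. A KDC would answer RECV_TOO_BIG with a
 * KRB-ERROR carrying KRB_ERR_RESPONSE_TOO_BIG so the client retries over TCP,
 * instead of handing the truncated bytes to the ASN.1 decoder. */
enum recv_status recv_kdc_datagram(int fd, unsigned char *buf, size_t buflen,
                                   size_t *out_len)
{
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;
    ssize_t cc;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    cc = recvmsg(fd, &msg, 0);
    if (cc < 0)
        return RECV_ERROR;
    *out_len = (size_t)cc;
    if ((msg.msg_flags & MSG_TRUNC) || (size_t)cc == buflen)
        return RECV_TOO_BIG;
    return RECV_OK;
}

/* Self-check: send a constructed msglen-byte datagram over an AF_UNIX
 * datagram socketpair (stand-in for the KDC's UDP socket, no network needed)
 * and read it into a buflen-byte buffer, returning what the reader reports. */
enum recv_status probe_truncation(size_t buflen, size_t msglen)
{
    int sv[2];
    unsigned char sendbuf[8192], recvbuf[8192];
    size_t got = 0;
    enum recv_status st = RECV_ERROR;
    if (msglen > sizeof(sendbuf) || buflen > sizeof(recvbuf) || buflen == 0)
        return RECV_ERROR;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return RECV_ERROR;
    memset(sendbuf, 'A', msglen);               /* constructed payload */
    if (send(sv[0], sendbuf, msglen, 0) == (ssize_t)msglen)
        st = recv_kdc_datagram(sv[1], recvbuf, buflen, &got);
    close(sv[0]); close(sv[1]);
    return st;
}
```

The thread's other option, peeking at the next datagram's size, is recv() with MSG_PEEK|MSG_TRUNC returning the real length on Linux, which is exactly the non-portable path Ken is wary of.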