I am wondering why in the Microsoft Kerberos implementation, an alternative to UDP transport is proposed: TCP. I fail to see why TCP resolves the UDP datagram size problem.
The TCP support is going to be part of the next version of the specification, as well.
A UDP message is limited to 64K, as I recall. If, for some reason, there is a large amount of data to be carried in (extended versions of) the Kerberos tickets, or the preauthentication scheme adds a large amount of data, then it may not fit. Furthermore, individual packets on many networks are limited to around 1500 bytes, and I've heard some routers may have problems with fragmented UDP packets.
In a TCP stream, this limitation is removed; any size data can be sent. If it's larger than the packet sizes supported on a network, the implementation breaks the message down into suitably sized packets for transmission. Schemes actually exist for figuring out what that size is, though there are occasional sites that botch their firewall configurations so as to make that difficult. (UDP wouldn't fare any better in that case, though.)
Ken
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
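The UDP size limits Ken describes, and the TCP framing that lets a Kerberos message of any size cross a byte stream, as an added example that is not code from the post or from any Kerberos implementation. The 4-octet big-endian length prefix with a reserved high bit is the real RFC 4120 section 7.2.2 rule for Kerberos over TCP; the datagram size constants and the max_len sanity bound are assumptions chosen for illustration.

```python
import struct

# Assumed limits for this example (not from the original post).
# Largest UDP payload over IPv4: 65535 - 20 (IP header) - 8 (UDP header).
MAX_UDP_PAYLOAD = 65507
# Ethernet MTU minus IPv4 + UDP headers: what fits in one unfragmented datagram.
UNFRAGMENTED_UDP_PAYLOAD = 1500 - 20 - 8
# RFC 4120 7.2.2: the high bit of the 4-octet TCP length prefix must be zero.
TCP_LENGTH_MASK = 0x7FFFFFFF

def udp_fit(msg: bytes) -> str:
    """Classify how a Kerberos message would fare as a single UDP datagram."""
    n = len(msg)
    if n > MAX_UDP_PAYLOAD:
        return "too-big"        # cannot be carried in one datagram at all
    if n > UNFRAGMENTED_UDP_PAYLOAD:
        return "fragmented"     # sendable, but IP fragmentation is required
    return "fits"

def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a message with the RFC 4120 4-octet network-order length."""
    if len(msg) > TCP_LENGTH_MASK:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack("!I", len(msg)) + msg

def parse_tcp_frames(stream: bytes, max_len: int = 1 << 20):
    """Split received TCP bytes (possibly several messages plus a partial
    trailing one) back into complete messages. Returns (messages, leftover).
    max_len is an assumed local bound so a peer announcing a huge length
    cannot make the receiver buffer unbounded data for one message."""
    messages, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack("!I", stream[pos:pos + 4])
        if length & ~TCP_LENGTH_MASK:
            raise ValueError("reserved high bit set in TCP length prefix")
        if length > max_len:
            raise ValueError("announced length exceeds local sanity bound")
        if pos + 4 + length > len(stream):
            break               # partial message: wait for more bytes
        messages.append(stream[pos + 4:pos + 4 + length])
        pos += 4 + length
    return messages, stream[pos:]

def choose_transport(msg: bytes) -> str:
    """Use UDP only when the message fits one unfragmented datagram;
    otherwise go to TCP, where the length prefix delimits messages."""
    return "udp" if udp_fit(msg) == "fits" else "tcp"
```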
