 72856d3e44
			
		
	
	72856d3e44
	
	
	
		
			
			git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4048 ec53bebd-3082-4978-b11e-865c3cabbd6b
		
			
				
	
	
		
			172 lines
		
	
	
		
			3.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			172 lines
		
	
	
		
			3.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| Network Working Group                                   Assar Westerlund
 | ||
| <draft-ietf-cat-krb5-tcp.txt>                                       SICS
 | ||
| Internet-Draft                                          Johan Danielsson
 | ||
| November, 1997                                                  PDC, KTH
 | ||
| Expire in six months
 | ||
| 
 | ||
|                            Kerberos over TCP
 | ||
| 
 | ||
| Status of this Memo
 | ||
| 
 | ||
|    This document is an Internet-Draft.  Internet-Drafts are working
 | ||
|    documents of the Internet Engineering Task Force (IETF), its areas,
 | ||
|    and its working groups.  Note that other groups may also distribute
 | ||
|    working documents as Internet-Drafts.
 | ||
| 
 | ||
|    Internet-Drafts are draft documents valid for a maximum of six months
 | ||
|    and may be updated, replaced, or obsoleted by other documents at any
 | ||
|    time.  It is inappropriate to use Internet- Drafts as reference
 | ||
|    material or to cite them other than as "work in progress."
 | ||
| 
 | ||
|    To view the entire list of current Internet-Drafts, please check the
 | ||
|    "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
 | ||
|    Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
 | ||
|    munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
 | ||
|    ftp.isi.edu (US West Coast).
 | ||
| 
 | ||
|    Distribution of this memo is unlimited.  Please send comments to the
 | ||
|    <cat-ietf@mit.edu> mailing list.
 | ||
| 
 | ||
| Abstract
 | ||
| 
 | ||
|    This document specifies how the communication should be done between
 | ||
|    a client and a KDC using Kerberos [RFC1510] with TCP as the transport
 | ||
|    protocol.
 | ||
| 
 | ||
| Specification
 | ||
| 
 | ||
|    This draft specifies an extension to section 8.2.1 of RFC1510.
 | ||
| 
 | ||
|    A Kerberos server MAY accept requests on TCP port 88 (decimal).
 | ||
| 
 | ||
|    The data sent from the client to the KDC should consist of 4 bytes
 | ||
|    containing the length, in network byte order, of the Kerberos
 | ||
|    request, followed by the request (AS-REQ or TGS-REQ) itself.  The
 | ||
|    reply from the KDC should consist of the length of the reply packet
 | ||
|    (4 bytes, network byte order) followed by the packet itself (AS-REP,
 | ||
|    TGS-REP, or KRB-ERROR).
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| Westerlund, Danielsson                                          [Page 1]
 | ||
| 
 | ||
| Internet Draft             Kerberos over TCP              November, 1997
 | ||
| 
 | ||
| 
 | ||
|    C->S: Open connection to TCP port 88 at the server
 | ||
|    C->S: length of request
 | ||
|    C->S: AS-REQ or TGS-REQ
 | ||
|    S->C: length of reply
 | ||
|    S->C: AS-REP, TGS-REP, or KRB-ERROR
 | ||
| 
 | ||
| Discussion
 | ||
| 
 | ||
|    Even though the preferred way of sending kerberos packets is over UDP
 | ||
|    there are several occasions when it's more practical to use TCP.
 | ||
| 
 | ||
|    Mainly, it's usually much less cumbersome to get TCP through
 | ||
|    firewalls than UDP.
 | ||
| 
 | ||
|    In theory, there's no reason for having explicit length fields, that
 | ||
|    information is already encoded in the ASN1 encoding of the Kerberos
 | ||
|    packets.  But having explicit lengths makes it unnecessary to have to
 | ||
|    decode the ASN.1 encoding just to know how much data has to be read.
 | ||
| 
 | ||
|    Another way of signaling the end of the request of the reply would be
 | ||
|    to do a half-close after the request and a full-close after the
 | ||
|    reply.  This does not work well with all kinds of firewalls.
 | ||
| 
 | ||
| Security considerations
 | ||
| 
 | ||
|    This memo does not introduce any known security considerations in
 | ||
|    addition to those mentioned in [RFC1510].
 | ||
| 
 | ||
| References
 | ||
| 
 | ||
|    [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
 | ||
|    Authentication Service (V5)", RFC 1510, September 1993.
 | ||
| 
 | ||
| Authors' Addresses
 | ||
| 
 | ||
|    Assar Westerlund
 | ||
|    Swedish Institute of Computer Science
 | ||
|    Box 1263
 | ||
|    S-164 29  KISTA
 | ||
|    Sweden
 | ||
| 
 | ||
|    Phone: +46-8-7521526
 | ||
|    Fax:   +46-8-7517230
 | ||
|    EMail: assar@sics.se
 | ||
| 
 | ||
|    Johan Danielsson
 | ||
|    PDC, KTH
 | ||
|    S-100 44  STOCKHOLM
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| Westerlund, Danielsson                                          [Page 2]
 | ||
| 
 | ||
| Internet Draft             Kerberos over TCP              November, 1997
 | ||
| 
 | ||
| 
 | ||
|    Sweden
 | ||
| 
 | ||
|    Phone: +46-8-7907885
 | ||
|    Fax:   +46-8-247784
 | ||
|    EMail: joda@pdc.kth.se
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| 
 | ||
| Westerlund, Danielsson                                          [Page 3]
 | ||
| 
 |