.pl 10.0i
.po 0
.ll 7.2i
.lt 7.2i
.nr LL 7.2i
.nr LT 7.2i
.ds LF Westerlund, Danielsson
.ds RF [Page %]
.ds CF
.ds LH Internet Draft
.ds RH November, 1997
.ds CH Kerberos over TCP
.hy 0
.ad l
.in 0
.ta \n(.luR
.nf
Network Working Group	Assar Westerlund
<draft-ietf-cat-krb5-tcp.txt>	SICS
Internet-Draft	Johan Danielsson
November, 1997	PDC, KTH
Expires in six months
.fi

.ce
Kerberos over TCP

.ti 0
Status of this Memo

.in 3
This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups.  Note that other groups may also
distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time.  It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as
"work in progress."

To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited.  Please send comments to the
<cat-ietf@mit.edu> mailing list.

.ti 0
Abstract

.in 3
This document specifies how a client and a KDC exchange Kerberos
[RFC1510] messages when TCP, rather than UDP, is used as the
transport protocol.

.ti 0
Specification

This draft specifies an extension to section 8.2.1 of RFC1510.

A Kerberos server MAY accept requests on TCP port 88 (decimal).

The data sent from the client to the KDC should consist of 4 bytes
containing the length, in network byte order, of the Kerberos request,
followed by the request (AS-REQ or TGS-REQ) itself.  The reply from
the KDC should consist of the length of the reply packet (4 bytes,
network byte order) followed by the packet itself (AS-REP, TGS-REP, or
KRB-ERROR).  In both directions the length counts only the Kerberos
message that follows; it does not include the 4 bytes of the length
field itself.

.nf
C->S: Open connection to TCP port 88 at the server
C->S: length of request
C->S: AS-REQ or TGS-REQ
S->C: length of reply
S->C: AS-REP, TGS-REP, or KRB-ERROR
.fi
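
The exchange above carried out in code, as an added example that is not
part of the draft and not taken from any Kerberos implementation: a
client frames a request, a stand-in KDC reads it and frames a reply.
The two sides talk over a socketpair rather than TCP port 88, the
AS-REQ and KRB-ERROR byte strings are constructed placeholders rather
than real messages, and the 1 MiB cap on the declared length
(MAX_MESSAGE_LEN) is a choice made for this example, not something the
draft specifies.

.nf
```python
"""Length-prefixed framing of Kerberos messages over TCP as the draft
describes: 4 bytes of length in network byte order, then the message.

Added example; not code from the draft or from any KDC.  The AS-REQ and
KRB-ERROR bytes are constructed placeholders, not real messages."""
import socket
import struct
import threading

# Assumption: a cap on the declared length, chosen for this example so a
# bogus length field cannot make the reader allocate arbitrary memory.
# The draft itself states no limit.
MAX_MESSAGE_LEN = 1 << 20

# Constructed placeholders: the DER outer tags of AS-REQ ([APPLICATION 10])
# and KRB-ERROR ([APPLICATION 30]) around an empty SEQUENCE.
AS_REQ_PLACEHOLDER = bytes.fromhex("6a023000")
KRB_ERROR_PLACEHOLDER = bytes.fromhex("7e023000")


def frame(message):
    """Prefix message with its length as 4 bytes, network byte order.
    The length counts the message only, not the 4 prefix bytes."""
    if len(message) > 0xFFFFFFFF:
        raise ValueError("message does not fit a 4-byte length field")
    return struct.pack("!I", len(message)) + message


def unframe(buf):
    """Split one frame off the front of buf and return (message, rest)."""
    if len(buf) < 4:
        raise ValueError("need 4 bytes of length prefix")
    (length,) = struct.unpack("!I", buf[:4])
    if len(buf) < 4 + length:
        raise ValueError("incomplete message")
    return buf[4:4 + length], buf[4 + length:]


def recv_exactly(sock, n):
    """Read exactly n bytes.  TCP is a byte stream, so one recv() may
    return fewer bytes than asked for; loop until the count is met."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf.extend(chunk)
    return bytes(buf)


def read_framed(sock, max_len=MAX_MESSAGE_LEN):
    """Read one length-prefixed message from sock."""
    (length,) = struct.unpack("!I", recv_exactly(sock, 4))
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds {max_len}")
    return recv_exactly(sock, length)


def fake_kdc(sock, reply):
    """Server side: read one request, send one framed reply, close."""
    try:
        read_framed(sock)
        sock.sendall(frame(reply))
    finally:
        sock.close()


def exchange(request, reply=KRB_ERROR_PLACEHOLDER):
    """Run the C->S / S->C exchange over a socketpair (no real port 88)
    and return the unframed reply.  The request is sent in two pieces so
    the reader's short-read handling is exercised."""
    client, server = socket.socketpair()
    kdc = threading.Thread(target=fake_kdc, args=(server, reply))
    kdc.start()
    try:
        framed = frame(request)
        client.sendall(framed[:3])
        client.sendall(framed[3:])
        return read_framed(client)
    finally:
        client.close()
        kdc.join()


def oversized_length_rejected():
    """The reader refuses an absurd length field before trying to read
    (or allocate) that many bytes."""
    a, b = socket.socketpair()
    try:
        a.sendall(struct.pack("!I", 1 << 31))
        try:
            read_framed(b)
        except ValueError:
            return True
        return False
    finally:
        a.close()
        b.close()
```
.fi

The reader loops on recv() because a TCP segment boundary need not
coincide with a message boundary; a single recv() can return the length
prefix split in two, or the message in several pieces.  The length
check in read_framed is the example's own defence: the draft leaves the
maximum message size unspecified, so a KDC that trusts the field blindly
would try to read whatever size a client declares.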

.ti 0
Discussion

Even though the preferred way of sending Kerberos packets is over UDP,
there are several occasions when it is more practical to use TCP.

Mainly, it is usually much less cumbersome to get TCP through firewalls
than UDP.

In theory, there is no reason for having explicit length fields, since
that information is already encoded in the ASN.1 encoding of the
Kerberos packets.  But having explicit lengths makes it unnecessary to
decode the ASN.1 encoding just to know how much data has to be read.
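
To make concrete what decoding the ASN.1 just to learn the size
involves, here is an added example (not from the draft) that sizes a
Kerberos message from its outer DER tag and length octets alone.  The
tag table follows the [APPLICATION n] tags RFC1510 assigns to these
messages; NeedMoreBytes and the function names are chosen for this
example.

.nf
```python
"""Sizing a DER-encoded Kerberos message from its outer header, i.e.
what a TCP reader must do when no explicit length field precedes it.

Added example, not code from the draft.  Only the outer tag and length
octets are parsed; that is all "how much to read" needs."""


class NeedMoreBytes(ValueError):
    """The bytes seen so far do not yet contain the whole header."""


# Outer DER tags of the messages the draft carries ([APPLICATION n],
# constructed): AS-REQ 10, AS-REP 11, TGS-REQ 12, TGS-REP 13, KRB-ERROR 30.
KERBEROS_OUTER_TAGS = {
    0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
    0x6D: "TGS-REP", 0x7E: "KRB-ERROR",
}


def der_total_length(head):
    """Return (message_name, total_length) from the first bytes of a
    DER-encoded Kerberos message; total_length counts the tag, the
    length octets and the content.  Raises NeedMoreBytes if head is too
    short to decide and ValueError if it is not DER a reader can size."""
    if len(head) < 2:
        raise NeedMoreBytes("need at least the tag and first length byte")
    tag = head[0]
    if tag not in KERBEROS_OUTER_TAGS:
        raise ValueError(f"unexpected outer tag 0x{tag:02x}")
    first = head[1]
    if first < 0x80:                    # short form: one length byte
        return KERBEROS_OUTER_TAGS[tag], 2 + first
    if first == 0x80:                   # BER indefinite length
        raise ValueError("indefinite length: size unknown until the "
                         "end-of-contents octets are found")
    n = first & 0x7F                    # long form: n length bytes follow
    if n > 4:
        raise ValueError(f"length field of {n} bytes is too large")
    if len(head) < 2 + n:
        raise NeedMoreBytes(f"need {2 + n} header bytes, have {len(head)}")
    length = int.from_bytes(head[2:2 + n], "big")
    # DER requires the shortest encoding: long form only from 128 up, and
    # no leading zero length byte.
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal length encoding is not DER")
    return KERBEROS_OUTER_TAGS[tag], 2 + n + length


def message_size_from_stream(peek):
    """The same question for a stream reader: given the bytes received so
    far, return the full message size, or None if more header bytes are
    still needed.  A reader may have to come back up to three times
    (1 tag + up to 5 length bytes), whereas the draft's framing settles
    it with the first 4 bytes."""
    try:
        return der_total_length(peek)[1]
    except NeedMoreBytes:
        return None
```
.fi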

Another way of signaling the end of the request or the reply would be
to do a half-close after the request and a full-close after the reply.
This does not work well with all kinds of firewalls.

.ti 0
Security considerations

.in 3
This memo does not introduce any known security considerations in
addition to those mentioned in [RFC1510].

.ti 0
References

.in 3
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.

.ti 0
Authors' Addresses

Assar Westerlund
.br
Swedish Institute of Computer Science
.br
Box 1263
.br
S-164 29  KISTA
.br
Sweden

Phone: +46-8-7521526
.br
Fax:   +46-8-7517230
.br
EMail: assar@sics.se

Johan Danielsson
.br
PDC, KTH
.br
S-100 44  STOCKHOLM
.br
Sweden

Phone: +46-8-7907885
.br
Fax:   +46-8-247784
.br
EMail: joda@pdc.kth.se
