Network Working Group                                   Assar Westerlund
<draft-ietf-cat-krb5-tcp.txt>                                       SICS
Internet-Draft                                          Johan Danielsson
November, 1997                                                  PDC, KTH
Expires in six months

                           Kerberos over TCP

Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this memo is unlimited.  Please send comments to the
   <cat-ietf@mit.edu> mailing list.

Abstract

   This document specifies how a client and a KDC communicate using
   Kerberos [RFC1510] with TCP as the transport protocol.

Specification

   This draft specifies an extension to section 8.2.1 of RFC1510.

   A Kerberos server MAY accept requests on TCP port 88 (decimal).

   The data sent from the client to the KDC should consist of 4 bytes
   containing the length, in network byte order, of the Kerberos
   request, followed by the request (AS-REQ or TGS-REQ) itself.  The
   reply from the KDC should consist of the length of the reply packet
   (4 bytes, network byte order) followed by the packet itself (AS-REP,
   TGS-REP, or KRB-ERROR).



Westerlund, Danielsson                                          [Page 1]

Internet Draft             Kerberos over TCP              November, 1997


   C->S: Open connection to TCP port 88 at the server
   C->S: length of request
   C->S: AS-REQ or TGS-REQ
   S->C: length of reply
   S->C: AS-REP, TGS-REP, or KRB-ERROR
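
   As an added example that is not part of this draft, the following
   Python implements the framing above: the sender prefixes the
   DER-encoded message with its 4-byte network-order length, and the
   receiver reads exactly that many bytes, treating a connection closed
   mid-message as truncation and refusing a declared length above a
   local bound.  The bound (MAX_MESSAGE_LEN) and the placeholder message
   bytes are assumptions, not taken from the draft.

```python
import io
import struct

# Framing from the draft: a 4-byte length in network byte order, then the
# DER-encoded Kerberos message (AS-REQ/TGS-REQ, AS-REP/TGS-REP or KRB-ERROR).
HEADER = struct.Struct("!I")
# Assumed local sanity bound on a declared length; the draft sets none.
# Without it a peer could make the reader allocate or wait for up to 4 GiB.
MAX_MESSAGE_LEN = 1 << 20


def frame(message: bytes) -> bytes:
    """Sender side (client or KDC): prefix the message with its length."""
    if len(message) > 0xFFFFFFFF:
        raise ValueError("message does not fit a 32-bit length field")
    return HEADER.pack(len(message)) + message


def read_exact(stream, n: int) -> bytes:
    """TCP is a byte stream, so one read may be short; loop until n bytes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("peer closed the connection mid-message")
        buf += chunk
    return bytes(buf)


def read_framed(stream, limit: int = MAX_MESSAGE_LEN) -> bytes:
    """Receiver side: read one length-prefixed message from a stream."""
    (length,) = HEADER.unpack(read_exact(stream, HEADER.size))
    if length > limit:
        raise ValueError(f"declared length {length} exceeds limit {limit}")
    # The prefix says exactly how much to read; no ASN.1 decoding needed.
    return read_exact(stream, length)


def parse_wire(data: bytes, limit: int = MAX_MESSAGE_LEN) -> bytes:
    """read_framed for a message already captured in memory."""
    return read_framed(io.BytesIO(data), limit)


def check_wire(data: bytes, limit: int = MAX_MESSAGE_LEN) -> str:
    """Classify a captured message as 'ok', 'oversized' or 'truncated'."""
    try:
        parse_wire(data, limit)
        return "ok"
    except ValueError:
        return "oversized"
    except EOFError:
        return "truncated"
```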

Discussion

   Even though the preferred way of sending Kerberos packets is over UDP,
   there are several occasions when it is more practical to use TCP.

   The main one is that it is usually much less cumbersome to get TCP
   through firewalls than UDP.

   In theory there is no need for explicit length fields, since that
   information is already encoded in the ASN.1 encoding of the Kerberos
   packets.  But having explicit lengths makes it unnecessary to decode
   the ASN.1 encoding just to know how much data has to be read.

   Another way of signaling the end of the request or the reply would be
   to do a half-close after the request and a full-close after the
   reply.  This does not work well with all kinds of firewalls.

Security considerations

   This memo does not introduce any known security considerations in
   addition to those mentioned in [RFC1510].

References

   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
   Authentication Service (V5)", RFC 1510, September 1993.

Authors' Addresses

   Assar Westerlund
   Swedish Institute of Computer Science
   Box 1263
   S-164 29  KISTA
   Sweden

   Phone: +46-8-7521526
   Fax:   +46-8-7517230
   EMail: assar@sics.se

   Johan Danielsson
   PDC, KTH
   S-100 44  STOCKHOLM
   Sweden

   Phone: +46-8-7907885
   Fax:   +46-8-247784
   EMail: joda@pdc.kth.se