draft-foo2.ms
.pl 10.0i
.po 0
.ll 7.2i
.lt 7.2i
.nr LL 7.2i
.nr LT 7.2i
.ds LF Westerlund, Danielsson
.ds RF [Page %]
.ds CF
.ds LH Internet Draft
.ds RH November, 1997
.ds CH Kerberos over TCP
.hy 0
.ad l
.in 0
.ta \n(.luR
.nf
Network Working Group	Assar Westerlund
<draft-ietf-cat-krb5-tcp.txt>	SICS
Internet-Draft	Johan Danielsson
November, 1997	PDC, KTH
Expire in six months
.fi

.ce
Kerberos over TCP

.ti 0
Status of this Memo

.in 3
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as
"work in progress."

To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East
Coast), or ftp.isi.edu (US West Coast).

Distribution of this memo is unlimited. Please send comments to the
<cat-ietf@mit.edu> mailing list.

.ti 0
Abstract

.in 3
This document specifies how the communication should be done between a
client and a KDC using Kerberos [RFC1510] with TCP as the transport
protocol.

.ti 0
Specification

This draft specifies an extension to section 8.2.1 of RFC1510.

A Kerberos server MAY accept requests on TCP port 88 (decimal).

The data sent from the client to the KDC should consist of 4 bytes
containing the length, in network byte order, of the Kerberos request,
followed by the request (AS-REQ or TGS-REQ) itself. The reply from
the KDC should consist of the length of the reply packet (4 bytes,
network byte order) followed by the packet itself (AS-REP, TGS-REP, or
KRB-ERROR).

.nf
C->S: Open connection to TCP port 88 at the server
C->S: length of request
C->S: AS-REQ or TGS-REQ
S->C: length of reply
S->C: AS-REP, TGS-REP, or KRB-ERROR
.fi

.ti 0
Discussion

Even though the preferred way of sending Kerberos packets is over UDP,
there are several occasions when it is more practical to use TCP.

Mainly, it is usually much less cumbersome to get TCP through firewalls
than UDP.

In theory, there is no reason for having explicit length fields, since that
information is already encoded in the ASN.1 encoding of the Kerberos
packets. But having explicit lengths makes it unnecessary to
decode the ASN.1 encoding just to know how much data has to be read.

Another way of signaling the end of the request or the reply would be
to do a half-close after the request and a full-close after the reply.
This does not work well with all kinds of firewalls.

.ti 0
Security considerations

.in 3
This memo does not introduce any known security considerations in
addition to those mentioned in [RFC1510].

.ti 0
References

.in 3
[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
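The following is an added illustration of the framing given in the Specification section (the 4-byte network-byte-order length followed by the message, in both directions); it is example code written for this edit, not code from the draft or from any Kerberos implementation. The request and reply bodies are constructed placeholder byte strings standing in for DER-encoded AS-REQ/AS-REP, which the framing layer never needs to decode; the MAX_KRB_MESSAGE cap is an assumed local limit that the draft does not specify. The exchange runs over an in-process socket pair instead of a real connection to port 88.

```python
"""Length-prefixed framing for Kerberos over TCP (added example, not the draft's code)."""
import socket
import struct
import threading

KRB_TCP_PORT = 88           # decimal, as stated in the draft
MAX_KRB_MESSAGE = 1 << 20   # assumed local cap; not part of the draft


def frame(message: bytes) -> bytes:
    """Prefix a Kerberos message with its 4-byte length in network byte order."""
    return struct.pack("!I", len(message)) + message


def recv_exactly(sock, n: int) -> bytes:
    """Read exactly n bytes, looping over short reads; error on early close."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def read_frame(sock, limit: int = MAX_KRB_MESSAGE) -> bytes:
    """Read one length-prefixed message. The declared length is only honoured
    up to `limit`, so a bogus header cannot drive an unbounded allocation."""
    (length,) = struct.unpack("!I", recv_exactly(sock, 4))
    if length > limit:
        raise ValueError(f"declared length {length} exceeds limit {limit}")
    return recv_exactly(sock, length)


def serve_one(sock, reply: bytes) -> bytes:
    """KDC side: read one request frame, answer with one reply frame."""
    request = read_frame(sock)
    sock.sendall(frame(reply))
    return request


def exchange(request: bytes, reply: bytes):
    """Run the C->S / S->C exchange from the draft over a socket pair.
    Returns (request as seen by the server, reply as seen by the client)."""
    client, server = socket.socketpair()
    seen = {}
    kdc = threading.Thread(target=lambda: seen.setdefault("req", serve_one(server, reply)))
    kdc.start()
    framed = frame(request)
    client.sendall(framed[:3])   # deliberately split the 4-byte header
    client.sendall(framed[3:])   # to exercise recv_exactly's short-read loop
    got = read_frame(client)
    kdc.join()
    client.close()
    server.close()
    return seen["req"], got


def rejects_bogus_length(declared: int) -> bool:
    """Feed a header claiming `declared` bytes against a 1 KiB limit."""
    a, b = socket.socketpair()
    a.sendall(struct.pack("!I", declared))
    try:
        read_frame(b, limit=1024)
        return False
    except ValueError:
        return True
    finally:
        a.close()
        b.close()


def detects_truncated_body() -> bool:
    """Header claims 10 bytes, peer sends 5 and closes: reader must not hang or
    return a partial message."""
    a, b = socket.socketpair()
    a.sendall(struct.pack("!I", 10) + b"12345")
    a.close()
    try:
        read_frame(b)
        return False
    except ConnectionError:
        return True
    finally:
        b.close()


if __name__ == "__main__":
    # Constructed placeholders, not real DER-encoded Kerberos messages.
    req, rep = exchange(b"AS-REQ placeholder", b"AS-REP placeholder")
    print(req, rep)
```

Two details matter more in practice than the happy path: the reader loops until it has the full 4-byte header and the full body (TCP delivers a byte stream, not the sender's write boundaries), and the declared length is bounded before any buffer is sized from it, which is the check an implementation wants since the length field is untrusted network input.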

.ti 0
Authors' Addresses

Assar Westerlund
.br
Swedish Institute of Computer Science
.br
Box 1263
.br
S-164 29 KISTA
.br
Sweden

Phone: +46-8-7521526
.br
Fax: +46-8-7517230
.br
EMail: assar@sics.se

Johan Danielsson
.br
PDC, KTH
.br
S-100 44 STOCKHOLM
.br
Sweden

Phone: +46-8-7907885
.br
Fax: +46-8-247784
.br
EMail: joda@pdc.kth.se