2 Network Working Group Assar Westerlund
3 <draft-ietf-cat-krb5-tcp-00.txt> SICS
4 Internet-Draft Johan Danielsson
5 November, 1997 PDC, KTH
12 This document is an Internet-Draft. Internet-Drafts are working
13 documents of the Internet Engineering Task Force (IETF), its areas,
14 and its working groups. Note that other groups may also distribute
15 working documents as Internet-Drafts.
17 Internet-Drafts are draft documents valid for a maximum of six months
18 and may be updated, replaced, or obsoleted by other documents at any
19 time. It is inappropriate to use Internet- Drafts as reference
20 material or to cite them other than as "work in progress."
22 To view the entire list of current Internet-Drafts, please check the
23 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
24 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
25 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
26 ftp.isi.edu (US West Coast).
28 Distribution of this memo is unlimited. Please send comments to the
29 <cat-ietf@mit.edu> mailing list.
33 This document specifies how the communication should be done between
34 a client and a KDC using Kerberos [RFC1510] with TCP as the transport
39 This draft specifies an extension to section 8.2.1 of RFC1510.
41 A Kerberos server MAY accept requests on TCP port 88 (decimal).
43 The data sent from the client to the KDC should consist of 4 bytes
44 containing the length, in network byte order, of the Kerberos
45 request, followed by the request (AS-REQ or TGS-REQ) itself. The
46 reply from the KDC should consist of the length of the reply packet
47 (4 bytes, network byte order) followed by the packet itself (AS-REP,
48 TGS-REP, or KRB-ERROR).
53 Westerlund, Danielsson [Page 1]
55 Internet Draft Kerberos over TCP November, 1997
58 C->S: Open connection to TCP port 88 at the server
59 C->S: length of request
60 C->S: AS-REQ or TGS-REQ
62 S->C: AS-REP, TGS-REP, or KRB-ERROR
66 Even though the preferred way of sending kerberos packets is over UDP
67 there are several occasions when it's more practical to use TCP.
69 Mainly, it's usually much less cumbersome to get TCP through
72 In theory, there's no reason for having explicit length fields, that
73 information is already encoded in the ASN1 encoding of the Kerberos
74 packets. But having explicit lengths makes it unnecessary to have to
75 decode the ASN.1 encoding just to know how much data has to be read.
77 Another way of signaling the end of the request of the reply would be
78 to do a half-close after the request and a full-close after the
79 reply. This does not work well with all kinds of firewalls.
81 Security considerations
83 This memo does not introduce any known security considerations in
84 addition to those mentioned in [RFC1510].
88 [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
89 Authentication Service (V5)", RFC 1510, September 1993.
94 Swedish Institute of Computer Science
109 Westerlund, Danielsson [Page 2]
111 Internet Draft Kerberos over TCP November, 1997
118 EMail: joda@pdc.kth.se
165 Westerlund, Danielsson [Page 3]