Hello,

I am looking into GSS-API as a protection mechanism for SCTP connections.  SCTP 
connects multiple independent streams at once, and can decide on in-order or 
out-of-order delivery on a per-frame basis.  SCTP has reliable delivery by 
default.

I found that the Kerberos mechanism for GSS-API includes a sequence number that 
is incremented with each wrapped or MIC’d message.  I assume that the receiving 
side would verify that sequence number, and drop anything too old, and perhaps 
also anything too new.  This would mean that Kerberos over GSS-API enforces a 
strict ordering, and is thus too limiting to use with SCTP.  Am I correct?  I 
found a GSS_C_SEQUENCE_FLAG, but it is not documented in RFC 4121 that mentions 
it :-S

FWIW, our aim is cross-realm RADIUS, SNMP and more — protocols that benefit 
from out-of-order delivery but that would require both reliable delivery and 
security.  TLS-over-TCP enforces ordering of independent packets, and 
DTLS-over-UDP isn’t reliable.  SCTP is just right, after adding security; and 
Kerberos is more sane than (D)TLS in our architecture.


Thanks,

Rick van Rein
InternetWide.org / OpenFortress.nl
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
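As an added illustration of the distinction the question turns on (this is example code written for this page, not anything from the original post, from MIT Kerberos, or from any GSS-API mechanism), the following C model shows a sliding-window sequence-number check in two modes: replay detection only, which tolerates reordering but rejects duplicates, and strict ordering, which additionally flags out-of-sequence and gap tokens. The status names are modelled on the RFC 2743 informatory codes (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, GSS_S_GAP_TOKEN) and the two modes on GSS_C_REPLAY_FLAG versus GSS_C_SEQUENCE_FLAG; the 64-entry window, the exact mapping of outcomes to those codes, and the sample arrival order are this example's own assumptions, not a description of how the Kerberos mechanism implements its window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of checking a token's sequence number. The names are modelled on
 * the RFC 2743 informatory status codes that gss_unwrap()/gss_verify_mic()
 * can report; the mapping below is this example's own reading, not a
 * statement about any particular mechanism implementation. */
enum seq_status {
    SEQ_OK = 0,     /* accepted (in order, or out of order but tolerated)          */
    SEQ_OLD,        /* older than the window can track      (cf. GSS_S_OLD_TOKEN)  */
    SEQ_DUPLICATE,  /* already seen, i.e. a replay    (cf. GSS_S_DUPLICATE_TOKEN)  */
    SEQ_UNSEQ,      /* earlier than expected, not a replay (cf. GSS_S_UNSEQ_TOKEN) */
    SEQ_GAP         /* later than expected, predecessors missing (cf. GSS_S_GAP_TOKEN) */
};

#define WINDOW_BITS 64   /* assumed window size: one bit per tracked sequence number */

struct seq_window {
    uint64_t highest;  /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set  <=>  sequence number (highest - i) was seen */
    bool started;      /* false until the first token arrives */
    bool strict;       /* true: strict ordering (cf. GSS_C_SEQUENCE_FLAG);
                          false: replay detection only (cf. GSS_C_REPLAY_FLAG) */
};

void seq_window_init(struct seq_window *w, bool strict)
{
    memset(w, 0, sizeof *w);
    w->strict = strict;
}

/* Record `seq` and classify it. Duplicates and too-old tokens are flagged in
 * both modes; UNSEQ/GAP are reported only in strict mode, which is what makes
 * the replay-only mode usable with out-of-order delivery. */
enum seq_status seq_window_check(struct seq_window *w, uint64_t seq)
{
    if (!w->started) {
        w->started = true;
        w->highest = seq;
        w->bitmap = 1;
        return SEQ_OK;
    }
    if (seq > w->highest) {
        uint64_t advance = seq - w->highest;
        /* slide the window forward; shifting by >= 64 is undefined in C */
        w->bitmap = (advance >= WINDOW_BITS) ? 0 : (w->bitmap << advance);
        w->bitmap |= 1;
        w->highest = seq;
        return (w->strict && advance > 1) ? SEQ_GAP : SEQ_OK;
    }
    uint64_t back = w->highest - seq;
    if (back >= WINDOW_BITS)
        return SEQ_OLD;                 /* cannot tell a replay from a late arrival */
    uint64_t bit = (uint64_t)1 << back;
    if (w->bitmap & bit)
        return SEQ_DUPLICATE;
    w->bitmap |= bit;
    return w->strict ? SEQ_UNSEQ : SEQ_OK;
}

/* Feed an arrival order through a fresh window; return how many tokens come
 * back SEQ_OK (the ones an application that honours the status would keep). */
size_t count_accepted(bool strict, const uint64_t *seqs, size_t n)
{
    struct seq_window w;
    seq_window_init(&w, strict);
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (seq_window_check(&w, seqs[i]) == SEQ_OK)
            ok++;
    return ok;
}

/* Constructed arrival order: reordering (4 before 3), two replays (3, 2),
 * a large jump (100) and a late-but-still-in-window straggler (40). */
const uint64_t sample_arrivals[] = {1, 2, 4, 3, 5, 3, 2, 100, 40};
const size_t sample_count = sizeof sample_arrivals / sizeof sample_arrivals[0];

int main(void)
{
    static const char *names[] = {"OK", "OLD", "DUPLICATE", "UNSEQ", "GAP"};
    struct seq_window replay_only, strict;
    seq_window_init(&replay_only, false);
    seq_window_init(&strict, true);
    for (size_t i = 0; i < sample_count; i++)
        printf("seq %3llu  replay-only: %-9s strict: %s\n",
               (unsigned long long)sample_arrivals[i],
               names[seq_window_check(&replay_only, sample_arrivals[i])],
               names[seq_window_check(&strict, sample_arrivals[i])]);
    return 0;
}
```

On the sample order the replay-only window keeps seven of the nine tokens (rejecting just the two replays), while the strict window keeps only three, flagging the reordered and gapped ones. Note that in both modes the window still records a flagged token; as with the RFC 2743 informatory codes, the token has been processed and it is the caller that decides whether to discard it.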