Many VPNs are built into routers that support stateful packet inspection as part of the firewall. If the VPN is IPsec based, the MTU on the VPN connection is typically 152 octets smaller than the MTU on the networks it connects. As a result, any packet that is larger than this smaller MTU must be fragmented. Unfortunately, many of these routers are configured to drop fragmented UDP packets, because reassembling the fragments so that they can pass through the stateful packet inspection algorithms in one piece requires memory and CPU resources which, when used for this purpose, would hurt overall throughput statistics.
To answer your question, the KDC does not see the fragmentation. It often doesn't see the packets at all, or only sees the first fragment of the message, which is insufficient to generate a response.

Jeffrey Altman

On 8/2/2010 1:42 AM, Victor Sudakov wrote:
> Colleagues,
>
> Quoting from http://support.microsoft.com/kb/244474/
> By default, Kerberos uses connectionless UDP datagram packets.
> Depending on a variety of factors including security identifier (SID)
> history and group membership, some accounts will have larger Kerberos
> authentication packet sizes. Depending on the virtual private network
> (VPN) hardware configuration, these larger packets have to be
> fragmented when going through a VPN. The problem is caused by
> fragmentation of these large UDP Kerberos packets. Because UDP is a
> connectionless protocol, fragmented UDP packets will be dropped if
> they arrive at the destination out of order.
>
> Quoting from
> http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
> A common problem is that routers will arbitrarily fragment UDP
> packets; when this happens the Kerberos ticket request packets are
> discarded by the KDC.
>
> Please tell me how on earth does the KDC know that the packet has been
> fragmented? Packets are fragmented and reassembled on the network
> level (IP level), the fragmentation process should be opaque to UDP
> and the application, shouldn't it?
>
> I assume the KDC should just receive data from the socket, no matter
> if the datagram was bigger than the MTU, is it correct?
>
> TIA.
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
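The mechanism the reply describes can be modelled in a few dozen lines: a router fragments a large UDP datagram at the IP layer, a stateful firewall that refuses to reassemble drops some or all of the fragments, and the receiving host's IP stack never completes reassembly, so the KDC's socket returns nothing. The script below is an added illustration, not code from either poster or from any Kerberos implementation. The 152-octet IPsec overhead is the figure given in the reply; the 20-byte IPv4 and 8-byte UDP header sizes are standard; the three firewall policies (`pass`, `drop_non_initial`, `drop_all`), the function names and the Kerberos payload (a constructed byte string, not a real AS-REQ) are assumptions made for the model.

```python
"""Model of a large Kerberos UDP datagram crossing an IPsec VPN whose firewall
drops IP fragments.  Added example, not code from the thread or from any
Kerberos implementation.  Sizes: 152-octet IPsec overhead from the reply above
(taken as an assumption); standard IPv4 and UDP header lengths."""

from dataclasses import dataclass

IPV4_HEADER = 20
UDP_HEADER = 8
IPSEC_OVERHEAD = 152      # octets lost to the IPsec tunnel, per the reply (assumed)
LAN_MTU = 1500            # typical Ethernet MTU on the networks the VPN joins


@dataclass
class Fragment:
    ident: int            # IP identification field shared by all fragments of one datagram
    offset: int           # byte offset of this fragment's payload in the original datagram
    more_fragments: bool  # IP "MF" flag: False only on the last fragment
    payload: bytes        # bytes after the IP header (UDP header rides in the first one)


def tunnel_mtu(lan_mtu=LAN_MTU, overhead=IPSEC_OVERHEAD):
    """MTU available inside the tunnel."""
    return lan_mtu - overhead


def max_unfragmented_payload(lan_mtu=LAN_MTU):
    """Largest UDP payload that still fits in one tunnel packet."""
    return tunnel_mtu(lan_mtu) - IPV4_HEADER - UDP_HEADER


def needs_fragmentation(payload_len, lan_mtu=LAN_MTU):
    return payload_len > max_unfragmented_payload(lan_mtu)


def fragment_datagram(udp_payload, mtu, ident=1):
    """Split one UDP datagram into IPv4 fragments as a router would.
    All fragments but the last carry a multiple of 8 payload bytes; only the
    first fragment contains the UDP header, so only it carries port numbers."""
    datagram = b"\x00" * UDP_HEADER + udp_payload   # placeholder UDP header + payload
    max_payload = (mtu - IPV4_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < len(datagram):
        chunk = datagram[offset:offset + max_payload]
        more = offset + len(chunk) < len(datagram)
        frags.append(Fragment(ident, offset, more, chunk))
        offset += len(chunk)
    return frags


def stateful_firewall(frags, policy="drop_all"):
    """Assumed policies for a router that will not spend memory/CPU on reassembly:
    pass             - forward everything (a router that does reassemble)
    drop_non_initial - forward only the first fragment, the one with the UDP
                       header it can match against its state table
    drop_all         - forward only datagrams that were never fragmented"""
    if policy == "pass":
        return list(frags)
    if policy == "drop_non_initial":
        return [f for f in frags if f.offset == 0]
    if policy == "drop_all":
        return [f for f in frags if f.offset == 0 and not f.more_fragments]
    raise ValueError(policy)


def reassemble(frags):
    """IP-layer reassembly on the receiving host.  Returns the UDP payload only
    when every byte is present and the last fragment has arrived; otherwise None,
    which is exactly what the KDC's socket sees: nothing at all."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    expected, total = 0, None
    for f in ordered:
        if f.offset != expected:
            return None                  # hole in the datagram
        expected += len(f.payload)
        if not f.more_fragments:
            total = expected
    if total is None or expected != total:
        return None                      # last fragment never arrived
    return b"".join(f.payload for f in ordered)[UDP_HEADER:]


def kdc_receives(udp_payload, policy="drop_all", lan_mtu=LAN_MTU):
    """End-to-end: fragment at the VPN router, filter, reassemble at the KDC."""
    frags = fragment_datagram(udp_payload, tunnel_mtu(lan_mtu))
    return reassemble(stateful_firewall(frags, policy))


if __name__ == "__main__":
    big = b"A" * 2000     # constructed stand-in for a large AS-REQ with many SIDs
    small = b"B" * 1000   # constructed stand-in for a small request
    print("tunnel MTU:", tunnel_mtu(), "max unfragmented payload:", max_unfragmented_payload())
    for policy in ("pass", "drop_non_initial", "drop_all"):
        print(policy, "big ->", kdc_receives(big, policy) is not None,
              "small ->", kdc_receives(small, policy) is not None)
```

With a 1500-byte LAN MTU the tunnel MTU is 1348 and a UDP payload above 1320 bytes is split; under either dropping policy the large request never reaches the KDC's socket, while the small one passes every policy, which is why the symptom tracks account size (SID history, group count) rather than anything the KDC does.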
