On 8/8/2011 12:38 AM, Greg Hudson wrote:
> On Sun, 2011-08-07 at 03:13 -0400, Chris Hecker wrote:
>> Is there a max size for the AP-REQ and AP-REP packets? Even a
>> conservative (e.g. never > 768 bytes) would be fine.

If you are using Windows AD for the KDC, the authdata Greg refers to
below contains the PAC so could be large.

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx
in section "Recommended Maximum Kerberos Settings", says 65,535.

>
> In principle, there is no maximum size for AP-REQ, because tickets can
> get arbitrarily large due to authdata. If you're not doing anything
> fancy with authdata and can bound the size of client and server
> principal names, you could probably compute a maximum size, but I don't
> have one offhand.
>
> AP-REP packets do not have a lot of variability in size because they
> contain no strings. If you look at an AP-REP packet containing an
> AES256 subkey, that's probably as large as you're going to see, modulo a
> few bytes to account for variable-length ASN.1 encoding of integers.
> Again, though, I don't have any specific numbers in my head for that.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
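
An added example, not part of the original message or of MIT krb5: because the thread establishes that an AP-REQ has no fixed maximum size, a receiver can read the outer DER header and enforce its own cap before buffering the body. The function name, status codes and the 65,535 cap used in the sample are assumptions; the tag bytes are the RFC 4120 [APPLICATION 14] and [APPLICATION 15] encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { KRB_AP_REQ = 0x6E, KRB_AP_REP = 0x6F };  /* [APPLICATION 14] / [15], RFC 4120 */
enum { LEN_OK = 0, LEN_NEED_MORE = -1, LEN_BAD_TAG = -2, LEN_BAD_DER = -3, LEN_TOO_BIG = -4 };

/* Hypothetical helper (not an MIT krb5 API): from the first bytes of a received
 * message, compute the total DER size (header + body) of an AP-REQ or AP-REP
 * and reject anything above the caller's cap before buffering the body. */
int krb_ap_total_len(const uint8_t *buf, size_t avail, size_t cap, size_t *total)
{
    size_t n, i, body = 0, hdr = 2;

    if (avail < 2)
        return LEN_NEED_MORE;
    if (buf[0] != KRB_AP_REQ && buf[0] != KRB_AP_REP)
        return LEN_BAD_TAG;
    if (buf[1] < 0x80) {
        body = buf[1];                      /* short form: one length byte */
    } else {
        n = buf[1] & 0x7F;                  /* long form: n length bytes follow */
        if (n == 0)
            return LEN_BAD_DER;             /* indefinite length is not DER */
        if (n > 4)
            return LEN_TOO_BIG;
        if (avail < 2 + n)
            return LEN_NEED_MORE;
        for (i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (buf[2] == 0 || body < 0x80)
            return LEN_BAD_DER;             /* non-minimal encoding */
        hdr += n;
    }
    if (body > cap || hdr > cap - body)
        return LEN_TOO_BIG;
    *total = hdr + body;
    return LEN_OK;
}

int main(void)
{
    /* Constructed sample: AP-REQ header declaring a 1234-byte body. */
    const uint8_t sample[] = { 0x6E, 0x82, 0x04, 0xD2 };
    size_t total = 0;
    int rc = krb_ap_total_len(sample, sizeof sample, 65535, &total);
    printf("rc=%d total=%zu\n", rc, total);
    return rc == LEN_OK ? 0 : 1;
}
```

With a 768-byte cap the same constructed header is rejected as too big, which is the case a PAC-bearing ticket from an AD KDC would hit.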