Authentication
According to RFC 1510, when a client contacts the KDC, the client should send a User Datagram Protocol (UDP) datagram to port 88 at the KDC's IP address. The KDC should respond with a reply datagram to the sender's IP address.
UDP is a connectionless transport protocol, which makes it a logical choice when an exchange of messages must precede a connection. UDP is also well suited to applications that send one message and expect one response, such as the exchange between a client and the KDC. However, UDP works best when each datagram is transmitted as a single unit — that is, within a single frame. The Maximum Transmission Unit (MTU) for an Ethernet frame is 1500 octets. If the physical network is Ethernet, Kerberos messages that are sent as UDP datagrams can carry up to 1500 octets of data.
Windows 2000 authorization data can easily total more than 1500 octets. Because this data is needed only by computers that are running Windows 2000, it is omitted from session tickets to computers with other operating systems. As a result, messages to other systems are well within the limits of UDP transport, and that is how they are transmitted. Messages that carry session tickets for computers that are running Windows 2000 are transmitted by using the Transmission Control Protocol (TCP), which has a much greater capacity than UDP. The use of TCP transport in Windows 2000 is consistent with recently proposed revisions to RFC 1510.
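The transport choice this section describes, as an added Python example that is not from the original article: it derives the largest Kerberos payload that fits one 1500-octet Ethernet frame (the MTU minus minimal IPv4 and UDP headers), selects TCP when a ticket carrying authorization data would not fit, and frames the TCP message with the 4-octet length prefix that the later RFC 4120 revision specifies for Kerberos over TCP. The ticket byte strings are constructed sample data, and `KRB_ERR_RESPONSE_TOO_BIG` is the RFC 4120 error code a KDC uses to tell a client to retry over TCP.

```python
import struct
from typing import Dict, Tuple

ETHERNET_MTU = 1500        # octets per Ethernet frame, as stated in the article
IPV4_HEADER = 20           # minimal IPv4 header (no options)
UDP_HEADER = 8
# Largest Kerberos message that travels in a single, unfragmented frame over IPv4/UDP
MAX_UDP_KRB_PAYLOAD = ETHERNET_MTU - IPV4_HEADER - UDP_HEADER   # 1472

KDC_PORT = 88                    # RFC 1510 KDC port
KRB_ERR_RESPONSE_TOO_BIG = 52    # RFC 4120: KDC asks the client to retry over TCP


def choose_transport(message: bytes) -> str:
    """Return 'udp' when the message fits one frame, otherwise 'tcp'."""
    return "udp" if len(message) <= MAX_UDP_KRB_PAYLOAD else "tcp"


def frame_for_tcp(message: bytes) -> bytes:
    """RFC 4120 TCP framing: 4-octet big-endian length; the high bit is reserved and must be 0."""
    if len(message) >= 1 << 31:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack("!I", len(message)) + message


def unframe_from_tcp(stream: bytes) -> Tuple[bytes, bytes]:
    """Parse one length-prefixed message from a TCP byte stream; returns (message, rest)."""
    if len(stream) < 4:
        raise ValueError("incomplete length prefix")
    (length,) = struct.unpack("!I", stream[:4])
    if length & 0x80000000:
        # A peer setting the reserved bit is speaking a different (future) framing; refuse it
        raise ValueError("reserved high bit set in length prefix")
    if len(stream) < 4 + length:
        raise ValueError("incomplete message")
    return stream[4:4 + length], stream[4 + length:]


def demo() -> Dict[str, str]:
    """Constructed sizes: a bare session ticket vs. one carrying Windows 2000 authorization data."""
    plain_ticket = b"\x6d" + bytes(600)    # constructed, 601 octets: fits in one UDP datagram
    pac_ticket = b"\x6d" + bytes(2200)     # constructed, 2201 octets: exceeds one Ethernet frame
    return {"plain": choose_transport(plain_ticket), "pac": choose_transport(pac_ticket)}
```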