7.2. KDC Messaging: IP Transports
Overview
Kerberos clients communicate with KDCs using UDP or TCP over IP networks. This section specifies transport requirements and KDC discovery mechanisms.
7.2.1. UDP/IP Transport
Default Behavior
- KDC listens on port 88 (UDP)
- Clients send requests via UDP
- Suitable for small messages
Limitations
- UDP datagram size limits bound the size of a single request or reply
- Large messages (for example, replies carrying big tickets) may require TCP
- Path MTU limits the size of UDP datagrams that can be delivered reliably
7.2.2. TCP/IP Transport
When to Use
- KDC listens on port 88 (TCP)
- Required for large messages exceeding UDP limits
- More reliable for some network environments
Connection Handling
- Client initiates TCP connection
- A 4-byte length field (network byte order) precedes each message
- A connection can carry multiple request/reply exchanges
- Both sides must manage connection lifetime (when to close, idle timeouts)
7.2.3. KDC Discovery on IP Networks
DNS-Based Discovery
- SRV records for KDC location
- Format: _kerberos._udp.REALM and _kerberos._tcp.REALM
- Enables automatic KDC discovery
- Priority and weight for multiple KDCs
Static Configuration
- Manual KDC addresses in client configuration
- krb5.conf or equivalent
- Fallback when DNS unavailable
Master KDC Discovery
- _kerberos-master._udp.REALM and _kerberos-master._tcp.REALM
- Used for password changes and administrative operations
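The TCP framing described under Connection Handling and the SRV-based discovery above, as an added Python example that is not part of RFC 4120 or any Kerberos implementation. It assumes a local size cap (SANE_LIMIT, chosen for the example) so that a length field announced by an untrusted peer cannot force unbounded buffering, and it orders SRV results deterministically rather than with the weighted random selection RFC 2782 specifies.

```python
import struct
from typing import List, Tuple

# RFC 4120 7.2.2: each TCP message is preceded by a 4-octet length in
# network byte order; the high bit is reserved and must be zero.
MAX_TCP_LEN = 0x7FFFFFFF
# Defensive cap chosen for this example (assumption, not from the RFC):
# refuse to buffer absurdly large messages announced by an untrusted peer.
SANE_LIMIT = 1 << 20


def frame_tcp(msg: bytes) -> bytes:
    """Prefix one KDC message with its 4-byte big-endian length."""
    if len(msg) > MAX_TCP_LEN:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!I", len(msg)) + msg


def unframe_tcp(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete messages.

    Returns (messages, remainder); the remainder is a partial message
    that needs more bytes from the connection before it can be parsed.
    """
    msgs: List[bytes] = []
    while len(buf) >= 4:
        (n,) = struct.unpack("!I", buf[:4])
        if n & 0x80000000:
            raise ValueError("reserved high bit set in length field")
        if n > SANE_LIMIT:
            raise ValueError("announced length exceeds local limit")
        if len(buf) < 4 + n:
            break  # incomplete message: wait for more data
        msgs.append(buf[4:4 + n])
        buf = buf[4 + n:]
    return msgs, buf


def srv_names(realm: str, master: bool = False) -> List[str]:
    """DNS SRV owner names a client queries for the KDCs of REALM."""
    svc = "_kerberos-master" if master else "_kerberos"
    return [f"{svc}._udp.{realm}", f"{svc}._tcp.{realm}"]


def order_kdcs(records):
    """Order (priority, weight, target, port) tuples: lowest priority
    first; within a priority, higher weight first (simplification of
    RFC 2782's weighted random choice, to keep the example deterministic)."""
    return sorted(records, key=lambda r: (r[0], -r[1]))
```

A client would query the names from srv_names() via its resolver, feed the answers to order_kdcs(), and, after a KRB_ERR_RESPONSE_TOO_BIG on UDP, retry the same request over TCP using frame_tcp()/unframe_tcp().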
Security Considerations
- DNS responses may not be trustworthy
- DNSSEC recommended for secure KDC discovery
- Static configuration more secure but less flexible
Port Numbers
- Standard port: 88 (both UDP and TCP)
- Registered with IANA
- Both transports should be supported
Reference
For complete transport specifications, refer to RFC 4120 Section 7.2.