Subject: Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
From: Paul Leach (paulle@EXCHANGE.MICROSOFT.COM)
Date: Tue Mar 14 2000 - 15:17:15 CST
- Next message: Paul Leach: "Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
- Previous message: O'Donnell,Michael (CNA Trust): "Account Unknown"
- Maybe in reply to: Scott Morizot: "(Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
- Next in thread: Luke Kenneth Casson Leighton: "Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
- Next in thread: Paul Leach: "Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
- Maybe reply: Paul Leach: "Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
- Reply: Luke Kenneth Casson Leighton: "Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?"
> -----Original Message-----
> From: Paul B. Hill [mailto:pbh@MIT.EDU]
> Sent: Tuesday, March 14, 2000 11:13 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
>
<snip>
> The other problem is that Microsoft's current use of name canonicalization
> means that more ticket requests than are normally necessary are placed on
> to the wire. Combined with their use of the authorization data field which
> greatly inflates the size of the packet, these two factors invalidate
> Microsoft's original claim that they saw the use of the authorization data
> field as an optimization of network traffic.
This is nonsense.
A. It wasn't network traffic volume that we were trying to optimize, it was
server and DC load. We've done that. Authorization data is computed once at
login time, not once per authentication request.
B. The additional ticket requests were not an intended characteristic of our
design; even so, they don't happen that much (we don't use very many names
for the same account). And the effect you mention was not intended -- we
didn't recognize it until it was too late to change in Windows 2000. We
still don't think the effect is large, and certainly does not cause on
average one ticket request for each authentication to the service -- whereas
the mechanism Kerberos replaced (NTLM) generated one or two requests to the
DC for each authentication -- _guaranteed_ -- thus loading both the server
and the DC. If the effect turns out to be larger than we anticipated, then
we can optimize it in a future release without any change to the protocol.
Paul
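The DC-load argument in the reply above, as an added illustration that is not code from the thread, from Microsoft or from MIT: a toy counting model of how many requests reach the domain controller when one client authenticates to a file server many times under NTLM pass-through versus Kerberos with authorization data carried in the ticket. The service names, the number of authentications and the ticket-cache behaviour are assumptions chosen for the model, not measurements from either implementation.

```python
"""
Added illustration, not code from the thread or from either product: a toy
counting model of the requests that reach the domain controller (DC) when a
client authenticates to a file server many times under NTLM pass-through
versus Kerberos with authorization data carried in the ticket.  The service
names, the authentication counts and the cache behaviour are assumptions
made for the model, not measurements.
"""
from collections import Counter


class DomainController:
    """Tallies the requests the DC has to answer, by message kind."""

    def __init__(self):
        self.requests = Counter()

    def handle(self, kind):
        self.requests[kind] += 1

    def total(self):
        return sum(self.requests.values())


def ntlm_logons(dc, n_auths):
    """NTLM: the server cannot verify the challenge/response itself, so every
    authentication is passed through to the DC over the Netlogon channel and
    the DC resolves the user's groups each time.  Cost grows with n_auths."""
    for _ in range(n_auths):
        dc.handle("NETLOGON pass-through")
    return dc.requests["NETLOGON pass-through"]


def kerberos_logons(dc, service_names, auths_per_name):
    """Kerberos: one AS-REQ at logon, where the DC computes the authorization
    data once and embeds it in the TGT, then one TGS-REQ per service name the
    client has no cached ticket for.  Every later authentication to that name
    reuses the cached ticket and never touches the DC.

    The cache is keyed by the name the client asked for (an assumption of this
    model), so naming the same server two ways (short name and FQDN, say)
    costs two TGS-REQs.  That is the 'extra ticket requests' effect discussed
    in the thread."""
    dc.handle("AS-REQ")
    ticket_cache = {}
    authentications = 0
    for name in service_names:
        if name not in ticket_cache:
            dc.handle("TGS-REQ")
            ticket_cache[name] = f"ticket with authorization data for {name}"
        # Each authentication to the service is a local check of the ticket
        # by the server; nothing goes back to the DC.
        authentications += auths_per_name
    return {
        "dc_requests": dc.total(),
        "tickets_issued": len(ticket_cache),
        "authentications": authentications,
    }


def compare(n_auths=1000, service_names=("cifs/fs1", "cifs/fs1.corp.example")):
    """Run both models over the same workload: n_auths authentications spread
    evenly over the given (constructed) service names.
    Returns (ntlm_dc_requests, kerberos_dc_requests)."""
    ntlm = ntlm_logons(DomainController(), n_auths)
    per_name = n_auths // len(service_names)
    krb = kerberos_logons(DomainController(), service_names, per_name)
    return ntlm, krb["dc_requests"]


if __name__ == "__main__":
    ntlm, krb = compare()
    print(f"NTLM: {ntlm} DC requests; Kerberos: {krb} DC requests")
```

With the defaults, 1000 authentications cost the DC 1000 pass-through requests under NTLM and 3 requests under Kerberos (one AS-REQ plus one TGS-REQ per distinct name). Adding names for the same server raises the Kerberos figure by one per name, which is the size of the canonicalization effect in this model; raising the number of authentications does not change it at all.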