3.3.1.5.4 Security Context Multiplexing

  • Article

These extensions allow for a client implementation to use more than one security context per connection. A client implementation MUST NOT do security context multiplexing unless the Association's Bind Feature Bitmask has the SecurityContextMultiplexingSupported bit set. When security context multiplexing has been negotiated, if a client needs to negotiate a new security context, it is allowed to do so on an existing connection subject to the constraints in the server state machine. These extensions also introduce some constraints and conventions along with this capability. If there is only one security context on a given connection, and this security context has the authentication level connect, a client and a server MAY choose not to send authentication information for that security context. In such a case, the server MUST treat request PDUs without authentication information as if they had Connect level authentication information, and all other security context attributes are picked from the only security context negotiated on the connection.<102>

A client MUST send authentication information for all request PDUs if the higher-level protocol on the client has asked for the connect authentication level and there is more than one security context negotiated for the connection.

A client MUST NOT build more than 2,000 security contexts per connection, but it MAY choose to impose an even lower limit on the number of security contexts that can be built on a connection.<103>

The server MAY enforce a limit in the number of security contexts that can be associated with a single connection.

If a server receives a request to associate a security context with an existing connection, the server SHOULD check that such limit has not been reached.<104>

If the new security context exceeds the server's limit, the server MUST send to the client an rpc_fault packet with the RPC_S_PROTOCOL_ERROR error code.

If the new association would make the limit be exceeded, the server MUST send to the client an rpc_fault packet with the RPC_S_PROTOCOL_ERROR error code.