the way we decode the Kerberos is not good, as I said in a previous mail. We can't process a fragmented PDU.
I suggested that we manipulate the State in order to pick the right container, but this is really too complex, and brittle.
I have one other solution :
pre-read the PDU size. As we are using TLV, the Length once read will let us read the Value as an opaque element, then once completely read, we will be able to process the PDU
This seems a minimal cost to get the codec working with the grammars we have defined.