JDK-8202300

Kerberos should use 64-bit sequence number in MessageToken_v2


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: P4
    • tbd
    • None
    • security-libs
    • None

      Although the initial sequence number, as exchanged in AP-REQ and AP-REP, is 32-bit, RFC 4121 defines an 8-byte SND_SEQ field to store it in MessageToken_v2. This means we can "upgrade" the 32-bit integer from the security context establishment into a 64-bit integer to be used in secure communications.

      MIT krb5 does this.

      BTW, for interoperability, and some other compatibility reasons on signed/unsigned ints, both Java and MIT krb5 only generate an initial sequence number not greater than 2^30 now, so an error could only happen after about 2^30 messages have been sent.
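
The divergence described above, as an added illustration that is not code from the JDK or MIT krb5: it encodes the 8-byte big-endian SND_SEQ field from a 32-bit counter and from a 64-bit counter at a few message counts. The class and helper names, the sample counts, and the two 32-bit variants (sign-extended and masked) are assumptions chosen for the demonstration, not a description of either implementation.

```java
import java.nio.ByteBuffer;

public class SndSeqDemo {
    // SND_SEQ is an 8-byte field; ByteBuffer writes big-endian by default.
    static byte[] encodeSndSeq(long seq) {
        return ByteBuffer.allocate(8).putLong(seq).array();
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the largest initial sequence number the page
        // says is generated (2^30).
        long initial = 1L << 30;

        // Constructed message counts: start, last value that fits a signed
        // int, first value that does not, and the point where 32 bits wrap.
        long[] sent = { 0, (1L << 30) - 1, 1L << 30, 3L << 30 };

        for (long n : sent) {
            // Counter kept in a Java int: overflows to negative past 2^31 - 1.
            int seq32 = (int) (initial + n);
            // Plain int-to-long widening sign-extends into the upper 4 bytes.
            long signExtended = seq32;
            // Treating the int as unsigned keeps the upper 4 bytes zero,
            // but the value still wraps to 0 at 2^32.
            long masked = seq32 & 0xFFFFFFFFL;
            // Counter "upgraded" to 64 bits: keeps counting past 2^32.
            long seq64 = initial + n;

            System.out.printf(
                "sent=%-11d int(sign-ext)=%s int(masked)=%s long=%s%n",
                n,
                hex(encodeSndSeq(signExtended)),
                hex(encodeSndSeq(masked)),
                hex(encodeSndSeq(seq64)));
        }
    }
}
```

The three encodings agree up to 2^30 - 1 messages; after that the sign-extended form differs from the 64-bit peer, and after 3 * 2^30 messages both 32-bit forms have wrapped to zero while the 64-bit counter has not.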

            weijun Weijun Wang