load balancing Kerberos

Russ Allbery rra at stanford.edu
Thu Dec 6 14:01:51 EST 2012


"Jim Green" <jfgreen at msu.edu> writes:

> There is a proposal here at Michigan State to put our MIT Kerberos
> system behind our F5 BigIP load balancer.  The idea is to have automatic
> failover to one of our Kerberos slaves for authentication requests, and
> also to have additional flexibility to make changes to the server
> infrastructure behind the F5 invisibly (or less visibly) to users.

Our experience is that the automatic failover in the Kerberos clients just
works, so this has never seemed like a good use of resources.

Be aware that Kerberos, being a high-volume UDP service, tends to create a
rather insane number of UDP sessions, which can cause problems for
stateful networking hardware like load balancers if they're not tuned
appropriately.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

