[EXTERNAL] Rate limiting Kerberos Requests
Glenn Machin
gmachin at sandia.gov
Tue Sep 25 16:56:02 EDT 2012
A performance issue we have seen has to do with when a KDC is under heavy load
and cannot provide a response within 1 sec.
The Kerberos client libraries apparently expect a response within a sec,
and if they don't get it they move on to the next KDC in the list for
the realm, and so on, for both UDP and TCP packets. Packet sniffing has
shown a KDC to send a response in 1.03 seconds however the client has
already shut down listening for that UDP response and is waiting for a
response from the next KDC on the list. So loads just get worse on all
KDCs. Curious why there is not some configuration parameter, at least
for TCP connections, that allows a longer wait time for a response.
This is really a problem when the Kerberos password is a one-time-use
password. The first KDC provides a TGT back on the "first" request, but
in 1.03 seconds; the client ignores the response. Now when the
second KDC gets the request, it rejects it because the "password" is no
longer valid.
Glenn
On 9/25/12 2:34 PM, Jack Neely wrote:
> Greetings,
>
> Has anyone done any rate limiting or throttling of Kerberos requests?
> I've had several situations where I had a load of 600 requests / minute
> against my 3 Kerberos slaves that caused degradation of performance for
> everyone else. Always from misbehaving tools or applications.
>
> What suggestions do folks have for doing this? I've thought about using
> the limit module in iptables:
>
> iptables -A INPUT -p tcp --dport 88 -m limit --limit 4/min --limit-burst 6 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j DROP
>
> Jack
>
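As an added example (not code from either message in this thread), the Python below models the throttling Jack asks about as a per-source token bucket, which is what the iptables hashlimit module does with --hashlimit-mode srcip: each client IP gets its own 4-requests-per-minute bucket with a burst of 6, so a looping tool is throttled while other clients' requests still reach the KDC. The request records, addresses and the simplified log line format are constructed for the example; nothing here is a real krb5kdc.log.

```python
"""Per-source token-bucket throttle for KDC requests (added example, not from the thread).

Models what iptables' hashlimit module does with --hashlimit-mode srcip: each
client IP gets its own bucket, so one looping tool is throttled while everyone
else's AS_REQ/TGS_REQ traffic still reaches the KDC.  All addresses and log
records below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed request records in a simplified, krb5kdc.log-like shape:
# "t=<seconds since start> src=<client ip> <request type>".
# 10.0.0.5 plays the misbehaving tool hammering port 88 twice a second;
# 10.0.0.7 and 10.0.0.8 are ordinary clients.
SAMPLE_LOG = (
    [f"t={i * 0.5:.1f} src=10.0.0.5 AS_REQ" for i in range(20)]
    + ["t=0.0 src=10.0.0.7 AS_REQ", "t=30.0 src=10.0.0.7 TGS_REQ", "t=60.0 src=10.0.0.7 TGS_REQ"]
    + ["t=5.0 src=10.0.0.8 AS_REQ", "t=50.0 src=10.0.0.8 TGS_REQ"]
)

LINE_RE = re.compile(r"t=(?P<t>[0-9.]+) src=(?P<src>[0-9.]+) (?P<req>\w+)")


def parse_line(line):
    """Return (timestamp, source_ip, request_type), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return float(m.group("t")), m.group("src"), m.group("req")


class TokenBucket:
    """Classic token bucket: `burst` tokens of capacity, refilled at rate_per_min/60 per second."""

    def __init__(self, rate_per_min, burst):
        self.rate = rate_per_min / 60.0
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        """Spend one token for a request at time `now`; False means the request is dropped."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle(lines, rate_per_min=4, burst=6):
    """Apply a per-source bucket to each parseable request in time order.

    Returns (accepted, dropped): two dicts of per-source request counts.
    """
    records = sorted(r for r in (parse_line(ln) for ln in lines) if r is not None)
    buckets = defaultdict(lambda: TokenBucket(rate_per_min, burst))
    accepted, dropped = defaultdict(int), defaultdict(int)
    for ts, src, _req in records:
        if buckets[src].allow(ts):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


if __name__ == "__main__":
    ok, bad = throttle(SAMPLE_LOG)
    for src in sorted(set(ok) | set(bad)):
        print(f"{src}: accepted={ok.get(src, 0)} dropped={bad.get(src, 0)}")
```

With the sample above, 10.0.0.5 gets its first 6 requests through (the burst) and the remaining 14 dropped, while 10.0.0.7 and 10.0.0.8 are never throttled. The equivalent iptables rule keys the bucket on the source address instead of keeping one counter for the whole port: `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 4/min --hashlimit-burst 6 --hashlimit-name krb5`, followed by the same DROP rule for port 88.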