Rate limiting Kerberos Requests
Russ Allbery
rra at stanford.edu
Wed Sep 26 01:03:24 EDT 2012
Frank Cusack <frank at linetwo.net> writes:
> On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery <rra at stanford.edu> wrote:
>> We were quite concerned when we first looked at putting Kerberos KDCs
>> behind a hardware firewall because of that session limit. Our firewalls
>> have a 100,000 UDP session limit and a fairly quick timeout.
> Ideally you just disable the concept of a UDP "session" altogether. For
> kerberos traffic I can't imagine a benefit to maintaining sessions
> unless you need address translation.
Agreed, but apparently at least some firewalls don't make this
configurable. I was told that, with the ones we were using, they always
create sessions and there isn't any way to avoid it. All you can do is
time them out faster.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>