Rate limiting Kerberos Requests

Russ Allbery rra at stanford.edu
Wed Sep 26 01:03:24 EDT 2012


Frank Cusack <frank at linetwo.net> writes:
> On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery <rra at stanford.edu> wrote:

>> We were quite concerned when we first looked at putting Kerberos KDCs
>> behind a hardware firewall because of that session limit.  Our firewalls
>> have a 100,000 UDP session limit and a fairly quick timeout.

> Ideally you just disable the concept of a UDP "session" altogether.  For
> kerberos traffic I can't imagine a benefit to maintaining sessions
> unless you need address translation.

Agreed, but apparently at least some firewalls don't make this
configurable.  I was told that, with the ones we were using, they always
create sessions and there isn't any way to avoid it.  All you can do is
time them out faster.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list