Rate limiting Kerberos Requests
Frank Cusack
frank at linetwo.net
Wed Sep 26 00:59:18 EDT 2012
On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery <rra at stanford.edu> wrote:
> We were quite concerned when we first looked at putting Kerberos KDCs
> behind a hardware firewall because of that session limit. Our firewalls
> have a 100,000 UDP session limit and a fairly quick timeout.
Ideally you just disable the concept of a UDP "session" altogether. For
Kerberos traffic I can't imagine a benefit to maintaining sessions unless
you need address translation.