Rate limiting Kerberos Requests

Frank Cusack frank at linetwo.net
Wed Sep 26 00:59:18 EDT 2012


On Tue, Sep 25, 2012 at 2:08 PM, Russ Allbery <rra at stanford.edu> wrote:

> We were quite concerned when we first looked at putting Kerberos KDCs
> behind a hardware firewall because of that session limit.  Our firewalls
> have a 100,000 UDP session limit and a fairly quick timeout.


Ideally you just disable the concept of a UDP "session" altogether.  For
kerberos traffic I can't imagine a benefit to maintaining sessions unless
you need address translation.


More information about the Kerberos mailing list