RX Kerberos 5 security class requirements of Kerberos library

Troy Benjegerdes hozer at hozed.org
Sun Jan 21 17:44:09 EST 2007

On Tue, Jan 02, 2007 at 10:32:58PM -0500, Sam Hartman wrote:
> >>>>> "Marcus" == Marcus Watts <mdw at umich.edu> writes:
>     Marcus> I hope that answer's Sam's concerns regarding not going
>     Marcus> through the KDC for this code path.
> Not entirely.  I definitely think that when there is a KDC available
> that you should use it.  I'm willing to accept that you might want a
> fallback for talking to local services when you have a key and no
> network.

The maximum possible latency for determining there is no KDC is on the
order of seconds.. And determining there is no KDC too soon seems like a
timing attack waiting to happen. This ends up causing all kinds of
frustration on the end-user when say, 5% of your kerberos (or afs)
packets are being dropped, and seems to me to be a significant barrier
to widespread adoption of things like AFS and kerberos.

Latency for talking to another process on the same machine is a factor
of over 1000 times better. While I have seen cases where remote latency
over something like InfiniBand is lower than talking to a process on a
local machine, both machines on the IB network are in the same room.. If
part of your design is that the KDC might be in a different building,
you will always have people implementing services that contact the local
machine first, *then* take the network trip.

More information about the krbdev mailing list