RX Kerberos 5 security class requirements of Kerberos library
Troy Benjegerdes
hozer at hozed.org
Sun Jan 21 17:44:09 EST 2007
On Tue, Jan 02, 2007 at 10:32:58PM -0500, Sam Hartman wrote:
> >>>>> "Marcus" == Marcus Watts <mdw at umich.edu> writes:
>
> Marcus> I hope that answer's Sam's concerns regarding not going
> Marcus> through the KDC for this code path.
>
>
> Not entirely. I definitely think that when there is a KDC available
> that you should use it. I'm willing to accept that you might want a
> fallback for talking to local services when you have a key and no
> network.
The maximum possible latency for determining there is no KDC is on the
order of seconds. And determining there is no KDC too soon seems like a
timing attack waiting to happen. This ends up causing all kinds of
frustration for the end user when, say, 5% of your Kerberos (or AFS)
packets are being dropped, and seems to me to be a significant barrier
to widespread adoption of things like AFS and Kerberos.
Latency for talking to another process on the same machine is better by a
factor of over 1000. While I have seen cases where remote latency
over something like InfiniBand is lower than talking to a process on a
local machine, both machines on the IB network are in the same room. If
part of your design is that the KDC might be in a different building,
you will always have people implementing services that contact the local
machine first, *then* take the network trip.
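As an added illustration (not code from this thread or from any Kerberos or AFS implementation): a small simulation of the policy the message argues for, local endpoint first, then the network KDC, with a bounded per-attempt timeout and retry budget. It shows two things the message states in prose: the worst-case time to conclude "no KDC" is retries times timeout summed over endpoints, i.e. seconds, and declaring "no KDC" after too few attempts under 5% packet loss produces spurious failures. The endpoint names, loss rates and latencies are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Constructed model of a key service the client can try."""
    name: str
    local: bool        # same machine (IPC) or reached over the network
    drop_rate: float   # fraction of requests silently lost (constructed)
    latency_s: float   # round trip when the request is not lost (constructed)


class Locator:
    """Local-first locator: try every local endpoint before any remote one,
    each with `retries` attempts of `timeout_s` before giving up on it."""

    def __init__(self, endpoints, timeout_s=1.0, retries=3, rng=None):
        self.endpoints = sorted(endpoints, key=lambda e: 0 if e.local else 1)
        self.timeout_s = timeout_s
        self.retries = retries
        self.rng = rng or random.Random(0)

    def max_decision_time(self):
        """Upper bound on time spent before concluding there is no KDC:
        every attempt on every endpoint waits the full timeout."""
        return len(self.endpoints) * self.retries * self.timeout_s

    def authenticate(self):
        """Return (endpoint name, simulated seconds spent) or (None, seconds)
        when every endpoint exhausted its retry budget."""
        elapsed = 0.0
        for ep in self.endpoints:
            for _ in range(self.retries):
                if self.rng.random() < ep.drop_rate:
                    elapsed += self.timeout_s   # request lost: waited out the timer
                    continue
                elapsed += ep.latency_s
                return ep.name, elapsed
        return None, elapsed


def false_no_kdc_rate(drop_rate, retries, trials=20000, seed=1):
    """Fraction of runs that wrongly decide 'no KDC' when one network KDC
    exists but drops `drop_rate` of packets. Analytically this is
    drop_rate ** retries; the simulation just makes it visible."""
    rng = random.Random(seed)
    kdc = Endpoint("kdc.example.test", local=False, drop_rate=drop_rate, latency_s=0.02)
    failures = 0
    for _ in range(trials):
        name, _ = Locator([kdc], timeout_s=1.0, retries=retries, rng=rng).authenticate()
        if name is None:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    # Constructed deployment: an always-up local key service plus a remote KDC.
    local = Endpoint("local-keyservice", local=True, drop_rate=0.0, latency_s=0.0001)
    remote = Endpoint("kdc.example.test", local=False, drop_rate=0.05, latency_s=0.02)
    loc = Locator([local, remote])
    print("local-first picks:", loc.authenticate())
    print("worst case before 'no KDC':", loc.max_decision_time(), "s")
    for r in (1, 2, 3):
        print(f"5% loss, {r} attempt(s): spurious 'no KDC' rate {false_no_kdc_rate(0.05, r):.5f}")
```

With one attempt the spurious failure rate tracks the 5% loss rate directly; three attempts bring it to roughly 0.05^3, at the cost of up to three timeouts (seconds) before the fallback is reached, which is the latency the message objects to paying before trying the local machine.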