Extended timeout for new TCP connections
Nathaniel McCallum
npmccallum at redhat.com
Tue Apr 9 16:44:28 EDT 2013
The current code in libkrb5 has a 1 second timeout for each server when
sending packets. This timeout is intentionally aggressive due to the
lack of assurances surrounding UDP. However, in some cases, if a KDC
takes a few seconds to respond, multiple packets may be sent to multiple
KDCs. The end result is unneeded work and potentially even account
lockouts.
For UDP this is probably acceptable, but in the case of TCP, if a
connection is established a 1 second timeout probably does not make
sense. In this case we are assured that the KDC will receive the packet.
We can thus wait longer. Doing this decreases workload on the server and
on the client (which may be on battery power). It also solves problems
where the KDC is slow to respond due external delays (now that preauth
is asynchronous; an example of this is OTP).
There are three patches here that implement this behavior:
https://github.com/npmccallum/krb5/commits/tcp. When a client obtains a
successful (short lived) TCP connection, the timeout is expanded to 10s.
In the most common case of successful authentication, no additional
delay is expected. The only scenario where the delay would be
experienced is a KDC which accepts TCP connections but does not process
the data. I believe this case to be extremely unlikely.
Please review the patches at the link above. This region of code that
this patches is somewhat fragile. So many eyes would be helpful.
Thanks!
Nathaniel
More information about the krbdev
mailing list