[39373] in Kerberos


Re: Looking for a "Kerberos Router"?

daemon@ATHENA.MIT.EDU (Yoann Gini)
Wed Mar 13 10:54:22 2024

From: Yoann Gini <yoann.gini@gmail.com>
Message-Id: <0E1030FD-5B21-446F-88D9-8E564DAA7598@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Wed, 13 Mar 2024 15:53:09 +0100
In-Reply-To: <F2C79001-B1E0-4D8F-91BC-FC8260003282@dblsaiko.net>
Cc: kerberos@mit.edu
To: Marco Rebhan <me@dblsaiko.net>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit


> On 13 March 2024 at 15:44, Marco Rebhan <me@dblsaiko.net> wrote:
> 
>> On 13. Mar 2024, at 12:48, Yoann Gini <yoann.gini@gmail.com> wrote:
>> 
>> Which allows us to have end-to-end TLS communication between our customers and their tenant. Which is mandatory for our mTLS. But without consuming one public IP per tenant to keep cost under control.
>> 
>> Here with Kerberos, I'm wondering how we can achieve something equivalent, using a shared IP for multiple Kerberos realms and having the incoming requests routed to the appropriate backend by some kind of inspection.
> 
> Set it up with a publicly routable IPv6 network, with one IP per tenant. You’re not going to run out of a /64 anytime soon, so the cost should stay constant.

That's an option not reachable so far.

I don't know about your country, but in France and the EU, from what I see so far, we are really, really late on IPv6.

OVH in France does not offer IPv6 on Kubernetes clusters, and most home routers do not have it enabled.

It would have been my first choice indeed. When we started this project a year ago we for sure decided to be dual stack, but we couldn't afford the limitation set by others on the lack of spread of IPv6.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

