[5655] in Kerberos
Re: Understanding Kerberized POP
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Thu Aug 10 14:43:12 1995
To: kerberos@MIT.EDU
Date: 10 Aug 1995 18:26:45 GMT
From: marc@cam.ov.com (Marc Horowitz)
>> Lets say that I have Eudora + Kerborized pop server + Kerberos server, and
>> I've set Eudora to pop the mail server every 15 minutes. Does
>> authentication take place every time Eudora makes a connection to the pop
>> server?
The first time you authenticate to a pop server after typing your
password, the client goes to the KDC (kerberos server) and gets a
service key for the service (the pop server).
Then, each time the client connects to the pop server, it
authenticates.
>> If I had 10,000 pop users spread out on 5 pop servers, would 1
>> Kerberos server be sufficient to handle the load if that many people
>> were poping all day?
You're going to end up handing out 10k initial tickes and 10k pop
tickets in about an hour each morning as people show up and log in.
If we pretend that this is spread out evenly over the hour, that's
about 167 requests a minute, or almost 3 a second. This is relatively
heavy load. If everyone logs in in 15 minutes, then you have a
problem. If people are logging in all day long, then this is a
non-issue. The only real way to tell is to set up a test environment,
where you have a bunch of machines banging on your intended kerberos
server platform with requests, and see how well the server handles it.
Unfortunately, I'm unaware of good kerberos benchmarks for v4.
One answer is to have replicated kerberos servers, and to
pseudo-randomize the order of the kerberos servers in the krb.conf or
equivalent on each client. This will give you very effective
load-balancing. This is also relatively important, because if many
requests come in quickly, your major bottleneck will be the number of
UDP packets your kernel will queue before dropping some on the floor.
More hosts means more kernels means more queues :-)
Now, for the pop servers, you have about 8000 requests coming in every
hour. This is also a substantial load. However, I suspect that if
you have the i/o capacity to handle this many unauthenticated
connections now, the added cpu utilization caused by the kerberos
servers should not be a real problem.
If your logins are spread over an hour, making the number of kerberos
requests in that hour the same as the number of pop requests,
approximately, whatever you have doing pop should be overkill for the
kerberos server.
>> Would it be better to run Kerberos servers on each of the pop servers?
Unless you are *only* using kerberos for pop authentication, I would
not recommend running kerberos on the pop servers. Otherwise, the
kerberos server is only as secure as the pop server. In general, if
you can manage the hardware resources, your kerberos server should be
a dedicated host, in a locked room, etc.
Marc
