[6430] in Kerberos
Re: Performance of CNS vs. AFS kaserver?
daemon@ATHENA.MIT.EDU (Mark W. Eichin)
Thu Jan 4 16:11:22 1996
Date: Thu, 4 Jan 1996 15:58:08 -0500
From: "Mark W. Eichin" <eichin@cygnus.com>
To: harris@email.unc.edu (Trey Harris)
Cc: kerberos@MIT.EDU
In-Reply-To: "[6427] in Kerberos"
> I read the documentation for CNS and see that you can create "slave"
> servers which maintain readonly data from the master. But from my reading
> of the documentation, these slave servers are fallbacks for failure or
> timeout rather than a mechanism for loadleveling.
While there is no *automatic* load leveling, you can certainly have
different sets of clients talk to the slave servers first; it's just a
matter of having the slaves earlier in the krb.conf file (it is
searched in order, top to bottom.)
As for performance: my only experience with an MIT-style server and
AFS is at MIT itself, which sounds like it's about a factor of three
smaller than yours (10k users, 1k machines maybe? There's probably
more accurate data on the web server there, or even on this list) but
is using a low end Decstation (mips, not alpha) for the kdc, and I've
never heard any indication that this was a performance issue. After
all, you only talk to the kdc once at login, and then once at "aklog"
time, when you get tokens; once you have tokens, the client talks to
the fileserver/ptserver/whatever and doesn't need to talk to the kdc
again... given that, are you *sure* that you:
>> expect up to a thousand authentication attempts per minute at peak times.
That would mean 1K of your users sitting down and logging in within a
minute. Often possible at 9-to-5 business setups, and *still* not a
big deal, as v4 packets are small so the encryption overhead isn't
much, and dbm is pretty fast. I haven't actually done benchmarking on
different platforms here, mostly because noone has ever noticed there
to be a problem...
_Mark_ <eichin@cygnus.com>
Cygnus Support
Cygnus Network Security <network-security@cygnus.com>
http://www.cygnus.com/data/cns/
