RFR 8014870: Faster KDC availability check in Kerberos
Wang Weijun
weijun.wang at oracle.com
Tue Jul 8 14:22:08 UTC 2014
If the first UDP response can be back in a second then there is no extra workload. This should be the most common case since Kerberos is usually used in an enterprise environment with a high network speed. In most cases, the resending of a request is due to failed KDCs or even false settings which would wait forever.
You are right that it's not necessary to retry TCP. I will apply the max_retries parameter to UDP only.
Thanks
Max
On Jul 8, 2014, at 20:40, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> Missed the security-dev list.
>
> On 7/7/2014 10:39 AM, Xuelei Fan wrote:
>> I have not read the fix. I was just wondering that this fix saves the
>> wait time, but increases the network traffic, and increases the
>> workload of KDC servers. I think KDC timeouts should be corner cases
>> for TCP, and it is tolerable for UDP connections. I'm not confident
>> that this is a cost-effective update if we consider the overall
>> system of Kerberos.
>>
>> Xuelei
>>
>> On 6/24/2014 4:17 PM, Wang Weijun wrote:
>>> Hi All
>>>
>>> Please review the code change at
>>>
>>> http://cr.openjdk.java.net/~weijun/8014870/webrev.00/
>>>