From spm@ATHENA.MIT.EDU  Fri Jun 13 15:58:31 1986
To: saltzer, ostlund, kelley, jis, bcn
Cc: spm
Subject: Kerberos servers
Date: Fri, 13 Jun 86 15:57:02 -0500
From: Steve Miller <spm@ATHENA.MIT.EDU>

Some of us have been discussing alternate means of providing
a highly available Kerberos service, and I believe that this issue
needs to be pondered for a while.

The most direct approach is to put a Kerberos server in each cluster,
thus insulating each cluster from gateway and backbone problems.
The drawback with this solution is that it requires a lot of servers
(and $$), each of which ought to be more secure physically than we
currently can provide, and each of which needs to be updated and
managed.

In terms of the workload on Kerberos, I estimate that with 2000 workstations,
except for brief periods of bursty load (26-100 empties into the adjoining
terminal room), three or four uvax2 class servers will provide sufficient
service. Each should be able to handle 3-5 requests/second, with a typical
request asking for 3 tickets. Once routine logging for debugging is turned
off, the limiting factor is software encryption time.

We will have much more than 4 clusters.

I would propose, as a long-term alternative, that instead of spending
the equipment money on a Kerberos server per cluster, we install only
3 or 4 Kerberos servers, judiciously located, and that the extra equipment
budget go towards providing a more redundant network, e.g. two
gateways per cluster.  This would provide higher availability for all
services, not just Kerberos.

Of course, just providing the gateways is not adequate if the backbone is
not highly reliable, but I suspect sooner or later the backbone will for
many reasons have to become highly reliable.

In the interim, Pete and John are considering the one-per-cluster approach,
since it is in the realm of what they can do, and do quickly.