If the first UDP response can be back in a second then there is no extra workload. This should be the most common case since Kerberos is usually used in an enterprise environment with a high network speed. In most cases, the resending of a request is due to failed KDCs or even false settings which would wait forever.
You are right that it's not necessary to retry TCP. I will apply the max_retries parameter to UDP only.

Thanks
Max

On Jul 8, 2014, at 20:40, Xuelei Fan <xuelei....@oracle.com> wrote:

> Missed the security-dev list.
>
> On 7/7/2014 10:39 AM, Xuelei Fan wrote:
>> I have not read the fix. I was just wondering that this fix saves the
>> wait time, but increases the networking traffic, and increases the
>> workload of KDC servers. I think the KDC timeout should be corner cases
>> for TCP, and it is tolerable for UDP connections. I'm not confident
>> that this is a cost-effective update if we consider the overall
>> system of Kerberos.
>>
>> Xuelei
>>
>> On 6/24/2014 4:17 PM, Wang Weijun wrote:
>>> Hi All
>>>
>>> Please review the code change at
>>>
>>> http://cr.openjdk.java.net/~weijun/8014870/webrev.00/
>>>