Re: Distributed ppolicy state

On Fri, Oct 23, 2009 at 02:15:40PM -0700, Howard Chu wrote:
> I'm not sure you're trying to solve the right problem yet. I'm pretty 
> unconvinced that account lockout is a good solution to anything, in 
> general. That's why I added login rate control to the latest ppolicy draft, 
> where the DSA simply starts inserting delays before responding to failed 
> authc attempts. As I see it, rate control can be managed completely within 
> a single DSA and no state ever needs to be replicated outward on any 
> particular schedule. But at the moment I haven't yet thought about how well 
> this will work in all the possible deployment scenarios.
> So once again, what's important here is to analyze what are the types of 
> attacks we expect to see, and how particular defense strategies will 
> behave, and how effectively they will fend off those attacks. Until you've 
> outlined the problems, you don't have any framework for designing the 
> solution.

Just a quick comment: The way we understand NT4 is that the
failed attempts are counted locally and only the lockout is
replicated. This reduces the load a lot.
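
Added example, not part of the original message: a small Python simulation of the scheme described above, where each server counts failed attempts locally and only the lockout itself is replicated. The threshold, the replica count, the names and the attempt sequence are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 3  # assumed lockout threshold; the thread does not give one


@dataclass
class Replica:
    name: str
    peers: list = field(default_factory=list)
    failures: dict = field(default_factory=dict)  # local counter, never replicated
    locked: set = field(default_factory=set)      # the only replicated state
    sent: int = 0                                 # replication messages sent

    def bind(self, user, password_ok):
        """Handle one authentication attempt; return 'locked', 'ok' or 'fail'."""
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures.pop(user, None)         # success resets the local count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= THRESHOLD:
            self.locked.add(user)
            for peer in self.peers:               # only the lockout leaves this server
                peer.locked.add(user)
                self.sent += 1
        return "fail"


def simulate(attempts, n_replicas=3):
    """attempts is a list of (replica_index, user, password_ok) tuples."""
    replicas = [Replica(f"dsa{i}") for i in range(n_replicas)]
    for r in replicas:
        r.peers = [p for p in replicas if p is not r]
    results = [replicas[i].bind(user, ok) for i, user, ok in attempts]
    return results, sum(r.sent for r in replicas), replicas


# Constructed input: nine failed binds for one user, spread over three servers.
SAMPLE = [(i % 3, "alice", False) for i in range(9)]

if __name__ == "__main__":
    results, messages, _ = simulate(SAMPLE)
    per_failure = results.count("fail") * 2       # cost if every failure were replicated
    print(results)
    print(f"lockout-only replication: {messages} messages, per-failure: {per_failure}")
```

The trade-off shows up in the result: replication traffic drops to one message per peer, but because the counters are not shared, the cluster as a whole records more failures than the per-server threshold before the lockout takes effect.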


