TLS certificates for NFS-over-TLS floating client

Jan Bramkamp crest at rlwinm.de
Fri Mar 20 17:51:20 UTC 2020


On 20.03.20 02:44, Russell L. Carter wrote:
> Here I commit heresy, by A) top posting, and B) by just saying, why
> not make it easy, first, to tunnel NFSv4 sessions through
> e.g. net/wireguard or sysutils/spiped?  NFS is point to point.
> Security infrastructure that actually works understands the shared
> secret model.

Why not use IPsec in transport mode instead of a tunnel? It avoids 
unnecessary overhead and is already implemented in the kernel. It should 
be enough to "just" require IPsec for TCP port 2049 and run a suitable 
key exchange daemon.
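
What such a policy could look like in FreeBSD's setkey(8) syntax, as an added example that is not part of the original message. The addresses are documentation placeholders chosen for illustration, the server policy is written for a client whose address is not known in advance, and the security associations themselves are left to whichever key exchange daemon is used.

```conf
# --- NFS server: /etc/ipsec.conf, loaded with `setkey -f /etc/ipsec.conf` ---
# Assumption: the server is 192.0.2.20 (placeholder address) and clients
# may connect from any IPv4 address.

# Start from an empty security policy database.
spdflush;

# Inbound: TCP segments addressed to port 2049 must arrive protected by
# ESP in transport mode. "require" fails closed: without a matching SA
# the packet is dropped instead of being accepted in the clear.
spdadd 0.0.0.0/0[any] 192.0.2.20/32[2049] tcp -P in ipsec esp/transport//require;

# Outbound: replies from port 2049 are sent only under ESP transport mode.
spdadd 192.0.2.20/32[2049] 0.0.0.0/0[any] tcp -P out ipsec esp/transport//require;


# --- NFS client: /etc/ipsec.conf (mirror image of the server policy) ---
# The client's own address is left as a wildcard so the same file keeps
# working when the client moves between networks.

# spdflush;
# spdadd 0.0.0.0/0[any] 192.0.2.20/32[2049] tcp -P out ipsec esp/transport//require;
# spdadd 192.0.2.20/32[2049] 0.0.0.0/0[any] tcp -P in ipsec esp/transport//require;

# No SAs are defined here on purpose: the kernel asks the key exchange
# daemon for one the first time a packet matches a policy above.
```

`setkey -DP` lists the installed policies. With `require`, NFS traffic stalls rather than falling back to cleartext while no security association exists.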



More information about the freebsd-current mailing list