New extensible GSSAPI implementation
Robert Watson
rwatson at FreeBSD.org
Sat Nov 12 03:25:53 PST 2005
On Sat, 12 Nov 2005, Doug Rabson wrote:
> I have looked at the Solaris kernel GSS-API code. As far as I can see on
> a first reading, they defer the context establishment out to userland
> and once the context is up, they do the actual crypto for signing etc.
> in the kernel, via a plugin model.
>
> Doing all the crypto in userland isn't really a good idea because even
> when you aren't using message privacy and integrity, parts of the RPC
> header are still signed for basic replay detection. Flipping all that
> out to userland would be devastating for performance. Rick Macklem's
> NFSv4 server code does its crypto in the kernel in a similar way to
> Solaris but it is hard-wired to kerberosv5.
I agree entirely with the above sentiments. Are you sure you can't make
it to EuroBSDCon to talk about NFSv4 there? :-)
Robert N M Watson
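The split Doug describes above (context establishment in userland, per-message crypto in the kernel, with part of the RPC header signed so replays can be detected even when the caller asked for neither integrity nor privacy on the payload) is small enough to sketch. The following is an added illustration, not code from this thread, from FreeBSD, or from Solaris: the "userland" half is reduced to handing over a session key, the "kernel" half keeps the per-message MIC and a sliding sequence window in the style of RPCSEC_GSS (RFC 2203). HMAC-SHA256 stands in for the mechanism's get_mic, and the three-word header layout is constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# --- "userland" half: context establishment ---
# Stand-in for the GSS-API token exchange a real mechanism performs; all the
# kernel needs from it afterwards is the negotiated session key.
def establish_context_userland() -> bytes:
    # Constructed: a fresh random key plays the role of the mechanism's session key.
    return os.urandom(32)


# Constructed RPC header layout: xid, GSS sequence number, procedure number.
HEADER_FMT = ">III"


def pack_header(xid: int, seq: int, proc: int) -> bytes:
    return struct.pack(HEADER_FMT, xid, seq, proc)


# --- "kernel" half: per-message integrity and replay detection ---
class KernelGssContext:
    """Operations that run once the context is up: a MIC over the RPC header
    and a sliding sequence window so each sequence number is accepted once.
    HMAC-SHA256 is a stand-in for the mechanism's get_mic/verify_mic."""

    def __init__(self, session_key: bytes, window: int = 128):
        self.key = session_key
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def get_mic(self, header: bytes) -> bytes:
        return hmac.new(self.key, header, hashlib.sha256).digest()

    def verify_mic(self, header: bytes, mic: bytes) -> bool:
        return hmac.compare_digest(self.get_mic(header), mic)

    def check_sequence(self, seq: int) -> bool:
        """Accept a sequence number at most once; drop anything older than the window."""
        if seq > self.highest:
            self.highest = seq
            # Slide the window forward and forget entries that fell out of it.
            self.seen = {s for s in self.seen if s > self.highest - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.window or seq in self.seen:
            return False
        self.seen.add(seq)
        return True


def client_send(ctx: KernelGssContext, xid: int, seq: int, proc: int):
    header = pack_header(xid, seq, proc)
    return header, ctx.get_mic(header)


def server_receive(ctx: KernelGssContext, header: bytes, mic: bytes) -> str:
    # Integrity is checked first: without a valid MIC an attacker cannot simply
    # rewrite the sequence number of a captured call to slip past the window.
    if not ctx.verify_mic(header, mic):
        return "bad_mic"
    _, seq, _ = struct.unpack(HEADER_FMT, header)
    if not ctx.check_sequence(seq):
        return "replay"
    return "ok"


def demo() -> list:
    """Three fresh calls, one replayed call, one call with a forged sequence number."""
    key = establish_context_userland()
    client, server = KernelGssContext(key), KernelGssContext(key)
    msgs = [client_send(client, xid, seq, 1) for xid, seq in ((100, 1), (101, 2), (102, 3))]
    results = [server_receive(server, h, m) for h, m in msgs]
    results.append(server_receive(server, *msgs[1]))            # replay of seq 2
    h, m = msgs[2]
    forged = h[:4] + b"\x00\x00\x00\x09" + h[8:]                 # seq 3 -> 9, MIC now stale
    results.append(server_receive(server, forged, m))
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in Doug's posting: the MIC and the window check sit on every call and reply, so whichever layer owns them has to be fast, while the token exchange that produced the key runs once per context and can live in userland.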
More information about the freebsd-arch mailing list