New extensible GSSAPI implementation

Doug Rabson dfr at nlsystems.com
Sat Nov 12 03:43:45 PST 2005


On Saturday 12 November 2005 11:25, Robert Watson wrote:
> On Sat, 12 Nov 2005, Doug Rabson wrote:
> > I have looked at the Solaris kernel GSS-API code. As far as I can
> > see on a first reading, they defer the context establishment out to
> > userland and once the context is up, they do the actual crypto for
> > signing etc. in the kernel, via a plugin model.
> >
> > Doing all the crypto in userland isn't really a good idea because
> > even when you aren't using message privacy and integrity, parts of
> > the RPC header are still signed for basic replay detection.
> > Flipping all that out to userland would be devastating for
> > performance. Rick Macklem's NFSv4 server code does its crypto in
> > the kernel in a similar way to Solaris but it is hard-wired to
> > Kerberos v5.
>
> I agree entirely with the above sentiments.  Are you sure you can't
> make it to EuroBSDCon to talk about NFSv4 there? :-)

Sorry, I really just can't make it this year :-(

