TLS certificates for NFS-over-TLS floating client

John-Mark Gurney jmg at
Fri Mar 20 19:45:16 UTC 2020

Jan Bramkamp wrote this message on Fri, Mar 20, 2020 at 18:51 +0100:
> On 20.03.20 02:44, Russell L. Carter wrote:
> > Here I commit heresy, by A) top posting, and B) by just saying, why
> > not make it easy, first, to tunnel NFSv4 sessions through
> > e.g. net/wireguard or sysutils/spiped?  NFS is point to point.
> > Security infrastructure that actually works understands the shared
> > secret model.

VPN tunneling doesn't provide the security that most people think it
does...  It requires complicated configuration, and often doesn't
provide e2e protections.

> Why not use IPsec in transport mode instead of a tunnel? It avoids 
> unnecessary overhead and is already implemented in the kernel. It should 
> be enough to "just" require IPsec for TCP port 2049 and run a suitable 
> key exchange daemon.

Because IPsec is a PITA to configure and work, and lots of consumer OSes
don't make it at all easy.

Also, you forget that FreeBSD has ktls, which uses the same crypto
offload engine that IPsec does, so it will effectively have similar
overhead, and might actually perform better due to TLS having a 16k
record encryption size vs IPsec limiting itself to packet size, usually
1500, though possibly 9k if you're using jumbo frames...

I fully support doing NFS over TLS.

  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
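To make the record-size argument in the message above concrete, here is an added back-of-the-envelope model; it is my own example, not code from the thread or from FreeBSD. The framing constants (TLS 1.3 AES-GCM record overhead, ESP transport-mode overhead, IP/TCP header sizes) are assumptions for a typical configuration, not measurements, and TCP/IP headers are deliberately left out of the overhead because both designs pay them.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Framing:
    """One cryptographic unit (a TLS record or one ESP packet)."""
    name: str
    max_payload: int   # NFS bytes protected per AEAD call
    overhead: int      # crypto framing bytes added per AEAD call


def crypto_units(total_bytes: int, f: Framing) -> int:
    """Number of AEAD operations needed to protect total_bytes."""
    return math.ceil(total_bytes / f.max_payload)


def framing_overhead(total_bytes: int, f: Framing) -> int:
    """Extra bytes on the wire attributable to crypto framing."""
    return crypto_units(total_bytes, f) * f.overhead


def compare(total_bytes: int, framings) -> dict:
    """Per-scheme (units, overhead bytes, overhead ratio) for one transfer."""
    out = {}
    for f in framings:
        units = crypto_units(total_bytes, f)
        extra = framing_overhead(total_bytes, f)
        out[f.name] = (units, extra, extra / total_bytes)
    return out


# Assumed constants (illustrative, not measured):
# TLS 1.3 record: 5-byte header + 1-byte inner type + 16-byte GCM tag.
TLS_16K = Framing("TLS 1.3 record, 16 KiB", 16384, 22)
# ESP transport with AES-GCM: 8 SPI/seq + 8 IV + 2 trailer + 2 pad + 16 ICV = 36,
# payload = MTU - 20 (IPv4) - 20 (TCP) - 36, rounded to 4-byte alignment.
ESP_1500 = Framing("ESP transport, 1500 MTU", 1424, 36)
ESP_9000 = Framing("ESP transport, 9000 MTU", 8924, 36)

ONE_MIB = 1024 * 1024

if __name__ == "__main__":
    for name, (units, extra, ratio) in compare(ONE_MIB, [TLS_16K, ESP_1500, ESP_9000]).items():
        print(f"{name:28s} AEAD calls={units:4d} overhead={extra:6d} B ({ratio:.2%})")
```

The call count is what the "16k record vs packet size" remark is about: fewer, larger AEAD invocations per megabyte for TLS, whereas ESP is bound to the MTU and jumbo frames only narrow the gap.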
