TLS certificates for NFS-over-TLS floating client

Rick Macklem rmacklem at uoguelph.ca
Sat Mar 21 01:34:05 UTC 2020


Jan Bramkamp wrote:
>On 20.03.20 02:44, Russell L. Carter wrote:
>> Here I commit heresy, by A) top posting, and B) by just saying, why
>> not make it easy, first, to tunnel NFSv4 sessions through
>> e.g. net/wireguard or sysutils/spiped?  NFS is point to point.
>> Security infrastructure that actually works understands the shared
>> secret model.
>
>Why not use IPsec in transport mode instead of a tunnel? It avoids
>unnecessary overhead and is already implemented in the kernel. It should
>be enough to "just" require IPsec for TCP port 2049 and run a suitable
>key exchange daemon.
I think the problem with these suggestions is interoperability.
The draft (that should soon become an RFC) describes use of RPC-over-TLS
and since the authors are both Linux NFS developers, I expect Linux to
implement this someday.
Once the Linux client can do it, the NFS server vendors will implement it.

NFS isn't great, but it is supported by a variety of vendors/systems and I
see that as one of its main features.

rick

_______________________________________________
freebsd-current at freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current