Date: Sat, 12 Nov 2005 11:43:26 +0000
From: Doug Rabson <dfr@nlsystems.com>
To: Robert Watson <rwatson@freebsd.org>
Cc: arch@freebsd.org
Subject: Re: New extensible GSSAPI implementation
Message-ID: <200511121143.26697.dfr@nlsystems.com>
In-Reply-To: <20051112112234.H33260@fledge.watson.org>
References: <200511121042.42425.dfr@nlsystems.com> <200511121115.38732.dfr@nlsystems.com> <20051112112234.H33260@fledge.watson.org>

On Saturday 12 November 2005 11:25, Robert Watson wrote:
> On Sat, 12 Nov 2005, Doug Rabson wrote:
> > I have looked at the Solaris kernel GSS-API code. As far as I can
> > see on a first reading, they defer the context establishment out to
> > userland and once the context is up, they do the actual crypto for
> > signing etc. in the kernel, via a plugin model.
> >
> > Doing all the crypto in userland isn't really a good idea because
> > even when you aren't using message privacy and integrity, parts of
> > the RPC header are still signed for basic replay detection.
> > Flipping all that out to userland would be devastating for
> > performance. Rick Macklem's NFSv4 server code does its crypto in
> > the kernel in a similar way to Solaris but it is hard-wired to
> > kerberosv5.
>
> I agree entirely with the above sentiments. Are you sure you can't
> make it to EuroBSDCon to talk about NFSv4 there? :-)

Sorry, I really just can't make it this year :-(