From owner-freebsd-arch@FreeBSD.ORG Sat Nov 12 11:43:45 2005 Return-Path: X-Original-To: arch@freebsd.org Delivered-To: freebsd-arch@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DA1616A41F; Sat, 12 Nov 2005 11:43:45 +0000 (GMT) (envelope-from dfr@nlsystems.com) Received: from itchy.rabson.org (mailgate.nlsystems.com [80.177.232.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC84143D5A; Sat, 12 Nov 2005 11:43:39 +0000 (GMT) (envelope-from dfr@nlsystems.com) Received: from herring.rabson.org (herring [10.0.0.2]) by itchy.rabson.org (8.13.3/8.13.3) with ESMTP id jACBhSDL046742; Sat, 12 Nov 2005 11:43:28 GMT (envelope-from dfr@nlsystems.com) From: Doug Rabson To: Robert Watson Date: Sat, 12 Nov 2005 11:43:26 +0000 User-Agent: KMail/1.8.2 References: <200511121042.42425.dfr@nlsystems.com> <200511121115.38732.dfr@nlsystems.com> <20051112112234.H33260@fledge.watson.org> In-Reply-To: <20051112112234.H33260@fledge.watson.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200511121143.26697.dfr@nlsystems.com> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (itchy.rabson.org [80.177.232.242]); Sat, 12 Nov 2005 11:43:28 +0000 (GMT) X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.0.2 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on itchy.rabson.org X-Virus-Scanned: ClamAV 0.83/1169/Fri Nov 11 21:28:05 2005 on itchy.rabson.org X-Virus-Status: Clean Cc: arch@freebsd.org Subject: Re: New extensible GSSAPI implementation X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Nov 2005 11:43:45 -0000 On Saturday 12 November 2005 11:25, Robert Watson wrote: > On Sat, 12 Nov 2005, Doug Rabson wrote: > > I have looked at the Solaris kernel GSS-API code. As far as I can > > see on a first reading, they defer the context establishment out to > > userland and once the context is up, they do the actual crypto for > > signing etc. in the kernel, via a plugin model. > > > > Doing all the crypto in userland isn't really a good idea because > > even when you aren't using message privacy and integrity, parts of > > the RPC header are still signed for basic replay detection. > > Flipping all that out to userland would be devastating for > > performance. Rick Macklem's NFSv4 server code does its crypto in > > the kernel in a similar way to Solaris but it is hard-wired to > > kerberosv5. > > I agree entirely with the above sentiments. Are you sure you can't > make it to EuroBSDCon to talk about NFSv4 there? :-) Sorry, I really just can't make it this year :-(