Date: Fri, 20 Mar 2020 18:51:10 +0100
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-current@freebsd.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
Message-ID: <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de>
In-Reply-To: <d4d68f01-6c1e-7c2e-4238-7cc40669c893@pinyon.org>
References: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
 <20200319191605.GJ4213@funkthat.com>
 <YTBPR01MB337407CFCBE26DBAB1BC985ADDF40@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
 <d4d68f01-6c1e-7c2e-4238-7cc40669c893@pinyon.org>

On 20.03.20 02:44, Russell L. Carter wrote:
> Here I commit heresy, by A) top posting, and B) by just saying, why
> not make it easy, first, to tunnel NFSv4 sessions through
> e.g. net/wireguard or sysutils/spiped? NFS is point to point.
> Security infrastructure that actually works understands the shared
> secret model.

Why not use IPsec in transport mode instead of a tunnel? It avoids unnecessary overhead and is already implemented in the kernel. It should be enough to "just" require IPsec for TCP port 2049 and run a suitable key exchange daemon.
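
Added example, not part of the original message and not the author's configuration: a setkey(8) security policy sketch for the suggestion above, requiring ESP in transport mode for TCP port 2049 between one client and one server. The addresses are constructed from the 192.0.2.0/24 documentation range, and the security associations are assumed to be negotiated by whichever key exchange daemon is in use.

```conf
# ---- /etc/ipsec.conf on the NFS server (192.0.2.20, constructed address) ----
# Load with: setkey -f /etc/ipsec.conf    List policies with: setkey -DP
spdflush;

# Inbound: TCP from the client to local port 2049 must arrive under ESP.
spdadd 192.0.2.10/32 192.0.2.20/32[2049] tcp
    -P in ipsec esp/transport//require;

# Outbound: replies sent from local port 2049 must leave under ESP.
spdadd 192.0.2.20/32[2049] 192.0.2.10/32 tcp
    -P out ipsec esp/transport//require;

# ---- /etc/ipsec.conf on the NFS client (192.0.2.10, constructed address) ----
# Mirror image of the server policy: same selectors, directions swapped.
spdflush;

spdadd 192.0.2.10/32 192.0.2.20/32[2049] tcp
    -P out ipsec esp/transport//require;

spdadd 192.0.2.20/32[2049] 192.0.2.10/32 tcp
    -P in ipsec esp/transport//require;

# ---- Weak variant, shown for contrast only ----
# Level "use" applies ESP when a security association exists and otherwise
# lets the traffic through in cleartext, so NFS keeps working unprotected
# if the key exchange daemon is down or negotiation fails:
#
#   spdadd 192.0.2.10/32 192.0.2.20/32[2049] tcp
#       -P in ipsec esp/transport//use;
#
# Level "require" fails closed instead: packets matching the policy are
# dropped until a matching security association is installed.
```

With `require` on both hosts, an NFS mount attempt stalls rather than falling back to cleartext when no security association is present, which makes a broken key exchange visible instead of silent.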