From owner-freebsd-current@freebsd.org Fri Mar 20 17:51:20 2020 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9630F26E4BA for ; Fri, 20 Mar 2020 17:51:20 +0000 (UTC) (envelope-from crest@rlwinm.de) Received: from mail.rlwinm.de (mail.rlwinm.de [IPv6:2a01:4f8:171:f902::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 48kWY302myz4cMN for ; Fri, 20 Mar 2020 17:51:18 +0000 (UTC) (envelope-from crest@rlwinm.de) Received: from hexe.rlwinm.de (200116b864664c00feaa14fffe7af214.dip.versatel-1u1.de [IPv6:2001:16b8:6466:4c00:feaa:14ff:fe7a:f214]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)) (No client certificate requested) by mail.rlwinm.de (Postfix) with ESMTPSA id 9B71223826 for ; Fri, 20 Mar 2020 17:51:10 +0000 (UTC) Subject: Re: TLS certificates for NFS-over-TLS floating client To: freebsd-current@freebsd.org References: <20200319191605.GJ4213@funkthat.com> From: Jan Bramkamp Message-ID: <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de> Date: Fri, 20 Mar 2020 18:51:10 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 48kWY302myz4cMN X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of crest@rlwinm.de designates 2a01:4f8:171:f902::5 as permitted sender) smtp.mailfrom=crest@rlwinm.de X-Spamd-Result: default: False [-4.93 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[4.1.2.f.a.7.e.f.f.f.4.1.a.a.e.f.0.0.c.4.6.6.4.6.8.b.6.1.1.0.0.2.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net : 127.0.0.11]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx:c]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-0.96)[-0.964,0]; DMARC_NA(0.00)[rlwinm.de]; NEURAL_HAM_MEDIUM(-0.96)[-0.964,0]; IP_SCORE(-2.70)[ip: (-9.36), ipnet: 2a01:4f8::/29(-2.57), asn: 24940(-1.54), country: DE(-0.02)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Mar 2020 17:51:20 -0000 On 20.03.20 02:44, Russell L. Carter wrote: > Here I commit heresy, by A) top posting, and B) by just saying, why > not make it easy, first, to tunnel NFSv4 sessions through > e.g. net/wireguard or sysutils/spiped?  NFS is point to point. > Security infrastructure that actually works understands the shared > secret model. Why not use IPsec in transport mode instead of a tunnel? It avoids unnecessary overhead and is already implemented in the kernel. It should be enough to "just" require IPsec for TCP port 2049 and run a suitable key exchange daemon.