From: John-Mark Gurney
To: Jan Bramkamp
Cc: freebsd-current@freebsd.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
Date: Fri, 20 Mar 2020 12:45:07 -0700
Message-ID: <20200320194507.GM4213@funkthat.com>
In-Reply-To: <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de>
References: <20200319191605.GJ4213@funkthat.com> <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de>
Jan Bramkamp wrote this message on Fri, Mar 20, 2020 at 18:51 +0100:
> On 20.03.20 02:44, Russell L. Carter wrote:
> > Here I commit heresy, by A) top posting, and B) by just saying, why
> > not make it easy, first, to tunnel NFSv4 sessions through
> > e.g. net/wireguard or sysutils/spiped?  NFS is point to point.
> > Security infrastructure that actually works understands the shared
> > secret model.

VPN tunneling doesn't provide the security that most people think it does...
It requires complicated configuration, and often doesn't provide e2e protections.

> Why not use IPsec in transport mode instead of a tunnel? It avoids
> unnecessary overhead and is already implemented in the kernel. It should
> be enough to "just" require IPsec for TCP port 2049 and run a suitable
> key exchange daemon.

Because IPsec is a PITA to configure and work, and lots of consumer OSes
don't make it at all easy.

Also, you forget that FreeBSD has ktls, which uses the same crypto offload
engine that IPsec does, so it will effectively have similar overhead, and
might actually perform better due to TLS having a 16k record encryption
size vs IPsec limiting itself to packet size, usually 1500, though possibly
9k if you're using jumbo frames...

I fully support doing NFS over TLS.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
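The record-size argument in the message above (one AEAD operation per 16 KiB TLS record versus one per IP packet under ESP) can be made concrete with a small framing model. The script below is an added illustration written for this archive page; it is not code from the thread, from FreeBSD's ktls, or from its IPsec stack. It assumes AES-GCM on both sides (TLS 1.3 records with a 5-byte header, 1-byte inner content type and 16-byte tag; ESP with an 8-byte SPI/sequence header, 8-byte IV, 2-byte trailer and 16-byte ICV), IPv4 without options, a TCP header without options unless `tcp_opts` is given, and no ESP padding beyond the mandatory 4-byte alignment. It counts AEAD invocations and framing bytes per unit of application data; it does not model wire bytes, since TLS records are themselves segmented into MTU-sized packets.

```python
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Framing:
    """One way of slicing an application byte stream into AEAD-protected units."""
    name: str
    max_plaintext: int      # application bytes protected by one encrypt+authenticate op
    per_unit_overhead: int  # framing bytes (headers, IV, tag, trailer) added per unit


def tls13_framing(record_size: int = 16384) -> Framing:
    """TLS 1.3 AES-GCM record: 5-byte record header, 1-byte inner content type,
    16-byte AEAD tag. 16384 bytes is the maximum plaintext per record (RFC 8446)."""
    if not 0 < record_size <= 16384:
        raise ValueError("TLS 1.3 plaintext records are at most 16384 bytes")
    return Framing("TLS 1.3 record", record_size, 5 + 1 + 16)


def esp_transport_framing(mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20,
                          tcp_opts: int = 0) -> Framing:
    """ESP transport mode with AES-GCM (RFC 4303 / RFC 4106): 8-byte SPI+sequence
    header, 8-byte IV, 2-byte trailer (pad length, next header), 16-byte ICV.
    The encrypted region must end on a 4-byte boundary; in transport mode the TCP
    header rides inside it, so it counts against the room left for NFS data.
    Assumption: IPv4 without options; pass tcp_opts=12 for TCP timestamps."""
    esp_hdr, iv, trailer, icv = 8, 8, 2, 16
    encrypted_room = mtu - ip_hdr - esp_hdr - iv - icv
    encrypted_room -= encrypted_room % 4          # RFC 4303 4-byte alignment
    data = encrypted_room - trailer - tcp_hdr - tcp_opts
    if data <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for payload")
    return Framing(f"ESP transport, MTU {mtu}", data, esp_hdr + iv + trailer + icv)


def crypto_units(n_bytes: int, framing: Framing) -> tuple[int, int]:
    """Return (number of AEAD operations, total framing overhead in bytes)
    needed to carry n_bytes of application data under this framing."""
    if n_bytes < 0:
        raise ValueError("n_bytes must be non-negative")
    units = math.ceil(n_bytes / framing.max_plaintext)
    return units, units * framing.per_unit_overhead


def compare(n_bytes: int, framings: list[Framing] | None = None) -> dict[str, tuple[int, int]]:
    """Compare the framings John-Mark contrasts: 16 KiB TLS records against ESP at
    a 1500-byte MTU and at a 9000-byte jumbo-frame MTU (constructed defaults)."""
    if framings is None:
        framings = [tls13_framing(), esp_transport_framing(1500), esp_transport_framing(9000)]
    return {f.name: crypto_units(n_bytes, f) for f in framings}


if __name__ == "__main__":
    for name, (units, overhead) in compare(1 << 20).items():
        print(f"{name:26s} {units:5d} AEAD ops, {overhead:6d} framing bytes per MiB")
```

For one MiB of NFS data the model gives 64 AEAD operations for TLS records against 736 for ESP at MTU 1500 and 118 at MTU 9000, which is the per-operation setup cost the message is pointing at; when an offload engine is charged per operation rather than per byte, that count is the number to watch. The model says nothing about latency, retransmission granularity, or the fact that a lost packet costs a whole TLS record on the receive side.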