From: Rick Macklem
To: Jan Bramkamp, freebsd-current@FreeBSD.org
Subject: Re: TLS certificates for NFS-over-TLS floating client
Date: Sat, 21 Mar 2020 01:33:53 +0000
Jan Bramkamp wrote:
> On 20.03.20 02:44, Russell L. Carter wrote:
>> Here I commit heresy by A) top posting, and B) just saying: why not make it easy, first, to tunnel NFSv4 sessions through e.g. net/wireguard or sysutils/spiped? NFS is point to point. Security infrastructure that actually works understands the shared secret model.
>
> Why not use IPsec in transport mode instead of a tunnel? It avoids unnecessary overhead and is already implemented in the kernel. It should be enough to "just" require IPsec for TCP port 2049 and run a suitable key exchange daemon.

I think the problem with these suggestions is interoperability.
The draft (that should soon become an RFC) describes use of RPC-over-TLS, and since the authors are both Linux NFS developers, I expect Linux to implement this someday.
Once the Linux client can do it, the NFS server vendors will implement it.

NFS isn't great, but it is supported by a variety of vendors/systems, and I see that as one of its main features.

rick

_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"