Date:      Sat, 21 Mar 2020 01:33:53 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Jan Bramkamp <crest@rlwinm.de>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: TLS certificates for NFS-over-TLS floating client
Message-ID:  <QB1PR01MB3649E57A8E2A65BF02288D26DDF20@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de>
References:  <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <20200319191605.GJ4213@funkthat.com> <YTBPR01MB337407CFCBE26DBAB1BC985ADDF40@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <d4d68f01-6c1e-7c2e-4238-7cc40669c893@pinyon.org>, <33810a31-50f0-94ee-444a-51cf85a7b6fe@rlwinm.de>

Jan Bramkamp wrote:
>On 20.03.20 02:44, Russell L. Carter wrote:
>> Here I commit heresy, by A) top posting, and B) by just saying, why
>> not make it easy, first, to tunnel NFSv4 sessions through
>> e.g. net/wireguard or sysutils/spiped?  NFS is point to point.
>> Security infrastructure that actually works understands the shared
>> secret model.
>
>Why not use IPsec in transport mode instead of a tunnel? It avoids
>unnecessary overhead and is already implemented in the kernel. It should
>be enough to "just" require IPsec for TCP port 2049 and run a suitable
>key exchange daemon.
I think the problem with these suggestions is interoperability.
The draft (that should soon become an RFC) describes use of RPC-over-TLS
and since the authors are both Linux NFS developers, I expect Linux to
implement this someday.
Once the Linux client can do it, the NFS server vendors will implement it.

NFS isn't great, but it is supported by a variety of vendors/systems and I
see that as one of its main features.

rick