Date: Sat, 12 Nov 2005 11:25:52 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Doug Rabson <dfr@nlsystems.com>
Cc: arch@freebsd.org
Subject: Re: New extensible GSSAPI implementation
Message-ID: <20051112112234.H33260@fledge.watson.org>
In-Reply-To: <200511121115.38732.dfr@nlsystems.com>
References: <200511121042.42425.dfr@nlsystems.com> <20051112110504.X33260@fledge.watson.org> <200511121115.38732.dfr@nlsystems.com>

On Sat, 12 Nov 2005, Doug Rabson wrote:

> I have looked at the Solaris kernel GSS-API code. As far as I can see on
> a first reading, they defer the context establishment out to userland
> and once the context is up, they do the actual crypto for signing etc.
> in the kernel, via a plugin model.
>
> Doing all the crypto in userland isn't really a good idea because even
> when you aren't using message privacy and integrity, parts of the RPC
> header are still signed for basic replay detection. Flipping all that
> out to userland would be devastating for performance. Rick Macklem's
> NFSv4 server code does its crypto in the kernel in a similar way to
> Solaris but it is hard-wired to kerberosv5.

I agree entirely with the above sentiments. Are you sure you can't make it to EuroBSDCon to talk about NFSv4 there? :-)

Robert N M Watson