Jan Bramkamp wrote this message on Fri, Mar 20, 2020 at 18:51 +0100: > On 20.03.20 02:44, Russell L. Carter wrote: > > Here I commit heresy, by A) top posting, and B) by just saying, why > > not make it easy, first, to tunnel NFSv4 sessions through > > e.g. net/wireguard or sysutils/spiped? NFS is point to point. > > Security infrastructure that actually works understands the shared > > secret model. VPN tunneling doesn't provide the security that most people thinks it does... It requires complicated configuration, and often doesn't provide e2e protections. > Why not use IPsec in transport mode instead of a tunnel? It avoids > unnecessary overhead and is already implemented in the kernel. It should > be enough to "just" require IPsec for TCP port 2049 and run a suitable > key exchange daemon. Because IPsec is a PITA to configure and work, and lots of consumer OSes don't make it at all easy. Also, you forget that FreeBSD has ktls, which usees the same crypto offload engine that IPsec does, so it will effectively have similar overhead, and might actually perform better due to TLS having a 16k record encryption size vs IPsec limiting itself to packet size, usually 1500, though possibly 9k if you're using jumbo frames... I fully support doing NFS over TLS. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."Received on Fri Mar 20 2020 - 18:45:16 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC