Jan Bramkamp wrote:
>On 20.03.20 02:44, Russell L. Carter wrote:
>> Here I commit heresy, by A) top posting, and B) by just saying, why
>> not make it easy, first, to tunnel NFSv4 sessions through
>> e.g. net/wireguard or sysutils/spiped? NFS is point to point.
>> Security infrastructure that actually works understands the shared
>> secret model.
>
>Why not use IPsec in transport mode instead of a tunnel? It avoids
>unnecessary overhead and is already implemented in the kernel. It should
>be enough to "just" require IPsec for TCP port 2049 and run a suitable
>key exchange daemon.

I think the problem with these suggestions is interoperability. The draft (that should soon become an RFC) describes use of RPC-over-TLS and since the authors are both Linux NFS developers, I expect Linux to implement this someday. Once the Linux client can do it, the NFS server vendors will implement it.
NFS isn't great, but it is supported by a variety of vendors/systems and I see that as one of its main features.

rick
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"