On 8 apr 2010, at 23.21, Miles Nordin wrote: >>>>>> "rs" == Ragnar Sundblad <ra...@csc.kth.se> writes: > > rs> use IPSEC to make IP address spoofing harder. > > IPsec with channel binding is win, but not until SA's are offloaded to > the NIC and all NIC's can do IPsec AES at line rate. Until this > happens you need to accept there will be some protocols used on SAN > that are not on ``the Internet'' and for which your axiomatic security > declarations don't apply, where the relevant features are things like > doing the DNS lookup in the proper .rhosts manner and doing uRPF, > minimum, and more optimistically stop adding new protocols without > IPv6 support, and start adding support for multiple IP stacks / VRF's. > If saying ``the only way to do any given thing is twicecrypted > kerberized ipsec within dnssec namespaces'' is blocking doing these > immediate plaintext things that allow a host to participate in both > the internet and a SAN at once, well that's no good either.
I totally agree. Since DNS, fqdn, and the like was mentioned, I don't think this was intended for a SAN, not-on-the-internet, environment. uRPF and other filters may of course harden your environment. Let's hope everyone using the NFS features in question all use them in a completely non-spoofable (L1..L3 and name resolver) setup, then! ;-) /ragge _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
