
Re: IPSEC and NFS



"Marcus Leech" <Marcus.Leech.mleech@nt.com> wrote
> Has anyone on this list given any thought to how IPSEC and NFS can play nicely
> together?  While host-to-host IPSEC can protect NFS transactions from outsiders,
> there's still the problem of the client (or heck, the server) cheating on things
> like uid, gid, etc.
>
> The question could, I suppose, be re-asked as how to make existing RPC systems
> (NFS being a prime example) use IPSEC in ways that make good security sense.

Yes, that is the question.

Consumers of RPC like NFS tend to multiplex multiple user "sessions" on
the same TCP connection. My understanding is that it would be
difficult to impossible for IPSEC to switch security associations at that
fine a granularity.

The direction for NFS security is RFC 2203, which is a new RPC security
flavor, based on GSS-API.

	-mre
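
An added illustration, not part of the original message: a Python sketch that splits one TCP byte stream into ONC RPC records and reads the credential of each call, showing that uid and gid are per-call AUTH_SYS fields filled in by the client and that calls for several users share one connection. The function names and the sample stream are constructed for this example; the field layout follows RFC 5531.

```python
import struct

AUTH_SYS, RPCSEC_GSS = 1, 6  # credential flavors (RFC 5531, RFC 2203)
NFS_PROGRAM = 100003

def build_call(xid, uid, gid, machine=b"client1"):
    """Construct an NFS NULL call with an AUTH_SYS credential (sample data)."""
    pad = (4 - len(machine) % 4) % 4
    cred = (struct.pack(">II", 0, len(machine)) + machine + b"\0" * pad
            + struct.pack(">III", uid, gid, 0))  # stamp, name, uid, gid, no aux gids
    msg = (struct.pack(">IIIIII", xid, 0, 2, NFS_PROGRAM, 3, 0)
           + struct.pack(">II", AUTH_SYS, len(cred)) + cred
           + struct.pack(">II", 0, 0))  # AUTH_NONE verifier
    return struct.pack(">I", 0x80000000 | len(msg)) + msg  # record mark, last fragment

def split_records(stream):
    """Yield RPC messages from a TCP byte stream using record marking."""
    pos, frags = 0, b""
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        length = mark & 0x7FFFFFFF
        if pos + 4 + length > len(stream):
            raise ValueError("truncated fragment")
        frags += stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if mark & 0x80000000:  # high bit set: last fragment of this record
            yield frags
            frags = b""

def call_credential(msg):
    """Return (xid, flavor, uid, gid) for a CALL; uid/gid are None unless AUTH_SYS."""
    xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", msg, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC version 2 call")
    if clen > 400 or 32 + clen > len(msg):  # opaque_auth body is at most 400 bytes
        raise ValueError("bad credential length")
    if flavor != AUTH_SYS:
        return xid, flavor, None, None
    body = msg[32:32 + clen]
    (name_len,) = struct.unpack_from(">I", body, 4)
    off = 8 + name_len + (4 - name_len % 4) % 4  # skip stamp and padded machine name
    uid, gid = struct.unpack_from(">II", body, off)
    return xid, flavor, uid, gid

def uids_on_connection(stream):
    """List the uid asserted in each call carried on one connection."""
    return [call_credential(m)[2] for m in split_records(stream)]

# Constructed sample: three users' calls sharing one TCP connection.
SAMPLE = build_call(1, 1001, 100) + build_call(2, 0, 0) + build_call(3, 1002, 100)
```

A call carrying flavor 6 (RPCSEC_GSS, RFC 2203) comes back with uid and gid as None, because that flavor does not carry a client-asserted uid in the credential.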




