IPSEC and NFS
Let's see here. First of all we have authentication so a different host
shouldn't be able to spoof uid/etc. Second, we intrinsically assume the
host has some sort of internal security, so IPSec views it as "out of
scope" if a known valid host misrepresents UID. I assume properly
representing UID is a policy plumbing problem left to the NFS developer.
Or, you could run TLS, I suppose.
>Date: Fri, 30 Jan 1998 11:09:55 -0500
>From: "Marcus Leech" <Marcus.Leech.mleech@nt.com>
>Organization: Nortel Technology, Messaging and Security Infrastructure
>X-Mailer: Mozilla 4.03 [en] (X11; I; HP-UX A.09.05 9000/712)
>To: ipsec@tis.com
>Subject: IPSEC and NFS
>Sender: owner-ipsec@ex.tis.com
>
>Has anyone on this list given any thought to how IPSEC and NFS can play nicely
> together? While host-to-host IPSEC can protect NFS transactions from outsiders,
> there's still the problem of the client (or heck, the server) cheating on things
> like uid, gid, etc.
>
>The question could, I suppose, be re-asked as how to make existing RPC systems
> (NFS being a prime example) use IPSEC in ways that make good security sense.
>
>[Sorry for injecting an admittedly tangential question to IPSEC itself, but the
> participants in this list are the most likely candidates for having thought
> about some of these issues...]
>
>
>--
>----------------------------------------------------------------------
>Marcus Leech                             Mail:   Dept 8M86, MS 012, FITZ
>Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
>Messaging and Security Infrastructure    Fax:   (ESN) 395-1407  +1 613 765 1407
>Nortel Technology                        mleech@nortel.ca
>-----------------Expressed opinions are my own, not my employer's------
>
>
-- Rodney Thayer <rodney@sabletech.com>