Re: IPSEC and NFS
Angelos D. Keromytis wrote:
>
> I've been using NFS over IPsec to protect against outsider attacks for
> a while now, but I don't see how NFS can be made insider-resistant
> without major restructuring of the protocol. There's the implicit
> assumption that the client kernel is behaving. Of course, you didn't
> quite explain what your threat model was (hostile users on the client
> machine I presume -- in which case IPsec+privileged ports required
> for the client can do wonders).
> Cheers,
Fair enough, I wasn't very clear on the threat model.

I'm particularly concerned about things like PCs participating in
NFS services, in which it's sooooo easy for the client to "cheat"
in the sense of claiming a uid/gid that it has no "right" to.

I'm afraid that your analysis of NFS requiring major restructuring
to protect against this is correct. Secure RPC doesn't appear to
be a reasonable fix for this either. Sigh.

If I restrict an NFS server to only allowing SAs with hosts it
knows "play by the rules"--in that user processes cannot fake
legitimate NFS protocol (because they can't get a privileged port),
then host-to-host IPSEC works. What a marvellous world it would
be if I could always make that assumption...
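
The trust boundary discussed in this thread, as an added example that is not part of the original messages: it decodes the standard AUTH_SYS (AUTH_UNIX) RPC credential and applies the only two checks the server can make itself, showing that the uid/gid fields play no part in the decision. It assumes the RFC 5531 credential layout and that the peer host name has already been authenticated by the IPsec SA; the function names, host names, ports and ids are hypothetical, constructed sample values.

```python
import struct

def pack_auth_sys(stamp, machine, uid, gid, gids):
    """Build an AUTH_SYS credential body in XDR (used only for the sample input)."""
    name = machine.encode("ascii")
    pad = b"\0" * (-len(name) % 4)           # XDR pads opaque data to 4 bytes
    return (struct.pack(">II", stamp, len(name)) + name + pad
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))

def parse_auth_sys(body):
    """Decode a credential body; every field is whatever the client wrote."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    if name_len > 255:
        raise ValueError("machinename longer than 255 bytes")
    off = 8
    machine = body[off:off + name_len].decode("ascii", "replace")
    off += (name_len + 3) & ~3               # skip name plus XDR padding
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    if ngids > 16 or off + 4 * ngids != len(body):
        raise ValueError("bad supplementary gid list")
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}

def admit(src_host, src_port, sa_hosts):
    """Checks the server can make itself: IPsec peer and privileged source port."""
    if src_host not in sa_hosts:
        return "reject: no SA with host"
    if src_port >= 1024:
        return "reject: unprivileged source port"
    return "accept"

# Constructed sample data: host names, ports and ids are illustrative only.
SA_HOSTS = {"ws1.example.org"}
CRED_A = pack_auth_sys(1, "ws1", 1001, 100, [100])
CRED_B = pack_auth_sys(2, "ws1", 1002, 100, [100, 200])

def demo():
    """Return (decision, claimed uid) per request; the uid never enters the decision."""
    requests = [("ws1.example.org", 801, CRED_A), ("ws1.example.org", 802, CRED_B),
                ("ws1.example.org", 40000, CRED_A), ("pc7.example.org", 801, CRED_A)]
    return [(admit(h, p, SA_HOSTS), parse_auth_sys(c)["uid"]) for h, p, c in requests]

if __name__ == "__main__":
    for decision, uid in demo():
        print(f"claimed uid={uid}: {decision}")
```

The first two requests are admitted with different claimed uids because the server's checks stop at the host and port; the uid is accepted on the client kernel's word.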