Linux 6.12 NFS Adds LOCALIO Protocol For "Extreme" Performance Boost


  • #11
    There are better ways to do mounting....

    Comment


    • #12
      Originally posted by Chugworth
      I'm surprised people still take NFS seriously when the only form of security it provides is checking the source IP address, and it transmits the data unencrypted over the network. Yes, I know there is a way to add data encryption. I've looked into it and it seems to be a convoluted mess to implement with very little good documentation.
      There is a problem here. It's a disconnect.




      Originally posted by Chugworth
      Well first of all it's not a complete package. You need add-ons from Oracle to make it work. And the very limited information about the encryption add-on leads me to believe that few people are actually using it. Hence the surprise that NFS is still a thing in today's highly security-focused environment.

      Might as well bring Telnet back.
      This is wrong and right. You don't need add-ons from Oracle to make secure NFS work; it is just one of the options. If you are using NFS TLS encryption, you use ktls-utils, which is currently maintained by Oracle, to use Linux kernel TLS, because it is a helper application for the Linux in-kernel TLS. Yes, that helper application is needed whenever you decide to use the Linux kernel TLS. Yes, Arch and others write this up as a valid option, but you kind of have to be insane to use software that is marked as experimental, like ktls-utils and the in-kernel TLS.

      Next is to use the cross-platform Kerberos NFS option.
      To use Kerberos NFS in a decent, sane way you need gssproxy; this can encrypt identification as one option or completely encrypt the traffic as another.
      A proxy for GSSAPI | Docs at https://github.com/gssapi/gssproxy/tree/main/docs - gssapi/gssproxy

      It might become clear reading the above. The reality is that Kerberos NFS 4, the one that supports full encryption and a lot more identification, is a Kerberos application that uses gssproxy for the Kerberos tasks.

      Then you have a lot of older legacy systems that don't support NFS TLS or NFS Kerberos at all, and most of those have older, worse-performing protocol options with security that no longer works anyhow. So you have to do the elvis solution.

      Yes, the reality is NFS does not implement encryption itself; instead it offloads it to some party, being either gssproxy (for Kerberos) or in-kernel TLS.

      The NFS documentation is very short on encryption and security because the simple NFS protocol does not implement encryption, heck, it barely does user identification; instead these are offloaded to software that provides TLS and Kerberos support.

      Yes, to set up NFS to use gssproxy you only need a few fine steps. Setting up a detailed Kerberos configuration for NFS means setting up a Kerberos server, which is kind of outside NFS, then setting up all the fine settings, which are all gssproxy items that are the same for gssproxy Kerberos applications. See, very quickly this stops being NFS.

      Chugworth, NFS has always been developed with a "do not reinvent the wheel" model, leading to this: if you want to do X, you need to get to know how to configure applications that are not NFS, because the NFS implementation will have offloaded the feature.

      The most common reason why NFSv3 or NFSv4 is used without encryption is performance. Yes, NFSv4 does not always perform better than NFSv3; this is because NFSv4 does have better locking, so yes, you can gain performance using NFSv3 with a high risk of messed-up data.

      The most commonly used encrypted form of NFS is the Kerberos form, because it is cross-platform and you don't end up having issues with the in-kernel TLS. Yes, the issue with in-kernel TLS is if other applications also need to be using it. gssproxy was designed from the ground up so that you would have multiple different Kerberos applications running at the same time.

      Comment
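
An added example, not written by any poster in this thread: a small Python audit that classifies what on-the-wire protection each NFS mount gets from the two mechanisms discussed above, Kerberos (`sec=krb5`, `krb5i`, `krb5p`) and kernel TLS (`xprtsec=tls`, `mtls`). The option names are taken from the Linux nfs(5) man page rather than from the thread, the sample mount lines are constructed, and treating a missing `sec=` as `sys` is a worst-case assumption.

```python
"""Classify on-the-wire protection of NFS mounts from /proc/mounts-style lines."""

# sec= flavors from nfs(5) and what each one protects.
SEC_FLAVORS = {
    "sys":   "none",       # AUTH_SYS: client-asserted UID/GID, no cryptography
    "krb5":  "auth-only",  # Kerberos proves identity; data travels in the clear
    "krb5i": "integrity",  # adds per-message checksums; data is still readable
    "krb5p": "encrypted",  # adds privacy: the RPC payload is encrypted
}
TLS_POLICIES = {"tls", "mtls"}  # xprtsec= values that wrap RPC in TLS

def parse_options(opt_string):
    """Turn 'rw,sec=krb5p,vers=4.2' into {'rw': None, 'sec': 'krb5p', ...}."""
    opts = {}
    for item in opt_string.split(","):
        key, _, value = item.partition("=")
        opts[key] = value or None
    return opts

def classify(mount_line):
    """Return (mountpoint, protection) for an NFS line, None for other fs types."""
    fields = mount_line.split()
    if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
        return None
    opts = parse_options(fields[3])
    if opts.get("xprtsec") in TLS_POLICIES:
        return fields[1], "encrypted"
    sec = opts.get("sec") or "sys"  # assumption: no sec= is treated as sys
    return fields[1], SEC_FLAVORS.get(sec, "unknown")

def audit(lines):
    """Map mountpoint -> protection level for every NFS mount in the input."""
    results = {}
    for line in lines:
        hit = classify(line)
        if hit:
            results[hit[0]] = hit[1]
    return results

# Constructed sample input in /proc/mounts format (hosts and paths are made up).
SAMPLE = [
    "files.example:/home /home nfs4 rw,vers=4.2,sec=krb5p,proto=tcp 0 0",
    "files.example:/proj /proj nfs4 rw,vers=4.2,sec=krb5,proto=tcp 0 0",
    "old.example:/dump /mnt/dump nfs rw,vers=3,sec=sys,proto=tcp 0 0",
    "files.example:/scratch /scratch nfs4 rw,vers=4.2,sec=sys,xprtsec=tls 0 0",
    "/dev/sda1 / ext4 rw,relatime 0 0",
]

if __name__ == "__main__":
    for mountpoint, level in audit(SAMPLE).items():
        print(f"{mountpoint:12} {level}")
```

Anything reported as `none`, `auth-only` or `integrity` is readable by an observer on the network path; only `krb5p` or a TLS transport hides the file data.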