From: Nicolas Williams (Nicolas.Williams@sun.com)
Date: 12/20/02-05:41:40 PM Z
Date: Fri, 20 Dec 2002 15:41:40 -0800
From: Nicolas Williams <Nicolas.Williams@sun.com>
Subject: Re: crypto performance and RPCSEC_GSS
Message-ID: <20021220154140.K1041@binky.central.sun.com>

On Fri, Dec 20, 2002 at 03:26:30PM -0800, Mike Eisler wrote:
> So what does this mean for the wg's current portfolio of
> upper layer protocols? For NFSv4, I observe (actually
> Dave Noveck did in a private email, but I'm taking
> it a step further than Dave) the following. Assume the
> NFSv4 server can detect that IPsec is being applied to
> the data stream (presumably there are, or could be, APIs
> to indicate this). After a particular principal has authenticated
> once with RPCSEC_GSS over kerberos or spkm, or any other secure
> mechanism, it could then return WRONGSEC on subsequent accesses by that
> principal in order to get it to downgrade security to a flavor that is
> less CPU intensive. The lightweight flavor could be AUTH_SYS or it could be
> a new, simple mechanism (under the GSS-API)
> that simply has the NFSv4 string-based uid as an identifier.
> Given that AUTH_SYS doesn't offer a global uid space,
> a string-based flavor might be better. I would think that if the wg
> pursues NFS on RDDP, we'd want to this new, lightweight flavor.
> Note that no protocol changes to NFSv4 are required.

Good stuff.

But I think that the lightweight auth flavor need only reference already-established GSS contexts, perhaps by naming the initiator principal name, say.

I don't think we should use AUTH_SYS at all for this purpose, no way, because the server is already mapping the GSS initiator principal names to its internal identifiers and we must preserve the server's ability to do so, whereas AUTH_SYS would take it away (and besides, the server would have to ensure that the AUTH_SYS data is valid for some established GSS context every time or use it as a GSS context lookup key - messy, messy).

> -mre

Nico
--
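The exchange the two messages above describe, as an added toy model that is not part of the thread or of any NFS implementation: a server that has established an RPCSEC_GSS context for a principal and then sees IPsec on the wire answers the next call with WRONGSEC, steering the client to a cheap flavor that only references the existing context, so the server keeps its own principal-to-uid mapping. The flavor name AUTH_GSSREF, the context-handle credential (Nico's message suggests the initiator principal name would do equally well), the `ipsec_on_wire` flag standing in for the IPsec-detection API Mike assumes, and the principal/uid table are all assumptions of this example. It also models the AUTH_SYS alternative to show the extra "is this uid valid for some established context" lookup the reply objects to.

```python
"""Toy model of WRONGSEC-driven downgrade to a context-referencing flavor.

Constructed example, not code from the thread or from any NFS server.
AUTH_GSSREF is a hypothetical flavor name; ipsec_on_wire stands in for
the assumed API that reports whether IPsec protects the connection.
"""
from dataclasses import dataclass, field

RPCSEC_GSS = "RPCSEC_GSS"
AUTH_SYS = "AUTH_SYS"
AUTH_GSSREF = "AUTH_GSSREF"          # hypothetical lightweight flavor
NFS4_OK = "NFS4_OK"
NFS4ERR_WRONGSEC = "NFS4ERR_WRONGSEC"
NFS4ERR_ACCESS = "NFS4ERR_ACCESS"


@dataclass
class Server:
    ipsec_on_wire: bool               # what the assumed IPsec-detection API reports
    principal_to_uid: dict            # server-owned mapping (e.g. from a directory)
    contexts: dict = field(default_factory=dict)   # ctx handle -> initiator principal
    next_handle: int = 0

    def _uid_for(self, principal):
        # The server, not the client, decides which internal identifier a
        # GSS initiator principal maps to.
        uid = self.principal_to_uid.get(principal)
        return (NFS4_OK, uid) if uid is not None else (NFS4ERR_ACCESS, None)

    def handle(self, req):
        """Return (status, payload): payload is a ctx handle on context
        establishment, a uid on success, or the flavor to switch to on WRONGSEC."""
        flavor = req["flavor"]
        if flavor == RPCSEC_GSS:
            if req.get("init"):
                # Full mechanism exchange (Kerberos, SPKM, ...): expensive, done once.
                h = self.next_handle
                self.next_handle += 1
                self.contexts[h] = req["principal"]
                return NFS4_OK, h
            principal = self.contexts.get(req["ctx"])
            if principal is None:
                return NFS4ERR_ACCESS, None
            if self.ipsec_on_wire:
                # Traffic is already protected below RPC, so stop paying for
                # per-message GSS integrity/privacy: point the client at the
                # cheap flavor that references this same context.
                return NFS4ERR_WRONGSEC, AUTH_GSSREF
            return self._uid_for(principal)
        if flavor == AUTH_GSSREF:
            # The credential is only a reference to a context this server
            # established; without IPsec it carries no protection of its own.
            if not self.ipsec_on_wire:
                return NFS4ERR_WRONGSEC, RPCSEC_GSS
            principal = self.contexts.get(req["ctx"])
            if principal is None:
                return NFS4ERR_ACCESS, None
            return self._uid_for(principal)   # server still does the mapping
        if flavor == AUTH_SYS:
            # The client asserts a uid. The best the server can do is check
            # that some established context maps to it (the lookup the reply
            # calls messy), and it has lost its own principal -> uid mapping.
            uid = req["uid"]
            if any(self.principal_to_uid.get(p) == uid for p in self.contexts.values()):
                return NFS4_OK, uid
            return NFS4ERR_ACCESS, None
        return NFS4ERR_WRONGSEC, RPCSEC_GSS


def client_session(server, principal, n_ops=2, max_hops=4):
    """Establish a GSS context, then issue n_ops calls, following WRONGSEC
    hints.  Returns the list of (flavor, status) pairs the client observed."""
    trace = []
    status, ctx = server.handle({"flavor": RPCSEC_GSS, "init": True, "principal": principal})
    trace.append((RPCSEC_GSS, status))
    flavor, done, hops = RPCSEC_GSS, 0, 0
    while done < n_ops and hops < max_hops:
        status, payload = server.handle({"flavor": flavor, "ctx": ctx})
        trace.append((flavor, status))
        if status == NFS4ERR_WRONGSEC:
            flavor, hops = payload, hops + 1     # switch flavor as the server asks
            continue
        done += 1
    return trace


if __name__ == "__main__":
    srv = Server(ipsec_on_wire=True, principal_to_uid={"alice@EXAMPLE.COM": 1001})
    for step in client_session(srv, "alice@EXAMPLE.COM"):
        print(step)
```

With IPsec on the wire the trace shows one expensive RPCSEC_GSS exchange, one WRONGSEC, and then only AUTH_GSSREF calls; a forged handle that names no established context is refused, and the same client against a server without IPsec never leaves RPCSEC_GSS. The AUTH_SYS branch accepts a uid only after scanning every live context, which is the per-call lookup the reply wants to avoid.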
This archive was generated by hypermail 2.1.2 : 03/04/05-01:50:45 AM Z CST