Chris's Wiki :: blog/linux/NFSMountAuthProblems Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/NFSMountAuthProblems?atomcomments
DWiki, 2014-11-08T03:15:41Z
Recent comments in Chris's Wiki :: blog/linux/NFSMountAuthProblems.

By Elijah Buck on /blog/linux/NFSMountAuthProblems
tag:CSpace:blog/linux/NFSMountAuthProblems:76b0a12f79bdf47702df99ccffd2fd586d592a84
<div class="wikitext"><p>You may be able to use ipsec for authentication only and not encryption. That might not have as much of a performance hit.</p>
</div>
2014-11-08T03:15:41Z

By Ewen McNeill on /blog/linux/NFSMountAuthProblems
tag:CSpace:blog/linux/NFSMountAuthProblems:68f76659b8c63f8eb63de66ae9a7f61f71bc2361
<div class="wikitext"><p>A couple of potentially helpful observations:
1. On your firewall approach, a potential implementation would be a generic catch-all NAT rule that pushed TCP connections (UDP too, if you're using that) for the mount daemon off to some other port that could do additional authentication and then inject a specific NAT-bypass rule for that IP (-j ACCEPT, with specific IPs). If you have control over the clients and they're Linux, you could possibly include OUTPUT table rules for those which similarly diverted the traffic to some client-authentication proxy, potentially speeding up the process (e.g., pre-doing auth, passing along required auth data up front). None of that should require particular netfilter hacks, just a bit of user-space code to do the side-channel auth, and some (user-space inserted) "iptables -t nat" rules.</p>
<p>2. glibc has new maintainers (since a couple of years ago). I understand that they're much more open to suggestions than the previous maintainer. A supposedly modular thing which requires depending on an internal implementation detail (internal structure) seems like something which they might be willing to investigate from a stable-API point of view. But of course there's the "in my distro OS version in N years" problem still to contend with there.</p>
<p>Ewen</p>
</div>
2014-11-04T05:36:23Z