What I want out of NFS security, at least at the moment
I know, NFS has a lot of new security features in both the more or less mythical NFS v4 and in NFS v3 with some hacks. The problem is that they all give me the wrong sort of security (as far as I can tell); like other real network filesystems, they're all focused on authenticating the users. What I want is good authentication of the hosts.
(The problem with user-based authentication is that it takes out all forms of setuid. This forces a really big, really drastic change in the fundamentals of how you structure your systems, which I am just not interested in exploring. I trust my systems, and I'd better, because they're all multi-user systems.)
The best way to authenticate hosts is for hosts to sign every NFS message, and then the other end to verify the signatures. At a minimum I'd like the host to be authenticated on each message; better would be message integrity validation as well. (Outright encryption is probably still too slow, and performance is important for me here; I can't suggest using something that cuts our NFS performance significantly.)
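As an added illustration of the host-signed-message idea above (constructed example code, not anything from the original post or from any NFS implementation, and not the real NFS wire format): each request carries the AUTH_SYS-style uid/gid the client asserts, and the whole message is authenticated with an HMAC under a pre-shared per-host key. The server only checks that the host's tag verifies; the asserted uid is passed through untouched, which is what leaves setuid workable. `HOST_KEYS` and the hostnames are placeholders.

```python
import hashlib
import hmac
import json

# Constructed pre-shared per-host keys (placeholders, not from the post).
# A real deployment would provision these out of band.
HOST_KEYS = {
    "client-a.example": b"placeholder-key-for-client-a",
    "client-b.example": b"placeholder-key-for-client-b",
}


def _tag(key: bytes, raw: bytes) -> bytes:
    # Host authentication plus message integrity: one HMAC over the whole
    # request, keyed by the sending host's key (no payload encryption).
    return hmac.new(key, raw, hashlib.sha256).digest()


def sign_request(host: str, uid: int, gid: int, op: str, path: str) -> dict:
    """Client side: the host signs the request, including the uid/gid it
    asserts on behalf of its (trusted, multi-user) local processes."""
    body = {"host": host, "uid": uid, "gid": gid, "op": op, "path": path}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": _tag(HOST_KEYS[host], raw).hex()}


def verify_request(msg: dict) -> tuple[bool, str]:
    """Server side: accept the asserted uid/gid only if the message was
    signed by a known host and arrived unmodified. The uid itself is not
    re-authenticated; trusting the host is the whole point."""
    body = msg["body"]
    key = HOST_KEYS.get(body["host"])
    if key is None:
        return False, "unknown host"
    raw = json.dumps(body, sort_keys=True).encode()
    expected = _tag(key, raw)
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        return False, "bad host signature"
    return True, f"uid={body['uid']} gid={body['gid']} {body['op']} {body['path']}"
```

Any change to the body after signing (a different uid, path or host name) makes the tag fail, and a message from a host without a provisioned key is rejected outright.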
One can do this today with IPSec, but IPSec has two flaws for this: it's not integrated into NFS administration, and it's remarkably complex. One could probably solve both problems with a bunch of scripts, but then we'd have added another problem. And I don't know if current IPSec implementations can run fast enough to manage gigabit wire speeds, even just for host authentication.
(I'm also not sure if the authentication-only modes are well regarded or well tested; I have the impression that most people feel that IPSec should be used with full encryption, which I believe is significantly slower than just authentication.)