[66] in linux-security and linux-alert archive
Re: Safe NFS outline
daemon@ATHENA.MIT.EDU (Alan Cox)
Wed Mar 8 13:46:40 1995
From: iialan@iifeak.swan.ac.uk (Alan Cox)
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 8 Mar 1995 17:47:00 +0000 (GMT)
In-Reply-To: <199503081449.PAA01075@mvmampc66.ciw.uni-karlsruhe.de> from "Thomas Koenig" at Mar 8, 95 03:49:58 pm
Reply-To: linux-security@tarsier.cv.nrao.edu
> Comments, anybody?
Yes. Read the IP v4 ESP and AH internet drafts (on ds.internic.net)
along with the MD5 draft you'll find what you have described.
> Current clients use AUTH_UNIX for their credentials (there are actually
> some NFS implementations around with trust the hostname in there... I
> have no idea why they should do that) with a null verifier. Trying to
> get that fixed is useless.
And those that use secure RPC
> Performance: I tried MD5 on my 486/33 and got about 200000
> rounds/second. This would be good enough, I think.
I don't know what rounds equates to. With a few tunings the generic MD5
code gives me about 1.2Mbytes/second.
> Keeping state around: Well, some is inevitable, if you want an
> approximation of a secure NFS. You have to keep track of who's
> mounting what.
Yes.
Be aware of two things: The RFC MD5 implementation can't be mixed with
GNU code (but can be redone - and an assembler one ought to touch 2Mb/second)
and in the USA packet authentication (like this) is subject to a totally
bogus Novell software patent, so you'd have to do a no US import license (
the GPL permits this in these cases).
Alan
