* US-Cert recommends disabling SMB1
From: Sachin Prabhu @ 2017-01-17 16:36 UTC
  To: linux-cifs

The following advisory was released by US-CERT.

https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

Sachin Prabhu


* Re: US-Cert recommends disabling SMB1
From: Steve French @ 2017-01-17 19:06 UTC
  To: Sachin Prabhu, samba-technical; +Cc: linux-cifs

No surprise that we should disable cifs ... now our challenge

1) make SMB3 (linux kernel implementation clearly) better than cifs including
   - the POSIX/Unix Extensions, which we were close to agreement on ...
   - compounding (open/query/close)
   - some minor feature finish-up (xattrs and ACLs, e.g.)
Although in most ways SMB3 is already better
2) finish up key security features
    - Pavel's encryption patches need more review ASAP (he has a
GitHub branch for these and I plan to merge into for-next fairly soon)
    - SMB3.1.1 secure negotiate and crypto negotiation finish-up
3) more testing to make sure we didn't miss anything ...

On Tue, Jan 17, 2017 at 10:36 AM, Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> The following advisory was released by US-CERT.
>
> https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
>
> Sachin Prabhu



-- 
Thanks,

Steve


* Re: US-Cert recommends disabling SMB1
From: L A Walsh @ 2017-01-17 19:14 UTC
  To: Sachin Prabhu; +Cc: linux-cifs

Sachin Prabhu wrote:
> The following advisory was released by US-CERT.
>
> https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
>   

Interesting since the KB articles they point out only tell how to disable
SMB, SMB2 or SMB3, but not why you would do so.

Note, I have had to use SMB(1) on Windows7SP1 at times when I couldn't get
SMB2 to work.  Could the US-CERT people explain what the risk is in
using SMB1 on a closed (not exposed to the internet) network?

FWIW, I am running SMB2 now...

Sure wish I knew how to optimize it, as I have gotten 400-600MB/s
in past testing (don't know what SMB level it was), but am now only
getting ~ 200MB/s on SMB2.  SMB1 was in the low 100's for throughput.
(between Win7SP1 client and Samba-on-linux server).


* Re: US-Cert recommends disabling SMB1
From: Steve French @ 2017-01-17 19:18 UTC
  To: L A Walsh; +Cc: Sachin Prabhu, linux-cifs

On Tue, Jan 17, 2017 at 1:14 PM, L A Walsh <cifs-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org> wrote:
> Sachin Prabhu wrote:
>>
>> The following advisory was released by US-CERT.
>>
>> https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
>>
>
>
> Interesting since the KB articles they point out only tell how to disable
> SMB, SMB2 or SMB3, but not why you would do so.
>
> Note, I have had to use SMB(1) on Windows7SP1 at times when I couldn't get
> SMB2 to work.  Could the US-CERT people explain what the risk is in
> using SMB1 on a closed (not exposed to the internet) network?
>
> FWIW, I am running SMB2 now...
>
> Sure wish I knew how to optimize it, as I have gotten 400-600MB/s
> in past testing (don't know what SMB level it was), but am now only
> getting ~ 200MB/s on SMB2.  SMB1 was in the low 100's for throughput.
> (between Win7SP1 client and Samba-on-linux server).

Couple quick thoughts

- you should never be using SMB2 (SMB2.1 or SMB3 is fine) since it is
missing some important features that the later versions supply (unless
you really are running Windows Vista servers).

- smb2.1 and later should have faster large i/o (i/o sizes are larger
than cifs) but may be slower in some operations that have lots of
query of metadata (open/query/close is three operations on the wire
instead of one as it was in cifs - since we don't do compounding yet).

-- 
Thanks,

Steve
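
An added example, not part of the original thread or of the cifs code: one way to audit a Linux client for the dialects discussed above, by reading the `vers=` option of cifs entries in `/proc/mounts` format. The sample lines, the function name and the verdict labels are constructed for illustration; a mount that shows no `vers=` is reported as unknown because the dialect then depends on the kernel's default.

```python
# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
//fs1/share /mnt/a cifs rw,relatime,vers=1.0,sec=ntlmssp,username=u 0 0
//fs2/share /mnt/b cifs rw,relatime,vers=2.0,username=u 0 0
//fs3/share /mnt/c cifs rw,relatime,vers=3.0,username=u 0 0
//fs4/share /mnt/d cifs rw,relatime,username=u 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

# Policy as stated in the thread: SMB1 (cifs) should be disabled,
# SMB2.0 should not be used, SMB2.1 and SMB3 are fine.
FLAGGED = {"1.0": "disable", "2.0": "avoid"}
ACCEPTED = {"2.1", "3.0", "3.02", "3.1.1"}


def audit_cifs_mounts(text):
    """Return (mountpoint, vers, verdict) for every cifs mount in text."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue  # not a cifs mount
        # Turn "rw,vers=1.0,..." into {"rw": "", "vers": "1.0", ...}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        vers = opts.get("vers")
        if vers in FLAGGED:
            verdict = FLAGGED[vers]
        elif vers in ACCEPTED:
            verdict = "ok"
        else:
            verdict = "unknown"  # no vers= shown, or a value not listed above
        findings.append((fields[1], vers, verdict))
    return findings


if __name__ == "__main__":
    for mountpoint, vers, verdict in audit_cifs_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint}: vers={vers} -> {verdict}")
```

On a live system, pass the contents of `/proc/mounts` instead of `SAMPLE_MOUNTS`.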
