From: "Frank Filz" <ffilzlnx@mindspring.com>
To: "'Dan Shelton'" <dan.f.shelton@gmail.com>,
"'Linux NFS Mailing List'" <linux-nfs@vger.kernel.org>,
<libtirpc-devel@lists.sourceforge.net>
Subject: RE: Why TLS and Kerberos are not useful for NFS security Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Mon, 19 May 2025 11:44:17 -0700 [thread overview]
Message-ID: <001201dbc8ee$07bb7920$17326b60$@mindspring.com> (raw)
In-Reply-To: <CAAvCNcBPac+uDC6x_V_jW1q_JCG3yEeCMjvpc869AmBAhti3Xw@mail.gmail.com>
> -----Original Message-----
> From: Dan Shelton [mailto:dan.f.shelton@gmail.com]
> Sent: Sunday, May 18, 2025 7:14 PM
> To: Linux NFS Mailing List <linux-nfs@vger.kernel.org>; libtirpc-
> devel@lists.sourceforge.net
> Subject: Re: Why TLS and Kerberos are not useful for NFS security Re: [PATCH
> nfs-utils] exportfs: make "insecure" the default for all exports
>
> On Wed, 14 May 2025 at 23:51, Martin Wege <martin.l.wege@gmail.com>
> wrote:
> > Interoperability is also a big problem (nay, it's ZERO
> > interoperability), as this is basically a Linux kernel client/kernel
> > server only solution.
> > libtirpc doesn't support TLS, Ganesha doesn't support TLS, so yeah,
> > this is an issue, and not a solution.
> >
> > Fazit: Supporting your argumentation with Kerberos5 or TLS is not gonna fly.
>
> I tried to add TLS support to libtirpc, but I think it's simply not possible. The APIs
> are just not compatible.
> Ganesha folks also tried the same, and failed - their ntirpc would require a major
> redesign to support TLS.
For what it's worth, we (Ganesha) are still working on offering TLS. There are options (including kTLS) that seem like they would work (mostly) for us, the issue is if there needs to be a rekeying negotiation.
I can see how once a TLS session is started, we could integrate a ktls socket into our ntirpc epoll loop and send and receive packets on the TLS session. But when rekeying is necessary, I don't quite see how to get back into a library to do that, particularly in a way that still uses our epoll loop. That is the same for user space libraries. We have looked at OpenSSL and s2n.
We do see a demand for protected RPC sessions for NFS and TLS seems to be the best option at the moment.
Frank
next prev parent reply other threads:[~2025-05-19 18:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 21:50 Why TLS and Kerberos are not useful for NFS security Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Martin Wege
2025-05-15 2:09 ` Rick Macklem
2025-05-19 13:03 ` NFS/TLS situation on Windows - " Lionel Cons
2025-05-20 1:37 ` Rick Macklem
2025-05-21 7:07 ` Lionel Cons
2025-05-21 22:38 ` Rick Macklem
2025-05-15 12:29 ` Chuck Lever
2025-05-18 20:00 ` Martin Wege
2025-05-19 0:24 ` Rick Macklem
2025-05-15 14:08 ` Mkrtchyan, Tigran
2025-05-19 2:14 ` Dan Shelton
2025-05-19 3:09 ` Rick Macklem
2025-05-19 18:44 ` Frank Filz [this message]
2025-05-19 20:45 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='001201dbc8ee$07bb7920$17326b60$@mindspring.com' \
--to=ffilzlnx@mindspring.com \
--cc=dan.f.shelton@gmail.com \
--cc=libtirpc-devel@lists.sourceforge.net \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox