Re: Why TLS and Kerberos are not useful for NFS security Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports

public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Chuck Lever <chuck.lever@oracle.com>
To: Frank Filz <ffilzlnx@mindspring.com>,
	'Dan Shelton' <dan.f.shelton@gmail.com>,
	'Linux NFS Mailing List' <linux-nfs@vger.kernel.org>,
	libtirpc-devel@lists.sourceforge.net
Subject: Re: Why TLS and Kerberos are not useful for NFS security Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Mon, 19 May 2025 16:45:25 -0400	[thread overview]
Message-ID: <b2c1bfe1-2272-40cd-a4a5-784d03b214e3@oracle.com> (raw)
In-Reply-To: <001201dbc8ee$07bb7920$17326b60$@mindspring.com>

On 5/19/25 2:44 PM, Frank Filz wrote:
> 
> 
>> -----Original Message-----
>> From: Dan Shelton [mailto:dan.f.shelton@gmail.com]
>> Sent: Sunday, May 18, 2025 7:14 PM
>> To: Linux NFS Mailing List <linux-nfs@vger.kernel.org>; libtirpc-
>> devel@lists.sourceforge.net
>> Subject: Re: Why TLS and Kerberos are not useful for NFS security Re: [PATCH
>> nfs-utils] exportfs: make "insecure" the default for all exports
>>
>> On Wed, 14 May 2025 at 23:51, Martin Wege <martin.l.wege@gmail.com>
>> wrote:
>>> Interoperability is also a big problem (nay, it's ZERO
>>> interoperability), as this is basically a Linux kernel client/kernel
>>> server only solution.
>>> libtirpc doesn't support TLS, Ganesha doesn't support TLS, so yeah,
>>> this is an issue, and not a solution.
>>>
>>> Fazit: Supporting your argumentation with Kerberos5 or TLS is not gonna fly.
>>
>> I tried to add TLS support to libtirpc, but I think it's simply not possible. The APIs
>> are just not compatible.
>> Ganesha folks also tried the same, and failed - their ntirpc would require a major
>> redesign to support TLS.
> 
> For what it's worth, we (Ganesha) are still working on offering TLS. There are options (including kTLS) that seem like they would work (mostly) for us, the issue is if there needs to be a rekeying negotiation.
> 
> I can see how once a TLS session is started, we could integrate a ktls socket into our ntirpc epoll loop and send and receive packets on the TLS session. But when rekeying is necessary, I don't quite see how to get back into a library to do that, particularly in a way that still uses our epoll loop. That is the same for user space libraries. We have looked at OpenSSL and s2n.

The current behavior for our implementation is that when re-keying is
needed, the connection is closed and a fresh handshake is done. This
does not appear to happen often.

KeyUpdate support was added to ktls recently, but we haven't plumbed
it into the Linux kernel RPC implementation.


> We do see a demand for protected RPC sessions for NFS and TLS seems to be the best option at the moment.



-- 
Chuck Lever

     prev parent reply	other threads:[~2025-05-19 20:45 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-14 21:50 Why TLS and Kerberos are not useful for NFS security Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Martin Wege
2025-05-15  2:09 ` Rick Macklem
2025-05-19 13:03   ` NFS/TLS situation on Windows - " Lionel Cons
2025-05-20  1:37     ` Rick Macklem
2025-05-21  7:07       ` Lionel Cons
2025-05-21 22:38         ` Rick Macklem
2025-05-15 12:29 ` Chuck Lever
2025-05-18 20:00   ` Martin Wege
2025-05-19  0:24     ` Rick Macklem
2025-05-15 14:08 ` Mkrtchyan, Tigran
2025-05-19  2:14 ` Dan Shelton
2025-05-19  3:09   ` Rick Macklem
2025-05-19 18:44   ` Frank Filz
2025-05-19 20:45     ` Chuck Lever [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b2c1bfe1-2272-40cd-a4a5-784d03b214e3@oracle.com \
    --to=chuck.lever@oracle.com \
    --cc=dan.f.shelton@gmail.com \
    --cc=ffilzlnx@mindspring.com \
    --cc=libtirpc-devel@lists.sourceforge.net \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox