Re: New extensible GSSAPI implementation
From: Robert Watson (rwatson_at_FreeBSD.org)
Date: 11/12/05
- Previous message: Doug Rabson: "Re: New extensible GSSAPI implementation"
- In reply to: Doug Rabson: "Re: New extensible GSSAPI implementation"
- Next in thread: Doug Rabson: "Re: New extensible GSSAPI implementation"
- Reply: Doug Rabson: "Re: New extensible GSSAPI implementation"
Date: Sat, 12 Nov 2005 11:25:52 +0000 (GMT)
To: Doug Rabson <dfr@nlsystems.com>
On Sat, 12 Nov 2005, Doug Rabson wrote:
> I have looked at the Solaris kernel GSS-API code. As far as I can see on
> a first reading, they defer the context establishment out to userland
> and once the context is up, they do the actual crypto for signing etc.
> in the kernel, via a plugin model.
>
> Doing all the crypto in userland isn't really a good idea because even
> when you aren't using message privacy and integrity, parts of the RPC
> header are still signed for basic replay detection. Flipping all that
> out to userland would be devastating for performance. Rick Macklem's
> NFSv4 server code does its crypto in the kernel in a similar way to
> Solaris but it is hard-wired to kerberosv5.
I agree entirely with the above sentiments. Are you sure you can't make
it to EuroBSDCon to talk about NFSv4 there? :-)
Robert N M Watson
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"