Re: New extensible GSSAPI implementation
From: Doug Rabson (dfr_at_nlsystems.com)
Date: 11/12/05
- Previous message: Robert Watson: "Re: New extensible GSSAPI implementation"
- In reply to: Robert Watson: "Re: New extensible GSSAPI implementation"
- Next in thread: Doug Rabson: "Re: New extensible GSSAPI implementation"
To: Robert Watson <rwatson@freebsd.org>
Date: Sat, 12 Nov 2005 11:43:26 +0000
On Saturday 12 November 2005 11:25, Robert Watson wrote:
> On Sat, 12 Nov 2005, Doug Rabson wrote:
> > I have looked at the Solaris kernel GSS-API code. As far as I can
> > see on a first reading, they defer the context establishment out to
> > userland and once the context is up, they do the actual crypto for
> > signing etc. in the kernel, via a plugin model.
> >
> > Doing all the crypto in userland isn't really a good idea because
> > even when you aren't using message privacy and integrity, parts of
> > the RPC header are still signed for basic replay detection.
> > Flipping all that out to userland would be devastating for
> > performance. Rick Macklem's NFSv4 server code does its crypto in
> > the kernel in a similar way to Solaris but it is hard-wired to
> > kerberosv5.
>
> I agree entirely with the above sentiments. Are you sure you can't
> make it to EuroBSDCon to talk about NFSv4 there? :-)
Sorry, I really just can't make it this year :-(
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"