Date: Mon, 5 Jul 2004 09:54:08 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: NFS and Backups
Message-ID: <20040705155408.GD56432@seekingfire.com>
In-Reply-To: <40E6FBF2.1060201@mac.com>
References: <00ba01c460fe$d9cae910$6601a8c0@grant> <40E6FBF2.1060201@mac.com>
On Sat, Jul 03, 2004 at 02:33:22PM -0400, Chuck Swiger wrote:
> Grant Peel wrote:
> >I have recently decided to use some extra disk space on one of my servers
> >as backup space. I have NFS client and servers running OK, but was wondering
> >how secure it really is.
>
> NFS is not secure at all. If you don't trust the local subnet, don't use
> NFS there. Certainly don't use NFS across the Internet, unless using a
> secure tunnelling/VPN protocol....
>
> >So if in my nfsd configuration, I specify a host called 'ahab' for example,
> >how does the nfsd authenticate this host, and how secure is it?
>
> NFS doesn't authenticate the host. NFS trusts the resolver when reversing
> the IP addr into a hostname.

Even on local networks, NFS over IPsec can be a win due to the deflate
algorithm. Here are some netperf results from some tests I did recently
between a Celeron 900 (-STABLE) file server and a 360MHz sparc64 Ultra 5
(-CURRENT):

Raw speed, no IPsec:

[root@caliban /usr/local/netperf]# ./netperf -t UDP_STREAM -H athena
UDP UNIDIRECTIONAL SEND TEST to athena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

 9216    9216   10.01       13004  13160     95.81
42080           10.01       12778            94.14

IPsec (3des):

[root@caliban /usr/local/netperf]# ./netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

 9216    9216   10.01         715      0      5.27
42080           10.01         713             5.25

IPsec (blowfish):

ot@caliban ~]# /usr/local/netperf/netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

 9216    9216   10.01       14744      0    108.63
42080           10.01        3681            27.12

Blowfish is definitely preferable to 3des for IPsec work involving NFS-like
traffic. Due to the deflate feature, netperf reports a result greater than
the 100Mbit/s wire speed. Unfortunately, encryption speed drops off quickly
as socket size increases, but 8k NFS looks like it's in good shape. Newer
hardware will only make things better, naturally.

IPsec handles the host authentication bit that NFS is pretty loose about.
That still leaves the "UID is checked on the wrong end" problem, but that's
very much a different problem than network level trust attacks.

-T

-- 
"That time in Seattle... was a nightmare. I came out of it dead broke,
without a house, without anything except a girlfriend and a knowledge of
UNIX."
"Well, that's something," Avi says. "Normally those two are mutually
exclusive."
    -- Neal Stephenson, "Cryptonomicon"
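The setup the measurements above imply, written out as an added example (this is not configuration from the thread or from the FreeBSD project): a setkey(8) file for the NFS client side, giving ESP in transport mode with Blowfish-CBC plus IPComp deflate between client and server. The addresses 192.0.2.10 (client) and 192.0.2.20 (server), the SPIs and the keys are placeholders I chose; the algorithm names and the policy grammar are those of setkey(8) on FreeBSD of that era.

```conf
# /etc/ipsec.conf on the NFS client; load with: setkey -f /etc/ipsec.conf
# Assumed addresses (placeholders): client 192.0.2.10, NFS server 192.0.2.20

flush;
spdflush;

# ESP security associations, one per direction. Both hosts must add both SAs
# identically (an SA is identified by destination + SPI). The key material here
# is a placeholder: generate real keys with e.g. "openssl rand -hex 16" for
# the 128-bit Blowfish key and "openssl rand -hex 20" for the HMAC-SHA1 key.
add 192.0.2.10 192.0.2.20 esp 0x1001
    -E blowfish-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1    0x000102030405060708090a0b0c0d0e0f10111213;
add 192.0.2.20 192.0.2.10 esp 0x1002
    -E blowfish-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1    0x131211100f0e0d0c0b0a09080706050403020100;

# IPComp SAs: the deflate stage that let netperf report more than wire speed.
add 192.0.2.10 192.0.2.20 ipcomp 0x2001 -C deflate;
add 192.0.2.20 192.0.2.10 ipcomp 0x2002 -C deflate;

# Policy. Rules are applied in the listed order to outbound packets, so list
# compression before encryption (compressing ciphertext gains nothing).
# "require" on ESP means no cleartext NFS ever leaves this host; "use" on
# IPComp lets the peer decline compression without breaking the flow.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec
    ipcomp/transport//use
    esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in ipsec
    ipcomp/transport//use
    esp/transport//require;
```

The server's file carries the same four SAs with the two spdadd lines swapped between in and out. Two caveats a practitioner would want: manual keying like this never rekeys and puts long-lived secrets in a file on both hosts, so for anything beyond a test bench drive the SAs from IKE (racoon in the FreeBSD of this period) and keep only the spdadd policy static; and both 3DES and Blowfish are legacy ciphers today, so on a current kernel the like-for-like choice is AES (AES-GCM where available). IPsec only settles which host is on the other end of the socket, as the message says; the exports(5) host list still decides who may mount, and the AUTH_SYS UID the client asserts is still taken on trust by the server.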