[linux-cifs-client] 2 New encryption capability bits in,
UNIX extensions.
Jeremy Allison
jra at samba.org
Tue Mar 27 01:58:23 GMT 2007
On Mon, Mar 26, 2007 at 08:18:58PM -0500, Steve French (smfltc) wrote:
> Considering that we can do transport encryption over IPSec over a
> particular
> socket already, this does not seem to add much - and it will have the
> same performance
> problem that ipsec does (although I admit that it should be orders of
> magnitude easier to configure) - the client will have to decrypt the whole
> frame for all frames.
Steve - who do you know who actually sets this up other than on
a VPN ? The goal and use of the CIFS encryption is to turn this
on for any tom-dick-and-harry NAS server on a local lan. Make
it *ubiquitous*, as it doesn't require a PK infrastructure,
just users and passwords.
> If we do what you suggest and encrypt the whole thing after RFC1001 length
> why not set it at sessionsetup (especially if we already have the flag
> defined)
> seems counterintuitive to use a tid based operation for something
> affecting all tids - even
> over IPC$. If we have to do it after sessionsetup - wouldn't it be
> simpler to
> define something that does not require a tid?
Well it's the same reason we have to use a tid based call
for the unix extension capabilities, even though it's not
a tid-based operation.
We only have freedom to add calls in the trans2 tid-based
space. It's not safe to extend CIFS in other places, we
don't have the approval to do that.
> There is one obvious problem with this though ... for the Linux/Unix case it
> will be common to have multiple uids over one socket ... this prevents that.
No it doesn't. What makes you think that ?
> We will have to go to one socket per user per server when somone turns
> this on for a session.
> If we allow multiple uids over one socket - one user who turns on
> encryption to a server
> can slow all other users down by more than 90% (and those users might
> not want to
> pay the > 90% performance penalty)
It's almost certain that servers will set this on or off
as a policy for all mounts. Look at the way this is done
in NFS. That's our use model. The likelyhood of one user
having an encrypted session and one not to the same server
isn't worth messing up the simplicity of the encryption
for (IMHO).
Jeremy.
More information about the linux-cifs-client
mailing list