nfsv4?

nfsv4?

Bayard Bell-2
The last mail I can find on the subject seems to indicate that there were
problems getting RPC to work with ipv6 (from Henning:
http://marc.info/?l=openbsd-misc&m=120291072230011&w=3). I'm not sure if this
was for lack of a TI-RPC implementation or other reasons. Any info on where
this is?


Re: nfsv4?

Henning Brauer
* Bayard Bell <[hidden email]> [2010-10-27 16:31]:
> The last mail I can find on the subject seems to indicate that there were
> problems getting RPC to work with ipv6 (from Henning:
> http://marc.info/?l=openbsd-misc&m=120291072230011&w=3). I'm not sure if this
> was for lack of a TI-RPC implementation or other reasons. Any info on where
> this is?

ipvshit RPC has nothing to do with nfsv4.

nothing changed with either. personally I don't see this as bad.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: nfsv4?

Bayard Bell-2
Sorry, but it's not entirely clear where the obstacles are. Is this
unhappiness with the specification(s)? the code base for NFSv4 that's been
rolled into the other BSDs? something else?

I'm not necessarily advocating for an implementation for OpenBSD, just to
understand where and why this trailed off, as there appears to have been
significant interest in this a few years back, with not much left over to
indicate why it dropped off.

On 27 Oct 2010, at 15:51, Henning Brauer wrote:

> * Bayard Bell <[hidden email]> [2010-10-27 16:31]:
>> The last mail I can find on the subject seems to indicate that there were
>> problems getting RPC to work with ipv6 (from Henning:
>> http://marc.info/?l=openbsd-misc&m=120291072230011&w=3). I'm not sure if this
>> was for lack of a TI-RPC implementation or other reasons. Any info on where
>> this is?
>
> ipvshit RPC has nothing to do with nfsv4.
>
> nothing changed with either. personally I don't see this as bad.
>
> --
> Henning Brauer, [hidden email], [hidden email]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting


Re: nfsv4?

Henning Brauer
* Bayard Bell <[hidden email]> [2010-10-27 17:19]:
> Sorry, but it's not entirely clear where the obstacles are. Is this
> unhappiness with the specification(s)? the code base for NFSv4 that's
> been rolled into the other BSDs? something else?

personally I haven't looked closely at nfsv4, but what I saw didn't
please me.

i am not aware of anybody else (from us) looking into it deeply.

what problem do you think nfsv4 solves for you again? what's wrong
with our nfs implementation?

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: nfsv4?

James A. Peltier
----- Original Message -----
| * Bayard Bell <[hidden email]> [2010-10-27 17:19]:
| > Sorry, but it's not entirely clear where the obstacles are. Is this
| > unhappiness with the specification(s)? the code base for NFSv4
| > that's
| > been rolled into the other BSDs? something else?
|
| personally I haven't looked closely at nfsv4, but what I saw didn't
| please me.
|
| i am not aware of anybody else (from us) looking into it deeply.
|
| what problem do you think nfsv4 solves for you again? what's wrong
| with our nfs implementation?
|
| --
| Henning Brauer, [hidden email], [hidden email]
| BS Web Services, http://bsws.de
| Full-Service ISP - Secure Hosting, Mail and DNS Services
| Dedicated Servers, Rootservers, Application Hosting

Pardon my ignorance in this matter, but what is it that is unpleasing?  The complexity of it?  From my understanding, NFSv4 is more firewall friendly, using only port 2049, and can also be kerberized for additional security.  Can OpenBSD's NFS implementation do that?

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

Theo de Raadt
> Pardon my ignorance in this matter, but what is it that is
> unpleasing?  The complexity of it?  From my understanding, NFSv4 is
> more firewall friendly, using only port 2049, and can also be
> kerberized for additional security.  Can OpenBSD's NFS implementation
> do that?

NFSv4 is a gigantic joke on everyone.


Re: nfsv4?

James A. Peltier
----- Original Message -----
| > Pardon my ignorance in this matter, but what is it that is
| > unpleasing? The complexity of it? From my understanding, NFSv4 is
| > more firewall friendly, using only port 2049, and can also be
| > kerberized for additional security. Can OpenBSD's NFS implementation
| > do that?
|
| NFSv4 is a gigantic joke on everyone.

IMO, so is the notion of divine deities, but that doesn't answer the original poster's question, nor my response to Henning.

We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no OpenBSD though, and to me complexity was the biggest issue.  It was very difficult because of all the potential points of breakage and inter-dependency.  Out of all of the protocols though it was the most transparent for our multi-platform support.
 
--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

Theo de Raadt
> | > Pardon my ignorance in this matter, but what is it that is
> | > unpleasing? The complexity of it? From my understanding, NFSv4 is
> | > more firewall friendly, using only port 2049, and can also be
> | > kerberized for additional security. Can OpenBSD's NFS implementation
> | > do that?
> |
> | NFSv4 is a gigantic joke on everyone.
>
> IMO, so is the notion of divine deities, but that doesn't answer the original poster's question, nor my response to Henning.
>
> We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no OpenBSD
> though, and to me complexity was the biggest issue.  It was very difficult
> because of all the potential points of breakage and inter-dependency.

> Out of all of the protocols though it was the most transparent for
> our multi-platform support.

Hahahahaha.  That's a good one.

I guess by "all the other protocols" you must be rejecting all the rest
of your network traffic as "not protocols" or "not services".


Re: nfsv4?

James A. Peltier
----- Original Message -----
| > | > Pardon my ignorance in this matter, but what is it that is
| > | > unpleasing? The complexity of it? From my understanding, NFSv4
| > | > is
| > | > more firewall friendly, using only port 2049, and can also be
| > | > kerberized for additional security. Can OpenBSD's NFS
| > | > implementation
| > | > do that?
| > |
| > | NFSv4 is a gigantic joke on everyone.
| >
| > IMO, so is the notion of divine deities, but that doesn't answer the
| > original poster's question, nor my response to Henning.
| >
| > We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no
| > OpenBSD
| > though, and to me complexity was the biggest issue. It was very
| > difficult
| > because of all the potential points of breakage and
| > inter-dependency.
|
| > Out of all of the protocols though it was the most transparent for
| > our multi-platform support.
|
| Hahahahaha. That's a good one.
|
| I guess by "all the other protocols" you must be rejecting all the
| rest
| of your network traffic as "not protocols" or "not services".

Okay, let me rephrase it then.

In order to support file services for all of the OS platforms we support, across all the campuses we support, Kerberized NFSv4 fit the bill best.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

Theo de Raadt
> | I guess by "all the other protocols" you must be rejecting all the
> | rest
> | of your network traffic as "not protocols" or "not services".
>
> Okay, let me rephrase it then.
>
> In order to support file services for all of the OS platforms we
> support, across all the campuses we support, Kerberized NFSv4 fit
> the bill best.

The comedy just never ends.


Re: nfsv4?

James A. Peltier
----- Original Message -----
| > | I guess by "all the other protocols" you must be rejecting all the
| > | rest
| > | of your network traffic as "not protocols" or "not services".
| >
| > Okay, let me rephrase it then.
| >
| > In order to support file services for all of the OS platforms we
| > support, across all the campuses we support, Kerberized NFSv4 fit
| > the bill best.
|
| The comedy just never ends.

Glad I can amuse you.  I still find it funny that an answer hasn't been received as well. :)

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

Theo de Raadt
> | > | I guess by "all the other protocols" you must be rejecting all the
> | > | rest
> | > | of your network traffic as "not protocols" or "not services".
> | >
> | > Okay, let me rephrase it then.
> | >
> | > In order to support file services for all of the OS platforms we
> | > support, across all the campuses we support, Kerberized NFSv4 fit
> | > the bill best.
> |
> | The comedy just never ends.
>
> Glad I can amuse you.  I still find it funny that an answer hasn't
> been received as well. :)

You don't listen well either.

NFSv4 is not on our roadmap.  It is a ridiculous bloated protocol
which they keep adding crap to.  In about a decade the people who
actually start auditing it are going to see all the mistakes that it
hides.

The design process followed by the NFSv4 team members matches the
methodology taken by the IPV6 people.  (As in, once a mistake is made,
and 4 people are running the test code, it is a fact on the ground and
cannot be changed again).  The result is an unrefined piece of trash.


Re: nfsv4?

James A. Peltier
----- Original Message -----
| > | > | I guess by "all the other protocols" you must be rejecting all
| > | > | the
| > | > | rest
| > | > | of your network traffic as "not protocols" or "not services".
| > | >
| > | > Okay, let me rephrase it then.
| > | >
| > | > In order to support file services for all of the OS platforms we
| > | > support, across all the campuses we support, Kerberized NFSv4
| > | > fit
| > | > the bill best.
| > |
| > | The comedy just never ends.
| >
| > Glad I can amuse you. I still find it funny that an answer hasn't
| > been received as well. :)
|
| You don't listen well either.

I listen quite well, just recently had my hearing tested in fact, doctor said it was perfect.  That said, the garbage that was spewed before did not have anything of substance prior to this post.
 
| NFSv4 is not on our roadmap. It is a ridiculous bloated protocol
| which they keep adding crap to. In about a decade the people who
| actually start auditing it are going to see all the mistakes that it
| hides.

Great!  OpenBSD will not support NFSv4.  Period!  This is an answer.  Now the O.P. will know that NFSv4 is not going to happen, putting to rest the idea of any sort of NFSv4 services from OpenBSD.

| The design process followed by the NFSv4 team members matches the
| methodology taken by the IPV6 people. (As in, once a mistake is made,
| and 4 people are running the test code, it is a fact on the ground and
| cannot be changed again). The result is an unrefined piece of trash.

Also, a much more useful answer.  I look forward to seeing a multi-platform, secure file service being developed by OpenBSD developers that doesn't suck as much as IPv6 or NFSv4.  It's certainly possible that your team can do it by looking at the other successful projects.

Now, that said, is there anything that you could recommend instead of NFSv4 for offering secure file services to multiple platforms?  My research only led me to NFSv4 and AFS, and AFS would have been a much, much larger project for us than a move to NFSv4 from NFSv3 w/Samba re-shares.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

mehma sarja
On 10/27/10 1:58 PM, James A. Peltier wrote:
> Now, that said, is there anything that you could recommend instead of NFSv4 for offering secure file services to multiple platforms?  My research only led me to NFSv4 and AFS, and AFS would have been a much, much larger project for us than a move to NFSv4 from NFSv3 w/Samba re-shares.
>    
I wonder how stable sshfs is under heavy usage. Anyone know?

Mehma


Re: nfsv4?

Jan Stary
In reply to this post by Henning Brauer
On Oct 27 18:54:31, Henning Brauer wrote:
> * Bayard Bell <[hidden email]> [2010-10-27 17:19]:
> > Sorry, but it's not entirely clear where the obstacles are. Is this
> > unhappiness with the specification(s)? the code base for NFSv4 that's
> > been rolled into the other BSDs? something else?
>
> personally I haven't looked closely at nfsv4, but what I saw didn't
> please me.
>
> i am not aware of anybody else (from us) looking into it deeply.

NYSE:SUN did, when it existed.

The main difference is it is no longer stateless.
Oh yeah, and it fetches directory listings a bit faster.


Re: nfsv4?

Jan Stary
In reply to this post by James A. Peltier
On Oct 27 11:31:31, James A. Peltier wrote:

> ----- Original Message -----
> | > Pardon my ignorance in this matter, but what is it that is
> | > unpleasing? The complexity of it? From my understanding, NFSv4 is
> | > more firewall friendly, using only port 2049, and can also be
> | > kerberized for additional security. Can OpenBSD's NFS implementation
> | > do that?
> |
> | NFSv4 is a gigantic joke on everyone.
>
> IMO, so is the notion of divine deities, but that doesn't answer the original poster's question, nor my response to Henning.
>
> We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no OpenBSD though, and to me complexity was the biggest issue.  It was very difficult because of all the potential points of breakage and inter-dependency.  Out of all of the protocols though it was the most transparent for our multi-platform support.

You mean, NFSv4 seems more "transparent" to you (whatever that means)
than, say, NFSv2?


Re: nfsv4?

James A. Peltier
----- Original Message -----
| On Oct 27 11:31:31, James A. Peltier wrote:
| > ----- Original Message -----
| > | > Pardon my ignorance in this matter, but what is it that is
| > | > unpleasing? The complexity of it? From my understanding, NFSv4
| > | > is
| > | > more firewall friendly, using only port 2049, and can also be
| > | > kerberized for additional security. Can OpenBSD's NFS
| > | > implementation
| > | > do that?
| > |
| > | NFSv4 is a gigantic joke on everyone.
| >
| > IMO, so is the notion of divine deities, but that doesn't answer the
| > original poster's question, nor my response to Henning.
| >
| > We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no
| > OpenBSD though, and to me complexity was the biggest issue. It was
| > very difficult because of all the potential points of breakage and
| > inter-dependency. Out of all of the protocols though it was the most
| > transparent for our multi-platform support.
|
| You mean, NFSv4 seems more "transparent" to you (whatever that means)
| than, say, NFSv2?

No, in that NFSv4 with Kerberos was an easier move from NFSv3 than to move to something like AFS, which it seems would have required much more work to migrate the existing systems.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : [hidden email]
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
          http://blogs.sfu.ca/people/jpeltier
MSN     : [hidden email]


Re: nfsv4?

FRLinux-2
In reply to this post by Theo de Raadt
On Wed, Oct 27, 2010 at 9:45 PM, Theo de Raadt <[hidden email]>
wrote:
> The design process followed by the NFSv4 team members matches the
> methodology taken by the IPV6 people.  (As in, once a mistake is made,

Sorry, I'll bite. What exactly is wrong with IPv6 here? I gathered
from this list not a lot of developers here like it, but I still don't
get it. Please educate me (this should be enlightening).

Cheers,
Steph


Re: nfsv4?

Brad Tilley-4
In reply to this post by James A. Peltier
James A. Peltier wrote:

> Now, that said, is there anything that you could recommend instead of NFSv4 for offering secure file services to multiple platforms?

Apache with SSL may be a solution. I've used it on small scale projects.
You can auth users against LDAP, AD, etc. Should work with any client
that has an SSL-capable web browser/client of some sort. It's very
portable, file system and client agnostic.

The one downside (IMO) is that the clients won't see it as a native file
system mount, but there are interfaces available and you can always
write your own or customize one to fit your needs.

Your own little dropbox-ish solution.

Brad


Re: nfsv4?

Bayard Bell-2
In reply to this post by Henning Brauer
Henning,

I wouldn't say that there's anything wrong with the OpenBSD NFSv3
implementation, as the problems with NFSv3 are largely with the specification
(and/or the proliferation of specifications and protocols to deal with what's
not in the 1995 original). I'd anticipate a response not unlike evaluating
IPv4 vs. IPv6: granted the original is flawed, the fact that the successor
protocol is *supposed* to solve the problems of its predecessor doesn't mean
that it does as comprehensively or as well as hoped or that it doesn't have
problems of its own.

If I were looking for an objection to the OpenBSD implementation, I'd probably
follow the analogy between IPv4/IPv6 and NFSv3/NFSv4. Whereas OpenBSD
implements features like IPSec that are optional in IPv4 but mandatory in the
successor, the approach taken to the extensions in NFSv3 that were
subsequently made part of the core v4 spec seem to be displaced to transport-
rather than application-level measures (e.g. use IPSec rather than Kerberos
RPCSEC_GSS or RPCSEC_GSSv2, retaining system- rather than principal-based
authentication). Insofar as being stuck with NFSv3 means being stuck with
NFSv3 plus extensions or other supplements, I know that the interoperability
story across platforms is going to have some sad chapters.

Again, I'm not arguing that NFSv4 is or isn't a cure worse than the disease,
but I'm just as interested in what analysis may be available to argue that
conclusion if that's where the consensus is. I believe something similar was
done around IPv6 that helped feed back to changes in the protocol
specification.

I also suspect that consensus may have moved or divided around this. Looking
at a source like Secure Architectures with OpenBSD (admittedly written when
NFSv4 was rather over the horizon), I find that the relatively brief
concluding section on NFS security contends that, "NFSv4 offers significantly
more security via GSS API and Kerberos". To the extent that people may have
moved on from that view, it would be helpful if the reasoning were documented
and available for broader dissemination. Insofar as there may be some
agreement and clarity as to what to deploy instead of NFSv4 that improves on
vanilla NFSv3, I don't think it well-advertised.

Speaking more broadly, I have this general sense that NFSv4 has disappointed
and that adoption has lagged, although more in terms of deployment than
implementation (OpenBSD seems exceptional in this regard, although perhaps not
exceptionally so by its own standards). There seem to be a lot of summary
expressions, but I've not found anything that really argues the case against
it and outlines how to learn to live with something that isn't NFSv4 and the
bomb. In other words: it seems to me that OpenBSD's not implementing NFSv4 may
be a more decisive expression of objections that are elsewhere given more
mumbled expression; I'd just like to see the case laid out and an acceptable
alternative more clearly articulated.

Cheers,
Bayard

On 27 Oct 2010, at 17:54, Henning Brauer wrote:

> * Bayard Bell <[hidden email]> [2010-10-27 17:19]:
>> Sorry, but it's not entirely clear where the obstacles are. Is this
>> unhappiness with the specification(s)? the code base for NFSv4 that's
>> been rolled into the other BSDs? something else?
>
> personally I haven't looked closely at nfsv4, but what I saw didn't
> please me.
>
> i am not aware of anybody else (from us) looking into it deeply.
>
> what problem do you think nfsv4 solves for you again? what's wrong
> with our nfs implementation?
>
> --
> Henning Brauer, [hidden email], [hidden email]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting
