RE: What's the status of SPKM3/LIPKEY for NFS4 on Linux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you Bruce for the update. 

-----Original Message-----
From: linux-nfs-owner@xxxxxxxxxxxxxxx [mailto:linux-nfs-owner@xxxxxxxxxxxxxxx] On Behalf Of J. Bruce Fields
Sent: Monday, July 01, 2013 11:01 PM
To: drankye
Cc: linux-nfs@xxxxxxxxxxxxxxx
Subject: Re: What's the status of SPKM3/LIPKEY for NFS4 on Linux

On Mon, Jul 01, 2013 at 03:47:38PM +0800, drankye wrote:
> 
> 
> Hi all,
>  
> About 2 years ago, it was asked “when will we be able to use LIPKEY on 
> NFS4 on Linux?”. Ref. http://permalink.gmane.org/gmane.linux.nfs/35560.
> There Trond replied as below:
>
> We're likely to drop the requirement that SPKM3/LIPKEY be a mandatory 
> security mechanism for NFSv4 in the revised RFC3530 (a.k.a.
> RFC3530bis)
> that is being drafted.
>  
> The reason is that the SPKM3 mechanism (on which LIPKEY
> relies) appears
> to contain inherent security flaws that are difficult to fix. The IETF 
> security group have therefore pretty much killed it as an option.
> Other alternatives to SPKM3 are being discussed, but I'm not aware of 
> anything that replaces LIPKEY.
>
> I’m wondering today what’s the status of SPKM3/LIPKEY support for NFS4 
> on Linux. Does anyone know that? Is SPKM3/LIPKEY dropped from
> NFS4 or available now with the inherent security flaws being fixed?

It's gone.  (The kernel code was removed by 1e7af1b8062598a038c04dfaaabd038a0d6e8b6a "J. Bruce Fields
<bfields@xxxxxxxxxx>".)

And my understanding is that the flaws were inherent to the specification and not fixable in implementation.

--b.

>  
> Thank you very much for your update. 
>  
> Regards,
> Kai
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" 
> in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo 
> info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at  http://vger.kernel.org/majordomo-info.html
��.n��������+%������w��{.n�����{��w���jg��������ݢj����G�������j:+v���w�m������w�������h�����٥
[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux