On Wed, Oct 09, 2013 at 02:33:22PM -0400, Andy Adamson wrote:
> RPCSEC_GSS requires that the GSS-API level sequencing is turned off -
> e.g. the sequence_req_flag is set to false.
>
> rfc2203:
>
>    When GSS_Init_sec_context() is called, the parameters
>    replay_det_req_flag and sequence_req_flag must be turned off. The
>    reasons for this are:
>
>    * ONC RPC can be used over unreliable transports and provides no
>      layer to reliably re-assemble messages. Thus it is possible for
>      gaps in message sequencing to occur, as well as out of order
>      messages.
>
>    * RPC servers can be multi-threaded, and thus the order in which
>      GSS-API messages are signed or wrapped can be different from the
>      order in which the messages are verified or unwrapped, even if
>      the requests are sent on reliable transports.
>
>    * To maximize convenience of implementation, the order in which an
>      ONC RPC entity will verify the header and verify/unwrap the body
>      of an RPC call or reply is left unspecified.
>
>    The RPCSEC_GSS protocol provides for protection from replay attack,
>    yet tolerates out-of-order delivery or processing of messages and
>    tolerates dropped requests.
>
>
> So the RPCSEC_GSS layer does the sequencing, not the GSS layer.

Thanks Andy, that RFC text is a good explanation; I'll add a comment
referencing that.

--b.
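
The quoted RFC text says RPCSEC_GSS itself protects against replay while tolerating gaps and reordering. As an added illustration (not code from this thread or from the kernel), here is a server-side sliding sequence window of the kind RFC 2203 describes, which goes beyond the excerpt quoted above. The struct and function names and the window size of 32 are assumptions.

```c
#include <stdint.h>

#define GSS_WIN 32u   /* window size; assumed value, the server picks it */

enum gss_seq_result { SEQ_ACCEPT, SEQ_DROP_REPLAY, SEQ_DROP_OLD };

/* Per-context state (hypothetical names, not the kernel's). */
struct gss_seq_window {
    uint32_t max_seen;  /* highest sequence number accepted so far */
    uint32_t seen;      /* bit i set: (max_seen - i) was already accepted */
};

/* Assumes the caller has already verified the request's GSS checksum,
 * so a forged sequence number cannot move the window. */
enum gss_seq_result gss_seq_check(struct gss_seq_window *w, uint32_t seq)
{
    if (seq > w->max_seen) {            /* newer than anything seen: slide */
        uint32_t shift = seq - w->max_seen;
        w->seen = (shift >= GSS_WIN) ? 0 : (w->seen << shift);
        w->seen |= 1u;
        w->max_seen = seq;
        return SEQ_ACCEPT;
    }
    uint32_t age = w->max_seen - seq;
    if (age >= GSS_WIN)                 /* fell off the back of the window */
        return SEQ_DROP_OLD;
    if (w->seen & (1u << age))          /* same number twice: replay */
        return SEQ_DROP_REPLAY;
    w->seen |= 1u << age;               /* late but new: out-of-order is fine */
    return SEQ_ACCEPT;
}

/* Count how many requests in a trace of sequence numbers get dropped. */
int count_dropped(const uint32_t *seqs, int n)
{
    struct gss_seq_window w = { 0, 0 };
    int i, dropped = 0;
    for (i = 0; i < n; i++)
        if (gss_seq_check(&w, seqs[i]) != SEQ_ACCEPT)
            dropped++;
    return dropped;
}

int main(void)
{
    /* Constructed trace: gap (2 to 5), late 3, replayed 5, jump to 40, stale 4. */
    const uint32_t trace[] = { 1, 2, 5, 3, 5, 40, 4 };
    return count_dropped(trace, 7) == 2 ? 0 : 1;
}
```

Because the check keys on the sequence number rather than arrival order, the gap and the late request are accepted while the duplicate and the stale request are dropped, which is why the GSS-API level sequencing can stay off.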