NFS and Backups
Tillman Hodgson
tillman at seekingfire.com
Mon Jul 5 08:54:10 PDT 2004
On Sat, Jul 03, 2004 at 02:33:22PM -0400, Chuck Swiger wrote:
> Grant Peel wrote:
> >I have recently decided to use some extra disk space on one of my servers
> >as
> >backup space. I have NFS client and Servers running OK, but was wondering
> >how
> >secure it really is.
>
> NFS is not secure at all. If you don't trust the local subnet, don't use
> NFS there. Certainly don't use NFS across the Internet, unless using a
> secure tunnelling/VPN protocol....
>
> >So if in my nfsd configuration, I specify a host called 'ahab' for example,
> >how does the nfsd authenticate this host, and how secure is it?
>
> NFS doesn't authenticate the host. NFS trusts the resolver when reversing
> the IP addr into a hostname.
Even on local networks, NFS over IPsec can be a win due to the deflate
algorithm. Here are some netperf results from some tests I did recently
between a Celeron 900 (-STABLE) file server and a 360MHz sparc64 Ultra
5 (-CURRENT):
Raw speed, no IPsec:

[root at caliban /usr/local/netperf]# ./netperf -t UDP_STREAM -H athena
UDP UNIDIRECTIONAL SEND TEST to athena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       13004  13160      95.81
 42080           10.01       12778             94.14
IPsec (3des):

[root at caliban /usr/local/netperf]# ./netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01         715      0       5.27
 42080           10.01         713              5.25
IPsec (blowfish):

[root at caliban ~]# /usr/local/netperf/netperf -t UDP_STREAM -H secathena
UDP UNIDIRECTIONAL SEND TEST to secathena : histogram
Socket  Message  Elapsed      Messages
Size    Size     Time         Okay Errors   Throughput
bytes   bytes    secs            #      #   10^6bits/sec

  9216    9216   10.01       14744      0     108.63
 42080           10.01        3681             27.12
Blowfish is definitely preferable to 3des for IPsec work involving
NFS-like traffic. Due to the deflate feature, netperf reports a result
greater than the 100Mbit/s wire speed. Unfortunately, encryption speed
drops off quickly as socket size increases, but 8k NFS looks like it's
in good shape. Newer hardware will only make things better,
naturally.
IPsec handles the host authentication bit that NFS is pretty loose
about. That still leaves the "UID is checked on the wrong end" problem,
but that's very much a different problem than network level trust
attacks.
-T
--
"That time in Seattle... was a nightmare. I came out of it dead broke,
without a house, without anything except a girlfriend and a knowledge
of UNIX." "Well, that's something," Avi says. "Normally those two are
mutually exclusive." -- Neal Stephenson, "Cryptonomicon"
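Added example, not part of the original thread: a small Python script that parses netperf UDP_STREAM reports in the format quoted above (the three runs are retyped from this message as constructed input) and reports each run's delivered throughput relative to the unencrypted baseline, together with the datagram loss rate. It reads the receiver-side row for delivered throughput, since the sender-side figure only measures offered load; the report names, the `UdpStream` layout and the validation checks are my own assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the three netperf UDP_STREAM runs quoted in the
# post (9216-byte messages, 10 s each), retyped from the message above.
HEADER = ("Socket  Message  Elapsed      Messages\n"
          "Size    Size     Time         Okay Errors   Throughput\n"
          "bytes   bytes    secs            #      #   10^6bits/sec\n\n")
NETPERF_RUNS = {
    "raw": "UDP UNIDIRECTIONAL SEND TEST to athena : histogram\n" + HEADER +
           "  9216    9216   10.01       13004  13160      95.81\n"
           " 42080           10.01       12778             94.14\n",
    "ipsec-3des": "UDP UNIDIRECTIONAL SEND TEST to secathena : histogram\n" + HEADER +
           "  9216    9216   10.01         715      0       5.27\n"
           " 42080           10.01         713              5.25\n",
    "ipsec-blowfish": "UDP UNIDIRECTIONAL SEND TEST to secathena : histogram\n" + HEADER +
           "  9216    9216   10.01       14744      0     108.63\n"
           " 42080           10.01        3681             27.12\n",
}

@dataclass
class UdpStream:
    msg_size: int       # bytes per datagram
    msgs_sent: int      # datagrams the sender got through send()
    send_errors: int    # send() failures netperf counted (usually ENOBUFS)
    send_mbps: float    # sender-side throughput (offered load)
    msgs_recv: int      # datagrams the receiver actually counted
    recv_mbps: float    # receiver-side throughput (delivered)

def parse_udp_stream(text: str) -> UdpStream:
    """Pull the sender and receiver rows out of a netperf UDP_STREAM report."""
    # Data rows are the only lines made purely of numbers; headers contain
    # words, '#' and '10^6bits/sec', so they drop out of the filter.
    rows = [t for t in (ln.split() for ln in text.splitlines())
            if t and all(re.fullmatch(r"[0-9.]+", x) for x in t)]
    if len(rows) != 2 or len(rows[0]) != 6 or len(rows[1]) != 4:
        raise ValueError("not a UDP_STREAM report: %r" % rows)
    s, r = rows
    return UdpStream(int(s[1]), int(s[3]), int(s[4]), float(s[5]),
                     int(r[2]), float(r[3]))

def compare_runs(runs: dict, baseline: str = "raw") -> dict:
    """Delivered throughput relative to baseline, plus datagram loss per run."""
    base = parse_udp_stream(runs[baseline])
    out = {}
    for name, text in runs.items():
        r = parse_udp_stream(text)
        out[name] = {"recv_mbps": r.recv_mbps,
                     "relative": round(r.recv_mbps / base.recv_mbps, 3),
                     "loss": round(1 - r.msgs_recv / r.msgs_sent, 3)}
    return out
```

Run `compare_runs(NETPERF_RUNS)` to get the per-run figures; with the numbers above, the 3des run delivers about 6% and the blowfish run about 29% of the unencrypted receive throughput.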