2013-07-01 07:53:24

by drankye

Subject: What's the status of SPKM3/LIPKEY for NFS4 on Linux



Hi all,
 
About 2 years ago, it was asked “when will we be able to use LIPKEY on
NFS4 on Linux?”. Ref. http://permalink.gmane.org/gmane.linux.nfs/35560.
There Trond replied as below:

“
We're likely to drop the requirement that SPKM3/LIPKEY be a mandatory
security mechanism for NFSv4 in the revised RFC3530 (a.k.a. RFC3530bis)
that is being drafted.

The reason is that the SPKM3 mechanism (on which LIPKEY relies) appears
to contain inherent security flaws that are difficult to fix. The IETF
security group have therefore pretty much killed it as an option.
Other alternatives to SPKM3 are being discussed, but I'm not aware of
anything that replaces LIPKEY.
”

I’m wondering today what’s the status of SPKM3/LIPKEY support for NFS4
on Linux. Does anyone know that? Is SPKM3/LIPKEY dropped from NFS4 or
available now with the inherent security flaws being fixed?
 
Thank you very much for your update.
 
Regards,
Kai



2013-07-01 15:01:08

by J. Bruce Fields

Subject: Re: What's the status of SPKM3/LIPKEY for NFS4 on Linux

On Mon, Jul 01, 2013 at 03:47:38PM +0800, drankye wrote:
>
>
> Hi all,
>  
> About 2 years ago, it was asked “when will we be able to use LIPKEY on
> NFS4 on Linux?”. Ref. http://permalink.gmane.org/gmane.linux.nfs/35560.
> There Trond replied as below:
> “
> We're likely to drop the requirement that SPKM3/LIPKEY be a mandatory
> security mechanism for NFSv4 in the revised RFC3530 (a.k.a. RFC3530bis)
> that is being drafted.
>
> The reason is that the SPKM3 mechanism (on which LIPKEY relies) appears
> to contain inherent security flaws that are difficult to fix. The IETF
> security group have therefore pretty much killed it as an option.
> Other alternatives to SPKM3 are being discussed, but I'm not aware of
> anything that replaces LIPKEY.
> ”
> I’m wondering today what’s the status of SPKM3/LIPKEY support for NFS4
> on Linux. Does anyone know that? Is SPKM3/LIPKEY dropped from NFS4 or
> available now with the inherent security flaws being fixed?

It's gone. (The kernel code was removed by
1e7af1b8062598a038c04dfaaabd038a0d6e8b6a "J. Bruce Fields
<[email protected]>".)

And my understanding is that the flaws were inherent to the
specification and not fixable in implementation.

--b.

>  
> Thank you very much for your update.
>  
> Regards,
> Kai

2013-07-02 03:31:36

by Zheng, Kai

Subject: RE: What's the status of SPKM3/LIPKEY for NFS4 on Linux