[OpenAFS] AFS over NAT

Derek Atkins warlord@MIT.EDU
07 Aug 2002 16:18:18 -0400


Nathan Davis <davisn@mailandnews.com> writes:

> Derek Atkins wrote:
> 
> > This wouldn't work if you encrypt the RPCs, because this AFS-NAT box
> > would have to change the _contents_ of a number of the RPCs instead of
> > just being a forwarder.  The fileserver would still be advertising the
> > wrong IP, and that would need to get fixed.
> 
> Under what circumstances are RPCs encrypted?  Would it be possible
> to go encrypted between the client and the gateway box, then
> unencrypted between the gateway and the server?

Um, whenever the client runs "fs setcrypt crypt", which in my case
is 100% of the time ;)

The only way to encrypt between the client and the gateway would be if
your gateway had your cell key (which means that anyone with access
to your gateway has complete access to your cell).

> > The right approach is to not use NAT...  Or use ipv6 (not that AFS
> > supports that, yet, but getting AFS to support ipv6 is probably a more
> > useful use of your time than creating a NAT filter that can't work).
> 
> I do not see anything wrong with NAT.  However, whether or not the
> use of NAT is "right" or not is not pertinent to this discussion.
> The *reality* is that NAT is used.  Perhaps ipv6 would be a better
> long-term solution, but I don't recall anyone asking on the list
> about ipv6 support.  I *do* see several questions related to
> NAT issues.

As I said, I don't want to get into this debate... It's a religious
issue.  Suffice it to say that the AFS client works fine, but the AFS
server was _not_ designed to sit behind a NAT.  There are some kludges
you can do, but generally it's haphazard at best and extremely fragile
at worst.

> Hence I proposed a solution for the problem.

Hence my statement that it won't work except in an extremely limited
fashion.  You're better off running a "private" AFS Cell behind your
NAT where all your clients and servers can talk on your private
network, and ignoring the rest of the world.

> Also, I do not see this solution as strictly limited to NAT.  A
> gateway might be useful in certain other situations, for example if
> you want to limit (for security reasons) remote access to certain
> volumes on the cell.

This is what file system acls are for.  AFS does this intrinsically.
You don't need firewalls to get file system security with AFS.  I
admit that the security is rather weak (56-bit authentication and
about 24-bit encryption), but hopefully the RX_GSS will fix that
(if/when it gets developed and deployed).

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
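The message above turns on the client-side "fs setcrypt crypt" setting that decides whether AFS RPCs are encrypted at all. The following script is an added example, not code from the thread or from OpenAFS itself: it checks a client's current setting and switches it to crypt if it is off. It assumes (my assumption, not stated in the thread) that "fs getcrypt" prints a line of the form "Security level is currently crypt." or "Security level is currently clear.", and that "fs setcrypt crypt" turns encryption on. The FS_CMD variable is a hook I added so the logic can be exercised against a stand-in on a machine without the AFS client.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenAFS): verify
# that an OpenAFS client encrypts its RPCs, and enable it if not.
#
# Assumptions (mine): `fs getcrypt` prints
#   "Security level is currently crypt."  or
#   "Security level is currently clear."
# and `fs setcrypt crypt` switches encryption on for this client.
# FS_CMD lets a wrapper or test double stand in for the real `fs`.

FS_CMD="${FS_CMD:-fs}"

# Parse one line of `fs getcrypt` output.
# Prints "crypt", "clear", or "unknown" (anything unrecognized, e.g.
# an error from a host without the AFS client).
afs_crypt_state() {
    case "$1" in
        *"currently crypt"*) echo crypt ;;
        *"currently clear"*) echo clear ;;
        *)                   echo unknown ;;
    esac
}

# Make sure the running client encrypts its RPCs.
# Returns 0 if crypt is on (already, or after we set it), 1 otherwise.
# Note this is a per-client setting: a user on another machine can still
# talk to the cell in the clear, which is why the gateway idea in the
# thread cannot be made safe by encryption alone.
ensure_afs_crypt() {
    state=$(afs_crypt_state "$("$FS_CMD" getcrypt 2>&1)")
    case "$state" in
        crypt)
            return 0
            ;;
        clear)
            "$FS_CMD" setcrypt crypt || return 1
            # Re-read rather than trusting the exit status of setcrypt.
            state=$(afs_crypt_state "$("$FS_CMD" getcrypt 2>&1)")
            [ "$state" = crypt ]
            ;;
        *)
            # No AFS client, or an output format we do not recognize.
            return 1
            ;;
    esac
}

# Usage on a real client (uncomment to run):
# ensure_afs_crypt && echo "AFS RPCs are encrypted" || echo "NOT encrypted"
```

Running ensure_afs_crypt from a login script is a cheap way to make sure no client in your cell silently falls back to clear RPCs; it does not, as the message notes, make the traffic strong, only no weaker than "fs setcrypt crypt" allows.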