[OpenAFS] AFS over NAT

Nathan Davis davisn@mailandnews.com
Wed, 07 Aug 2002 16:21:46 -0500


Derek Atkins wrote:

> Nathan Davis <davisn@mailandnews.com> writes:
>
> > Derek Atkins wrote:
> >
> > > This wouldn't work if you encrypt the RPCs, because this AFS-NAT box
> > > would have to change the _contents_ of a number of the RPCs instead of
> > > just being a forwarder.  The fileserver would still be advertising the
> > > wrong IP, and that would need to get fixed.
> >
> > Under what circumstances are RPCs encrypted?  Would it be possible
> > to go encrypted between the client and the gateway box, then
> > unencrypted between the gateway and the server?
>
> Um, whenever the client runs "fs setcrypt crypt", which in my case
> is 100% of the time ;)
>
> The only way to encrypt between the client and the gateway would be if
> your gateway had your cell key (which means that anyone with access
> to your gateway has complete access to your cell).
>

Ok, I'm sorry for my ignorance of the AFS protocol.  Is there a good
comprehensive document at this level?


>
> > > The right approach is to not use NAT...  Or use ipv6 (not that AFS
> > > supports that, yet, but getting AFS to support ipv6 is probably a more
> > > useful use of your time than creating a NAT filter that can't work).
> >
> > I do not see anything wrong with NAT.  However, whether or not the
> > use of NAT is "right" or not is not pertinent to this discussion.
> > The *reality* is that NAT is used.  Perhaps ipv6 would be a better
> > long-term solution, but I don't recall anyone asking on the list
> > about when ipv6 support is coming.  I *do* see several questions related to
> > NAT issues.
>
> As I said, I don't want to get into this debate... It's a religious
> issue.  Suffice it to say that the AFS client works fine, but the AFS
> server was _not_ designed to sit behind a NAT.  There are some kludges
> you can do, but generally it's haphazard at best and extremely fragile
> at worst.
>
> > Hence I proposed a solution for the problem.
>
> Hence my statement that it won't work except in an extremely limited
> fashion.  You're better off running a "private" AFS Cell behind your
> NAT where all your clients and servers can talk on your private
> network, and ignoring the rest of the world.
>

... but you haven't *convinced* me it won't work ;-)


>
> > Also, I do not see this solution as strictly limited to NAT.  A
> > gateway might be useful in certain other situations, for example if
> > you want to limit (for security reasons) remote access to certain
> > volumes on the cell.
>
> This is what file system acls are for.  AFS does this intrinsically.
> You don't need firewalls to get file system security with AFS.  I
> admit that the security is rather weak (56-bit authentication and
> about 24-bit encryption), but hopefully the RX_GSS will fix that
> (if/when it gets developed and deployed).
>

Yes.  I didn't mean for the gateway to replace ACLs.  Only that you may want
to restrict access to certain volumes from outside access, regardless of the
ACLs.

--Nathan Davis