[OpenAFS] Re: [SAGE] Code to demo NFS/UDP weakness?

Skylar Thompson skylar@cs.earlham.edu
Wed, 02 Aug 2006 10:03:12 -0700 

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigCFEDF33E97878A527976693E
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Daniel Clark wrote:
> On 8/2/06, Skylar Thompson <skylar@cs.earlham.edu> wrote:
>> With this system list, I can see where AFS might be better. You might
>> also check NFSv4, though.
>
> NFSv4 is even worse in terms of platform support. There isn't even
> very good support for it in recent-ish GNU/Linux distributions, and
> nothing before AIX 5.3+ supports it. Not to mention that the doc that
> I (mostly couldn't) find was incomplete and often didn't mesh with
> current reality. The one exception to this was AIX 5.3; IBM has a nice
> Redbook on NFSv4 for that platform. Sun in theory supports it well,
> but I couldn't find a "how to set up a NFSv4 client on Solaris" type
> document anywhere.

It is pretty new. When I looked at it, I was mostly looking at FreeBSD
server/Red Hat client support. There was a kernel patch for the FreeBSD
server that worked fairly well in 5-RELEASE, and the Red Hat client
could mount it.

>> > If you can point me to a site describing how to set up Kerberized
>> > NFSv3 across all of these platforms, I'd love to see it.
>>
>> I know the Linux one here:
>>
>> http://www.citi.umich.edu/projects/nfsv4/linux/
>
> The URL would seem to indicate that this actually references NFS
> version *4* :-)

>> > Also I'm not a Kerberized NFSv3 expert, but it would be hard for me =
to
>> > believe that it would solve *all* of the numerous NFSv3 security
>> > problems.
>> >
>> >> Where I work, we're moving off AFS to Kerberized NFS because AFS
>> can be
>> >> difficult to work with.
>> >
>> > You must have limited platform support requirements :-)
>>
>> Indeed. In fact, I come from a FreeBSD environment where AFS isn't eve=
n
>> an option. ;)
>
> Doesn't ARLA work fine for *BSD?

Isn't ARLA just the client? All our file servers ran FreeBSD (a bit of
religion/tradition there that predated me), so we'd need a server
implementation as well. It appears that the AFS project on FreeBSD is
pretty much dead.

>> > I've also admined both, and have had far more problems with NFSv3,
>> > esp. with things sort-of-but-not-really working in difficult-to-debu=
g
>> > ways, weird performance issues, and the automounter code, which is
>> > different for each platform, can work in inconsistant ways, and ofte=
n
>> > requires a reboot of the machine to fix.
>>
>> I find that sticking with server platforms with known-good NFS
>> implementations (i.e. not Linux) and UDP is a good approach. FreeBSD a=
nd
>> Solaris have both done well in my experience. The Linux NFS server
>> implementation has given no end of problems.
>
> We use Data OnTAP, which in theory is supposed to have one of the/the
> best NFS implementations available. All of the real problems are
> client-side.
>

That's mainly been my experience too. I've also had problems with
firewalls improperly fragmenting large NFS packets, which is why UDP help=
s.


--=20
-- Skylar Thompson (skylar@cs.earlham.edu)
-- http://www.cs.earlham.edu/~skylar/



--------------enigCFEDF33E97878A527976693E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (SunOS)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE0NrSsc4yyULgN4YRAvD4AJ4nY+OmsHmprUKiXpkNJ++h1NzC7QCgihDe
IkLtMNE8Ic2ncky5wf2OHPk=
=Rauk
-----END PGP SIGNATURE-----

--------------enigCFEDF33E97878A527976693E--