[OpenAFS] WAN speed

jukka.tuominen@finndesign.fi jukka.tuominen@finndesign.fi
Thu, 22 Mar 2012 02:51:09 +0200 (EET)

> On Mar 21, 2012, at 4:37 PM, jukka.tuominen@finndesign.fi wrote:
>>> On 21.03.2012 18:09, jukka.tuominen@finndesign.fi wrote:
>>>> Hi,
>>>> All communication must be encrypted.
>>> Ok, so you have enabled the fs crypt function in OpenAFS?
>> Right
>>> That feature is about to change with new RX standard, but current crypt
>>> function is:
>>> 1. very insecure
>>> 2. very very slow
>>> 3. very very CPU hungry
>>> Overall: do not use it, more likely try to use VPN.
>> Hmmm... How feasible is VPN serving the number of concurrent users the
>> OpenAFS is capable of? Integrated to GDM login, seamless single-sign-on?
>> At least it sounds like I'm better off waiting for the new RX standard.
>> When is this due?
> Our cell is fairly small, but I would say that it all depends on the
> amount of bandwidth you have as well as how well your VPN server is
> configured (and how well it performs).
> In my situation, I have a 25/5 cable connection. Attached to this is an
> ASA 5520. I've got nearly a dozen site-to-site VPN tunnels configured (all
> using ASA 5505s) as well as allowing up to 14 VPN clients to connect.
> Through this one cable connection, there are about 40 local users on the
> Internet all day as well as every remote office (around 50 users combined)
> accessing AFS and a number of Citrix applications. Most use the
> site-to-site VPN tunnels but some users use VPN clients when they're
> traveling. (There is no public access to our servers, so they're required
> to use the VPN.)
> 99% of our AFS users are Windows, all with crypt enabled (the default)--I
> have yet to hear of a single performance-related issue from any user.
> We've been operating very well in this configuration for over a year
> now.

VPN is likely to have issues in the Liitin case on a principle level, as
mentioned. However, it can be useful for testing purposes. For example,
with a VNC/VPN combination you can do the calculations at the LAN end.

Another way to go around the problem has been to use xforwarding through
an encrypted AFS account. Even though the account communication is slow, you
can utilise another computer in the LAN for moving large files or a great
number of files. Or even more effectively, use xforward from a non-liitin
account to a liitin-account in the LAN. You would even get the single-sign-on
from there on. But these don't solve the original problem either :(

br, jukka