[OpenAFS] Openafs vs Red Hat's Netkey
Steve Gaarder
gaarder1@math.cornell.edu
Mon, 9 Dec 2013 11:24:55 -0500 (EST)

I run a network of machines running Scientific Linux 6 (a Red Hat
Enterprise clone). We have both AFS and NFS file servers. In an effort
to add some security to NFS, we are using IPsec. I have discovered that
IPsec, specifically Red Hat's NETKEY protocol stack, sends OpenAFS
performance through the floor. To try this on an SL/RHEL/CentOS box,
install Openswan and set it up on an OpenAFS server and client according
to these instructions:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html

Then try copying a large file from AFS to the client's local storage, e.g. with
rsync --progress. You will see performance steadily drop to miserable levels.
If you switch the client to the KLIPS stack (by using the kernel module that
comes with the Openswan source), things run fine. It does not seem to matter
which stack is on the server.

Any ideas about what is going on?

Thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder@math.cornell.edu