Subject: Re: Centralized User and Password Management
To: None <firstname.lastname@example.org>
From: Tillman Hodgson <email@example.com>
Date: 11/24/2004 10:47:07
On Wed, Nov 24, 2004 at 05:43:28PM +0100, Pavel Cahyna wrote:
> Ah, a VLAN at Ethernet level. I didn't pay attention to that important
> word :-) So all the RPC daemons bind only to the VLAN address, and RPC
> clients are taught to contact IP adresses at the VLAN only, right?
> This should work even for clients which are not on that VLAN, if the
> routing is configured properly, am I right?
Yes, though if the IPsec policy is not set to also apply to them then
that might weakening the security model.
OTOH, it might be useful to support a single weird box that doesn't do
IPsec but does grok NIS.
> Hmm. Maybe an IP alias on the servers would be enough, no? If you teach
> the daemons to bind only to the alias and configure IPsec to
> authenticate/encrypt the traffic going to/from this reserved alias address.
That should work too, yes. I used a VLAN mostly because that way I get a
separate interface on most operating systems: it makes host-based
firewalls much easier to design. It also gives me the flexibility to add
a second NIC if RPC traffic gets high enough on a host to warrant it.
"The universe is not only queerer than we suppose, but queerer than we
-- John Haldane, _Possible Worlds_