Subject: Re: Centralized User and Password Management
To: None <netbsd-users@netbsd.org>
From: Tillman Hodgson <tillman@seekingfire.com>
List: netbsd-users
Date: 11/24/2004 10:47:07
On Wed, Nov 24, 2004 at 05:43:28PM +0100, Pavel Cahyna wrote:
> 
> Ah, a VLAN at Ethernet level. I didn't pay attention to that important
> word :-) So all the RPC daemons bind only to the VLAN address, and RPC
> clients are taught to contact IP addresses at the VLAN only, right?
> 
> This should work even for clients which are not on that VLAN, if the
> routing is configured properly, am I right?

Yes, though if the IPsec policy is not set to also apply to them then
that might weaken the security model.

OTOH, it might be useful to support a single weird box that doesn't do
IPsec but does grok NIS.

> Hmm. Maybe an IP alias on the servers would be enough, no? If you teach
> the daemons to bind only to the alias and configure IPsec to
> authenticate/encrypt the traffic going to/from this reserved alias address.

That should work too, yes. I used a VLAN mostly because that way I get a
separate interface on most operating systems: it makes host-based
firewalls much easier to design. It also gives me the flexibility to add
a second NIC if RPC traffic gets high enough on a host to warrant it.

-T


-- 
"The universe is not only queerer than we suppose, but queerer than we
 can suppose."
    -- John Haldane, _Possible Worlds_
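An added example, not Tillman's own configuration: an /etc/ipsec.conf fragment in setkey(8) syntax showing the policy the thread describes, with the weak VLAN-only version beside the one that also covers routed clients and carves out the single non-IPsec NIS box. All addresses are assumed: 192.0.2.10 is the reserved VLAN/alias address the RPC daemons bind to, 192.0.2.0/24 the RPC VLAN, and 198.51.100.7 the legacy client.

```conf
# Constructed addresses: 192.0.2.10 = reserved address the RPC daemons
# bind to, 192.0.2.0/24 = the RPC VLAN, 198.51.100.7 = the one legacy
# NIS client that cannot do IPsec. Load with: setkey -f /etc/ipsec.conf
# (the ESP SAs themselves come from racoon or manual "add" entries).

# Weak version: only peers on the VLAN subnet are required to use ESP.
# A client outside the VLAN that reaches 192.0.2.10 through routing
# matches neither entry, so its NIS/RPC traffic is accepted in the clear.
#spdadd 192.0.2.0/24 192.0.2.10/32 any -P in  ipsec esp/transport//require;
#spdadd 192.0.2.10/32 192.0.2.0/24 any -P out ipsec esp/transport//require;

# Exception for the legacy box, listed before the catch-all so that it
# takes precedence; confirm the resulting SPD order with "setkey -DP".
# Remove these two lines once that host is retired.
spdadd 198.51.100.7/32 192.0.2.10/32 any -P in  none;
spdadd 192.0.2.10/32 198.51.100.7/32 any -P out none;

# Corrected version: require ESP for any peer talking to the reserved
# address, so routed clients are covered too. Cleartext packets to
# 192.0.2.10 from a peer without a matching SA are dropped by the kernel
# instead of being answered.
spdadd 0.0.0.0/0 192.0.2.10/32 any -P in  ipsec esp/transport//require;
spdadd 192.0.2.10/32 0.0.0.0/0 any -P out ipsec esp/transport//require;
```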