"Erik E. Fair" (Time Keeper) <fair@clock.org> writes:

>One phrase: NFS on IP security.

Amen to that.

In those environments where IP address checks are apparently ``way too
slow'', I have a hard time imagining per-packet triple-DES encryption
is acceptable.  

If you don't do per-host access checks at the NFS RPC level, and do
just authentication not encryption, how does IPsec stop a third party
from sniffing filehandles in mount requests and using them to send
(authenticated!)  NFS RPC requests?

(assuming you accept any non-authenticated IP packets, that is.)