On Wed, Nov 24, 2004 at 05:03:41PM +0100, Pavel Cahyna wrote:
> On Wed, 24 Nov 2004 13:51:34 +0000, Tillman Hodgson wrote:
> 
> > On Tue, Nov 23, 2004 at 10:51:26PM -0600, Thomas T. Thai wrote:
> >> I'm curious what people are using to centralize authentication and user,
> >> password, and services management. What are your thoughts on each? I'm
> >> aware of these Open Source solutions:
> >> 
> >> - NIS (YP) - insecure
> >> - Hesiod + Kerberos
> > 
> > I tend to prefer Kerberos + NIS, with NIS run over an IPsec'd VLAN
> 
> That is interesting. How do you configure IPsec for NIS? I thought about
> such solution also and it seemed almost impossible - doesn't the port
> used by RPC services change unpredictably?

Yes. The critical piece is the word "VLAN": I run RPC services over a
seperate subnet. The entire subnet uses IPsec in transport mode.

I was worried about NFS performance, but enabling compression in IPsec
really helps. Thre's some posts I did to the FreeBSD mail lists a few
months (google should be able to dig them up) where I benchmarked 105%
of wirespeed using simulated NFS UDP packets between relatively low-end
machines. Latency suffers, of course, but that may be a worthwhile
trade-off for your environment.

-T


-- 
"If you would be a real seeker after truth, you must at least once in
 your life doubt, as far as possible, all things."
    -- Rene Descartes, _Discourse on Method_