Subject: Re: Centralized User and Password Management
To: Tillman Hodgson <tillman@seekingfire.com>
From: Pavel Cahyna <pavel.cahyna@st.cuni.cz>
List: netbsd-users
Date: 11/24/2004 17:43:28
On Wed, 24 Nov 2004 16:10:26 +0000, Tillman Hodgson wrote:

>> > I tend to prefer Kerberos + NIS, with NIS run over an IPsec'd VLAN
>> 
>> That is interesting. How do you configure IPsec for NIS? I thought about
>> such solution also and it seemed almost impossible - doesn't the port
>> used by RPC services change unpredictably?
> 
> Yes. The critical piece is the word "VLAN": I run RPC services over a
> separate subnet. The entire subnet uses IPsec in transport mode.

Ah, a VLAN at Ethernet level. I didn't pay attention to that important
word :-) So all the RPC daemons bind only to the VLAN address, and RPC
clients are taught to contact IP addresses at the VLAN only, right?

This should work even for clients which are not on that VLAN, if the
routing is configured properly, am I right?

Hmm. Maybe an IP alias on the servers would be enough, no? If you teach
the daemons to bind only to the alias and configure IPsec to
authenticate/encrypt the traffic going to/from this reserved alias address.

Thanks for the tip.

Bye	Pavel
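As an added illustration of the alias-plus-transport-mode idea discussed above (example script, not code from either poster): the script below emits the ifconfig(8) alias and a setkey(8) policy file that requires ESP transport mode for all traffic ("any" protocol and port) between a reserved server address and each RPC client. Because the policy is keyed on addresses rather than ports, the unpredictable ports that portmap-registered RPC services bind to do not matter, and with "require" the kernel discards cleartext packets that match the policy. The interface name, the 10.99.0.0/24 addresses and the key-exchange choice are assumptions; SAs themselves come from racoon or manual "add" lines, which are not generated here.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Generates (does not apply) the configuration for protecting RPC traffic
# with IPsec transport mode bound to one reserved address.
# Interface names, addresses and peers below are assumed values.

# Emit the ifconfig command that adds the reserved alias the RPC daemons
# are told to bind to (host route, so it is not a second subnet).
alias_cmd() {
    # $1 = interface, $2 = alias address
    printf 'ifconfig %s inet %s netmask 255.255.255.255 alias\n' "$1" "$2"
}

# Emit SPD entries requiring ESP transport mode in both directions between
# the local reserved address and one peer. "any" covers every protocol and
# port, so dynamically assigned RPC ports are irrelevant to the policy.
spd_pair() {
    # $1 = local address, $2 = peer address
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Emit a complete setkey(8) policy script: flush existing policies, then one
# bidirectional pair per peer. Run the same function on each client with the
# arguments reversed (client address first, server alias as the only peer).
gen_setkey() {
    local_addr=$1
    shift
    printf 'spdflush;\n'
    for peer in "$@"; do
        spd_pair "$local_addr" "$peer"
    done
}

# Stand-alone usage: print the server-side configuration for two clients.
if [ "${1:-}" = "demo" ]; then
    alias_cmd vlan10 10.99.0.1
    gen_setkey 10.99.0.1 10.99.0.2 10.99.0.3
fi
```

Apply the output with `setkey -f` on each host and confirm with `setkey -DP` that the policies are present; a client that is routed rather than directly on the VLAN still works as long as its address appears as a peer on the server and its own policy names the server alias.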