Re:
Date: Fri, 17 Mar 2006 17:43:34 -0800 (PST) From: Mike Eisler email2mre-toasters@yahoo.com Subject: Re: NFSv4 [was: Re: Mixed Mode] To: Brian Parent bparent@calvin.ucsd.edu, toasters@mathworks.com
--- Brian Parent bparent@calvin.ucsd.edu wrote:
Currently, we're using IPsec with non-kerberized NFS to deal with the vulnerabilities inherent in trusting IP address for authorization in an environment where network jacks in public places exist (e.g. most Universities).
How is the performance of this? Are you using AH or ESP?
We're only using AH, thinking the performance hit wouldn't be as large, plus our main focus was to authenticate the endpoints as opposed to privacy of the data. We sufferred quite a bit, and purchased a IPsec hardware accelerator for the R100 which helped. However, there was a compound problem that cleared up at about the same time as the installation of the accelerator, so it's hard to accurately attribute which problem to what amount of extra load. I tend to think that the IPsec accelerator would not have been necessary had the other problem not surfaced.