[gpfsug-discuss] gpfsug-discuss Digest, Vol 116, Issue 6
Madhav Ponamgi1
mzp at us.ibm.com
Mon Sep 20 13:44:32 BST 2021
There are 3 flavors of NFS Kerberos (I'm only going to address NFS 4.x):
Krb5 - encrypts authentication
Krb5i - encrypts authentication and provides checksums (reducing man-in-the-middle attacks)
Krb5p - End-to-end encryption with integrity checking
The Krb5p protocol provides ultimate security but comes at a cost where all NFS packets will be encrypted (mount authenticated) and with checksums. This can add considerable overhead (for example, using AES-256 is similar to SMB3 signing and sealing). There are AES-NI off-loading engines to reduce this overhead. So it is not surprising to see a significant performance drop when using Krb5p versus Krb5.
---
Madhav Ponamgi
mzp at us.ibm.com
(215) 794-6987
http://www.ibm.biz/FOSDesignEngine
https://fileobjectsolutiondesignstudio.ibm.com/
Tech Sales Website: w3.ibm.com/w3publisher/ww_storage_tech_sales
From: gpfsug-discuss-request at spectrumscale.org
To: gpfsug-discuss at spectrumscale.org
Date: 09/20/2021 07:00 AM
Subject: [EXTERNAL] gpfsug-discuss Digest, Vol 116, Issue 6
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Today's Topics:
1. nfs krb5p performance (Jon Diprose)
----------------------------------------------------------------------
Message: 1
Date: Mon, 20 Sep 2021 09:58:02 +0000
From: Jon Diprose <jon at well.ox.ac.uk>
To: "gpfsug-discuss at spectrumscale.org"
<gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] nfs krb5p performance
Message-ID:
<CF41F7F23121954A8E819732615C61257AAE3DDB at exchange01.well.ox.ac.uk>
Content-Type: text/plain; charset="us-ascii"
Hello,
We have just started using the nfs protocol with SECTYPE=krb5p and are a
little surprised by the performance impact - looks like down to a third of
that of SECTYPE=krb5. Would any of you using krb5p be kind enough to share
your estimates of impact? Not sure if we have a misconfiguration of setup
or expectation.
Thanks,
Jon
--
Dr. Jonathan Diprose <jon at well.ox.ac.uk> Tel: 01865 287873
Research Computing Manager
Henry Wellcome Building for Genomic Medicine
Roosevelt Drive, Headington, Oxford OX3 7BN
------------------------------
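Added example, not part of either message and not IBM or Spectrum Scale code: a small client-side check that lists which NFS mounts use which Kerberos flavor and whether the CPU advertises AES instructions, the two factors the reply above ties to krb5p overhead. The host name, paths and sample text are constructed; on a real Linux client pass the contents of /proc/mounts and /proc/cpuinfo instead.

```python
# What each flavor protects, in the terms used in the reply above.
FLAVORS = {
    "krb5": "authentication",
    "krb5i": "authentication plus checksums",
    "krb5p": "encryption with integrity checking on all NFS packets",
}

def nfs_sec_flavors(mounts_text):
    """Return [(mountpoint, sec)] for NFS entries in /proc/mounts-format text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        found.append((fields[1], opts.get("sec", "unspecified")))
    return found

def cpu_has_aes(cpuinfo_text):
    """True if a 'flags' (x86) or 'Features' (arm64) line lists the aes token."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("flags", "Features") and "aes" in value.split():
            return True
    return False

def audit(mounts_text, cpuinfo_text):
    """Return one finding string per Kerberos-protected NFS mount."""
    aes = cpu_has_aes(cpuinfo_text)
    findings = []
    for mountpoint, sec in nfs_sec_flavors(mounts_text):
        if sec not in FLAVORS:
            continue
        note = f"{mountpoint}: sec={sec} ({FLAVORS[sec]})"
        if sec == "krb5p" and not aes:
            note += "; no CPU AES flag found, encryption runs in software"
        findings.append(note)
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE_MOUNTS = """\
ces1:/gpfs/proj /mnt/proj nfs4 rw,relatime,vers=4.1,sec=krb5p,proto=tcp 0 0
ces1:/gpfs/scratch /mnt/scratch nfs4 rw,relatime,vers=4.1,sec=krb5,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""
SAMPLE_CPUINFO = "processor : 0\nflags : fpu sse2 ssse3 avx\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MOUNTS, SAMPLE_CPUINFO)))
```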