There are 3 flavors of NFS Kerberos (I'm only going to address NFS 4.x):

Krb5 - encrypts authentication
Krb5i - encrypts authentication and provides checksums (reducing man-in-the-middle attacks)
Krb5p - End-to-end encryption with integrity checking

The Krb5p protocol provides ultimate security but comes at a cost where all NFS packets will be encrypted (mount authenticated) and with checksums. This can add considerable overhead (for example, using AES-256 is similar to SMB3 signing and sealing). There are AES-NI off-loading engines to reduce this overhead. So it is not surprising to see a significant performance drop when using Krb5p versus Krb5.

---
Madhav Ponamgi
[email protected]
(215) 794-6987
http://www.ibm.biz/FOSDesignEngine
https://fileobjectsolutiondesignstudio.ibm.com/
Tech Sales Website: w3.ibm.com/w3publisher/ww_storage_tech_sales

From: [email protected]
To: [email protected]
Date: 09/20/2021 07:00 AM
Subject: [EXTERNAL] gpfsug-discuss Digest, Vol 116, Issue 6
Sent by: [email protected]

Today's Topics:

   1. nfs krb5p performance (Jon Diprose)

----------------------------------------------------------------------

Message: 1
Date: Mon, 20 Sep 2021 09:58:02 +0000
From: Jon Diprose <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [gpfsug-discuss] nfs krb5p performance
Message-ID: <cf41f7f23121954a8e819732615c61257aae3...@exchange01.well.ox.ac.uk>
Content-Type: text/plain; charset="us-ascii"

Hello,

We have just started using the nfs protocol with SECTYPE=krb5p and are a little surprised by the performance impact - looks like down to a third of that of SECTYPE=krb5.

Would any of you using krb5p be kind enough to share your estimates of impact? Not sure if we have a misconfiguration of setup or expectation.

Thanks,

Jon

--
Dr. Jonathan Diprose <[email protected]>             Tel: 01865 287873
Research Computing Manager
Henry Wellcome Building for Genomic Medicine
Roosevelt Drive, Headington, Oxford OX3 7BN

------------------------------

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss

End of gpfsug-discuss Digest, Vol 116, Issue 6
**********************************************
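
For the question in the thread about a possible misconfiguration, one client-side check is to confirm which sec= flavor each NFSv4 mount actually ended up with. The following is an added example, not part of the original thread; it assumes a Linux client whose mount table is in /proc/mounts format, and the sample hosts, paths and function names are constructed for illustration.

```python
import re

# Flavors ordered from weakest to strongest protection, in the order the
# thread lists them; "sys" (no Kerberos) is placed below all three.
LEVELS = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}

# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS = """\
ces1:/gpfs/home /home nfs4 rw,relatime,vers=4.1,sec=krb5p,proto=tcp 0 0
ces1:/gpfs/scratch /scratch nfs4 rw,vers=4.1,sec=krb5,proto=tcp 0 0
ces1:/gpfs/ref /mnt/ref\\040data nfs4 ro,vers=4.0,sec=sys,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as 3-digit octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def nfs4_mounts(text):
    """Yield (mount point, sec flavor) for every NFSv4 mount in the table."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if fields[2] == "nfs" and not opts.get("vers", "").startswith("4"):
            continue  # NFSv3 is out of scope, as in the thread
        # Assumption: a mount with no sec= option is treated as sec=sys.
        yield unescape(fields[1]), opts.get("sec", "sys")

def below(text, required="krb5p"):
    """Return mounts whose flavor is weaker than `required`.

    Unknown flavor names are treated as weakest so they are always reported.
    """
    need = LEVELS[required]
    return [(mp, sec) for mp, sec in nfs4_mounts(text)
            if LEVELS.get(sec, 0) < need]

if __name__ == "__main__":
    for mp, sec in below(SAMPLE_MOUNTS):
        print(f"{mp}: sec={sec}")
```

On a real client, pass the contents of /proc/mounts to `below()` in place of `SAMPLE_MOUNTS`.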
