Ken,
Yes, what I would do (if I cared about encryption ;-) is to have
Firewall 3.2 [1] on clients and servers with a Virtual Private Network.
(I guess other firewall products can also provide secure IP tunnels.)
You are correct that each machine in the VPN would need Firewall software
installed and configured.
The upside is that _everything_ over a secure IP tunnel is encrypted.
That's not just AFS, it's the whole shooting match. However, I believe
you could still have a non-encrypted link (e.g. to other cells).
To my way of thinking, I would rather do this than have to have
individual types of encryption for individual applications.
I would also rather enumerate which machines are included in the VPN
(via the secure IP tunnel configuration).
Are you going to set up encryption for each new product (e.g. DCE/DFS)?
Isn't it better to solve the problem once for all cases?
Hey, I welcome new capabilities in AFS (e.g. encryption) but if (and only if)
they are completely hassle free and don't affect the reliability or
performance of the cells I tend today.
--
paul http://acm.org/~mpb
References:
[1] IBM Firewall 3.2
http://www.software.ibm.com/enetwork/firewall
"Is this the 5 minute argument or the full half hour?"
--The argument sketch, Monty Python