On 2/21/18 4:51 PM, Jeff Layton wrote:
On Wed, 2018-02-21 at 13:40 -0800, Frank Filz wrote:
We could take this opportunity to change the option to RPCBIND...


Fair enough.

I'd support this.


I actually disagree with the "no udp" statement above too. UDP is great
for single-shot request protocols like rpcbind, and the NFS client will
use it. DDoS is a possibility, but who exposes their rpcbind port to the
Internet?

Unfortunately, millions of websites.  At one time, portmapper was a
leading method of DDoS.

Actually, it's *NOT* great.  When Ganesha/ntirpc cannot find something,
it drops back from TCP to UDP.  And then tries over and over into the
void.  There's no return signal from UDP.

When the TCP service isn't available, you get a nice RST flag.  No need
for all these retry timeouts that UDP requires.

UDP turned out to be a security nightmare for NFS.  We all remember the
IP fragmentation DDoS?

That's why we tried (circa 1992) to eliminate IP fragmentation in IPv6.
Steve Deering was all over this.  DNS and NFS were the big culprits,
and NFS over UDP yields far bigger IP fragment chains than DNS....


In any case, the real fix to this issue is to move to protocols that
don't require rpcbind at all. That means NFSv4.0 at a minimum (though
obviously v4.1+ would be preferred).

Ah, you're speaking to my heart.  But we apparently still have a lot
of UDP downstream, and now FSAL_PROXY.

When will we ever get away from the sins of our fathers, unto the 7th
generation?
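
The failure-signal difference described in the reply above (a closed TCP port answers with RST, an unanswered UDP request can only be retried on a timer), as an added example that is not part of the original message or of the Ganesha/ntirpc code. It probes a loopback port with no listener over both transports; the helper names, timeouts and the 4-byte payload are assumptions chosen for illustration.

```python
import socket
import time

def free_port(kind):
    """Bind to an ephemeral loopback port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def probe_tcp(host, port, timeout=1.0):
    """Single connect attempt: a closed port is reported at once via RST."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result = "open"
    except ConnectionRefusedError:
        result = "refused"
    except socket.timeout:
        result = "timeout"
    return result, 1, time.monotonic() - start

def probe_udp(host, port, timeout=0.1, retries=3):
    """Unconnected datagram client: no negative signal, so resend with a
    doubled timeout until the retry budget is spent."""
    start = time.monotonic()
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for attempt in range(retries):
            s.settimeout(timeout * (2 ** attempt))
            # Constructed placeholder payload, not a real rpcbind call.
            s.sendto(b"\x00" * 4, (host, port))
            sent += 1
            try:
                s.recvfrom(4096)
                return "answered", sent, time.monotonic() - start
            except socket.timeout:
                continue
    return "timeout", sent, time.monotonic() - start

if __name__ == "__main__":
    tcp = probe_tcp("127.0.0.1", free_port(socket.SOCK_STREAM))
    udp = probe_udp("127.0.0.1", free_port(socket.SOCK_DGRAM))
    for name, (result, sent, elapsed) in (("tcp", tcp), ("udp", udp)):
        print(f"{name}: {result} after {sent} send(s), {elapsed:.3f}s")
```
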
